Hi Vladimir,

'https-port:' makes sure that DoH is used for listening sockets using that specific port.

In order to use the port you need to explicitly define it with 'interface:'.

The port in 'interface:' is optional and will default to 53, or the value of 'port:' if that is changed.

For example, if you set 'https-port: 53', and don't define a port in 'interface:', Unbound will only listen for DoH.

In your case with the following configuration:
    interface: ::1
    interface: 127.0.0.1
    interface: ::1@3053
    interface: 127.0.0.1@3053
    https-port: 3053

Unbound will listen for plain DNS on port 53 and for DoH on port 3053 on 127.0.0.1 and ::1.

Best regards,
-- Yorgos
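Here is a small checker for the interface/https-port rule explained above. It is an added example, not part of this thread or of Unbound itself; it assumes a constructed unbound.conf fragment and models only the listener/port interplay described here, not Unbound's full configuration grammar.

```python
import re

# Constructed unbound.conf fragment mirroring the thread's working configuration.
SAMPLE_CONF = """\
server:
    interface: ::1
    interface: 127.0.0.1
    interface: ::1@3053
    interface: 127.0.0.1@3053
    https-port: 3053
    tls-service-key: "/etc/cert/hosts/doh.key"
    tls-service-pem: "/etc/cert/hosts/doh.crt"
"""

def parse_options(conf_text):
    """Collect 'key: value' lines; repeatable keys (interface:) become lists."""
    opts = {}
    for line in conf_text.splitlines():
        m = re.match(r"([\w-]+):\s*(\S.*)$", line.split("#", 1)[0].strip())
        if m:  # clause headers such as "server:" carry no value and are skipped
            opts.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return opts

def classify_listeners(conf_text):
    """Map (addr, port) -> 'doh' or 'dns': no @port means 'port:' (default 53);
    a port equal to 'https-port:' (default 443) is DoH-only, the rest plain DNS."""
    opts = parse_options(conf_text)
    default_port = int(opts.get("port", ["53"])[0])
    https_port = int(opts.get("https-port", ["443"])[0])
    listeners = {}
    for iface in opts.get("interface", []):
        addr, _, port = iface.rpartition("@")
        if not addr:  # no "@port" suffix: rpartition put the address in 'port'
            addr, port = port, default_port
        listeners[(addr, int(port))] = "doh" if int(port) == https_port else "dns"
    return listeners

def doh_misconfigurations(conf_text):
    """Findings worth checking before a restart: an https-port no interface uses
    (the 'connection refused' case), DoH without TLS key/pem, no plain-DNS left."""
    opts = parse_options(conf_text)
    kinds = classify_listeners(conf_text).values()
    findings = []
    if "doh" not in kinds:
        findings.append("no interface uses https-port; DoH will not be served")
    elif "tls-service-key" not in opts or "tls-service-pem" not in opts:
        findings.append("DoH listener configured but tls-service-key/pem missing")
    if "dns" not in kinds:
        findings.append("no plain-DNS listener: every interface is DoH-only")
    return findings
```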

On 16/05/2023 10:07, Vladimir Lomov via Unbound-users wrote:
Hello.

I have installed and configured unbound on some of my hosts and wanted to try
DNS-over-HTTPS provided by unbound.

I figured out how to configure unbound (`interface`, `outgoing-interface` and
`access-control`) to use it on the local host and from the local network.

To use DoH, I generated a certificate for DoH and put this in `unbound.conf`:

```
   tls-service-key: "/etc/cert/hosts/doh.key"
   tls-service-pem: "/etc/cert/hosts/doh.crt"
   https-port: 3053
```

But it didn't work, when I did

```
$ dig +https -p 3053 @::1 google.com
```

I got 'connection refused'.

I re-read the documentation carefully and found the following:

```
https-port: <number>

  The port number on which to provide DNS-over-HTTPS service. Only interfaces
   configured with that port number as @number get the HTTPS service.

   Default: 443
```

If I get it right, then besides these lines (example!):

```
   interface: ::1
   interface: 127.0.0.1
```

I also need these

```
   interface: ::1@3053
   interface: 127.0.0.1@3053
```

I added the appropriate lines on three hosts and now `dig +https` works!  But
on the fourth host it works even without these lines! This puzzles me. The
hosts have different network settings, but the fourth host doesn't have a
public IPv6 address, only a ULA one.

So how should DoH be configured? If I change `https-port`, I MUST add
something like

```
   interface: ::1@PORT
```
or is the `https-port` setting enough?

---
WBR, Vladimir Lomov
