I wish I was more up to speed on how all this worked. I am getting there... So apologies for the apparent ignorance.
I have unbound running on a PC. It has the local network defined as private-domain:, local-zone:, local-data:, local-data-ptr:, localhost etc. All other queries are forwarded to servers that support DoT:

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
    #forward-addr: 149.112.112.112@853#dns.quad9.net
    # Cloudflare DNS
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

There are no other DNS servers that rely on this one for any services whatsoever; it's 100% standalone. All queries to the internet go via the forward server, which supports DoT, so that should be doing the donkey work to the wider internet and returning the results.

Unbound, from the log file, does many queries to that server (all using TLS, authenticated, over TCP) to gather all the information it requires to either return the queried name as insecure or, if it has been signed, check that the signature can be validated. If DNSSEC fails you get a SERVFAIL and no useful data returned (e.g. no IP address in the A or AAAA record). If it's not been signed you get the data whatever; it's then up to you if you think where you are sent is valid (e.g. when using a browser).

So at this point I can't see where UDP would be used? As far as I can see there are no queries that go to other servers on the internet that are NOT those defined in the forward list.

What am I missing?

Regards
Ray

-----Original Message-----
From: Havard Eidnes <[email protected]>
Sent: 24 July 2019 12:49
To: [email protected]
Cc: [email protected]
Subject: Re: DoT and UDP requirements

> Having setup DoT and got it all working, I was under the impression
> that all DNS queries would now use TLS over TCP.

Where?

Between your client and your unbound recursor (where you have control and can enable DNS-over-TLS-over-TCP), or outwards from your unbound recursor to the rest of the net?

For the latter to work, each and every publishing name server out there would have to have deployed DNS-over-TLS-over-TCP. To put it mildly, "we're not there yet", and I'm doubtful we ever will be.

Even if you dropped "TLS", and only wanted to do TCP, I think that would also work poorly, since still too many publishing name servers either don't do DNS-over-TCP or there are firewalls on the path which prohibit it from working.

Regards,

- Håvard
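As an added example, not part of the thread or of unbound itself: a small Python checker for the kind of forward-zone configuration quoted above. It reads unbound.conf-style text and flags forwarders that would not actually get authenticated DoT: an address without @853 (unbound defaults to port 53), an address without a #authname (the upstream certificate is then not verified), or an authname with no tls-cert-bundle/tls-system-cert in the server section to verify it against, plus any forward-zone without forward-tls-upstream, whose queries go out in cleartext. The sample config is constructed; the Quad9 and Cloudflare lines mirror the thread, while 192.0.2.53 and 192.0.2.54 (RFC 5737 documentation range) are deliberately weak entries added to show what gets flagged. This is a lint on top of, not a replacement for, unbound-checkconf. It also bears on the question in the thread only for the upstream leg: in a setup like this the UDP that remains is between the stub clients and unbound itself on port 53.

```python
"""Lint unbound forward-zone stanzas for DNS-over-TLS hygiene (added example, not unbound code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: Quad9/Cloudflare lines follow the thread's config; the two
# 192.0.2.x entries are deliberately weak so the checks below have something to flag.
SAMPLE_CONF = """\
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    private-domain: "home.arpa"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    #forward-addr: 149.112.112.112@853#dns.quad9.net
    # Cloudflare DNS
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    # constructed weak entries (documentation-range addresses)
    forward-addr: 192.0.2.53#resolver.example
    forward-addr: 192.0.2.54@853
"""

# forward-addr syntax: IP[@port][#authname]; IPv6 literals contain ':' but never '@' or '#'.
ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


@dataclass
class ForwardZone:
    name: str = ""
    tls: bool = False
    addrs: list = field(default_factory=list)  # raw forward-addr values


def parse_unbound(text):
    """Minimal unbound.conf reader: returns (server_options, [ForwardZone, ...]).

    Handles only what the checks need: 'server:' / 'forward-zone:' clauses,
    'key: value' lines, and whole-line '#' comments.
    """
    server, zones, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                      # bare 'server:' or 'forward-zone:' opens a clause
            section = key
            if section == "forward-zone":
                zones.append(ForwardZone())
            continue
        if section == "server":
            server[key] = value
        elif section == "forward-zone" and zones:
            zone = zones[-1]
            if key == "name":
                zone.name = value
            elif key == "forward-tls-upstream":
                zone.tls = value.lower() == "yes"
            elif key == "forward-addr":
                zone.addrs.append(value)
    return server, zones


def audit_forwarders(text):
    """Return a list of human-readable findings; an empty list means every forwarder is authenticated DoT."""
    server, zones = parse_unbound(text)
    # Either option gives unbound a CA store to check the #authname against.
    has_ca_store = bool(server.get("tls-cert-bundle")) or server.get("tls-system-cert", "no").lower() == "yes"
    findings = []
    for zone in zones:
        if not zone.tls:
            findings.append(f"zone {zone.name!r}: forward-tls-upstream not set; queries leave in cleartext (UDP/TCP 53)")
            continue
        for addr in zone.addrs:
            m = ADDR_RE.match(addr)
            if not m:
                findings.append(f"zone {zone.name!r}: cannot parse forward-addr {addr!r}")
                continue
            ip, port, auth = m.group("ip"), m.group("port") or "53", m.group("auth")
            if port != "853":
                findings.append(f"zone {zone.name!r}: {ip} uses port {port}, not 853; the TLS handshake will fail against a plain-DNS port")
            if not auth:
                findings.append(f"zone {zone.name!r}: {ip} has no #authname; the upstream certificate is not verified")
            elif not has_ca_store:
                findings.append(f"zone {zone.name!r}: {ip} has #authname but no tls-cert-bundle/tls-system-cert; verification cannot succeed")
    return findings


if __name__ == "__main__":
    for finding in audit_forwarders(SAMPLE_CONF):
        print(finding)
```

Running it against the constructed sample reports exactly the two weak entries: 192.0.2.53 for defaulting to port 53 and 192.0.2.54 for lacking an authname. Dropping the tls-cert-bundle line makes every authname-bearing forwarder, including the Quad9 and Cloudflare ones, unverifiable, which is the failure mode that is easy to miss because the TLS connection still comes up.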
