Hi! I am using DNS over TLS caching DNS, port 853 on Unbound 1.19.3. It works but it doesn't work with Quad9. My unbound.conf:

# DNS Over TLS, Simple ENCRYPTED recursive caching DNS, TCP port 853
## FreeBSD 14 unbound config
#
server:
    port: 53
    directory: "/usr/local/etc/unbound"
    username: unbound
    chroot: "/usr/local/etc/unbound"
    module-config: "validator iterator"
    access-control: 127.0.0.1/8 allow
    # access-control: 192.168.0.0/16 allow
    # access-control: fddd::/48 allow
    # unblock-lan-zones: yes
    # insecure-lan-zones: yes
    aggressive-nsec: yes
    cache-max-ttl: 14400
    cache-min-ttl: 1200
    # root-hints: /usr/local/etc/unbound/root.hints
    # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    include: /usr/local/etc/unbound/voidZones
    logfile: /usr/local/etc/unbound/unbound.log
    verbosity: 1
    log-queries: yes
    log-time-ascii: yes
    val-log-level: 2
    use-syslog: no
    do-ip4: yes
    do-ip6: yes
    do-tcp: yes
    do-udp: yes
    hide-identity: yes
    hide-version: yes
    qname-minimisation: no
    # minimal-responses: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # disable-dnssec-lame-check: yes
    interface: 127.0.0.1
    interface: ::0
    pidfile: /var/run/unbound.pid
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    so-reuseport: yes
    val-clean-additional: yes
    unwanted-reply-threshold: 10000
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
    use-caps-for-id: yes
    # Unbound from pkg built with libevent; increase threads and slabs to the
    # number of real cpu cores to reduce lock contention. Increase cache size to
    # store more records and allow each thread to serve an increased number of
    # concurrent client requests.
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    msg-cache-size: 128M
    rrset-cache-size: 256M
    outgoing-range: 950
    num-queries-per-thread: 512

# forward-addr format must be ip "@" port number "#" followed by the valid public hostname
# in order for unbound to use the tls-cert-bundle to validate the dns server certificate.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: no
    forward-addr: 116.203.32.217@853#fdns1.dismail.de
    forward-addr: 159.69.114.157@853#fdns2.dismail.de
    # forward-addr: 9.9.9.9@853#dns.quad9.net
    # forward-addr: 149.112.112.112@853#dns.quad9.net

and in resolv.conf I have:

nameserver 127.0.0.1
options edns0 DNSSEC=no

No errors.

Thank you.

LuMiWa
-- 
"If you can't explain it to a six year old, you don't understand it yourself." — Albert Einstein
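The comment in the posted config states the rule that matters for the security of a DoT forwarder: every forward-addr must carry `@853` and a `#hostname`, or Unbound has no name to check the upstream certificate against. The following is an added example, not the poster's configuration or any part of Unbound itself: a small Python audit that parses the `server:` and `forward-zone:` clauses of an unbound.conf and reports entries that would forward in plaintext, use a port other than 853, or lack the auth name. The parser, the `audit` function and the sample config are assumptions of this example; the sample reuses the poster's two dismail.de entries and adds two constructed bad entries (a Quad9 address with the `#dns.quad9.net` part removed, and the documentation address 192.0.2.1) to show what the check flags.

```python
import re
from typing import Any, Dict, List

# Constructed sample config (not the original post). The last two forward-addr
# lines are deliberately wrong: one lacks the "#hostname" auth name, the other
# lacks both the port and the auth name.
SAMPLE_CONF = """\
server:
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: no
    forward-addr: 116.203.32.217@853#fdns1.dismail.de
    forward-addr: 159.69.114.157@853#fdns2.dismail.de
    # forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 9.9.9.9@853
    forward-addr: 192.0.2.1
"""

# ip, optional "@port", optional "#authname" (the format the post's comment describes)
FORWARD_ADDR = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def strip_comment(raw: str) -> str:
    """Drop unbound.conf comments: '#' at line start or after whitespace.
    A '#' glued to a value (9.9.9.9@853#dns.quad9.net) is an auth name, not a comment."""
    line = raw.strip()
    if line.startswith("#"):
        return ""
    return re.split(r"\s+#", line, maxsplit=1)[0].strip()


def parse_conf(text: str) -> Dict[str, Any]:
    """Collect tls-cert-bundle from server: and each forward-zone: clause."""
    state: Dict[str, Any] = {"tls_cert_bundle": None, "zones": []}
    clause = None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":  # a bare "name:" line opens a clause (server:, forward-zone:, ...)
            clause = key
            if clause == "forward-zone":
                state["zones"].append({"name": None, "tls": False, "addrs": []})
            continue
        if clause == "server" and key == "tls-cert-bundle":
            state["tls_cert_bundle"] = value
        elif clause == "forward-zone" and state["zones"]:
            zone = state["zones"][-1]
            if key == "name":
                zone["name"] = value
            elif key == "forward-tls-upstream":
                zone["tls"] = value.lower() == "yes"
            elif key == "forward-addr":
                zone["addrs"].append(value)
    return state


def audit(text: str) -> List[str]:
    """Return one finding per forward-addr that cannot be authenticated over TLS."""
    conf = parse_conf(text)
    findings: List[str] = []
    if not conf["tls_cert_bundle"]:
        findings.append("server: no tls-cert-bundle, so upstream certificates cannot be validated")
    for zone in conf["zones"]:
        name = zone["name"] or "?"
        if not zone["tls"]:
            findings.append(f"zone {name}: forward-tls-upstream is not yes; forwarding is plaintext")
            continue
        for addr in zone["addrs"]:
            m = FORWARD_ADDR.match(addr)
            if not m:
                findings.append(f"zone {name}: cannot parse forward-addr {addr!r}")
                continue
            if m.group("port") != "853":
                findings.append(f"zone {name}: {addr} does not use port 853")
            if not m.group("auth"):
                findings.append(f"zone {name}: {addr} has no #hostname, so the certificate is not checked")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the sample it reports three findings, all on the two constructed entries; the poster's own dismail.de lines pass. The same function can be pointed at a real file with `audit(open("/usr/local/etc/unbound/unbound.conf").read())` after `unbound-checkconf` has confirmed the syntax.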