Proxy DoT: DNS over TLS to Cloudflare with Unbound

Set up a DNS over TLS (DoT) proxy using Unbound with Cloudflare's encrypted DNS service for enhanced privacy and security

DNS over TLS (DoT) with Unbound and Cloudflare

Overview

DNS over TLS (DoT) encrypts DNS queries between your device and the DNS resolver, preventing ISPs and third parties from monitoring or manipulating your DNS traffic. This guide shows how to configure Unbound as a local DNS resolver that forwards queries to Cloudflare's DNS service over TLS.

Why DNS over TLS?

  • Privacy: Encrypts DNS queries to prevent eavesdropping and tracking
  • Security: Protects against DNS hijacking and man-in-the-middle attacks
  • Integrity: Ensures DNS responses haven't been tampered with in transit
  • Performance: Cloudflare's 1.1.1.1 service offers fast response times globally

How It Works

Client → Unbound (Local DNS) → TLS Tunnel → Cloudflare DNS (1.1.1.1)
  1. Clients send DNS queries to Unbound on port 53 (standard, unencrypted DNS)
  2. Unbound encrypts the queries with TLS and forwards them to Cloudflare on port 853
  3. Cloudflare resolves the query and returns the response over the same TLS connection
  4. Unbound decrypts and caches the response, then sends it to the client
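
What passes through the TLS tunnel in step 2 is ordinary DNS wire format with a 2-byte length prefix (RFC 7858). The shell functions below are an added example, not code from the guide or from Unbound: `dns_query_hex` builds such a framed query offline, and `dot_query` sends it to a DoT server with the same certificate hostname check that the `#cloudflare-dns.com` auth name gives Unbound. `dot_query` assumes `openssl` and `xxd` are installed and needs network access.

```shell
#!/bin/sh
# Added example (not from the guide or Unbound): the bytes that travel through
# the TLS tunnel in step 2. DoT carries normal DNS messages over TCP port 853,
# each prefixed with a 2-byte big-endian length, inside an authenticated TLS
# session. dns_query_hex builds such a framed query; dot_query sends it.

# Hex of a length-prefixed query for NAME, type A, class IN, recursion desired.
# The transaction ID 0x1234 is a constructed constant (a resolver randomizes it).
dns_query_hex() {
    qname=""
    # QNAME: each label as <length byte><label bytes>, then a terminating zero byte
    for label in $(printf '%s' "$1" | tr '.' ' '); do
        qname="$qname$(printf '%02x' "${#label}")$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')"
    done
    # header: ID=1234 flags=0100 (RD) QDCOUNT=1 AN/NS/ARCOUNT=0; then QTYPE=A QCLASS=IN
    body="123401000001000000000000${qname}0000010001"
    # TCP/TLS framing: the 2-byte message length precedes the message
    printf '%04x%s\n' "$(( ${#body} / 2 ))" "$body"
}

# dot_query NAME IP HOSTNAME: send the query to IP:853 over TLS, requiring a
# certificate that chains to the system CA store and is valid for HOSTNAME
# (what Unbound does with tls-cert-bundle plus the #hostname auth name), and
# print the raw, also length-prefixed, response as hex. Needs network access.
dot_query() {
    # the sleep keeps stdin open long enough for the answer to arrive
    { dns_query_hex "$1" | xxd -r -p; sleep 2; } |
        openssl s_client -quiet -no_ign_eof -connect "$2:853" -servername "$3" \
            -verify_hostname "$3" -verify_return_error | od -An -tx1
}

# Network example: dot_query example.com 1.1.1.1 cloudflare-dns.com
# Offline: show the framed query bytes Unbound would send for example.com
dns_query_hex example.com
```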

Configuration

Unbound config /etc/unbound/unbound.conf.d/my.conf. As written, `interface: 0.0.0.0` together with `access-control: 0.0.0.0/0 allow` makes this an open resolver for every network that can reach the host; the Network Restriction Configuration section below limits it to local clients.

```
server:
    # Log to the file below; with use-syslog: yes the logfile setting is ignored
    use-syslog: no
    logfile: "/var/log/unbound.log"
    verbosity: 2
    username: "nobody"
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    prefetch: yes
    # CA bundle used to validate upstream TLS certificates
    # (a server: option; unbound-checkconf rejects it inside forward-zone)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: .
    forward-tls-upstream: yes
    # the hostname after # is checked against the server certificate
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Configuration Breakdown

| Parameter | Description | Value |
|---|---|---|
| use-syslog | Send logs to syslog instead of the logfile (yes overrides the logfile setting) | no (write to logfile) |
| logfile | Path to Unbound's log file | /var/log/unbound.log |
| verbosity | Log detail level (0-5) | 2 (operational info) |
| username | User to run Unbound as after startup | nobody (drops privileges) |
| interface | Address to listen on | 0.0.0.0 (all interfaces) |
| access-control | Allow/deny clients by netblock | 0.0.0.0/0 allow (all networks; restrict in production) |
| prefetch | Refresh popular cache entries before they expire | yes (improves performance) |
| forward-tls-upstream | Use TLS for forwarded queries | yes |
| tls-cert-bundle | CA certificates for validating upstream TLS certificates (server: block) | System CA bundle path |
| forward-addr | Upstream DoT server | IP@PORT#HOSTNAME (hostname is verified against the certificate) |

Installation and Setup

Install Unbound

```bash
sudo apt update
sudo apt install unbound -y
```

Create Configuration

```bash
# Create the custom config directory if it doesn't exist
sudo mkdir -p /etc/unbound/unbound.conf.d

# Create your custom configuration
sudo nano /etc/unbound/unbound.conf.d/my.conf
```

Verify Configuration

```bash
# Test configuration syntax
sudo unbound-checkconf

# Expected output:
# unbound-checkconf: no errors in /etc/unbound/unbound.conf
```

Enable and Start Service

```bash
# Enable Unbound to start on boot
sudo systemctl enable unbound

# Start the Unbound service
sudo systemctl start unbound

# Check service status
sudo systemctl status unbound
```

Testing DNS over TLS

Test Local DNS Resolution

```bash
# Query localhost (Unbound)
dig @127.0.0.1 example.com

# Should return an ANSWER SECTION with an IP address
```

Verify TLS Connection

```bash
# Monitor Unbound logs (with use-syslog: yes the logfile is not written;
# use "sudo journalctl -u unbound -f" instead)
sudo tail -f /var/log/unbound.log

# You should see TLS handshake messages like:
# info: outbound ssl authentication for cloudflare-dns.com
```

Test from Remote Client

```bash
# From another machine on your network
dig @YOUR_SERVER_IP example.com

# Test reverse DNS
dig @YOUR_SERVER_IP -x 8.8.8.8
```

Advanced Configuration Examples

Enhanced Security Configuration

```
# /etc/unbound/unbound.conf.d/security.conf
server:
    # Harden against spoofed, stripped or out-of-bailiwick data
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    # experimental per the Unbound manual; adds extra queries and can fail some lookups
    harden-referral-path: yes

    # Randomize 0x20 letter case in outgoing query names so a spoofed
    # answer must also match the case (anti-spoofing)
    use-caps-for-id: yes

    # Privacy settings: don't answer id.server / version.server queries
    hide-identity: yes
    hide-version: yes

    # Performance tuning (cache-min-ttl overrides shorter upstream TTLs)
    cache-min-ttl: 300
    cache-max-ttl: 86400
    prefetch-key: yes

    # Thread optimization (adjust based on CPU cores; slab counts must be
    # a power of 2, roughly the number of threads)
    num-threads: 4
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
```

Network Restriction Configuration

```
# /etc/unbound/unbound.conf.d/network.conf
# Remove the "interface: 0.0.0.0" and "access-control: 0.0.0.0/0 allow" lines
# from my.conf when using this file, otherwise the wildcard listener stays active.
server:
    # Listen only on the LAN address and IPv6 loopback
    interface: 192.168.1.10
    interface: ::1

    # Allow only local networks (the most specific matching netblock wins)
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 10.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow
    access-control: ::1 allow
    access-control: fc00::/7 allow

    # Refuse everything else (also Unbound's default for unlisted addresses)
    access-control: 0.0.0.0/0 refuse
```

Multiple Upstream Providers Configuration

```
# /etc/unbound/unbound.conf.d/multi-upstream.conf
# Unbound does not merge two forward-zone entries for the same name, so this
# replaces the forward-zone in my.conf. tls-cert-bundle stays in the server:
# block of my.conf.
forward-zone:
    name: .
    forward-tls-upstream: yes

    # Unbound spreads queries over all listed addresses by measured response
    # time; "primary" and "secondary" are labels, not a strict order.

    # Cloudflare (primary)
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

    # Quad9 (secondary, privacy focused)
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

Split DNS Configuration

```
# /etc/unbound/unbound.conf.d/split-dns.conf
# Forward the internal domain to the local DNS server (plaintext on the LAN).
# If DNSSEC validation is enabled (an auto-trust-anchor-file in the server:
# block), also add domain-insecure: "internal.company.com" there so validation
# does not reject answers for a zone that does not exist in the public DNS tree.
forward-zone:
    name: "internal.company.com"
    forward-addr: 192.168.1.1

# Forward everything else via DoT to Cloudflare. This replaces the forward-zone
# in my.conf; tls-cert-bundle stays in the server: block there.
forward-zone:
    name: .
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Monitoring and Troubleshooting

View Real-time Statistics

```bash
# unbound-control needs remote control enabled in the config (control-enable: yes)
# and keys set up once with: sudo unbound-control-setup

# Get Unbound statistics without resetting the counters
sudo unbound-control stats_noreset

# Dump the cache contents
sudo unbound-control dump_cache

# Show server status (version, threads, uptime)
sudo unbound-control status
```

Common Issues

TLS Handshake Failures

```bash
# Check if CA certificates are installed
ls -la /etc/ssl/certs/ca-certificates.crt

# Update CA certificates (Ubuntu/Debian)
sudo update-ca-certificates

# Update CA certificates (Fedora/RHEL)
sudo update-ca-trust
```

Port 853 Blocked

```bash
# Test connectivity to Cloudflare DoT
openssl s_client -connect 1.1.1.1:853 -servername cloudflare-dns.com

# Should show the TLS handshake and certificate chain, ending with
# "Verify return code: 0 (ok)"; a connection timeout means port 853 is blocked
```

Performance Issues

```
# Increase cache sizes in the configuration
server:
    msg-cache-size: 50m
    rrset-cache-size: 100m
    cache-max-ttl: 86400
    cache-min-ttl: 300

    # Adjust based on available RAM
    # Formula: rrset-cache-size = 2 * msg-cache-size
```

Firewall Configuration

Allow DNS Traffic

```bash
# UFW (Ubuntu)
sudo ufw allow 53/tcp
sudo ufw allow 53/udp

# Firewalld (Fedora/RHEL)
sudo firewall-cmd --permanent --add-service=dns
sudo firewall-cmd --reload

# iptables
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
```

Allow Outbound DoT

```bash
# Ensure outbound connections to port 853 are allowed
sudo ufw allow out 853/tcp

# Or with iptables
sudo iptables -A OUTPUT -p tcp --dport 853 -j ACCEPT
```

Performance Benchmarking

Compare DNS Resolver Performance

```bash
# Install dnsperf
sudo apt install dnsperf # Ubuntu/Debian

# Create a test query file
echo "example.com A" > queries.txt
echo "google.com A" >> queries.txt
echo "github.com A" >> queries.txt

# Benchmark local Unbound
dnsperf -s 127.0.0.1 -d queries.txt

# Benchmark Cloudflare directly (plain DNS on port 53)
dnsperf -s 1.1.1.1 -d queries.txt
```

Integration with System

Configure System to Use Unbound

systemd-resolved (Modern Linux)

```bash
# Edit the resolved configuration
sudo nano /etc/systemd/resolved.conf

# Set:
[Resolve]
DNS=127.0.0.1
# FallbackDNS is used only when 127.0.0.1 is unreachable; it is plain DNS on port 53
FallbackDNS=1.1.1.1
DNSStubListener=no

# Restart the service
sudo systemctl restart systemd-resolved

# Point /etc/resolv.conf at the file resolved generates from the DNS= setting
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
```

Traditional resolv.conf

```bash
# Edit resolv.conf
sudo nano /etc/resolv.conf

# Add:
nameserver 127.0.0.1
options edns0 trust-ad
```

NetworkManager

```bash
# Edit the NetworkManager configuration
sudo nano /etc/NetworkManager/NetworkManager.conf

# Add (NetworkManager then no longer writes /etc/resolv.conf, so maintain it
# by hand as in the previous section):
[main]
dns=none

# Restart NetworkManager
sudo systemctl restart NetworkManager
```

Security Considerations

  • Access Control: Restrict access to trusted networks only in production
  • Logging: Consider privacy implications of DNS query logging
  • Updates: Keep Unbound and system packages updated for security patches
  • TLS Validation: Always verify TLS certificates to prevent MITM attacks
  • Fallback: Configure fallback DNS servers in case of DoT failures; prefer a second DoT provider (see Multiple Upstream Providers Configuration) over a plaintext port 53 fallback, which would silently re-expose queries
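
The following script is an added example, not a tool from Unbound or from this guide: `audit_conf` reads an Unbound config file and reports the weak settings the list above and the first configuration section warn about (open resolver, plaintext forwarding, missing `tls-cert-bundle`, upstreams without a `#hostname` auth name). The two sample configs it checks are constructed for the example.

```shell
#!/bin/sh
# Added example, not Unbound or guide code: audit_conf FILE checks an Unbound
# config for the weaknesses this page warns about (open resolver, plaintext
# forwarding, no tls-cert-bundle, forward-addr without a #authname) and
# returns 1 with one finding per line if any are present.
audit_conf() {
    findings=$(awk '
    function endzone(   i) {         # report on the forward-zone just finished
        if (in_zone && naddr && tls != "yes")
            print "forward-zone " zone ": plaintext forwarding (forward-tls-upstream is not yes)"
        for (i = 1; in_zone && tls == "yes" && i <= naddr; i++)
            if (index(addr[i], "#") == 0)
                print "forward-zone " zone ": " addr[i] " has no #authname, hostname not verified"
        if (in_zone && tls == "yes") tlszones++
        in_zone = 0; tls = ""; naddr = 0
    }
    /^[ \t]*#/ { next }            # full-line comment
    { sub(/[ \t]#.*$/, "") }       # trailing comment; # inside a token (1.1.1.1@853#host) is not one
    /^[ \t]*$/ { next }
    $1 == "server:"       { endzone(); block = "server"; next }
    $1 == "forward-zone:" { endzone(); block = "zone"; in_zone = 1; next }
    NF == 1 && $1 ~ /:$/  { endzone(); block = "other"; next }
    block == "server" && $1 == "interface:"       { if ($2 ~ /^(0\.0\.0\.0|::0?)$/) wildcard = 1 }
    block == "server" && $1 == "access-control:"  { if (($2 == "0.0.0.0/0" || $2 == "::/0") && $3 == "allow") allow_all = 1 }
    block == "server" && $1 == "tls-cert-bundle:" { if (NF > 1) bundle = 1 }
    block == "zone" && $1 == "name:"                 { zone = $2 }
    block == "zone" && $1 == "forward-tls-upstream:" { tls = $2 }
    block == "zone" && $1 == "forward-addr:"         { addr[++naddr] = $2 }
    END {
        endzone()
        if (wildcard && allow_all) print "server: open resolver (wildcard interface, access-control 0.0.0.0/0 allow)"
        if (tlszones && !bundle)   print "server: no tls-cert-bundle, upstream certificates are not validated"
    }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"; return 1
}
# Constructed samples: weak.conf is open to everyone, has no CA bundle and one
# upstream without an auth name; good.conf is this guide's config with the
# network restriction applied and tls-cert-bundle in the server: block.
WORK=$(mktemp -d)
printf '%s\n' 'server:' '  interface: 0.0.0.0' '  access-control: 0.0.0.0/0 allow' 'forward-zone:' \
    '  name: .' '  forward-tls-upstream: yes' '  forward-addr: 1.1.1.1@853  # no auth name' \
    '  forward-addr: 1.0.0.1@853#cloudflare-dns.com' > "$WORK/weak.conf"
printf '%s\n' 'server:' '  interface: 192.168.1.10' '  access-control: 192.168.0.0/16 allow' \
    '  access-control: 0.0.0.0/0 refuse' '  tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"' \
    'forward-zone:' '  name: .' '  forward-tls-upstream: yes' \
    '  forward-addr: 1.1.1.1@853#cloudflare-dns.com' '  forward-addr: 1.0.0.1@853#cloudflare-dns.com' > "$WORK/good.conf"
for f in weak good; do echo "== $f.conf"; audit_conf "$WORK/$f.conf" && echo "no findings"; done
```

Run it against /etc/unbound/unbound.conf.d/my.conf (one file at a time, since tls-cert-bundle in one file and forward-zones in another are only seen together by Unbound itself).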

Additional Resources

Alternative DoT Providers

| Provider | Primary IP | Secondary IP | Hostname |
|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | cloudflare-dns.com |
| Quad9 | 9.9.9.9 | 149.112.112.112 | dns.quad9.net |
| AdGuard | 94.140.14.14 | 94.140.15.15 | dns.adguard.com |
| CleanBrowsing | 185.228.168.9 | 185.228.169.9 | security-filter-dns.cleanbrowsing.org |