DNS-over-TLS on Unbound

Filename: /etc/unbound/unbound.conf

Debian

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

server:
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
  name: "."
  forward-tls-upstream: yes

  forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
  forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
  forward-addr: 146.185.167.43@853#dot.securedns.eu
  forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net

Arch

DNSSEC checking is disabled because it is not working. Please help me if you find a fix.

server:
  use-syslog: yes
  do-daemonize: no
  username: "unbound"
  directory: "/etc/unbound"
  # TODO: fix DNSSEC check
  # trust-anchor-file: trusted-key.key
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
  name: "."
  forward-tls-upstream: yes

  forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
  forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
  forward-addr: 146.185.167.43@853#dot.securedns.eu
  forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net
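Both the Debian and the Arch configuration above rely on the same three settings for the upstream hop to be encrypted and authenticated: forward-tls-upstream: yes, a TLS port (853, or 443 for dot1.appliedprivacy.net) on every forward-addr, and the #hostname suffix on every forward-addr together with tls-cert-bundle in the server: section. Without the #hostname, Unbound still speaks TLS but does not verify the upstream certificate. The following audit script is an added example, not part of the original page or of Unbound itself; it parses only the flat subset of unbound.conf syntax used above (sections, key: value lines, comments), and the GOOD_CONF and WEAK_CONF strings are constructed samples, the first copied from the Debian example, the second a deliberately weakened variant.

```python
"""Audit the forward-zone of a minimal unbound.conf for DNS-over-TLS hygiene.

Added example (not from the original page). Checks:
  1. server: has tls-cert-bundle (or tls-system-cert: yes), so certificates
     can be verified at all
  2. each forward-zone has forward-tls-upstream: yes (old name: forward-ssl-upstream)
  3. each forward-addr uses a TLS port (853, or 443 as some resolvers do)
  4. each forward-addr carries a "#hostname" auth name; without it Unbound
     does not verify the upstream certificate (opportunistic TLS only)
"""
import re

# ip[@port][#authname]; IPv6 literals contain ':' and are handled by the [^@#\s]+ class
FORWARD_ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")
TLS_PORTS = {853, 443}


def parse_unbound(text):
    """Return [(section, [(key, value), ...]), ...] in file order.

    Only the flat syntax used in the page's examples is supported. A '#'
    preceded by whitespace starts a comment; the '#' inside a forward-addr
    value (no whitespace before it) is the auth-name separator and is kept.
    Top-level directives such as include: are ignored.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = re.sub(r"\s#.*$", "", raw).strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and " " not in line:      # e.g. "server:" / "forward-zone:"
            current = (line[:-1], [])
            sections.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")
        current[1].append((key.strip(), value.strip().strip('"')))
    return sections


def parse_forward_addr(value):
    """Split 'ip[@port][#auth]' into (ip, port, auth); port defaults to 53."""
    m = FORWARD_ADDR_RE.match(value)
    if not m:
        raise ValueError(f"cannot parse forward-addr {value!r}")
    return m.group("ip"), int(m.group("port") or 53), m.group("auth")


def audit(text):
    """Return a list of findings; an empty list means every forwarded query
    leaves the host over TLS to an authenticated upstream."""
    findings = []
    sections = parse_unbound(text)
    server = {k: v for name, kv in sections if name == "server" for k, v in kv}
    if "tls-cert-bundle" not in server and server.get("tls-system-cert") != "yes":
        findings.append("server: no tls-cert-bundle / tls-system-cert, "
                        "upstream certificates cannot be verified")
    for name, kv in sections:
        if name != "forward-zone":
            continue
        opts = dict(kv)                       # duplicates (forward-addr) re-read below
        zone = opts.get("name", "?")
        tls = opts.get("forward-tls-upstream", opts.get("forward-ssl-upstream"))
        if tls != "yes":
            findings.append(f"forward-zone {zone}: forward-tls-upstream is not 'yes', "
                            "queries are forwarded in cleartext")
        for key, value in kv:
            if key != "forward-addr":
                continue
            try:
                _ip, port, auth = parse_forward_addr(value)
            except ValueError as exc:
                findings.append(f"forward-zone {zone}: {exc}")
                continue
            if port not in TLS_PORTS:
                findings.append(f"forward-zone {zone}: {value}: port {port} is not a DoT port")
            if auth is None:
                findings.append(f"forward-zone {zone}: {value}: no #auth-name, "
                                "certificate will not be checked")
    return findings


# Constructed sample: the Debian configuration from the page.
GOOD_CONF = """\
include: "/etc/unbound/unbound.conf.d/*.conf"

server:
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
  forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
  forward-addr: 146.185.167.43@853#dot.securedns.eu
  forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net
"""

# Constructed weak variant: no cert bundle, TLS not enabled, one entry without
# an auth name and one without a TLS port.
WEAK_CONF = """\
server:
  username: "unbound"   # a trailing comment is stripped

forward-zone:
  name: "."
  forward-addr: 91.239.100.100@853
  forward-addr: 185.95.218.42#dns.digitale-gesellschaft.ch
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(f"{label}: {audit(conf) or ['OK']}")
```

Run it against your own file with audit(open("/etc/unbound/unbound.conf").read()) after unbound-checkconf has accepted the syntax; the script is a hygiene check, not a replacement for Unbound's own parser.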

See the list of resolvers that support DNS-over-TLS.

Setting unbound as system resolver

echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf && sudo chattr +i /etc/resolv.conf

This sets 127.0.0.1 as the nameserver and makes the file immutable (chattr +i) so that DHCP clients and network managers cannot overwrite it. To unlock the file again, run chattr -i /etc/resolv.conf.

Captive portals

As captive portals don't allow DNS-over-TLS, you need to reset your DNS to the network's own resolver while you log in to the portal.

Further reading