DoT and UDP requirements

Hi,

More questions on DoT…

Having setup DoT and got it all working, I was under the impression that all DNS queries would now use TLS over TCP. With that in mind I set:

do-udp: no

Having changed that setting, unbound will not answer any queries at all.

Either local-data

C:>dig -x 192.168.1.20

; <<>> DiG 9.14.4 <<>> -x 192.168.1.3
;; global options: +cmd
;; connection timed out; no servers could be reached

Or external

C:>dig www.microsoft.com

; <<>> DiG 9.14.4 <<>> www.microsoft.com
;; global options: +cmd
;; connection timed out; no servers could be reached

With UDP enabled there are no problems.

So the question is:

Why does UDP have to be enabled?

How can I be certain that ALL forwarded queries are over TCP if UDP is enabled?

Regards

Ray

> Having setup DoT and got it all working, I was under the impression
> that all DNS queries would now use TLS over TCP.

Where? Between your client and your unbound recursor (where you have
control and can enable DNS-over-TLS-over-TCP), or outwards from your
unbound recursor to the rest of the net? For the latter to work, each
and every publishing name server out there would have to have deployed
DNS-over-TLS-over-TCP. To put it mildly, "we're not there yet", and
I'm doubtful we ever will be.

Even if you dropped "TLS", and only wanted to do TCP, I think that
would also work poorly, since still too many publishing name servers
either don't do DNS-over-TCP or there are firewalls on the path which
prohibit it from working.

Regards,

- Håvard

Hi Ray,

Havard is right about the DNS ecosystem and the use of UDP.

However I want to clarify the unbound behavior in regards to what you
are trying to do:

Setting `do-udp: no` will disable UDP for unbound altogether. That
means both upstream and downstream communication.
You can verify that by running the same dig commands but with the extra
`+tcp` option. This will force dig to use TCP to unbound and unbound
will answer normally.
Although you will get an answer because you forced your client to
connect via TCP, this cannot be guaranteed by other clients on your
system. That's why I don't advise on having `do-udp: no`.

From your configuration you should have something like

forward-zone:
  name: "."
  forward-addr: ...
  forward-tls-upstream: yes

If you don't have any other conflicting forward-zone or stub-zone
directives then all your upstream traffic goes to the defined DNS
servers above over TLS over TCP.

The only other caveat is the use of `forward-first: yes` inside
`forward-zone`. In your case you shouldn't use it because what it tries
to do is first try to get an answer from the configured DNS resolver and
if that fails it falls back to its own resolution.

I hope this is clear enough.

Best regards,
-- George
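George's checklist (a forward-zone for ".", `forward-tls-upstream: yes`, no conflicting forward-zone or stub-zone, no `forward-first`) plus the two prerequisites from unbound.conf(5) that the thread does not spell out (`@853` on each forward-addr, and a `tls-cert-bundle` or `tls-system-cert` so the `#authname` can actually be verified) can be turned into a static check of the configuration file, which is one way to answer Ray's "how can I be certain" question without sniffing the wire. The script below is an added example, not part of the original thread and not unbound's own tooling. It parses the clause/attribute layout of unbound.conf (note that `#` is the auth-name separator inside a forward-addr and only starts a comment at the beginning of a line or after whitespace), then reports anything that would let an upstream query leave without TLS. The two embedded configs are constructed: `RAYS_CONFIG` mirrors the forward-zone in the thread with an assumed CA bundle path, `WEAK_CONFIG` trips every check.

```python
"""Static audit of an unbound.conf: is every forwarded query sent over TLS?"""
import re

# Top-level clause keywords of unbound.conf(5). "keyword:" with no value starts
# a clause; every other "key: value" line belongs to the most recent clause.
CLAUSE_KEYWORDS = {"server", "forward-zone", "stub-zone", "auth-zone", "view",
                   "remote-control", "python", "dynlib", "cachedb", "rpz"}
# '#' starts a comment only at line start or after whitespace, so the
# "#authname" suffix of "9.9.9.9@853#dns.quad9.net" stays part of the value.
_COMMENT = re.compile(r"(^|\s)#.*$")

def parse_unbound_conf(text):
    """Return [(clause, {attr: [values]})]; attributes like forward-addr repeat."""
    clauses = []
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' line: {raw!r}")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key in CLAUSE_KEYWORDS and value == "":
            clauses.append((key, {}))
        elif not clauses:
            raise ValueError(f"attribute before any clause header: {raw!r}")
        else:
            clauses[-1][1].setdefault(key, []).append(value)
    return clauses

def _last(attrs, key, default):
    """Unbound honours the last occurrence of a repeated yes/no option."""
    return attrs.get(key, [default])[-1].lower()

def audit_upstream_tls(text):
    """Return findings; empty means every upstream query goes over TLS to an
    authenticated forwarder and nothing can fall back to plain recursion."""
    findings = []
    clauses = parse_unbound_conf(text)
    server = {}
    for name, attrs in clauses:
        if name == "server":
            for k, v in attrs.items():
                server.setdefault(k, []).extend(v)
    if _last(server, "do-udp", "yes") == "no":
        findings.append("server: do-udp: no also refuses UDP from clients (stub resolvers time out)")
    if "tls-cert-bundle" not in server and _last(server, "tls-system-cert", "no") != "yes":
        findings.append("server: no tls-cert-bundle/tls-system-cert, so #authname cannot be checked against a CA store")
    global_tls = _last(server, "tls-upstream", "no") == "yes"
    root_forwarded = False
    for name, attrs in clauses:
        zone = _last(attrs, "name", "?")
        if name == "stub-zone":
            findings.append(f"stub-zone {zone}: stub-addr servers are queried without TLS")
        if name != "forward-zone":
            continue
        root_forwarded |= zone == "."
        if _last(attrs, "forward-first", "no") == "yes":
            findings.append(f"forward-zone {zone}: forward-first: yes falls back to plain recursion")
        if not (global_tls or _last(attrs, "forward-tls-upstream", "no") == "yes"):
            findings.append(f"forward-zone {zone}: forward-tls-upstream is not yes")
        for addr in attrs.get("forward-addr", []):
            if "@853" not in addr:
                findings.append(f"forward-zone {zone}: {addr} lacks @853; unbound does not assume port 853")
            if "#" not in addr:
                findings.append(f"forward-zone {zone}: {addr} lacks #authname; the certificate is not authenticated")
    if not root_forwarded:
        findings.append("no forward-zone for '.': other names are recursed over plain port 53")
    return findings

# Constructed samples: RAYS_CONFIG mirrors the thread's forward-zone (the CA
# bundle path is an assumption); WEAK_CONFIG trips every check.
RAYS_CONFIG = """\
server:
  tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # assumed path
  do-udp: yes
forward-zone:
  name: "."
  forward-tls-upstream: yes
  # Quad9
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  #forward-addr: 149.112.112.112@853#dns.quad9.net
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""
WEAK_CONFIG = """\
server:
  do-udp: no
forward-zone:
  name: "."
  forward-first: yes
  forward-addr: 9.9.9.9
stub-zone:
  name: "corp.example"
  stub-addr: 192.0.2.53
"""

if __name__ == "__main__":
    for label, conf in (("ray", RAYS_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_upstream_tls(conf) or ["ok: all upstream queries over TLS"])
```

Feed your own file with `audit_upstream_tls(open("/etc/unbound/unbound.conf").read())`; `include:` directives are not followed, so run it on each included file too. The check is deliberately conservative: a `stub-zone` or a second forward-zone without TLS is reported even if it only covers an internal name, because that is exactly the "conflicting forward-zone or stub-zone" case George mentions, and a forwarder without `#authname` is reported because TLS without certificate authentication only hides the traffic from passive observers, not from an on-path resolver impersonating Quad9 or Cloudflare.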

I wish I was more up to speed on how all this worked. I am getting there...
So apologies for the apparent ignorance.

I have unbound running on a PC. It has the local network defined as
private-domain: - local-zone:, local-data, local-data-ptr: localhost: etc.

All other queries are forwarded to servers that support DoT.

forward-zone:
  name: "."
  forward-tls-upstream: yes
  # Quad9
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 2620:fe::9@853#dns.quad9.net
  #forward-addr: 149.112.112.112@853#dns.quad9.net
  # Cloudflare DNS
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com

There are no other DNS servers that rely on this one for any services
whatsoever; it's 100% standalone.

All queries to the internet go via the forward server, which supports DoT, so
that should be doing the donkeywork to the wider internet and returning the
results. Unbound, from the log file, does many queries to that server (all
using TLS authenticated over TCP) to gather all the information it requires
to either return the queried name as insecure or, if it has been signed,
check that the signature can be validated.

If DNSSEC fails you get a SERVFAIL and no useful data returned (e.g. no IP
address in the A or AAAA record).

If it's not been signed you get the data whatever; it's then up to you if you
think where you are sent is valid (e.g. when using a browser).

So at this point I can't see where UDP would be used? As far as I can see
there are no queries that go to other servers on the internet that are NOT
those defined in the forward list.

What am I missing?

Regards
Ray

Hi George,

OK I understand.

The use of UDP by Windows clients to "talk" to Unbound was not something I
had considered.

Thanks for clearing it up for me.

Ray