Hi all,
What's the recommended way to expose an unbound instance with the dns-over-https (doh) protocol?
Thanks!
--Martin
Front-ending with dnsdist works great. Here's a basic config:
--snip----
-- Accept queries from any client. Fine for an open/public resolver; narrow
-- these to your client ranges if the DoH front end is meant to be private.
addACL('0.0.0.0/0')
addACL('::/0')
-- Forward to the local unbound instance (port 53 is the default).
newServer({address="127.0.0.1", name="unbound-upstream"})
-- DoH listeners (v4 and v6): certificate chain, private key and URL path.
addDOHLocal("192.0.2.1:53", "/etc/ssl/fullchain.pem", "/etc/ssl/private/server.key", "/", {doTCP=true, reusePort=true})
addDOHLocal("[2001:db8::1]:53", "/etc/ssl/fullchain.pem", "/etc/ssl/private/server.key", "/", {doTCP=true, reusePort=true})
-- Packet cache in front of unbound so repeated queries never reach it.
pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
--snip----
More info at https://dnsdist.org/guides/dns-over-https.html
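For checking that a front end like the dnsdist config above actually speaks RFC 8484, here is a small Python client that builds a wire-format query, encodes it in both the GET (base64url `dns=` parameter) and POST (`application/dns-message`) forms, and parses the answer. This is an added example, not code from the thread or from dnsdist/unbound. The endpoint URL `https://doh.example.net/` is a placeholder you would replace with your own listener, and `SAMPLE_RESPONSE` is a constructed answer for `example.com`, not something captured from a real server.

```python
import base64
import struct
import urllib.request

# Placeholder for your own DoH listener; the dnsdist config above serves on path "/".
DOH_URL = "https://doh.example.net/"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query (RFC 1035): ID 0 (cache-friendly per RFC 8484), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form of RFC 8484: base64url without '=' padding in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def decode_dns_param(param: str) -> bytes:
    """Server-side view of doh_get_url: re-add padding and decode base64url."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(data: bytes):
    """Parse a DNS response; return (rcode, [(name, type, ttl, rdata_text), ...])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return rcode, answers


def query_doh(base_url: str, name: str, qtype: int = 1, timeout: float = 5.0):
    """POST form of RFC 8484; returns the parsed (rcode, answers) from the server."""
    req = urllib.request.Request(
        base_url, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.headers.get_content_type() != "application/dns-message":
            raise ValueError("server did not answer with application/dns-message")
        return parse_response(resp.read())


# Constructed sample response: example.com. IN A 203.0.113.5, TTL 300, answer name
# written as a compression pointer (c00c) back to the question name.
SAMPLE_RESPONSE = bytes.fromhex(
    "0000" "8180" "0001" "0001" "0000" "0000"
    "076578616d706c6503636f6d00" "0001" "0001"
    "c00c" "0001" "0001" "0000012c" "0004" "cb007105"
)

if __name__ == "__main__":
    print("GET URL:", doh_get_url(DOH_URL, build_query("example.com")))
    print("sample response parses as:", parse_response(SAMPLE_RESPONSE))
    try:
        print("live answer:", query_doh(DOH_URL, "example.com"))
    except Exception as exc:  # placeholder host is not expected to resolve
        print("live query skipped:", exc)
```

A front end is only "working" if the live call returns `application/dns-message` and rcode 0 for a name unbound can resolve; a 4xx/5xx or an HTML body usually means the TLS listener or the URL path in `addDOHLocal` does not match what the client is sending.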
FYI, coredns can expose unbound over dns-over-https: https://coredns.io/explugins/unbound/