Description
Current behavior
First of all, thank you very much for your contributions to the Unbound project. I am an enthusiastic user and have identified a potential feature that could improve user experience.
Currently, when adding DoT upstream servers to the Unbound service, the forward-addr: parameter only accepts IP:PORT.
```
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Try Google DoT server with IP@PORT
    forward-addr: 8.8.8.8@853
```

```
unbound-checkconf: no errors in local-test.conf
```

```
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Try Google DoT server with DOMAIN
    forward-addr: dns.google
```

```
[1722404185] unbound-checkconf[9868:0] error: cannot parse forward . ip address: 'dns.google'
[1722404185] unbound-checkconf[9868:0] fatal error: Could not set forward zones
```

```
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Try Google DoT server with DOMAIN@PORT
    forward-addr: dns.google@853
```

```
[1722404308] unbound-checkconf[9894:0] error: cannot parse forward . ip address: 'dns.google@853'
[1722404308] unbound-checkconf[9894:0] fatal error: Could not set forward zones
```
However, I have noticed that many DoT service providers, especially large internet companies, usually have multiple IP addresses, and sometimes use Anycast technology, resulting in a single domain name possibly corresponding to multiple IPv4 and IPv6 addresses.
For example, Cloudflare's DoT servers have multiple IP addresses. In such cases, manually adding all IP addresses can become tedious and error-prone.
Cloudflare supports DNS over TLS (DoT) on 1.1.1.1, 1.0.0.1, and the corresponding IPv6 addresses (2606:4700:4700::1111 and 2606:4700:4700::1001) on port 853.
If your DoT client does not support IP addresses, Cloudflare’s DoT endpoint can also be reached by hostname on one.one.one.one.
I discovered that some DNS forwarders or server software similar to Unbound support a feature called "Bootstrap DNS".
This feature allows users to only fill in the DoT server's domain name (port optional), and the system will resolve the domain name to the correct IP address through Bootstrap DNS during initialization.
Implementing this feature could offer the following benefits:
- Simplify the configuration process, reducing repetitive operations for users.
- Enhance system flexibility, automatically adapting to changes in DoT server IPs.
- Improve reliability, automatically switching to other available addresses when a particular IP is not usable.
Describe the desired feature
Introduce Bootstrap DNS functionality in Unbound, whereby the forward-addr: field can use DOMAIN@PORT when adding DoT servers.
If a user provides an IPv4 / IPv6 address, Unbound should use this specified IP exclusively.
If no IP is provided, Unbound would automatically resolve the server's domain name to its current IP addresses at startup, through the Bootstrap DNS mechanism.
Potential use-case
Utilize existing DNS infrastructure to provide "Bootstrap DNS"-like functionality:
- Use the regular upstream DNS servers (IP:PORT) set in Unbound (or the DNS servers in the system) to resolve DoT server domain names.
- This approach would leverage existing configurations to provide similar functionality without introducing new components.