Use at least version 1.5.5 of Unbound if you want to configure your
server with a certificate chain (support for intermediate certificates was
introduced in that version).
Version 1.6.7 or later is recommended, as it adds the udp-upstream-without-downstream option used below.
An example configuration file for Unbound that runs DNS-over-TLS on port 853 is below. Validate it with unbound-checkconf before restarting the daemon.
    server:
        directory: "/etc/unbound"
        username: unbound
        chroot: "/etc/unbound"
        # logfile: "/etc/unbound/unbound.log"   # uncomment to use a logfile.
        pidfile: "/etc/unbound/unbound.pid"
        # verbosity: 1   # uncomment and increase to get more logging.
        # Listen on all interfaces on port 853. Unbound only answers localhost by
        # default, so add access-control: entries for the clients that may query.
        interface: 0.0.0.0@853
        interface: ::0@853
        tls-service-key: "<path_to_private_key>"
        tls-service-pem: "<path_to_certificate_file>"
        tls-port: 853
        incoming-num-tcp: 1000   # Number of simultaneous incoming TCP connections per thread to allow
        # Do not listen on UDP, but still issue queries upstream over UDP.
        # Only available in 1.6.7 and later.
        do-udp: no
        udp-upstream-without-downstream: yes
        qname-minimisation: yes   # Enable QNAME minimisation to increase client privacy
Depending on how your certificate is issued, you may need to add the
intermediate certificate to your certificate file for clients to be able
to validate the chain. For example, if you use Let's Encrypt to create your
certificate you will need to append the intermediate certificate (found in
the /etc/letsencrypt/certs/000<N>_chain.pem file) to the certificate file
referenced by tls-service-pem, with the server certificate first. With
certbot, a ready-made combined file is also written to
/etc/letsencrypt/live/<domain>/fullchain.pem. A quick check is to connect
from a client that does strict chain validation: if the intermediate is
missing, the TLS handshake fails with a certificate verification error.
If you are using a version earlier than 1.6.7, the
udp-upstream-without-downstream option is not available, so leave those
two lines out; Unbound then also listens on UDP on port 853 with the above
configuration. If you want to disable UDP both upstream and downstream, use
do-udp: no on its own; however, this means all queries to authoritative
servers use TCP, which may lead to resolution failures.
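To check the listener from the client side, here is an added example in Python (it is not Unbound's code and not part of the original page): it sends one query over TLS with full certificate verification, which fails with ssl.SSLCertVerificationError if the intermediate certificate is missing from the tls-service-pem file, and then probes plain UDP on port 853 to confirm that do-udp: no took effect. The resolver address and names passed on the command line are placeholders you supply; the embedded sample response is constructed so that the parser can be exercised offline.

```python
"""Client-side checks for an Unbound DNS-over-TLS listener (added example).

Assumptions: the resolver listens on port 853; server_name is the name in
its certificate; command-line values are placeholders, not real servers.
"""
import socket
import ssl
import struct
import sys

TXID = 0x1234  # fixed transaction id so the parser can check the echo


def build_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """RFC 1035 wire-format query: header with RD set, one question, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP and over TLS prefix every message with a 2-byte length (RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a domain name, which may end in a 2-byte compression pointer."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(data: bytes, txid: int = TXID) -> list:
    """Return [(rtype, ttl, rdata)] for the answer section; A/AAAA rendered as text."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            text = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28 and rdlen == 16:
            text = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            text = rdata.hex()
        answers.append((rtype, ttl, text))
    return answers


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(host: str, server_name: str, name: str, qtype: int = 1,
              port: int = 853, timeout: float = 5.0) -> list:
    """One query over TLS. The default context verifies the chain against the
    system trust store, so a server that omits its intermediate certificate
    fails here with ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_tcp(build_query(name, qtype)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))


def udp_answers(host: str, name: str, port: int = 853, timeout: float = 2.0) -> bool:
    """True if plain UDP on the TLS port gets an answer, i.e. do-udp: no is not in effect."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (host, port))
        try:
            s.recv(512)
            return True
        except OSError:  # timeout, or ICMP port unreachable surfaced as an error
            return False


# Constructed sample: answer to "example.com A" with one record, 93.184.216.34, TTL 300.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22")

if __name__ == "__main__":
    print("offline parse:", parse_response(SAMPLE_RESPONSE))
    if len(sys.argv) == 4:  # usage: dot_check.py <resolver ip> <certificate name> <query name>
        ip, server_name, qname = sys.argv[1:4]
        print("TLS answers:", dot_query(ip, server_name, qname))
        print("UDP on 853 answered:", udp_answers(ip, qname))
```

A resolver configured as above should return answers from dot_query and False from udp_answers; a True there means the do-udp/udp-upstream-without-downstream lines were not applied (for example on a pre-1.6.7 build).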
Also, in older versions of Unbound the tls-* parameters were called
A Docker image, kindly provided by Lard de Bruin, is also available.