Use at least version 1.5.5 of Unbound if you want to configure your server with a certificate (as support for intermediate certificates was introduced in this version).
Version 1.6.7 or later is recommended.
An example configuration file for Unbound that runs DNS-over-TLS on port 853 is below.
Depending on how your certificate is issued you may need to add the intermediate certificate to your certificate file so that clients are able to validate it. For example, if you use Let's Encrypt to create your certificate you will need to add the intermediate certificate (found in the <N>_chain.pem file) to the cert file.
If you are using a version earlier than 1.6.7 then Unbound also listens on UDP on port 853 with the above configuration. If you want to disable UDP both upstream and downstream then use
however this means all queries to authoritative resolvers use TCP, which may lead to resolution failures.
Also note that in older versions of Unbound the tls-* parameters were called ssl-*.
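The listener setup described above, as an added example (this is not the page's own configuration file): an Unbound 1.6.7+ server block serving DNS-over-TLS on port 853 with a full-chain certificate. The file paths, interface addresses and the access-control range are assumptions; substitute your own.

```conf
# Added example config (not the page's own). Paths, addresses and the
# access-control range below are assumed values for illustration.
server:
    # Accept DoT connections on port 853 on all IPv4 and IPv6 addresses.
    # The @port suffix marks this listener as TLS-only once tls-port matches.
    interface: 0.0.0.0@853
    interface: ::0@853

    # Port on which Unbound expects TLS; must match the @853 listeners above.
    tls-port: 853

    # Private key and certificate for the listener.
    # The .pem file must contain the full chain: the server certificate
    # followed by the intermediate certificate(s). For Let's Encrypt this
    # means concatenating cert.pem and the <N>_chain.pem file; the
    # resulting fullchain.pem path used here is an assumption.
    tls-service-key: "/etc/unbound/dot/privkey.pem"
    tls-service-pem: "/etc/unbound/dot/fullchain.pem"

    # On Unbound versions before 1.6.7 the two options above are spelled
    # ssl-service-key / ssl-service-pem and tls-port is ssl-port.

    # Limit who may query the resolver (assumed private range).
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow

    # Do not reveal the software version or host name to clients.
    hide-identity: yes
    hide-version: yes
```

Run `unbound-checkconf` against the file before restarting the service; it reports a missing or unreadable key or certificate file, but it does not verify that the certificate chain is complete, so test validation from a client as well.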
A docker image kindly provided by Lard de Bruin is also available.