I recently installed unbound-daemon and ca-bundle with the goals
- use unbound with DNSSEC and DNS over TLS
- configure multiple dns providers (in case one is down)
- use unbound as default DNS provider if there is nothing else configured (instead of my ISP's DNS server)
- (later): maybe use adblock with this
I tried to follow the unbound readme: https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md with the parallel dnsmasq option
There are several guides regarding unbound, and all are differnent enough to cause confusion about what are the "right" settings...
Anyway, with this guide I can set the DNS in unbound and it is actually used (according to DNS leak test), so it basically works.
In /etc/config/unbound I have
config zone option enabled '1' option zone_type 'forward_zone' option fallback '0' option tls_upstream '1' option tls_index 'cloudflare-dns.com' option tls_port '853' list zone_name '.' list server '220.127.116.11' list server '18.104.22.168' list server '22.214.171.124@853#dns.google' list server '126.96.36.199@853#dns.quad9.net'
now for the questions:
- this looks like cloudflare is 'main' and the others are 'secondary' DNS providers. Is there actually any difference? If I make one copy of the zone for each DNS provider, then only one is used. (I actually plan to use different and maybe less reliable DNS servers later, but any should be fine for testing)
- what does the fallback option do? It is not set in other guides, and I don't understand the explanation from the readme: 'Permit normal recursion when the narrowly selected servers in this zone are unresponsive or return empty responses'
- according to https://dnssec.vs.uni-due.de/ DNSSEC does not work. What is wrong with my config?
- how can I reliably check whether DNS over TLS is working?