Problem with combining DoT, DoH and DNScrypt using unbound and dnscrypt-proxy

Call me crazy, but I wanted to combine the ability to resolve DNS via TLS, via HTTPS and using DNScrypt.

For that I use unbound on port 53 and forward "." to dnscrypt-proxy v2 on port 5353.
Using DoH and DNScrypt through dnscrypt-proxy works, and using DoT in unbound works.

But using BOTH in parallel does NOT work for me and I am looking for a solution.
I hope you can help me.

The current part of the forward-zone for "." looks as follows:

forward-zone:
    name: "."
    forward-first: no
    forward-tls-upstream: no
    forward-addr: 127.0.0.1@5353 # dnscrypt-proxy running on localhost (no TLS upstream!)

    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

The intention is to resolve via dnscrypt-proxy which is using various remote DoH and DNScrypt resolvers, and also to use in parallel the Cloudflare DNS resolvers via DoT.

However, it seems to me that the "forward-tls-upstream" directive can be used only once per "forward-zone". If that were true, then I could use either dnscrypt-proxy or DoT resolvers for the same forward-zone, but not both. That would be a pity.

Do you know a way to make both work for the same forward-zone?

You can do whatever you want with dnsmasq + proxies of your choice (stubby, dnscrypt, etc.); I see no need to install unbound.
You will need to use --all-servers with dnsmasq:

By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester.

AndrewZ, that may be, but since I already have unbound in place for DoT, it would be easier to get that to work instead of installing stubby and reconfiguring everything back to dnsmasq.

If wanting to run your own DNSCrypt server, unbound provides a dnscrypt server implementation if compiled with --enable-dnscrypt, which however is not the case for the unbound package as compiled in OpenWrt.


That aside, it is not really clear what you want to achieve since

vs

is not the same; at least, combine and parallel are different semantics. What do you mean by parallel?


bears no relevance to which servers unbound chooses to forward DNS queries to, since it pertains to TLS for transport.

You can enumerate an unlimited number of forward-addr: entries per each forward-zone: name: and unbound will utilize those in a round-robin fashion unless otherwise specified.
Hence, unbound forwards DNS queries either to the local dnscrypt-proxy instance or to one of the WAN DoT instances, which would meet the combine semantics.

Since this is not really OpenWrt specific it might be worthwhile to peruse the unbound documentation.

@anon45274024: lemme clarify. If you look closely at the config that I have posted, you will notice that the remote DoT servers use TLS while the local dnscrypt-proxy instance does not use TLS.
The problem is that it seems not to be possible to have, for the same forward zone, some servers which use TLS and some that do not.

I hope it is clearer now; if not, lemme know.

Of course I have consulted the unbound documentation but it does not specify this topic conclusively. I have not checked the source code, though.

Indeed, and though it dawned on me later, that pinpoints the issue.

Afaik

applies to the entire forward-zone and not selectively per forward-addr | forward-host.
But I might be wrong and you find better counsel via the unbound-users mailing list instead.
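The thread's two technical points are that unbound round-robins over every forward-addr in a zone and that forward-tls-upstream is a zone-wide switch rather than a per-address one. The following linter is an added example, not code from the thread or from unbound itself: it parses forward-zone blocks in the format shown above and flags the mismatch the original poster hit. It assumes, as the last reply says, that the directive applies to the whole zone, and additionally assumes that when the directive is repeated the last occurrence wins (that second point is an assumption, not something the thread confirms). The sample configuration embedded below is a constructed copy of the block posted in the question.

```python
"""Lint unbound forward-zone blocks for TLS / plaintext upstream mismatches (added example)."""
import re

# Constructed sample: the forward-zone from the question, verbatim.
SAMPLE_CONFIG = """\
forward-zone:
    name: "."
    forward-first: no
    forward-tls-upstream: no
    forward-addr: 127.0.0.1@5353 # dnscrypt-proxy running on localhost (no TLS upstream!)

    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
"""

# host[@port][#auth-name]; host may be an IPv6 literal, so it may itself contain ':'.
_ADDR_RE = re.compile(r"^(?P<host>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def _strip_comment(line):
    # '#' starts a comment only at line start or after whitespace; inside a
    # forward-addr value it separates the TLS auth name (1.1.1.1@853#name).
    m = re.search(r"(^|\s)#", line)
    return line[:m.start()] if m else line


def parse_forward_zones(text):
    """Return one dict per forward-zone: block with its name, TLS settings and addresses."""
    zones, cur = [], None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")  # first ':' ends the key, even for IPv6 values
        key, value = key.strip(), value.strip()
        if key == "forward-zone":
            cur = {"name": None, "tls_settings": [], "addrs": []}
            zones.append(cur)
        elif cur is None:
            continue  # options outside a forward-zone block are ignored here
        elif key == "name":
            cur["name"] = value.strip('"')
        elif key == "forward-tls-upstream":
            cur["tls_settings"].append(value.lower() == "yes")  # keep every occurrence
        elif key == "forward-addr":
            m = _ADDR_RE.match(value)
            if not m:
                raise ValueError(f"unparseable forward-addr: {value!r}")
            cur["addrs"].append({"host": m.group("host"),
                                 "port": int(m.group("port") or 53),
                                 "auth": m.group("auth")})
    return zones


def lint_zone(zone):
    """Findings for one zone: repeated TLS switch, and addresses that contradict it."""
    findings = []
    settings = zone["tls_settings"]
    # Assumption: the directive is zone-wide and the last occurrence wins; default is no.
    effective_tls = settings[-1] if settings else False
    if len(settings) > 1:
        findings.append(
            f'zone "{zone["name"]}": forward-tls-upstream set {len(settings)} times; '
            f'it is zone-wide, so the last value ({"yes" if effective_tls else "no"}) '
            f"applies to every forward-addr in the zone")
    for a in zone["addrs"]:
        where = f'{a["host"]}@{a["port"]}'
        looks_tls = a["port"] == 853 or a["auth"] is not None
        if effective_tls and not looks_tls:
            findings.append(f"{where}: zone uses TLS upstream but this address has no auth "
                            f"name and is not on 853; a plaintext resolver here will not work")
        elif not effective_tls and looks_tls:
            findings.append(f"{where}: zone does not use TLS upstream, so the auth name is "
                            f"ignored and queries would go in plaintext to port {a['port']}")
    return findings


def lint_config(text):
    """Parse every forward-zone in the text and return all findings."""
    return [f for z in parse_forward_zones(text) for f in lint_zone(z)]


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run it on the posted block and it reports two findings: the directive is set twice, and 127.0.0.1@5353 (the dnscrypt-proxy path) is the address left behind once TLS applies to the whole zone. Because both addresses are in the same round-robin pool, that is exactly the case where one share of queries would fail while the Cloudflare DoT share keeps working.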