On Tue, 2018-05-01 at 16:40 +0200, Peter Müller wrote:
> Hello,
>
> > The unbound init and the cgi scripts use dig 9.11.3, which has no
> > native support for TLS. I'm trying to configure stunnel to act as MITM
> > so that dig can succeed. I hope to restrict unbound to port 853 for
> > listen and send, and use stunnel to listen on port 53 and forward to
> > 853.
>
> as far as I am aware, the knot-utils from CZ.NIC are capable of
> DNS over TLS. Maybe we should think about moving to them, or wait
> until bind-utils/dig are updated (not sure if we are running the latest
> version anyway).
>
> Best regards,
> Peter Müller

I don't mind continuing with unbound, as it seems to be in active development and is well documented.

Based on my (failing) testing, I'm abandoning using stunnel, and will wait for a version of dig with native TLS support. Until then, I'm using https://gitlab.com/snippets/1706804 to get around my (only one available) ISP munging DNS.

Best regards,
Paul
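The layout Paul sketches in the quoted message (unbound listening and sending only on 853 over TLS, stunnel accepting plain DNS on 127.0.0.1:53 and wrapping it in TLS toward 853) can be staged with the following script. This is an added example, not code from the thread or from the unbound/stunnel projects; the staging directory, the key and certificate paths, the upstream resolver address and the `tls-*` option spelling (unbound 1.7.0 or newer; older releases use `ssl-*`) are assumptions to adjust for the system in question.

```shell
#!/bin/sh
# Added example, not from the list thread: stage an stunnel client config and
# an unbound config for the split described above. unbound serves DNS-over-TLS
# on 127.0.0.1:853 and forwards only over TLS; stunnel turns plain DNS-over-TCP
# on 127.0.0.1:53 into TLS toward 853. Every path, file name and the upstream
# resolver below is an assumption; adjust before copying anything into place.
set -eu

STAGE="${STAGE:-./dot-stage}"                 # assumed staging directory
UPSTREAM_DOT="${UPSTREAM_DOT:-1.1.1.1@853}"   # example DoT resolver; pick one you trust

# stunnel in client mode: plaintext TCP in on 53, TLS out to unbound on 853.
# verifyPeer pins the local unbound certificate, so anything else answering on
# 853 with a different certificate is rejected instead of silently used.
stunnel_conf() {
    cat <<'EOF'
foreground = no
pid = /var/run/stunnel-dns.pid

[dns-to-dot]
client = yes
accept = 127.0.0.1:53
connect = 127.0.0.1:853
verifyPeer = yes
CAfile = /etc/unbound/dot_server.pem
EOF
}

# unbound: listen only on the TLS port and use TLS for every upstream query.
# tls-cert-bundle is what makes the upstream leg authenticated rather than
# merely encrypted; without it unbound cannot validate the resolver's cert.
unbound_conf() {
    cat <<EOF
server:
    interface: 127.0.0.1@853
    tls-port: 853
    tls-service-key: /etc/unbound/dot_server.key
    tls-service-pem: /etc/unbound/dot_server.pem
    tls-upstream: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-addr: ${UPSTREAM_DOT}
EOF
}

# Write both files into the staging directory and report where they went.
stage_configs() {
    mkdir -p "$STAGE"
    stunnel_conf > "$STAGE/stunnel-dns.conf"
    unbound_conf > "$STAGE/unbound.conf"
    printf 'staged: %s/stunnel-dns.conf %s/unbound.conf\n' "$STAGE" "$STAGE"
}

# The dig invocation to test the chain. stunnel only proxies TCP and dig
# queries over UDP by default, so a query without +tcp never reaches the
# tunnel and simply times out.
dig_command() {
    printf 'dig +tcp @127.0.0.1 -p 53 %s A\n' "${1:-example.com}"
}

if [ "${1:-}" = "stage" ]; then
    stage_configs
    dig_command
fi
```

Run it as `sh dot-stage.sh stage` to write the two files under `./dot-stage` and print the dig command to test with; the `stage` argument keeps the functions inert when the file is merely sourced. The point worth keeping from the `+tcp` note is that a UDP-only client test tells you nothing about whether the TLS leg works, because the UDP packets never reach stunnel at all.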