From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Thu, 03 May 2018 17:03:09 +0100
Message-ID: <1525363389.2479471.302.camel@ipfire.org>
In-Reply-To: <1525194989.28527.7.camel@gmail.com>

Hey,

well I would actually like to get rid of as much of that shell stuff in
that initscript as we can. This is just a bit too much testing and no
matter how much we tune that will never be where it should be.

I wrote a little blog post about this today:

https://www.lightningwirelabs.com/2018/05/03/dns-over-tls-now-available-on-our-resolvers

There is more to come...

Best,
-Michael

On Tue, 2018-05-01 at 12:16 -0500, Paul Simmons wrote:
> On Tue, 2018-05-01 at 16:40 +0200, Peter Müller wrote:
> > Hello,
> > 
> > > The unbound init and the cgi scripts use dig 9.11.3, which has no
> > > native support for TLS. I'm trying to configure stunnel to act as
> > > MITM so that dig can succeed. I hope to restrict unbound to port 853
> > > for listen and send, and use stunnel to listen on port 53 and forward
> > > to 853.
> > 
> > as far as I am aware, the knot-utils from CZ.NIC are capable of
> > DNS over TLS. Maybe we should think about moving to them, or wait
> > until bind-utils/dig are updated (not sure if we are running the
> > latest version anyway).
> > 
> > Best regards,
> > Peter Müller
> 
> I don't mind continuing with unbound, as it seems to be in active
> development and is well documented.
> 
> Based on my (failing) testing, I'm abandoning using stunnel, and will
> wait for a version of dig with native TLS support.
> 
> Until then, I'm using https://gitlab.com/snippets/1706804 to get around
> my (only one available) ISP munging DNS.
> 
> Best regards,
> Paul
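The wiring Paul describes (unbound restricted to port 853 for listening and for upstream queries, stunnel bridging a TLS-unaware dig on port 53 to 853), written out as an added example; it is not taken from the thread or from IPFire, and the file paths, the upstream address and the unbound 1.7-style option names are assumptions.

```conf
# --- /etc/unbound/unbound.conf (fragment; assumed path) ---
server:
    # Accept queries only over TLS on 853; nothing listens on plain 53.
    interface: 127.0.0.1@853
    tls-port: 853
    # Assumed paths to the resolver's own certificate and private key.
    tls-service-key: "/etc/unbound/unbound-tls.key"
    tls-service-pem: "/etc/unbound/unbound-tls.pem"
    # CA bundle used to verify the upstream resolver's certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-bundle.crt"

forward-zone:
    name: "."
    # Send every upstream query over TLS to a DoT resolver
    # (192.0.2.53 is a documentation-range placeholder).
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853

# --- /etc/stunnel/stunnel.conf (fragment; assumed path) ---
# Client-mode tunnel: dig sends plain DNS over TCP to 127.0.0.1:53,
# stunnel wraps it in TLS and hands it to unbound on 853.
[dns-tls-bridge]
client = yes
accept = 127.0.0.1:53
connect = 127.0.0.1:853
# Trust only unbound's own certificate; verify = 2 rejects any other peer.
CAfile = /etc/unbound/unbound-tls.pem
verify = 2
```

stunnel carries TCP only, so the check has to be `dig +tcp @127.0.0.1 -p 53 example.org`; a UDP query to port 53 gets no answer in this setup.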