Running a fresh install of IPFire 2.27 (x86_64) - Core Update 160
I would like to configure my ipfire box so that it provides a DNS over TLS service to the network clients in the green network.
“Protocol for DNS queries” is of course set to TLS in the Domain Name System admin page but that does not seem to enable the local TLS service on port 853.
What am I missing? Am I supposed to just add port 853 entries to /etc/unbound/unbound.conf myself? (nobody has an example in that case?)
Current unbound.conf (not changed after installation):
#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#
server:
# Common Server Options
chroot: ""
directory: "/etc/unbound"
username: "nobody"
do-ip6: no
# System Tuning
include: "/etc/unbound/tuning.conf"
# Logging Options
use-syslog: yes
log-time-ascii: yes
# Unbound Statistics
statistics-interval: 86400
extended-statistics: yes
# Prefetching
prefetch: yes
prefetch-key: yes
# Privacy Options
hide-identity: yes
hide-version: yes
# DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
val-log-level: 1
log-servfail: yes
# Hardening Options
harden-large-queries: yes
harden-referral-path: yes
aggressive-nsec: yes
# TLS
tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
# Harden against DNS cache poisoning
unwanted-reply-threshold: 1000000
# Listen on all interfaces
interface-automatic: yes
interface: 0.0.0.0
# Allow access from everywhere
access-control: 0.0.0.0/0 allow
# Timeout behaviour
infra-keep-probing: yes
# Bootstrap root servers
root-hints: "/etc/unbound/root.hints"
# Include DHCP leases
include: "/etc/unbound/dhcp-leases.conf"
# Include hosts
include: "/etc/unbound/hosts.conf"
# Include any forward zones
include: "/etc/unbound/forward.conf"
remote-control:
control-enable: yes
control-use-cert: no
control-interface: 127.0.0.1
# Import any local configurations
include: "/etc/unbound/local.d/*.conf"