TLS in Recursor Mode?

I have disabled my ISP-provided DNS in ipfire and have not specified any additional external DNS provider, which basically means ipfire is running in recursor mode.

My ISP is a mischievous one and randomly blocks certain domains via DNS censorship. They even blocked Github at one point and took 5 days to fix it. Because it is so difficult to explain an issue to them, I started using DNS over TLS until they fix these broken sites. If is blocked by my ISP, they intercept any DNS query for and inject a dummy response containing an invalid IP. (I am not sure how, with DNSSEC enabled, this injection is not picked up, but that is a different story.)

So when I enabled recursor mode, I realized the sites known to be broken on my ISP are the same sites that are still not accessible in recursor mode. This does not happen if I use an external DNS provider with TLS enabled. When I looked at the traffic from the firewall to red, I noticed that in recursor mode Unbound is querying the root name servers over UDP port 53, which means these are plaintext (unencrypted) queries, which explains why my ISP is able to intercept them.

The "Protocol for DNS queries" setting is set to "TLS". So why are recursor mode DNS queries unencrypted? Is it by design? Can I change it so that the root name servers are queried over TLS on port 853 instead of port 53?

Hi Avinesh,

Have you seen this page on ipfire wiki?

There’s a link on that page to publicly available DNS over TLS servers which can be used for your DNS config.

I personally have stayed away from ISP DNS servers for the very reasons you share.

DNS response times are also much faster when using non ISP resolvers.

Thank you for sharing the link Robert.

While I can still use external providers that support DNS over TLS, I wanted to know why DNS over TLS does not work in recursor mode. Am I running into a bug, or is this not supported?

The reason why I prefer not to use the external DNS providers is that then one organization knows all of my internet history. If I could somehow make DNS over TLS work in recursor mode that would be great, and I am willing to bear the added latency.

Hi buddy,

I’m not sure what exactly isn’t working with your DoT setup, but it’s designed to secure the “last mile”. In other words, the flow from the forwarder/client to the recursor. I believe there is a taskforce investigating the encryption of the full DNS flow, but I’m not certain when it will be available (root+TLD).

This leaves you with roughly four options to mitigate:

  1. QNAME minimisation, you might be able to ‘fool’ your ISP by not providing much info on what you’re querying.
  2. Use a public recursor like OpenDNS/CloudFlare etc. (one which protects your privacy best)
  3. Install a recursor in the cloud, they typically don’t censor internet access and use that as your external recursor with DoT
  4. Use DoH (DNS over HTTPS):
  • the good: it uses HTTPS and is obfuscated by default, because it can’t be identified as DNS traffic
  • the bad: only a few resolvers exist and they are typically known, so if they want to censor you, they just block access to those servers. Also, this leaves you little room for control on the DNS layer for your own protection (e.g. against malware and C2)

Hi Rachid, thank you for throwing some light on this.

I’m not sure what exactly isn’t working with your DoT setup

I was under the impression that if I run Unbound in recursor mode and enable “TLS”, all the DNS queries will use DoT, i.e. I will never see port 53 in the query chain. So if I query for, the recursor will first query the NS responsible for the ORG zone, and then query the NS responsible for the IPFIRE.ORG zone, and I expect both of these queries to happen over port 853, which doesn’t seem to be happening.

  • QNAME minimisation, you might be able to ‘fool’ your ISP by not providing much info on what you’re querying.

I set QNAME minimisation to strict but my ISP was still able to intercept the DNS query.

Thank you for your suggestion. If this is by design, then I guess my best bet would be to set up a recursor on a VPS and use it with DoT.

Interestingly though, if I keep everything unchanged and set the DNS query protocol to “TCP”, whatever DNS censorship method my ISP is using breaks and my DNS queries get resolved normally.

Is it possible that your ISP is only filtering DNS traffic over UDP but not over TCP?

I think it’s very much possible that they do plain old UDP/53 filtering and every other implementation of DNS breaks their censorship :wink: It wouldn’t surprise me; filtering ALL DNS possibilities would be a maintenance nightmare anyway, so they stick to UDP/53 and leave the rest (the 80/20 rule).

To answer this question: no, using DNS over TLS does not work while running in recursor mode.

It is neither being standardised nor an easy task to implement: running a full recursive resolver requires DNS queries to nameservers you don’t even know about before a user makes a DNS query. That way, there is no way to establish a trusted TLS connection (since you have no FQDN/SNI information at hand). Worse, plenty of nameservers will not be reachable via TLS, and opportunistically falling back to plain text introduces performance issues and contradicts the security intention.

To cut it short: Sorry, DoT is not possible in recursive mode.

Thanks, and best regards,
Peter Müller

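The following is an added example and is not code from this thread, from IPFire or from Unbound. It turns two points raised above into a check you can run yourself: the observation that switching the query protocol to TCP defeats the ISP's filtering (suggesting UDP/53-only interception), and Peter's point that DoT needs a hostname to validate the server certificate against, which a referral to a root or TLD server never gives you (you only learn an IP address). The script builds a minimal DNS A query, sends the same query to one resolver over UDP/53, TCP/53 and DoT on TCP/853, and compares the returned addresses. The resolver 1.1.1.1 with the TLS name cloudflare-dns.com is an assumption (any resolver that answers on both 53 and 853 will do); the two sample response byte strings are constructed for offline testing, not captured traffic.

```python
"""Compare one resolver's answer for the same name over UDP/53, TCP/53 and DoT/853.

Added example for the IPFire forum thread above; not IPFire or Unbound code.
Uses only the Python standard library.
"""
import socket
import ssl
import struct


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header, QNAME, QTYPE (1 = A), QCLASS IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> set:
    """Return the set of IPv4 addresses found in the answer section."""
    _qid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def verdict(udp: set, reference: set) -> str:
    """Classify the UDP/53 answer against a TCP or DoT answer for the same name."""
    if udp == reference:
        return "consistent"
    if udp & reference:
        return "overlap"   # e.g. round-robin or CDN rotation between two queries
    return "disjoint"      # UDP shares nothing with the reference: injection suspect


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-response")
        data += chunk
    return data


def _tcp_exchange(sock, q: bytes) -> bytes:
    sock.sendall(struct.pack(">H", len(q)) + q)  # DNS over TCP: 2-byte length prefix
    (length,) = struct.unpack(">H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def query_udp(server: str, q: bytes, timeout: float = 3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recv(4096)


def query_tcp(server: str, q: bytes, timeout: float = 3.0) -> bytes:
    with socket.create_connection((server, 53), timeout=timeout) as s:
        return _tcp_exchange(s, q)


def query_dot(server: str, hostname: str, q: bytes, timeout: float = 3.0) -> bytes:
    """DoT: TLS on 853 with certificate validated against `hostname` (SNI).
    A root/TLD referral gives you only an IP, so there is nothing to validate against."""
    ctx = ssl.create_default_context()  # verifies CA chain and hostname
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as s:
            return _tcp_exchange(s, q)


# Constructed sample responses for offline use (not captured traffic).
_QUESTION = build_query("ipfire.org")[12:]
_RR_HEAD = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # ptr name, A, IN, TTL 3600, len 4
_RESP_HDR = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_RESPONSE = _RESP_HDR + _QUESTION + _RR_HEAD + socket.inet_aton("203.0.113.10")
SAMPLE_INJECTED_RESPONSE = _RESP_HDR + _QUESTION + _RR_HEAD + socket.inet_aton("127.0.0.1")

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "ipfire.org"
    server, dot_name = "1.1.1.1", "cloudflare-dns.com"  # assumption: any DoT resolver works
    q = build_query(name)
    answers = {
        "udp/53": parse_a_records(query_udp(server, q)),
        "tcp/53": parse_a_records(query_tcp(server, q)),
        "dot/853": parse_a_records(query_dot(server, dot_name, q)),
    }
    for proto, a in answers.items():
        print(f"{proto:8} {sorted(a)}")
    print("udp vs tcp:", verdict(answers["udp/53"], answers["tcp/53"]))
    print("udp vs dot:", verdict(answers["udp/53"], answers["dot/853"]))
```

Run it with a name your ISP is known to break; a "disjoint" verdict for UDP against both TCP and DoT, with TCP and DoT agreeing, is the signature of UDP/53-only injection described in the thread. Note that `query_dot` cannot be pointed at a root or TLD server: there is no certificate to check and no hostname to put in SNI, which is exactly why Unbound queries them in plaintext.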