Unbound using TLS - not working as recursive DNS server anymore?

I was playing around a bit this afternoon and used this tutorial Configuring unbound as DNS resolver with DNS-over-TLS and DNSSEC to enable TLS.

Now I'm wondering: is Unbound acting as recursive DNS resolver, contacting authoritative DNS servers directly, or is it now using external DNS providers, in fact thus not acting as a recursive server anymore?

Noob question I guess - apologies beforehand.
(btw, it is all working well, so there is no specific issue)

Unbound will only contact the resolvers indicated in the config:

# upstream resolver settings
forward-zone:
    name: "."
    forward-addr: 2a05:
    forward-addr: 2a01:
    forward-addr: 2a02:
    forward-addr: 2a03:
1 Like

Thanks!
So does that mean it still acts as a recursive DNS server, and contacts authoritative DNS servers for DNS lookups?
In that case, how could I make sure the list of resolving servers that is used is the one that is used normally with a 'standard' Unbound installation (i.e. without the mods for TLS)? Could I just take out the forward-zone part?

No, it will only contact the forward-addr servers.

Clear - so if I take out the forward-zone part of the config, it will act as a recursive DNS server again?

If you take those out then there's no DoT function, and if you're not using DoT then just follow Redirecting... instead. That's what we can support and offer guidance on.

OK.
So it's either DoT or have Unbound as recursive DNS then?

Yes, root servers don't speak DoT.

1 Like

Yes.

Configure unbound as a recursive resolver (with no forwarding) and it will get the IPs directly from the nameservers as described in the unbound guide in our docs.

Configure unbound as a forwarding resolver, and it no longer communicates with the authoritative nameservers. It gets the IPs from the recursive resolver you specified.

My opinion - you get better privacy going to the nameservers directly when running unbound as a recursive resolver. No upstream DNS provider has your DNS history. And, with encrypted DNS you hide very little from your ISP, as they see all the requests for IPs in clear text. After you get the IP through encrypted means (all hidden from the ISP), then you immediately send this IP to the ISP. With not much effort they can figure out where you are browsing.

2 Likes

Makes a lot of sense @jfb.
Decided to follow your advice and go back to having Unbound as recursive resolver.

1 Like
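As an added illustration, not part of this thread, a small Python script that reads an unbound.conf and reports whether the root zone "." is resolved recursively or forwarded, and, when forwarded over TLS, whether every upstream is actually authenticated (CA bundle plus `@853#name`). The option names are Unbound's own; the sample configs and their addresses are constructed placeholders.

```python
import re

def parse_unbound(text):
    """Parse unbound.conf text into [(clause, {option: [values]})] in file order."""
    clauses = []
    for raw in text.splitlines():
        # Drop comments; a '#' glued to a token (addr@853#host) is a DoT auth name, not a comment
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if re.match(r"^[\w-]+:\s*$", line):  # clause header such as "server:" or "forward-zone:"
            clauses.append((line.strip()[:-1], {}))
            continue
        key, _, value = line.strip().partition(":")
        if clauses:
            clauses[-1][1].setdefault(key.strip(), []).append(value.strip().strip('"'))
    return clauses

def resolver_mode(text):
    """'recursive' (Unbound walks down from the root servers itself), 'forwarding-plain'
    (upstreams on port 53), 'forwarding-dot' (TLS, every upstream authenticated by name)
    or 'forwarding-dot-unauthenticated' (TLS on, but name verification is incomplete)."""
    clauses = parse_unbound(text)
    server = {k: v for c, o in clauses if c == "server" for k, v in o.items()}
    for clause, opts in clauses:
        if clause != "forward-zone" or opts.get("name", [""])[0] != ".":
            continue
        if opts.get("forward-tls-upstream", ["no"])[0] != "yes":
            return "forwarding-plain"
        # Name verification needs a CA store plus @853#auth-name on every upstream
        has_ca = "tls-cert-bundle" in server or server.get("tls-system-cert", ["no"])[0] == "yes"
        addrs = opts.get("forward-addr", [])
        if has_ca and addrs and all(re.search(r"@853#\S+$", a) for a in addrs):
            return "forwarding-dot"
        return "forwarding-dot-unauthenticated"
    return "recursive"

# Constructed sample configs; addresses are documentation placeholders, not real upstreams
FORWARDING_DOT = """\
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 2001:db8::53@853#dot.example.net
    forward-addr: 192.0.2.53@853#dot.example.net
"""
RECURSIVE = """\
server:
    root-hints: "/var/lib/unbound/root.hints"
"""
```

Feed it the complete configuration, including the contents of any `include:` files, since a forward-zone living in an included file changes the answer.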