The recent announcement of Cloudflare's new privacy-focused recursive DNS service 1.1.1.1 prompted me to revisit the options for encrypted recursive DNS and finally enable DNS over TLS on my workstations.

As a brief reminder, Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) improve privacy online by using symmetric encryption to prevent eavesdropping and using public-key cryptography to authenticate recipients.

Due to increasing awareness and new revelations regarding sophisticated spying operations by governments and corporations, there has been a significant increase in the adoption of HTTPS (HTTP over TLS) over the past several years. According to Google, over 68% of Chrome traffic on Android and Windows is now protected.

However, recursive DNS, which is used before an HTTPS connection can be established, remains largely vulnerable to the same attacks that are used against unencrypted HTTP.

Fortunately, there are several options for protecting recursive DNS, including DNS over TLS, DNS over HTTPS, and DNSCrypt. Each option has various tradeoffs and may not be available depending on your specific operating system and internet provider. For example, you will need to ensure that the relevant ports are not blocked.

Unbound is a DNS resolver with native support for DNS over TLS. In version 1.7.0 you can use the appropriately named forward-tls-upstream option, while the same option was named forward-ssl-upstream in version 1.6.0. Older versions supported the global ssl-upstream option.

To set up a forwarding resolver with Unbound, simply create a forward-zone entry with name "." and the appropriate upstream addresses. Cloudflare supports DNS over TLS on 1.1.1.1 and 1.0.0.1 on port 853. The final result in your unbound.conf should look something like this:

server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

It is necessary to specify tls-cert-bundle to enable TLS certificate verification and the forward-addr suffix '#cloudflare-dns.com' to specify the expected subject name on the certificate.

Additional reading:

• Cloudflare Blog: Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service
• Google Security Blog: DNS over TLS support in Android P Developer Preview
• Google Security Blog: A secure web is here to stay
• Ars Technica: How to keep your ISP’s nose out of your browser history with encrypted DNS
• NLnet Labs Documentation - Unbound - unbound.conf.5
• Arch Linux Wiki: Unbound