DNS – How to configure Unbound to validate a DNS over TLS server’s certificate

Tags: dns, unbound

I have configured Unbound to use DNS over TLS using the following configuration. How can I configure Unbound to validate the upstream certificate against a hostname?

forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853
        forward-addr: 1.0.0.1@853
        forward-addr: 2606:4700:4700::1111@853
        forward-addr: 2606:4700:4700::1001@853
        forward-tls-upstream: yes

Best Answer

The bug report for adding support for validating the upstream DNS server's certificate was resolved on April 19, 2018.

Adapting the example from comment 9:

server:
        # CA store used to verify the upstream server's certificate chain
        tls-cert-bundle: "/etc/pki/tls/certs/ca-bundle.crt"
forward-zone:
        name: "."
        # <ip>@<port>#<auth-name>: DoT listens on 853, and the name after '#'
        # must appear in the upstream certificate (no spaces around '@' or '#')
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        forward-tls-upstream: yes

There's also an explanation of how it works - the hashtag name allows the TLS authentication name to be set for stub-zones and with `unbound-control` forward control commands. There should be no spaces around the '@' and '#'.
