In a DNS over TLS config, every connection upstream to root servers gives an SSL error. Cannot resolve hostnames because of this problem:
sep 21 15:45:58 Kali systemd[1]: Started unbound.service - Unbound DNS server.
sep 21 15:46:02 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:02 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.9.14.201 port 53
sep 21 15:46:02 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:02 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.9.14.201 port 53
sep 21 15:46:03 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:03 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.203.230.10 port 53
sep 21 15:46:03 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:03 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.203.230.10 port 53
sep 21 15:46:06 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:06 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.9.14.201 port 53
sep 21 15:46:07 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:07 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.9.14.201 port 53
sep 21 15:46:07 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:07 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.203.230.10 port 53
sep 21 15:46:07 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:07 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.203.230.10 port 53
sep 21 15:46:14 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:14 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.7.83.42 port 53
sep 21 15:46:26 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:26 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.5.5.241 port 53
sep 21 15:46:26 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:26 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.5.5.241 port 53
sep 21 15:46:29 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:29 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.5.5.241 port 53
sep 21 15:46:29 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:29 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.5.5.241 port 53
I'm not sure it should work this way, because the actual DNS servers to be forwarded to over TLS are the Quad9 and Cloudflare ones (relevant config part):
#Adding DNS-Over-TLS support
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # Cloudflare DNS
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
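As an added example (not part of the question and not Unbound's own tooling), a small Python checker that parses a forward-zone like the one posted and the journal lines, then reports which failed TLS handshakes were against a configured DoT forwarder on 853 and which were against some other host on port 53. The sample config and log lines below are constructed from the post; the extra 9.9.9.9@853 failure line is constructed to show the other case.

```python
import re
from ipaddress import ip_address

# Constructed sample input based on the post: the forward-zone snippet (category
# labels restored as comments) and a few journal lines, plus one made-up 853 failure.
UNBOUND_CONF = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    # Cloudflare DNS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""
JOURNAL = """\
sep 21 15:46:02 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:02 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.9.14.201 port 53
sep 21 15:46:26 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.5.5.241 port 53
sep 21 15:46:30 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 9.9.9.9 port 853
"""

# forward-addr: <ip>[@port][#authname]   (port defaults to 53 when omitted)
ADDR_RE = re.compile(r"^\s*forward-addr:\s*(\S+?)(?:@(\d+))?(?:#(\S+))?\s*$", re.M)
FAIL_RE = re.compile(r"notice: ssl handshake failed (\S+) port (\d+)")

def forward_set(conf):
    """Map each configured upstream (ip, port) to its expected TLS auth name (None if absent)."""
    return {(str(ip_address(ip)), int(port or 53)): (name or None)
            for ip, port, name in ADDR_RE.findall(conf)}

def classify(conf, journal):
    """For every failed handshake in the log, say whether the peer is a configured forwarder."""
    fwd = forward_set(conf)
    rows = []
    for ip, port in FAIL_RE.findall(journal):
        key = (str(ip_address(ip)), int(port))
        rows.append({"peer": f"{ip}@{port}", "forwarder": key in fwd, "auth_name": fwd.get(key)})
    return rows

def diagnose(conf, journal):
    """Split failures: peers outside the forward-zone (TLS tried on a non-forwarder, here
    port 53) versus the configured forwarders themselves (cert/auth-name or 853 problem)."""
    rows = classify(conf, journal)
    return {"stray": [r["peer"] for r in rows if not r["forwarder"]],
            "forwarder": [r["peer"] for r in rows if r["forwarder"]]}

if __name__ == "__main__":
    print(diagnose(UNBOUND_CONF, JOURNAL))
```

Handshakes in the "stray" list show Unbound talking TLS to hosts that are not in the forward-zone at all, so the forwarding configuration itself is what to verify next (for example with unbound-checkconf and the active server section), rather than the Quad9/Cloudflare certificates.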