make bind prefer DoT for recursion

Tony Finch dot at dotat.at
Fri Mar 22 12:10:40 UTC 2019


Erich Eckner <bind at eckner.net> wrote:
>
> I am running a recursive resolver for my local network and was wondering
> whether it is possible (and if so: how) to make it resolve via DNS-over-TLS if
> that's available on the authoritative name servers.

BIND doesn't have any TLS support, and (as you said) it really needs to be
integrated into the resolver in this situation.

You could try the Knot Resolver, which has experimental support
https://knot-resolver.readthedocs.io/en/stable/modules.html#experimental-dns-over-tls-auto-discovery

Unbound can forward queries over TLS but it isn't clear to me whether it
can do opportunistic TLS to authoritative servers.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Plymouth, Biscay, Fitzroy: Variable 3 or 4, becoming northeasterly 5 or 6
later in Plymouth and northwest Fitzroy. Moderate, becoming rough later in
northwest Fitzroy. Occasional rain or drizzle in north. Good, occasionally
poor.
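For readers following up on the Unbound remark above: this is an added example (not part of the original mail, and not Unbound's own documentation) showing the forwarding mode that Unbound does support, i.e. sending all recursion upstream to a forwarder over TLS on port 853 with certificate verification. It assumes Unbound 1.7 or later, a system CA bundle at /etc/ssl/certs/ca-certificates.crt, and a constructed forwarder address 192.0.2.53 with the hostname dot.example.net; substitute a real DoT-capable forwarder of your own choosing.

```conf
# unbound.conf (added example; paths and addresses are placeholders)
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # CA bundle used to verify the forwarder's certificate.
    # Without this, forward-tls-upstream encrypts but does not
    # authenticate the upstream.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Send every query to the forwarder over TLS instead of plain UDP/TCP 53.
    forward-tls-upstream: yes
    # Syntax: address@port#authentication-name
    # The name after '#' must match the certificate presented on 853.
    forward-addr: 192.0.2.53@853#dot.example.net
```

Note the distinction the mail draws: this configuration talks TLS only to the configured forwarder; it does not make Unbound attempt TLS when iterating to authoritative servers. If the forwarder's certificate does not validate against the bundle, Unbound marks the upstream as failed rather than falling back to cleartext, so check `unbound-checkconf` and the log after changing it.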