DoH plugin for BIND

Michael De Roover isc at
Thu Apr 30 12:45:42 UTC 2020

Thanks a lot for the detailed reply. That should be pretty 
straightforward to set up then, as I'm already using nginx for some 
other things and Debian appears to be using BIND 9.11.5 now. Until BIND 
gets native DoT/DoH support I'll probably run it behind nginx as well then.

On 4/29/20 10:19 PM, Tony Finch wrote:
> Michael De Roover <isc at> wrote:
>> On that subject, how about DoT?
> DoT is easier since you only need a raw TLS reverse proxy, and there are
> lots of those, for example, nginx:
> Note that if you enable DoT on port 853 on your normal DNS resolvers then
> Android devices will use it automatically. (I get a lot more DoT traffic
> than DoH traffic!) So it's worth tuning timeouts to control the number of
> concurrent TLS and TCP sessions on your server. Android's DoT client is
> very well-behaved so the server-side configuration knobs work nicely. Use
> BIND 9.11 or newer so you can support concurrent queries on one
> connection. As well as the nginx timeouts you can see at the link above,
> my named.conf has:
> 	tcp-clients 1234;
> 	tcp-idle-timeout 50; # 5 seconds
> 	tcp-initial-timeout 25; # 2.5s minimum permitted
> 	tcp-keepalive-timeout 50; # 5 seconds
> 	tcp-advertised-timeout 50; # 5 seconds
> The timeouts are short because they don't need to allow for much slowness
> on our metropolitan-area fibre network. 5 seconds is based on my rough
> eyeball assessment of when typical DoT connections are unlikely to be
> re-used. The number of TCP clients is a guess.
> Tony.
Met vriendelijke groet / Best regards,
Michael De Roover

More information about the bind-users mailing list