BIND9 9.21.21 DoT Forwarding Fails with Quad9 (9.9.9.9 etc) ; Cloudflare/Google/own unbound work OK
pgnd
pgnd at dev-mail.net
Sun May 3 18:51:58 UTC 2026
I'm doing some comparative performance checking for Bind9 DoT forwarding from my local bind 9.21.21
for config
...
tls vm-dot { remote-hostname "example.com"; };
tls quad9-dot { remote-hostname "dns.quad9.net"; };
tls cloudflare-dot { remote-hostname "one.one.one.one"; };
tls google-dot { remote-hostname "dns.google"; };
...
forward first;
...
with fwd from my local Bind9 instance to my VM unbound instance
forwarders port 853 tls vm-dot {
    10.10.10.53;
};
all's good; dns leak test from local browsers shows my VM as IP source for the DNS queries
similarly, with Cloudflare
forwarders port 853 tls cloudflare-dot {
    1.1.1.2;
    1.0.0.2;
    2606:4700:4700::1112;
    2606:4700:4700::1002;
};
also works, and shows CF IPs as source.
same with Google.
but, with Quad9,
forwarders port 853 tls quad9-dot {
    9.9.9.9;
    149.112.112.112;
    2620:fe::fe;
    2620:fe::9;
};
seems NO forwarding; dnsleak test shows Comcast & WoodyNet IPs :-/
which is annoying.
looking for errors -- not finding them, yet. or a published reason/bug re: Bind9 forwarding 'vs' Quad9 DoT.
still digging, but ...
... any _known_ issues with Quad9?
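One way to separate a BIND forwarding problem from a DoT endpoint problem is to reproduce what the `tls`/`forwarders port 853` stanza does by hand: open TLS to each forwarder address, verify the certificate against the configured `remote-hostname`, and send one query. The script below is an added example, not the poster's code or BIND's; it uses the system CA store for verification (an assumption about how the local `tls` stanza is validated) and the forwarder addresses and hostnames from the post.

```python
"""Probe DNS-over-TLS forwarders the way a BIND `tls` + `forwarders port 853` stanza uses them."""
import socket
import ssl
import struct

def build_query(name, qtype=1, qid=0x1234):
    """Minimal RFC 1035 query (RD=1) for `name`, with the 2-byte TCP/TLS length prefix."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN
    return struct.pack(">H", len(msg)) + msg

def parse_response(msg):
    """Return (qid, rcode, answer_count) from a raw DNS message without length prefix."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return qid, flags & 0x000F, an

def recv_exact(sock, n):
    """Read exactly n bytes; a short read means the server closed the stream."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed connection after %d bytes" % len(buf))
        buf += chunk
    return buf

def dot_probe(addr, remote_hostname, name="example.com", timeout=5.0):
    """TLS handshake to addr:853 with SNI + hostname verification, then one query.

    Raises ssl.SSLCertVerificationError if the cert does not match remote_hostname,
    which is the failure mode a `remote-hostname` mismatch in named.conf would produce.
    """
    ctx = ssl.create_default_context()  # assumption: system CA store, like BIND's default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((addr, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=remote_hostname) as tls:
            tls.sendall(build_query(name))
            (length,) = struct.unpack(">H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length))

if __name__ == "__main__":
    # Forwarder sets from the post; each address is checked against its own tls stanza hostname.
    FORWARDERS = {"dns.quad9.net": ["9.9.9.9", "149.112.112.112"],
                  "one.one.one.one": ["1.1.1.2", "1.0.0.2"],
                  "dns.google": ["8.8.8.8"]}
    for host, addrs in FORWARDERS.items():
        for a in addrs:
            try:
                print(host, a, "qid/rcode/answers:", dot_probe(a, host))
            except (OSError, ssl.SSLError) as e:
                print(host, a, "FAILED:", e)
```

A per-address failure here (handshake, certificate name, or no answer) points at the DoT endpoint; success on every address while the leak test still shows non-forwarder egress points back at the `forward first` fallback in named.conf.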