Solved Use DoT/DoH but keep UDP Port 53 free on Debian


Harhkl

Hi there,

I would like to host a Debian mail server, where additionally an OpenVPN server instance is listening on UDP Port 53. The server itself should use DoH if possible, else DoT. I can not get it to work however.

I tried using resolved, but to no avail. Can someone point me in the right direction?
 


I suggest unbound. I use it personally for encrypted DNS and you can specify any port you want; I'm using port 53 as the listening port for DoT.
DoT however uses port 853 for upstream servers.

If you need a configuration file, I'll share it with you.

To install it, run:
Code:
sudo apt install unbound

Your custom config should be placed into /etc/unbound/unbound.conf.d/unbound.conf
Documentation is here:
 
I'm not sure if I understand it correctly. Wouldn't this set-up a DNS server itself? I was talking about my server being the client who uses DoH/DoT.

Don't get me wrong, I would set it up as a DNS server if this is the "only" solution and you already said, that it should be able to run it on another port. But after the unbound set-up is done on let's say port 5555, how do you use it then? My own server would need to know to use port 5555 on 127.0.0.1/0.0.0.0 for dns resolving (iptables maybe?) and I would need a certificate for DoH/DoT for the IP address(es) 127.0.0.1/0.0.0.0?

My ideal solution would be to just be a DoH/DoT client
 
Wouldn't this set-up a DNS server itself?
Yes

I was talking about my server being the client who uses DoH/DoT.
Yes, your server (Debian) will be able to use unbound for DNS resolution over DoT at any port you set. (but not DoH)
In addition if you have multiple computers or devices on your LAN they will also be able to contact unbound that is running on Debian, but only if you configure it so.

Don't get me wrong, I would set it up as a DNS server if this is the "only" solution and you already said, that it should be able to run it on another port.
It's not the only solution because there are other DNS servers other than unbound, but unbound is what I use and I can tell from my experience it's very good, primarily because it has a ton of options to customize its behavior.

But after the unbound set-up is done on let's say port 5555, how do you use it then? My own server would need to know to use port 5555 on 127.0.0.1/0.0.0.0 for dns resolving (iptables maybe?) and I would need a certificate for DoH/DoT for the IP address(es) 127.0.0.1/0.0.0.0?
unbound should be configured to listen on a port other than the default 53, so yes, you can configure it to listen on port 5555.
In addition you can configure on which IP addresses or interfaces it will listen.

For your Debian system to be able to contact unbound you need to set unbound to listen on 127.0.0.1 and then set this address in NetworkManager, and the system would use that for DNS.

And for the firewall, you should be using nftables instead of iptables; it's needed to create loopback rules for localhost and inbound rules if you plan to use unbound on LAN.

My ideal solution would be to just be a DoH/DoT client
Yes, this will work; in the unbound config file you configure upstream servers, which are remote DoT servers.
The way it works is, your Debian system contacts unbound and unbound then forwards the request to a DoT-enabled server.

This way you have DoT over any port and IP you want.

If you're ready for set up let us know.
Btw. which debian version do you use?
 
First of all, thank you so much for helping me here. I guess I will try to use unbound. Not to be rude, but I still don't get how my server can act as a client when configuring unbound to a port other than 53. You said that I would set up NetworkManager to use the address, but it would need also be able to understand to not query the default 53 port. And what about certificates? Normally, the other DoT servers provide a valid certificate for their domain but I would have an own server which would need an own certificate, no?

Edit: I use Debian 12 stable
 
Not to be rude, but I still don't get how my server can act as a client when configuring unbound to a port other than 53.
The server would contact itself for DNS.
In the context of DNS you can configure your system to act either as DNS client only or as both DNS client and server, it's up to you and how you configure it.
Since you want it to be DNS client only, I'll repeat that will work, you have my word ;)

You said that I would set up NetworkManager to use the address, but it would need also be able to understand to not query the default 53 port.
I must admit I didn't test this scenario!
But I suppose NetworkManager might figure this out on its own.

And if it doesn't, then you can disable the networking daemon and enable systemd-networkd, which is a modern solution and replacement for networking, but it's disabled by default on Debian due to silly reasons that the Debian installer still depends on networking, but once installed it's safe to dump it and enable systemd-networkd. I did it myself and it works great.

Now the thing about systemd-networkd is that it lets you specify the DNS port. I again didn't test it, but I know specifying ports is possible.

And what about certificates? Normally, the other DoT servers provide a valid certificate for their domain but I would have an own server which would need an own certificate, no?
Yeah, certificates are needed, but unbound handles this. The Debian package already includes the tls-cert-bundle: option, which by default refers to the wrong path, but the correct one is /etc/ssl/certs/ca-certificates.crt
Therefore you don't need to do much about it except adjusting some options, because the default ones do not work!

---

Bottom line, the only unknown variable now is how NetworkManager will know a DNS port other than 53. I bet on systemd-networkd if NetworkManager is that dumb.

Btw. I have my mobile phone set to use my DNS server on PC and it's contacting port 853 even though it has no clue that I use DoT, so I think NetworkManager should figure it out.

In any case do not expect things to just work out of the box, but I'll be here to help if you want to continue.
 
Alright, so I am not sure but I think NetworkManager is not installed in my Debian system. I did spin up a test AWS Debian 12 instance to try your recommendations out. I made an unbound server, listening on port 5555. How can I tell systemd-networkd to use this port now? I could not find anything about port specification.

Edit: it looks like NetworkManager is NOT installed on the fresh AWS debian instance as well
 
I made an unbound server, listening on port 5555
Please first run the following test to confirm unbound works at this port:

Bash:
# Clear unbound resolver cache
sudo systemctl restart unbound

# Force resolving on port 5555 without consulting local cache
dig google.com -p 5555

Post output of the command.
 
Does work. But sure:

Code:
dig google.com -p 5555
;; UDP setup with ::1#5555(::1) for google.com failed: network unreachable.
;; no servers could be reached

;; UDP setup with ::1#5555(::1) for google.com failed: network unreachable.
;; no servers could be reached

;; UDP setup with ::1#5555(::1) for google.com failed: network unreachable.

; <<>> DiG 9.18.24-1-Debian <<>> google.com -p 5555
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6268
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN    A

;; ANSWER SECTION:
google.com.        1200    IN    A    142.251.209.142

;; Query time: 56 msec
;; SERVER: 127.0.0.1#5555(127.0.0.1) (UDP)
;; WHEN: Sun Apr 14 08:41:35 UTC 2024
;; MSG SIZE  rcvd: 55
 
Ok, it works but there is some misconfiguration because dig should work without reporting any errors, we'll get back to that later.

Next step is to configure your NIC to contact unbound over port 5555

First learn your NIC name:
Bash:
ip link show

From this output identify the name of the NIC which you use to connect to the internet. The example below assumes it's called eth0, but you update the value Name= with the correct value.

Next identify the current IP address of that NIC (this will then be the static IP):
Bash:
ip addr show

The example below assumes the address is 192.168.11.100, but you update the value Address= with the current IP, and don't forget the CIDR prefix. The example below assumes it's /24, which corresponds to netmask 255.255.255.0
You can see the current prefix from the ip command above

Next is the DNS= entry, which is set to the localhost IP, and the port is set to the one you configured, 5555 (note the colon to separate the port from the address)

And lastly update the Gateway= entry with your router IP; you can obtain the IP with the following command

Bash:
ip route show to default

Code:
[Match]
Name=eth0
Type=ether

[Network]
Address=192.168.11.100/24
Gateway=192.168.11.1
DNS=127.0.0.1:5555

Next copy the config above and write it to the following location:

Bash:
# NOTE: replace eth0 below with your NIC name
sudo nano /etc/systemd/network/eth0.network

# Copy/paste sample config into nano editor and press CTRL + O followed by CTRL + X to save

Now that the configuration is in place, the next step is to disable the networking daemon with these steps:

Please note that the steps which follow might make your system unable to use DNS.
If that happens, rename /etc/network/interfaces.save back and reverse the process (disable and stop systemd-networkd and enable and start networking)
If this doesn't fix the problem, reboot the system:
sudo systemctl reboot

Bash:
# Backup previous config
sudo mv /etc/network/interfaces /etc/network/interfaces.save

# Stop networking
sudo systemctl stop networking
sudo systemctl disable networking

# Start systemd-networkd
sudo systemctl start systemd-networkd
sudo systemctl enable systemd-networkd

# Verify all is ok
sudo systemctl status systemd-networkd
sudo systemctl status unbound

Finally run test again but without specifying port:

Bash:
# Clear unbound resolver cache
sudo systemctl restart unbound

# Test resolving on port 5555 without consulting local cache
dig google.com

Post the result of the dig command.
 
I cannot get the network configuration to work with systemd-networkd. It just does not use it. Here is the debug output https://pastebin.com/raw/gARC9R3A

I could give you access to the AWS machine if you post an SSH pubkey here. It's an empty instance anyway with the only purpose to test this set up, it's not a production env. whatsoever.
 
@Harhkl
Btw. I have updated my post since first reply to account for my own mistakes, but I will inspect the log to see if there is anything useful
 
ip addr show

Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 02:3b:35:e9:3d:2b brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet 172.16.24.121/19 metric 100 brd 172.16.31.255 scope global dynamic ens5
       valid_lft 3521sec preferred_lft 3521sec
    inet6 fe80::3b:35ff:fee9:3d2b/64 scope link
       valid_lft forever preferred_lft forever

Code:
ip route show to default
default via 172.16.0.1 dev ens5 proto dhcp src 172.16.24.121 metric 100


Code:
cat /etc/systemd/network/ens5.network
[Match]
#Name=ens5
#Type=ether

[Network]
Address=172.16.24.121/19
Gateway=172.16.0.1
#DNS=127.0.0.1:5555
DNS=9.9.9.9

#[DHCP]
#UseDNS=true

#[DHCPv4]
#UseMTU=true

I tested with different Match settings, this is the latest version, no version worked out though.
 
The log says:

Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Received new foreign address (configured): 172.16.24.121/19 (valid forever, preferred forever), flags: permanent, scope: global
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: link_check_ready(): link is not activated.
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Received new foreign route (configured): dst: 172.16.24.121/32, src: n/a, gw: n/a, prefsrc: 172.16.24.121, scope: host, table: local(255), proto: kernel, type: local, nexthop: 0, priority: 0, flags: n/a
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Received new foreign route (configured): dst: 172.16.31.255/32, src: n/a, gw: n/a, prefsrc: 172.16.24.121, scope: link, table: local(255), proto: kernel, type: broadcast, nexthop: 0, priority: 0, flags: n/a
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Received new foreign route (configured): dst: 172.16.0.0/19, src: n/a, gw: n/a, prefsrc: 172.16.24.121, scope: link, table: main(254), proto: kernel, type: unicast, nexthop: 0, priority: 0, flags: n/a
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Received new foreign route (configured): dst: 172.16.0.1/32, src: n/a, gw: n/a, prefsrc: 172.16.24.121, scope: link, table: main(254), proto: boot, type: unicast, nexthop: 0, priority: 0, flags: n/a
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Received new foreign route (configured): dst: n/a, src: n/a, gw: 172.16.0.1, prefsrc: n/a, scope: global, table: main(254), proto: boot, type: unicast, nexthop: 0, priority: 0, flags: n/a
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Forgetting foreign route (n/a): dst: n/a, src: n/a, gw: 172.16.0.1, prefsrc: n/a, scope: global, table: main(254), proto: boot, type: unicast, nexthop: 0, priority: 0, flags: n/a
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Forgetting foreign route (n/a): dst: 172.16.0.1/32, src: n/a, gw: n/a, prefsrc: 172.16.24.121, scope: link, table: main(254), proto: boot, type: unicast, nexthop: 0, priority: 0, flags: n/a
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Flags change: -UP -LOWER_UP -RUNNING
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Link DOWN
Apr 14 09:52:11 ip-172-16-24-121 systemd-networkd[367]: ens5: Lost carrier

Which indicates some routing problems.

Please do this, update /etc/systemd/network/ens5.network with the following entries exactly:

Code:
[Match]
Name=ens5
Type=ether

[Network]
DHCP=ipv4
DNS=127.0.0.1:5555

In addition please configure loopback interface as follows:

Bash:
sudo nano /etc/systemd/network/lo.network
# Paste loopback config below here
Code:
[Match]
Name=lo
Type=loopback

[Network]
Address=127.0.0.1/8

Then restart systemd-networkd

Bash:
sudo systemctl restart systemd-networkd

Try again dig command and if you still encounter issues please reboot system and try again without changing anything.

If even after reboot it doesn't work post output of the following:

Bash:
sudo systemctl status systemd-networkd
sudo systemctl status unbound
sudo systemctl status networking
ip route show
 
Did not work. Here the requested outputs:


Code:
sudo systemctl status systemd-networkd | cat
sudo: unable to resolve host ip-172-16-24-121: Temporary failure in name resolution
● systemd-networkd.service - Network Configuration
     Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/systemd-networkd.service.d
             └─10-debug.conf
     Active: active (running) since Sun 2024-04-14 10:31:52 UTC; 19s ago
TriggeredBy: ● systemd-networkd.socket
       Docs: man:systemd-networkd.service(8)
             man:org.freedesktop.network1(5)
   Main PID: 367 (systemd-network)
     Status: "Processing requests..."
      Tasks: 1 (limit: 515)
     Memory: 3.1M
        CPU: 45ms
     CGroup: /system.slice/systemd-networkd.service
             └─367 /lib/systemd/systemd-networkd

Apr 14 10:31:55 ip-172-16-24-121 systemd-networkd[367]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1 path=n/a interface=n/a member=n/a cookie=4 reply_cookie=2 signature=u error-name=n/a error-message=n/a
Apr 14 10:31:55 ip-172-16-24-121 systemd-networkd[367]: Successfully acquired requested service name.
Apr 14 10:31:55 ip-172-16-24-121 systemd-networkd[367]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1 path=n/a interface=n/a member=n/a cookie=5 reply_cookie=3 signature=n/a error-name=n/a error-message=n/a
Apr 14 10:31:55 ip-172-16-24-121 systemd-networkd[367]: Match type='signal',sender='org.freedesktop.login1',path='/org/freedesktop/login1',interface='org.freedesktop.login1.Manager',member='PrepareForSleep' successfully installed.
Apr 14 10:31:55 ip-172-16-24-121 systemd-networkd[367]: Got message type=method_return sender=:1.4 destination=:1.1 path=n/a interface=n/a member=n/a cookie=6 reply_cookie=4 signature=n/a error-name=n/a error-message=n/a
Apr 14 10:31:59 ip-172-16-24-121 systemd-networkd[367]: ens5: NDISC: Sent Router Solicitation, next solicitation in 8s
Apr 14 10:32:06 ip-172-16-24-121 systemd-networkd[367]: ens5: NDISC: No RA received before link confirmation timeout
Apr 14 10:32:06 ip-172-16-24-121 systemd-networkd[367]: ens5: NDISC: Invoking callback for 'timeout' event.
Apr 14 10:32:06 ip-172-16-24-121 systemd-networkd[367]: ens5: NDisc handler get timeout event
Apr 14 10:32:07 ip-172-16-24-121 systemd-networkd[367]: ens5: NDISC: Sent Router Solicitation, next solicitation in 16s


Code:
sudo systemctl status unbound | cat
sudo: unable to resolve host ip-172-16-24-121: Temporary failure in name resolution
● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-04-14 10:31:55 UTC; 1min 13s ago
       Docs: man:unbound(8)
    Process: 411 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 417 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
   Main PID: 420 (unbound)
      Tasks: 1 (limit: 515)
     Memory: 14.6M
        CPU: 190ms
     CGroup: /system.slice/unbound.service
             └─420 /usr/sbin/unbound -d -p

Apr 14 10:31:55 ip-172-16-24-121 systemd[1]: Starting unbound.service - Unbound DNS server...
Apr 14 10:31:55 ip-172-16-24-121 unbound[420]: [420:0] notice: init module 0: subnetcache
Apr 14 10:31:55 ip-172-16-24-121 unbound[420]: [420:0] warning: subnetcache: prefetch is set but not working for data originating from the subnet module cache.
Apr 14 10:31:55 ip-172-16-24-121 unbound[420]: [420:0] notice: init module 1: validator
Apr 14 10:31:55 ip-172-16-24-121 unbound[420]: [420:0] notice: init module 2: iterator
Apr 14 10:31:55 ip-172-16-24-121 unbound[420]: [420:0] info: start of service (unbound 1.17.1).
Apr 14 10:31:55 ip-172-16-24-121 systemd[1]: Started unbound.service - Unbound DNS server.



Code:
sudo systemctl status networking
sudo: unable to resolve host ip-172-16-24-121: Temporary failure in name resolution
Unit networking.service could not be found.

Code:
ip route show
default via 172.16.0.1 dev ens5 proto dhcp src 172.16.24.121 metric 100
172.16.0.0/19 dev ens5 proto kernel scope link src 172.16.24.121 metric 100
172.16.0.1 dev ens5 proto dhcp scope link src 172.16.24.121 metric 100
172.16.0.2 dev ens5 proto dhcp scope link src 172.16.24.121 metric 100
 
I thought about this:

Could I make the OpenVPN server listen on my WAN IP and then the DNS resolver could listen on localhost? This way both OpenVPN and DNS resolver may "share" UDP port 53? Not sure if possible though.
 
Your routing table is odd because it's missing subnet suffix:

172.16.0.1 dev ens5 proto dhcp scope link src 172.16.24.121 metric 100
172.16.0.2 dev ens5 proto dhcp scope link src 172.16.24.121 metric 100

ip route syntax is:
Code:
ip route add {NETWORK/MASK} via {GATEWAYIP}
ip route add {NETWORK/MASK} dev {DEVICE}
ip route add default {NETWORK/MASK} dev {DEVICE}
ip route add default {NETWORK/MASK} via {GATEWAYIP}

I'd ignore this for a moment and not change anything for now. Another problem is that there is no clue about your unbound config file contents, can you please share its contents too? /etc/unbound/unbound.conf.d/unbound.conf

Then I'll see if it can be adjusted or if it contains mistakes.

Could I make the OpenVPN server listen on my WAN IP and then the DNS resolver could listen on localhost? This way both OpenVPN and DNS resolver may "share" UDP port 53? Not sure if possible though.
No, a local port can be bound to a single service only.
 
And the moment of failure most certainly lies in:
Code:
ls /etc/unbound/unbound.conf.d

Please share output of that too, because those files there should be renamed to *.backup extension and another file located in another directory should be used instead, but that depends on your config file.
 
My configuration is stored in /etc/unbound/unbound.conf not in /etc/unbound/unbound.conf.d/unbound.conf


Code:
cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"


#Adding DNS-Over-TLS support
server:
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    do-ip6: no
    interface: 127.0.0.1
    port: 5555
    #port: 53
    prefetch: yes

    root-hints: /usr/share/dns/root.hints
    harden-dnssec-stripped: yes

    cache-max-ttl: 14400
    cache-min-ttl: 1200

    aggressive-nsec: yes
    hide-identity: yes
    hide-version: yes
    use-caps-for-id: yes
    
    #private-address: 192.168.0.0/16
    #private-address: 169.254.0.0/16
    #private-address: 172.16.0.0/12
    #private-address: 10.0.0.0/8
    #private-address: fd00::/8
    #private-address: fe80::/10

    #control which clients are allowed to make (recursive) queries
    #access-control: 127.0.0.1/32 allow_snoop
    #access-control: ::1 allow_snoop
    #access-control: 127.0.0.0/8 allow
    #access-control: 192.168.5.0/24 allow


forward-zone:
    name: "."
    forward-ssl-upstream: yes
    ## Also add IBM IPv6 Quad9 over TLS
    #forward-addr: 9.9.9.9@853#dns.quad9.net
    #forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 176.9.1.117@853#dnsforge.de



Code:
/etc/unbound# ls -l -R
.:
total 8
-rw-r--r-- 1 root root 1507 Apr 14 10:59 unbound.conf
drwxr-xr-x 2 root root 4096 Apr 14 07:45 unbound.conf.d

./unbound.conf.d:
total 8
-rw-r--r-- 1 root root 195 Feb 13 20:00 remote-control.conf
-rw-r--r-- 1 root root 190 Feb 13 20:00 root-auto-trust-anchor-file.conf
 
Your config file at the top says:
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

Please comment out or remove this line, it's causing a known "bug" in Debian.

Please also comment out or delete forward-ssl-upstream: yes under forward-zone:

For testing purposes comment out forward-addr: 176.9.1.117@853#dnsforge.de and then copy/paste the following code into the forward-zone clause:

Bash:
    # Enabled or disable whether the queries to this forwarder use TLS for transport
    forward-tls-upstream: yes

    # If enabled, data inside the forward is not cached
    # This is useful when you want immediate changes to be visible (Default is no)
    forward-no-cache: no

    # The servers listed as forward-host: and forward-addr: have to handle further recursion for the query
    # https://github.com/DigitaleGesellschaft/DNS-Resolver
    # https://www.quad9.net/support/faq/

    # IPv4 primary
    forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
    forward-addr: 9.9.9.9@853#dns.quad9.net

    # IPv4 secondary
    forward-addr: 185.95.218.43@853#dns.digitale-gesellschaft.ch
    forward-addr: 149.112.112.112@853#dns.quad9.net

Then run the following 2 commands to void bad files:
Bash:
sudo mv /etc/unbound/unbound.conf.d/remote-control.conf /etc/unbound/unbound.conf.d/remote-control.conf.orig

sudo mv /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf.orig

When you do this restart unbound and check status is OK:
Code:
sudo systemctl restart unbound
sudo systemctl status unbound

Try digging dig google.com again.
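
An added example, not part of any post in this thread and not unbound's own tooling: a lint for the client-only DoT forwarder the thread arrives at, checking the listening address and port, the CA bundle, TLS on the forward-zone, and that every forward-addr carries a `#name` for certificate checking. The function names are hypothetical, both sample configs are constructed, and the lint assumes a single forward-zone and interfaces given as IP addresses.

```shell
#!/usr/bin/env bash
# Added example: lint an unbound.conf for the client-only DoT forwarder
# described in this thread. Reads the config on stdin, prints one finding
# per line, and exits 0 when there are none, 1 otherwise.
# Assumes a single forward-zone and looks only at the options named below.
lint_unbound_dot() {
    awk '
    function report(msg) { print msg; n++ }
    {
        # "#" starts a comment only at line start or after whitespace;
        # inside forward-addr it separates the TLS authentication name.
        sub(/^[ \t]*#.*/, ""); sub(/[ \t]+#.*/, "")
        gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 == "") next
        key = $0; sub(/:.*/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val)
        if (val == "") { section = key; next }      # e.g. "server:"
    }
    section == "server" && key == "tls-cert-bundle" { bundle = 1 }
    section == "server" && key == "port"            { port = val }
    section == "server" && key == "interface" {
        addr = val; sub(/@.*/, "", addr)            # drop optional @port
        if (addr !~ /^127\./ && addr != "::1")
            report("interface " val ": listens beyond loopback")
    }
    # forward-ssl-upstream is the older spelling of forward-tls-upstream.
    section == "forward-zone" && val == "yes" &&
        (key == "forward-tls-upstream" || key == "forward-ssl-upstream") { tls = 1 }
    section == "forward-zone" && key == "forward-addr" && val !~ /#[^ \t]+$/ {
        report("forward-addr " val ": no #name, upstream certificate name is not checked")
    }
    END {
        if (!tls)    report("forward-zone: TLS upstream not enabled, queries leave in cleartext")
        if (!bundle) report("server: tls-cert-bundle not set, no CA bundle to verify upstreams")
        if (port == "" || port == "53")
            report("server: resolver uses port 53, which this setup keeps free")
        exit (n > 0)
    }'
}

# Constructed sample modelled on the config reached at the end of the thread.
sample_good() {
    cat <<'EOF'
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    do-ip6: no
    interface: 127.0.0.1
    port: 5555
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net   # primary
    #forward-addr: 176.9.1.117@853
EOF
}

# Constructed sample with the weak settings the lint is meant to catch.
sample_bad() {
    cat <<'EOF'
server:
    interface: 0.0.0.0
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853
EOF
}

sample_good | lint_unbound_dot && echo "good sample: no findings"
sample_bad  | lint_unbound_dot || echo "bad sample: findings above"
```

To lint a real file, feed it on stdin, for example `lint_unbound_dot < /etc/unbound/unbound.conf`.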
 

