DNS over HTTPS with Unbound and Stubby

Use the following configuration and set the DHCP server to hand out fd00:2d3f:7fc8:3::53 as the DNS server.

Note: names on the local network will not resolve with this Unbound config, because every query is forwarded to the upstream listener on ::1 port 8053.


  - 0::1@8053
root@doh:~# cat /etc/unbound/unbound.conf.d/*
    # Unbound settings as printed by "cat /etc/unbound/unbound.conf.d/*".
    # NOTE(review): this is several files concatenated; the "server:" clause
    # header that these options belong under is not shown in this listing.

    # Send minimum amount of information to upstream servers to enhance
    # privacy. Only sends minimum required labels of the QNAME and sets
    # QTYPE to NS when possible.

    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
    # details.

    qname-minimisation: yes
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    directory: "/etc/unbound"
    username: unbound
    # make sure unbound can access entropy from inside the chroot.
    # e.g. on linux use these commands (on BSD, devfs(8) is used):
    #      mount --bind -n /dev/random /etc/unbound/dev/random
    # and  mount --bind -n /dev/log /etc/unbound/dev/log
    # logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
    pidfile: "/etc/unbound/unbound.pid"
    verbosity: 1
    # Relative path; resolved against "directory" above.
    root-hints: root.hints
    # Permit queries to localhost: needed because the forwarder configured
    # below (forward-addr) is ::1@8053.
    do-not-query-localhost:  no
    # listen on all interfaces, answer queries from the local subnet.
    # NOTE(review): the listener is not bound to a single address, so the
    # access-control rules below are what keep this host from acting as an
    # open resolver on any global address it holds. Keep them tight and
    # consider a firewall rule for port 53 as a second layer.
    interface: ::0
    # NOTE(review): this entry has no netblock (the syntax is
    # "access-control: <netblock> <action>"); the address appears to be
    # missing from this listing - restore the intended subnet.
    access-control: allow
    # Clients inside this /48 prefix are allowed to query.
    access-control: fd00:2d3f:7fc8::/48 allow
    interface-automatic: yes
  # NOTE(review): "name" and "forward-addr" belong to a "forward-zone:"
  # clause whose header is not shown in this listing.
  # Zone "." covers every name, so all queries go to ::1 port 8053
  # (presumably the Stubby listener); this is why local names do not resolve.
  # NOTE(review): Stubby normally speaks DNS-over-TLS to its upstreams -
  # confirm the transport against the Stubby config, which is not shown here.
  name: "."
    forward-addr: ::1@8053
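# Fetch the root hints file referenced by "root-hints" in the Unbound config.
# --fail makes curl exit non-zero on an HTTP error instead of saving the
# server's error page as root.hints.
curl --fail --output /etc/unbound/root.hints https://www.internic.net/domain/named.cache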
root@doh:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

source /etc/network/interfaces.d/*
auto eth0
# NOTE(review): no address/netmask follows this static IPv4 stanza in the
# listing; presumably omitted from the page - confirm against the real file.
iface eth0 inet static
iface eth0 inet6 static
        # Fixed address that the DHCP server hands out as the DNS server.
        address fd00:2d3f:7fc8:3::53/64
        # use SLAAC to get global IPv6 address from the router
        # we may not enable ipv6 forwarding, otherwise SLAAC gets disabled
        # NOTE(review): the global address obtained here is also covered by
        # Unbound's "interface: ::0" listener; only the access-control rules
        # (and any firewall) limit who can query the resolver on it.
        autoconf 1
        # accept_ra 2: accept router advertisements even if forwarding is enabled.
        accept_ra 2