Does DOT work for me under Unbound?

Hello,
How can I see if DoT is working correctly for me?
DietPi v8.17.2 with PiHole

Server 1: DNS-over-HTTPS and DNS-over-TLS support [ffmuc.net/wiki/]
Server 2: GitHub - DigitaleGesellschaft/DNS-Resolver: Configuration files of our DoT and DoH servers

Config:

    cat /etc/unbound/unbound.conf.d/dietpi-dot.conf

    # Adding DNS-over-TLS support
    server:
        tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    forward-zone:
        name: "."
        forward-tls-upstream: yes

        # Freifunk München
        forward-addr: 5.1.66.255@853#dot.ffmuc.net
        forward-addr: 185.150.99.255@853#dot.ffmuc.net
        forward-addr: 2001:678:e68:f000::@853#dot.ffmuc.net
        forward-addr: 2001:678:ed0:f000::@853#dot.ffmuc.net

        # Digitale Gesellschaft (CH) DNS Server
        forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
        forward-addr: 185.95.218.43@853#dns.digitale-gesellschaft.ch
        forward-addr: 2a05:fc84::42@853#dns.digitale-gesellschaft.ch
        forward-addr: 2a05:fc84::43@853#dns.digitale-gesellschaft.ch

Thanks a lot!

You could check the actual packets sent via tcpdump:

    apt install tcpdump
    tcpdump -ni any -p port 53 or port 853

Thank you, I get a few things displayed there. What exactly should I look for/search for between all the IP addresses?

Looks like it’s working, as the correct upstream DNS servers are shown.

Have a look for outgoing packets on port 853; they should target the DNS servers you specified.


Thanks, should be okay.

192.168.176.30 is my DietPi with Unbound; 185.95.218.43 is one of the DNS servers.

17:42:37.450201 IP 192.168.176.30.53906 > 185.95.218.43.853: Flags [R], seq 3461751606, win 0, length 0
17:42:37.451993 IP 185.95.218.43.853 > 192.168.176.30.53906: Flags [.], ack 520, win 254, options [nop,nop,TS val 4140082028 ecr 2243178216], length 0
17:42:37.452163 IP 192.168.176.30.53906 > 185.95.218.43.853: Flags [R], seq 3461751607, win 0, length 0

17:42:37.290227 IP 192.168.176.30.53904 > 185.95.218.43.853: Flags [.], ack 1, win 1004, options [nop,nop,TS val 2243178068 ecr 4140081865], length 0
17:42:37.290808 IP 185.95.218.43.853 > 192.168.176.30.53900: Flags [P.], seq 3682:3706, ack 514, win 254, options [nop,nop,TS val 4140081867 ecr 2243178056], length 24
17:42:37.291031 IP 192.168.176.30.53900 > 185.95.218.43.853: Flags [R], seq 3498417560, win 0, length 0
17:42:37.291852 IP 185.95.218.43.853 > 192.168.176.30.53900: Flags [F.], seq 3706, ack 514, win 254, options [nop,nop,TS val 4140081867 ecr 2243178056], length 0
17:42:37.291981 IP 192.168.176.30.53900 > 185.95.218.43.853: Flags [R], seq 3498417560, win 0, length 0
17:42:37.293764 IP 185.95.218.43.853 > 192.168.176.30.53900: Flags [.], ack 515, win 254, options [nop,nop,TS val 4140081869 ecr 2243178058], length 0
17:42:37.293933 IP 192.168.176.30.53900 > 185.95.218.43.853: Flags [R], seq 3498417561, win 0, length 0
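
The check discussed in this thread can be automated. The following is an added example, not code from any poster or from DietPi: it reads the `forward-addr` lines and a `tcpdump -n` capture, then sorts outbound destinations into expected DoT upstreams, unexpected port-853 targets, and cleartext port-53 queries leaving the LAN. The names `upstreams`, `audit` and `LOCAL_NETS` and the choice of local ranges are assumptions.

```python
import ipaddress
import re

# Assumption: port-53 traffic that stays inside these ranges is the normal
# client -> Pi-hole path, not a leak to an external resolver.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]
FORWARD_RE = re.compile(r"^\s*forward-addr:\s*([0-9A-Fa-f.:]+?)(?:@\d+)?(?:#\S+)?\s*$")
PACKET_RE = re.compile(r"\bIP6? (\S+) > (\S+): ")

def upstreams(conf_text):
    """Return the forward-addr IPs configured in an Unbound snippet."""
    hits = (FORWARD_RE.match(line) for line in conf_text.splitlines())
    return {ipaddress.ip_address(m.group(1)) for m in hits if m}

def audit(conf_text, capture_text):
    """Sort the destinations of outbound DNS packets into three buckets."""
    expected = upstreams(conf_text)
    seen = {"dot_expected": set(), "dot_unexpected": set(), "plaintext_external": set()}
    for line in capture_text.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue
        addr, _, port = m.group(2).rpartition(".")  # tcpdump prints "address.port"
        try:
            dst, dport = ipaddress.ip_address(addr), int(port)
        except ValueError:
            continue  # not an address.port pair, skip the line
        if dport == 853:
            seen["dot_expected" if dst in expected else "dot_unexpected"].add(str(dst))
        elif dport == 53 and not any(dst in net for net in LOCAL_NETS):
            seen["plaintext_external"].add(str(dst))
    return seen

# Two forward-addr lines taken from the config posted in the thread.
CONF = """forward-zone:
    forward-addr: 185.95.218.43@853#dns.digitale-gesellschaft.ch
    forward-addr: 2a05:fc84::43@853#dns.digitale-gesellschaft.ch
"""
# First two lines are from the thread's capture; the last two are constructed
# (a LAN client asking Pi-hole, and a cleartext query leaving the network).
CAPTURE = """17:42:37.450201 IP 192.168.176.30.53906 > 185.95.218.43.853: Flags [R], seq 3461751606, win 0, length 0
17:42:37.451993 IP 185.95.218.43.853 > 192.168.176.30.53906: Flags [.], ack 520, win 254, options [nop,nop,TS val 4140082028 ecr 2243178216], length 0
17:42:38.000000 IP 192.168.176.77.40000 > 192.168.176.30.53: 4660+ A? example.com. (29)
17:42:38.100000 IP 192.168.176.30.41234 > 192.0.2.53.53: 4660+ A? example.com. (29)
"""

print(audit(CONF, CAPTURE))
```

An empty `plaintext_external` and `dot_unexpected` together with a non-empty `dot_expected` is the result that corresponds to "working" in the discussion above.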