DNS over TLS

June 9, 2019

When I’m not programming, sometimes I like to find small sysadmin-like projects to do for my home network. They’re less work and I don’t have to get in the zone to do them. One thing I had been wanting to do for a while was set up DNS over TLS.

In a nutshell, in a typical home internet setup, your internet service provider (ISP) hands you an IP address and a DNS server. The DNS server is what your computer uses to look up an IP address from a name when you want to connect to another computer on the internet. Some ISPs run slow DNS servers, which shows up as lag or latency the first time you connect to a website (the name-to-IP mapping gets cached for a while after a lookup). Some power users override the ISP’s DNS server with a public resolver from Google, Cloudflare, Quad9, etc. That might help with the lag.

Whichever you choose, that traffic isn’t encrypted, so everyone between you and the DNS server gets to see which names you are requesting. Your ISP will obviously see it, since the traffic goes through them regardless of which DNS server you use, and maybe they’ll learn your interests and sell your data to advertisers. So, for whatever reason, you may decide to set up DNS over TLS so that the requests are encrypted and only the DNS server sees them. (The resolver operator still sees every query, and your ISP still sees the addresses you connect to afterwards, so this moves trust to the resolver rather than removing it.)
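To make “encrypted requests” concrete, here is a small DNS-over-TLS client I am adding as an example (it is not code from the original post): it builds a DNS query in the normal wire format, sends it to a resolver on TCP port 853 inside a TLS session with the two-byte length prefix that DNS over TCP uses, and parses the answer. The function names `build_query`, `parse_response` and `query_over_tls` are my own; the resolver address and the name to look up are supplied on the command line. It is handy for checking that a resolver you have just configured really answers over TLS.

```python
"""Minimal DNS-over-TLS (RFC 7858) client: a DNS wire-format query sent inside
TLS to port 853, with the 2-byte length prefix used for DNS over TCP.
Added example; not code from the original post."""
import socket
import ssl
import struct

DOT_PORT = 853        # port registered for DNS over TLS (RFC 7858)
TXID = 0x1234         # fixed transaction id, fine for a one-shot diagnostic


def build_query(name, qtype=1, txid=TXID):
    """Build a DNS query (RFC 1035 wire format) for `name`, class IN, RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg, expected_txid=TXID):
    """Parse a DNS response into rcode, the AD (DNSSEC-validated) flag and A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            answers.append((name, "A", socket.inet_ntop(socket.AF_INET, rdata), ttl))
        elif rtype == 28:
            answers.append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata), ttl))
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}


def _recv_exact(sock, n):
    """Read exactly n bytes from the TLS socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(resolver_ip, name, server_name=None, timeout=5.0):
    """Send one query to resolver_ip:853 inside TLS. The certificate chain is always
    verified against the system CA store; pass server_name to also check the hostname."""
    ctx = ssl.create_default_context()
    if server_name is None:
        ctx.check_hostname = False                     # verify_mode stays CERT_REQUIRED
    query = build_query(name)
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack(">H", len(query)) + query)   # length-prefixed, as over TCP
            length = struct.unpack(">H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length))


if __name__ == "__main__":
    import sys
    # usage: python dot_query.py <resolver-ip> <name> [tls-server-name]
    print(query_over_tls(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None))
```

If the resolver only listens on plain port 53, the connection to 853 is refused, which is exactly the symptom you want to see before pointing a whole network at it; if the certificate does not chain to the system CA store, the TLS handshake fails rather than silently falling back to plaintext.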

At home, I have an Ubiquiti EdgeRouter Lite as my internet router. I found some instructions on how to set it up on this blog.

I’ll summarize below in case that site goes offline someday. This assumes your router is and you give out IP addresses on (I haven’t tested this):

    # on the router: install unbound and fetch the root hints it needs to recurse
    ssh ubnt@
    sudo apt-get update && sudo apt-get install -y unbound
    sudo wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/lib/unbound/root.hints

    # EdgeOS 'set' commands only work in configuration mode; 'commit' applies them
    # and 'save' keeps them across reboots
    configure
    set system name-server
    set service dhcp-server shared-network-name YOUR-NETWORK-NAME-HERE subnet dns-server
    set service dhcp-server use-dnsmasq disable
    set service dns
    commit
    save
    exit

    sudo /etc/init.d/unbound restart

Below is my /etc/unbound/unbound.conf which forwards to

    server:
        # DNSSEC trust anchor; unbound keeps this file updated itself (RFC 5011)
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        verbosity: 1
        interface: ::0
        port: 53
        do-ip4: yes
        do-ip6: yes
        do-udp: yes
        do-tcp: yes
        # which client netblocks may query this resolver
        access-control: allow
        access-control: allow
        root-hints: "/var/lib/unbound/root.hints"

        # don't answer id.server / version.bind queries
        hide-identity: yes
        hide-version: yes
        # ignore out-of-zone glue; treat missing DNSSEC data in signed zones as bogus
        harden-glue: yes
        harden-dnssec-stripped: yes

        # never cache shorter than 15 minutes or longer than 4 hours
        cache-min-ttl: 900
        cache-max-ttl: 14400
        prefetch: yes
        rrset-roundrobin: yes
        # the DNS-over-TLS switch: queries to forward-addr targets go inside TLS, so
        # those addresses must use port 853. Without a tls-cert-bundle (newer unbound
        # releases) the upstream certificate is not verified.
        ssl-upstream: yes
        # 0x20 mixed-case query names, makes spoofed answers harder
        use-caps-for-id: yes

        #logfile: "/var/lib/unbound/unbound.log"
        # overrides the verbosity: 1 above; the last setting wins
        verbosity: 0
        val-log-level: 3

    forward-zone:
        name: "."
        # forward-addr: lines for the upstream resolver go here, one per address,
        # written as address@853 so the TLS handshake goes to the DoT port

Hopefully home routers in the future will make it easier to set up.