

PFSense - Unbound - Secure DNS over TLS

Secure DNS over TLS requires TLS with certificate domain validation: the resolver must check that the upstream's certificate chains to a trusted CA and was issued for the name you expect.

Without that validation, your DNS traffic can still be intercepted, monitored, or manipulated by a man-in-the-middle attacker who presents nothing more than a self-signed certificate; the session is encrypted, but to the wrong party.

Here is how you set it up more securely.

Here is a minimal example configuration for Unbound, /etc/unbound/unbound.conf, that uses both Quad9 and Cloudflare Resolver as the forwarding resolvers and validates their TLS certificates against the expected domain names for each service:

server:
  tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

forward-zone:
  name: "."
  forward-tls-upstream: yes
  # Quad9.
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 2620:fe::9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  # Cloudflare DNS.
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com

IMPORTANT: The names after the # signs are NOT comments. On a forward-addr line the part after # is the TLS authentication name: Unbound verifies that the certificate presented by that address was issued for that name (dns.quad9.net for Quad9, cloudflare-dns.com for Cloudflare). Leave it off and the connection is encrypted but not authenticated, which is exactly the self-signed-certificate attack described above.

The tls-cert-bundle option points to the local system's root certificate authority bundle, the file containing all the root certificates the operating system trusts. On most Linux distributions you get this bundle by installing the ca-certificates package. Without it Unbound has no trust anchors and cannot validate any upstream certificate, so the authentication name alone is not enough.

The default location of the root certificate bundle is /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem on Fedora, and /etc/ssl/certs/ca-certificates.crt on Debian/Ubuntu. On FreeBSD-based systems such as pfSense, the ca_root_nss package installs it as /usr/local/share/certs/ca-root-nss.crt. Refer to the documentation of your distribution if you can't locate its root certificate bundle. Note that pfSense generates unbound.conf itself and overwrites manual edits; there, the equivalent settings are the "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" option under Services > DNS Resolver and the per-server TLS hostname next to each DNS server in System > General Setup.

If you haven't set up the tls-cert-bundle option correctly, you will see certificate validation errors like the ones below in the Unbound log, and Unbound will refuse to connect to the remote resolver:

notice: ssl handshake failed 9.9.9.9 port 853
error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
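The mistakes described on this page (TLS enabled with no tls-cert-bundle, a forward-addr without its #authname, an upstream left on port 53) are easy to check for mechanically. The following is an added example written for this page; it is not code from pfSense, Unbound or the original author. It assumes only the configuration syntax shown above and the Python standard library. The lint runs offline on two constructed configurations; the probe_dot() function additionally shows, with Python's ssl module, the same validation Unbound performs for an authenticated upstream (CA bundle plus hostname check) and needs network access to the real resolver.

```python
"""Lint an Unbound forward-zone for DNS-over-TLS mistakes and, optionally,
probe an upstream the way Unbound's authenticated forwarder validates it.

Added example for this page; not part of pfSense, Unbound or the original
text. It understands only the directives shown on the page (server:,
tls-cert-bundle, forward-zone:, name, forward-tls-upstream and
forward-addr IP[@port][#authname]) and uses the standard library only."""
import re
import socket
import ssl
import struct

# The page's config shows that '#authname' inside a forward-addr value is not a
# comment, so this lint treats '#' as a comment only at line start or after whitespace.
COMMENT_RE = re.compile(r"(^|\s)#.*$")
# forward-addr value: address (IPv6 literals contain ':'), optional @port, optional #authname.
FORWARD_ADDR_RE = re.compile(r"^(?P<addr>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def parse_unbound(text):
    """Return (tls_cert_bundle, zones); zones are dicts {"name", "tls", "addrs"}
    with addrs as (address, port, authname) tuples, authname None if absent."""
    bundle, zones, zone = None, [], None
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "forward-zone":            # clause header starts a new zone
            zone = {"name": None, "tls": False, "addrs": []}
            zones.append(zone)
        elif key == "server":
            zone = None
        elif key == "tls-cert-bundle":
            bundle = value
        elif zone is not None and key == "name":
            zone["name"] = value
        elif zone is not None and key == "forward-tls-upstream":
            zone["tls"] = value.lower() == "yes"
        elif zone is not None and key == "forward-addr":
            m = FORWARD_ADDR_RE.match(value)
            if m is None:
                raise ValueError("unparseable forward-addr: %r" % value)
            # Unbound's default port stays 53 even with TLS enabled; only '@853' changes it.
            zone["addrs"].append((m["addr"], int(m["port"] or 53), m["auth"]))
    return bundle, zones


def lint(bundle, zones):
    """Return one finding per mistake; an empty list means the zone matches the page's setup."""
    findings = []
    for z in zones:
        tag = 'forward-zone "%s"' % z["name"]
        if not z["tls"]:
            findings.append("%s: forward-tls-upstream is not yes; queries leave in cleartext" % tag)
            continue
        if bundle is None:
            findings.append("%s: no tls-cert-bundle; authenticated upstreams fail with "
                            "'certificate verify failed'" % tag)
        for addr, port, auth in z["addrs"]:
            if port != 853:
                findings.append("%s: %s uses port %d, expected 853 for DNS over TLS" % (tag, addr, port))
            if auth is None:
                findings.append("%s: %s has no #authname, so any certificate, even a self-signed "
                                "one, is accepted" % (tag, addr))
    return findings


def build_query(qname, qid=0x1234):
    """Minimal DNS A query: 12-byte header with RD set, one question, IN class."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("B", len(l)) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection")
        buf += chunk
    return buf


def probe_dot(addr, authname, bundle, qname="example.com", timeout=5.0):
    """Connect to addr:853 as Unbound does for an authenticated upstream: trust only
    the CA bundle and require the certificate to match authname. Returns the answer
    count from the reply; raises ssl.SSLCertVerificationError if the certificate does
    not chain to the bundle or is not issued for authname. Needs network access."""
    ctx = ssl.create_default_context(cafile=bundle)
    ctx.check_hostname = True              # this is what the '#authname' buys you
    ctx.verify_mode = ssl.CERT_REQUIRED
    query = build_query(qname)
    with socket.create_connection((addr, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=authname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # 2-byte length prefix
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            reply = recv_exact(tls, length)
    return struct.unpack("!H", reply[6:8])[0]                    # ANCOUNT


# Constructed sample: the page's configuration, trimmed to three upstreams.
GOOD_CONF = """\
server:
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
  name: "."
  forward-tls-upstream: yes
  # Quad9.
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  # Cloudflare DNS.
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""

# Constructed sample: no bundle, one upstream on the default port, one without #authname.
BAD_CONF = """\
server:

forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9#dns.quad9.net
  forward-addr: 1.1.1.1@853
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, lint(*parse_unbound(conf)) or ["clean"])
```

Run it as-is to see the three findings for the weak configuration and a clean result for the page's one; to exercise the live check, call probe_dot("9.9.9.9", "dns.quad9.net", "/etc/ssl/certs/ca-certificates.crt") and then the same call with a wrong authname such as "example.org", which should raise the hostname-mismatch error rather than return an answer.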
pfsense/unbound/secure_dns_over_tls.1589395582.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
