Hi,

In latest -snapshot, is there a method where one can enforce
in unbound tls1.3 with no SNI ? Locally is unencrypted - this is
for dns queries going out over the net.

I've been reading the unbound.conf manual and trying with unbound.conf like so:

        forward-zone:
                name: "."                       # use for ALL queries
        forward-addr: 9.9.9.9@853               # Quad9 DoT
        forward-addr: 149.112.112.112@853       # Quad9 DoT

        forward-tls-upstream: yes

        #tls-protocols: TLSv1.3
        #tls-use-sni: no

        #tls-ciphers: 
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305:TLS_AES_128_GCM_SHA256"
        #tls-ciphersuites: 
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305:TLS_AES_128_GCM_SHA256"
#tls-version: "TLSv1.3"
The above as commented works, but wireshark shows it's using tls1.2 & 1.3
Uncommenting any of commented entries above causes unbound to fail to start.

Alternatively, is there a way to enforce tls1.3 --no-sni globally for all 
outgoing
connections?

thanks,
--

Reply via email to