[WIP] Integrating dnscrypt-proxy #18

Open
licaon-kter opened this issue Oct 30, 2016 · 68 comments

@licaon-kter
Contributor

licaon-kter commented Oct 30, 2016

(no root needed, if you have root DENY access for this app)

source: https://github.com/licaon-kter/android-unbound-dns/tree/dnscrypt-proxy
latest test APK build 14: in the comments below

what's modified:

how to run:

  • get that APK and get NetGuard
  • install AndroidUnbound but don't start it
  • install NetGuard
  • NetGuard->Settings->Advanced->(enable Filter)->Port redirect->(+)->UDP/53/127.0.0.1/5300/Android Unbound
  • NetGuard-> be sure that AndroidUnbound and RootProcess are Allowed on both Wi-Fi and mobile (greenish icons)
  • start AndroidUnbound
  • no root needed, if you have root DENY access for this app
  • check the box "start on boot"
  • uncheck the box "root"
  • exit AndroidUnbound and use main Android>Settings>Apps>AndroidUnbound>Force Close
  • restart AndroidUnbound
  • look in the MAIN log tab (swipe right) where you should see the key generation, dnscrypt-proxy output etc
  • WAIT FOR THE OUTPUT, it may take a bit for things to unpack, setup keys, certs, etc.
  • ignore the warnings
  • test with these links: [Question] keepalive DNSCrypt/dnscrypt-proxy#393 (comment)
  • hide notifications for both NetGuard and AndroidUnbound (they'll run in background anyway)
  • except (NOT OPTIMIZED) both NetGuard and Unbound in Battery settings.

issues:

  • some tests say other servers are used too (eg. those added by the Wi-Fi connection), not sure why these are seen, might be an Android issue (reported here too)
  • sometimes telco mobile APNs add a proxy that will override your DNS: edit APN to remove proxy and port, save, reconnect
  • keep in mind that as long as NetGuard is running (with the port redirection active) if AndroidUnbound and/or dnscrypt-proxy does not work correctly you can't connect to sites, since apps can't get DNS resolved
  • useless warnings in logs
  • all the other issues are there unfixed

future:

  • add a separate dnscrypt-proxy start script, and a view to edit it (eg. choose servers)
  • add a way to update dnscrypt-resolvers.csv (eg. view to edit, one can copy/paste/save/restart app)

/LE: added source and latest APK links

/LE2: I didn't figure out why port 5300 (actual unbound process) fails to resolve, in the meantime use port 5301 or 5302 to query a dnscrypt-proxy instance directly (yes you lose the unbound features but at least it works)

@smarek
Owner

smarek commented Oct 31, 2016

Hi @licaon-kter , cool stuff, before I test it, do you have the source, from which you've compiled this APK, published? I haven't found it here: https://github.com/licaon-kter/android-unbound-dns

Thanks a lot!

@licaon-kter
Contributor Author

Did not push them in a repo yet, as I need to re-write packing scripts, and yes I know what you mean, loading APK from strangers off the internet :).

You can just unpack the APK and grab my package.zip already, look at the scripts. You can replace those binaries if you want, etc.

@avently

avently commented Mar 23, 2017

How to use your app with root and iptables? Now I got connection refused every time even without root

@licaon-kter
Contributor Author

licaon-kter commented Mar 23, 2017

> How to use your app with root and iptables?

With root just use dnscrypt-proxy by itself with either NetGuard port redirect (as mentioned above but with the correct port of 53 or whatever) or with iptables as the 99dnscrypt script mentions.

> Now I got connection refused every time even without root

Who says that? Detail your setup.

@avently

avently commented Mar 23, 2017

Hm, you advised me to use your solution because it will not drain battery when device goes to sleep. Now you are saying I can use dnscrypt instead. It's a little bit strange.

Without root:

```
WARNING: linker: Warning: unable to normalize ""
WARNING: linker: Warning: unable to normalize ""
WARNING: linker: Warning: unable to normalize ""
[1490260598] libunbound[16601:0] notice: init module 0: validator
[1490260598] libunbound[16601:0] notice: init module 1: iterator
root.key does not exist
fail: the anchor is NOT ok and could not be fixed
[1490260612] unbound-control[16607:0] error: connect: Connection refused for 127.0.0.1
[1490260613] unbound[16611:0] notice: init module 0: validator
[1490260613] unbound[16611:0] notice: init module 1: iterator
[1490260613] unbound[16611:0] info: start of service (unbound 1.5.10).
```

@licaon-kter
Contributor Author

> Now you are saying I can use dnscrypt instead. It's a little bit strange.

Read the first post here.... NO-ROOT.
But if you ask about root I'll answer on how to use that, again, like I said, this works most of the time ok with sleeping devices.

Also I did not remember you and your issues precisely. :)

Did you follow the steps exactly? Try to Force Close the app and retry. What settings does the main settings screen have?

@avently

avently commented Mar 23, 2017

I removed your app. Then installed again. Unchecked first option and checked other 3 options.
Then I saw the log I already wrote here. Nothing more, nothing less.

@avently

avently commented Mar 23, 2017

Maybe it's not working because I'm not using netguard? Is it required?
I use this:

```
iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:5300 &&
iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:5300
```

@licaon-kter
Contributor Author

> Now I got connection refused every time

Missed it in your log, that's another issue, but not a problem here.

> Unchecked first option and checked other 3 options.

My steps did not mention checking 3 options, just start at boot.

If you don't have root, NetGuard is required.

If you have root, iptables might actually interfere as it will redirect ALL traffic to local 5300, including this app's traffic (and dnscrypt-proxy runs under this app), so you'll just loop 53 to 5300 to 53 and so on.

Again, decide what mode (root/no-root) you want and stick with that, don't mix them.
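
Added example, not part of the thread or of the app's own scripts: one way to avoid the redirect loop described in the comment above is to exempt the resolver app's UID from the DNAT rules with the iptables `owner` match. The UID `10123` is a constructed placeholder for the UID Android assigned to the app; the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: build DNS redirect rules that skip one UID.
# Without the exemption, port-53 packets sent by the resolver app itself are
# DNAT-ed back to 127.0.0.1:5300 and never leave the device.

# dns_redirect_rules ACTION UID [PORT]
#   ACTION  A to append the rules, D to delete them again
#   UID     numeric Android UID of the resolver app (placeholder in the demo)
#   PORT    local port the resolver listens on (default 5300, as in this thread)
# Prints the commands on stdout; nothing is applied.
dns_redirect_rules() {
    action=$1
    uid=$2
    port=${3:-5300}

    case "$action" in
        A|D) ;;
        *) echo "action must be A or D" >&2; return 2 ;;
    esac
    case "$uid" in
        ''|*[!0-9]*) echo "uid must be numeric" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac

    # Same two rules as posted above, plus "! --uid-owner" so that traffic
    # generated by the resolver's own UID is left alone.
    for proto in udp tcp; do
        printf 'iptables -t nat -%s OUTPUT -p %s --dport 53 -m owner ! --uid-owner %s -j DNAT --to-destination 127.0.0.1:%s\n' \
            "$action" "$proto" "$uid" "$port"
    done
}

# Demo with a constructed UID.
dns_redirect_rules A 10123
```

Calling it with `D` instead of `A` prints the matching delete commands, which removes the redirect again if the resolver stops answering.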

@ghost

ghost commented Apr 23, 2017

hi

i don't know if this is a legitimate issue or not, but i'm trying to use this new instruction to use unbound on a tablet, it's the sm-t230nu on 4.4.2 kitkat (stock, rooted) and i keep getting cannot link executable errors with all the binaries when trying to start unbound.

i've already tried the ./env.sh script to grant the app root access by uid and i still get the cannot link executable error.

is this compatible with 4.4.2 kitkat?

@licaon-kter
Contributor Author

licaon-kter commented Apr 23, 2017

This does not need root, the instructions clearly state that.

Not sure on compatibility though, this was tested only on 5.1.1 and 6.0.1.

If you have root you might not need this, install dnscrypt-proxy as usual (flash from recovery iirc) and just either use NetGuard with port redirection (53/127.0.0.1/53/root) or setup iptables.

@ghost

ghost commented Apr 23, 2017

thank you @licaon-kter for your answer.

however, my main issue is with the unbound android binaries not launching correctly in the tablet.

i'd like to deploy a local DNS resolver to use with dnscrypt, that is if it's possible.

I am no networking expert, but as I understand in this experimental set up, you have netguard forwarding dns traffic to unbound, redirecting port 53 to a different specified port, and you have dnscrypt-proxy running two instances as a forwarder in unbound, also on specified ports.

your write up specifies using unbound within this process, is there now no need for it?

@smarek any suggestions for how to fire up unbound android on kitkat 4.4.2? are the cannot link executable errors platform specific?

@licaon-kter
Contributor Author

licaon-kter commented Apr 23, 2017

Does the normal app launch ok (https://github.com/smarek/android-unbound-dns/releases) ?

If you compile it, does it work ok? This is my build for this thing that I'm trying, I might have broken something (eg. libs)

minSdk is 17 hence on Android 4.2, 4.2.2 and later it should work.

Can you post the log?

@ghost

ghost commented Apr 23, 2017

@licaon-kter the normal app doesn't launch for me either, i get the same errors etc unbound-control-setup fatal error: could not genrsa, for example.

I'm also getting cannot locate symbol errors from signal (in unbound binary), sigfillset (in unbound-control binary), and __cmsg_nxthdr (in unbound-anchor binary)

yes, i can provide a full log. what do i have to do?

@ghost

ghost commented May 3, 2017

@licaon-kter @smarek, just wanted to follow up on this issue i'm having getting this fired up on my tab.

I can provide a log but from what source? the inbuilt log from the unbound app I believe is provided more or less, did I exclude any important info? or is logcat preferred?

@licaon-kter
Contributor Author

The one from the app for starters.

@ghost

ghost commented May 3, 2017

@licaon-kter thx for the swift reply

is there a way to export the log from within the app to .txt to upload? or do I have to alternatively copy the log text from the app, save to .txt and upload?

@licaon-kter
Contributor Author

Copy, open browser to https://gist.github.com paste, post link here.

@ghost

ghost commented May 3, 2017

@licaon-kter hmm decided to upload from tab directly. the text is from no root version of your revision to the app. i force closed from within app and copied the log output from start till after 10 or so secs.

reason for the short log time is the unbound-control error loops infinitum, or should I allow the log to run longer?
tmp_untitled-1838409509.txt

@licaon-kter
Contributor Author

Ok, this is over my head unfortunately.

@smarek
Owner

smarek commented May 3, 2017

@itspull ok, no, that is correct behavior, we do compile against NDK API level 21, which is Android version 5.0
So I guess you could try recompiling with lower API settings, see https://github.com/smarek/android-unbound-dns/blob/master/_setenv_android.bash#L31

@licaon-kter
Contributor Author

licaon-kter commented May 3, 2017

@itspull If you can build, build the main project as usual (but with NDK19) and get my package.zip contained in my APK (it has dnscrypt-proxy inside and the scripts).

I'll try a rebuild too, asap.

@ghost

ghost commented May 4, 2017

@smarek, @licaon-kter ok guys thx so much for narrowing the issue down for me! so, the builds available for downloading here were made with lollipop in mind and won't work with anything lower.... got it.

as for building from scratch i can't seem to get the hang of it! all the different tools, instruction sets, etc. troubleshooting, the different programming languages each program is built with, it's all a bit dizzying for a common app user such as myself.

however, i have a tremendous amount of respect for what you guys do so again, thank you @licaon-kter, @smarek for sorting this out for me! i'll try my hand at building again maybe i'll have an easier time with this.

@ghost

ghost commented May 4, 2017

@licaon-kter thx for a rebuild you could possibly provide for backward compatibility.

I would appreciate it, as I mention I'm not totally proficient with building apps from source.

@licaon-kter
Contributor Author

licaon-kter commented May 4, 2017

@itspull Here you go build 9, hopefully the NDK 19 setting stuck
link: https://mega.nz/#!QUoyCCbJ!ufgDWByaVTKkcQP_aLE4Cxr_gn9iTuV_vomUrCvzH7M
sha1sum: 4561d5791ce525c1e547692af227c594d7004cf0

(and updated to dnscrypt-proxy 1.9.4)

@ghost

ghost commented May 5, 2017

@licaon-kter thank you so much! this one seems to work but i'm still having connection problems.

i think this is an issue with netguard and how it's trying to communicate with my tab, no pages will load when i flip it on.

i'll come back with logs and screenshots of how i have netguard set up. will you accept a debugging log for netguard here or should i post that in a different place?

@licaon-kter
Contributor Author

Let's not fill this up, comment here instead: licaon-kter@4337642

@smarek
Owner

smarek commented May 5, 2017

@licaon-kter so still, except for this commit, your APKs in this thread are closed-source? :-))

@licaon-kter
Contributor Author

licaon-kter commented May 5, 2017

Like I've said above, you can just get the package.zip from inside, the script modification is plain text, while dnscrypt-proxy and the .csv are copied from that package.

I did not yet bother actually integrating this in a build workflow because of those issues mentioned in the first post.

Also, this has not gained much traction/testing as you can see.

Now, having a successful build again I'm thinking that I could take another look at this, I tried to update the libs inside a while ago and I got flooded by linking errors.

/LE: So I've written that, tried to open a page in Firefox to no avail, netstat says everyone is listening 5300/5301/5302 yet the resolvers can't be reached. FC the app, start it, working again.
Yup, switching from Wi-Fi to mobile (and presumably back too) somehow messes things up. :(

@licaon-kter
Contributor Author

That being said, I've recompiled yet again, so dnscrypt-proxy/libsodium from git and updated openssl 1.0.2l, resulting 2 builds:

  • Unbound 1.6.4 (build 13) - APK / sha256sum: 624d77913d10a7a694401851f0ef74ec291872388bf2d829ee4ba9865eeecd7d
  • Unbound 1.5.10 (build 12) - APK / sha256sum: 0bd8e56955ac7dc4472240cb48aebb12ffdf353077620eab1f610bdb8831b40c

After using them for a while I can repro the behaviour, basically you use the device, turn off the screen for a while, open it again:

  • 1.5.10 will reply slow but it will respond to the queries
  • 1.6.4 might start later on but the waiting time makes it unusable, one can dig at the dnscrypt-proxy ports (5301/5302) and they respond right away with NOERROR and the IP, while unbound says SERVFAIL (port 5300)

@ghost

ghost commented Jul 11, 2017

@licaon-kter yes build 9 exhibits the same behaviour for me, turn off the screen and the log is emptied (was the report for your build 12 and 13 a response to the log screen going white or what? What steps did you take to 'repo the behaviour'? terminal commands?), but the processes still seem to run. Maybe turning up the default verbosity will help the log to keep ticking after turning off the screen?

I will mention just now- i don't know that it's an 'issue', per se, maybe for non root users-one thing I don't like about the unbound port to android overall is, it seems you can't launch the binaries standalone in the terminal without root.

I myself have not figured that out, maybe there's a way? This ought to be implemented, as the current idea being pushed for all of this is, 'using unbound dns with dnscrypt behind netguard, no root'. (correct @smarek?)

so, there's that.

anyway, @licaon-kter I want to try one of your new builds. I'm currently using build 9. What happened to build 10? It looks like you scrapped that one.

And what of build 11? Was that one intended for testing?

This really needs an official changelog.

@licaon-kter
Contributor Author

licaon-kter commented Jul 11, 2017

After the screen is off you are at the mercy of the Android battery policies, either Doze or OEM. Now, unbound being a PC app first might not be that smart to cope with suspend.

You can launch binaries, the only limit is this (as far as I can see): you can only make programs executable and launch them IF they're located in the app's data folder.

Eg on how I tested dnscrypt-proxy with Termux:

  • extract package.zip from APK
  • extract files from package.zip in /sdcard/Downloads/package
  • in Termux copy package folder to home dir of the app (actually located at /data/data/org.termux/files/home) by running: cp -r /sdcard/Downloads/package ~/
  • enter bin folder: cd package/bin
  • make them all executable: chmod 755 *
  • run whatever

Build numbers are just to keep my testing on a plan (actually I've built a lot of these and scrap them if failing):

  • build 9 is unbound 1.5.10
  • build 10 was scrapped internal testing (trying to omit some app views that are useless like unbound-control and trying to get rid of the first page checkboxes)
  • build 11 was updated to unbound 1.6.3 since that's the latest, also first build of the actual branch with the published source code
  • build 12 updated unbound 1.6.4 and openssl 1.0.2l, with the new "Create random list of dnscrypt servers on packaging" commit
  • build 13 as build 12 except that is using unbound 1.5.10, as it copes better with the needs of mobile (suspend) in my testing.

Builds 12 and 13 are for comparison at this moment, hope you (or others?) can use them both for a few days and make a judgement.

About that last commit, I had dnscrypt.eu-dk in builds 9 & 11 IIRC and it failed to resolve even on desktop for some reason, that made testing even harder.

@ghost

ghost commented Jul 11, 2017

@licaon-kter ok, so as far as the terminal is concerned, I'm using data/data/jackpal.androidterm.

I'll report back to follow your instruction set to use the binaries standalone without root, thanks for the hint.

so, your response, in regards to your build numbers, seems to me to suggest that build 12, as of now in the current development, is the recommended test release, yes?

@licaon-kter
Contributor Author

12 and 13 are both, since the issues I have with Unbound 1.6.x. Hence my request to test them both.

@ghost

ghost commented Jul 12, 2017

So, reporting back to use the binaries without root.

As I expected, it's not working for me. I've pushed the extracted package.zip to home directory of terminal emulator app at data/data/jackpal.androidterm/app_HOME, cd from there to package/bin, and in an example test, the command ./dnscrypt-proxy --version, I get a 'CANNOT LINK EXECUTABLE' error from libsodium.so, despite it being in the same directory.

I've set permissions to executable 755 for all files there, even the folders themselves, reboot, cd back to the directory, executed the same test, and experience the same result.

I don't expect you to provide a direct answer, but i ask anyway: what is termux doing differently as there are no errors for you to use it with the unbound binaries standalone without root, but with terminal emulator I'm experiencing the issue I've listed above?

can you test the binaries using jackpal.androidterm to see if you too experience the same issue?

@licaon-kter
Contributor Author

licaon-kter commented Jul 12, 2017

F-Droid has jackpal.androidterm from 2012, not sure if that's useful for testing.
I see that Termux needs Android 5 or later, hence you can't use it.

Anyway, that is for testing, now, using the app (build 12 or 13) what does the log say?

@ghost

ghost commented Jul 13, 2017

screenshot_2017-07-13-01-30-05

I'm using build 12.

Build 9 is a bit 'snappier' for me. It could be the dnscrypt resolvers you set to default in that build, maybe from my location I get a quicker response time.

Just a theory, I haven't bothered with ping.

The issue of having to force stop the app, kill dnscrypt/unbound in terminal, delete all server files, and restart the app after a reboot is still present, at least for me.

To just now mention that, it's such a dirty workaround. There ought to be a sh script to help automate that, if it can't be fixed better yet. I'll try to get one together and maybe post it here if it works.

Also, noticed you're using a dnscrypt resolver count of 4 in build 12, for fall back reasons?

@licaon-kter
Contributor Author

licaon-kter commented Jul 13, 2017

> Build 9 is a bit 'snappier' for me...server

Yes server might be a factor.

> its such a dirty workaround.

That should not be the case on EVERY start, I don't have that, basically plain Android force close and clean data will make it work (as that's a requirement for NO-root). I've mentioned that since you have root, you can control/check stuff a little better.

> kill dnscrypt/unbound in terminal

Killing the app will do that... your ROM does not do that? Umm....

> delete all server files

Android->Clean app data will do that... your ROM does not do that? Umm...

> restart the app after a reboot

The app starts on boot fine here (in app checkbox checked)... your ROM does not do that? Other apps start?

> There ought to be a sh script

See my last line in the comment above: #18 (comment)

> you're using a dnscrypt resolver count of 4 in build 12, for fall back reasons?

There were always four (yes, they're hard coded for now, randomly chosen at build time), they get tested every time the app is started, first one that responds between 1 and 2 will listen on port 5301, and first one that responds between 3 and 4 will listen on port 5302. That depends on your connection and the server.

@ghost

ghost commented Jul 13, 2017

> kill dnscrypt/unbound in terminal, Killing the app will do that... your ROM does not do that? Umm....

So, that's 'odd', and, yes, a force close from app manager on this rom (stock rom btw) doesn't attach the dnscrypt and unbound binaries to kill, so what processes is it 'closing'? I'm assuming the app id, but the binaries still run in background/foreground, I don't know.

I was mistaken about 'delete all server files-insert- with root explorer'. yes, the app manager does take care of that standalone.

However, it's still necessary, for me, to have to terminal root killall dnscrypt and unbound after a force close, otherwise I get a root.key error upon restarting the app.

> The app starts on boot fine here (in app checkbox checked)... your ROM does not do that? Other apps start?

No, you misunderstood me there. It starts fine on reboot. The trust anchor presented twice is the issue as far as that's concerned. I created a separate ticket to mention that. For your build 12 I haven't yet tested it. Maybe it's fixed, although I doubt it.

Your builds are considered 'duct tape' as of now, correct?

> there ought to be a sh script, See my last line in the comment above: #18 (comment)

I think I'm missing something there, care to explain? What does that have to do with a sh script workaround? Or, where's the sh script?

> you're using a dnscrypt resolver count of 4 in build 12, for fall back reasons?, There were always four

Were there? I remember counting only two in build 9. Your most recent builds, yes, four resolvers. Is that what you mean?

@ghost

ghost commented Jul 13, 2017

Just downgraded to build 9. Your build 12, also maybe 13-I've not tested that build- use the newly implemented conf file for dnscrypt.

In those builds, the resolvers are listed in the dnscrypt.conf file, yes, four.

Where's the same for build 9?

As to mention that just now, I've reviewed your initial dnscrypt addition code as prior to special build 9, there were only two servers listed there, namely ns0.dnscrypt.is and the soltysiak server, what were the other two?

Also, there's a dialog in your build 12 to mention the d0wn resolvers it connects to in its log. Is that a result of using a conf file for dnscrypt in that build, or, no?

There's no mention of the connecting resolvers in the build 9 log.

Would you call that a 'bug fix' to compare side by side your build 9 and build 12?

@smarek Please, get in here.

@licaon-kter
Contributor Author

Yes it's all duct tape, don't bother him about this :)

Remembered wrong, build 9 has only 3, one (between 1 and 2) will listen on 5301 and another one is setup for 5302. Build 11, 12 and 13 will mention in the log (view) the servers it has setup.

> Or, where's the sh script?

There is no script, read again: the package.zip is extracted in some conditions.

> The trust anchor presented twice

Yeah, the initial errors need to be better tackled.

@licaon-kter
Contributor Author

Build 14: https://mega.nz/#!tUBEBC4L!b7KL6nVlZQ2gpSzvRACPbI_-0HbUc6ZNVlo1If9CYxU
sha256sum: 16679a6008a8cc2ac708358b5c5d6cc644b7393cb024b721b0daefcf3301b0dc

Changes (unbound 1.5.10+openssl 1.0.2l):

  • added PATH to setup script
  • re-enabled some cleanup (that was in git but not in the script included in the APK)
  • enabled D8 (not seeing any difference though)

@ghost

ghost commented Aug 19, 2017

@licaon-kter I'll take the new build for a spin and report back.

@doe9

doe9 commented Jan 22, 2018

```
[1516619939] libunbound[30232:0] error: module init for module validator failed
root.key has content
resolve DNSKEY: initialization failure
error: SSL handshake failed
3067778444:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
[1516619940] unbound[30251:0] error: can't bind socket: Address already in use for 127.0.0.1
[1516619940] unbound[30251:0] fatal error: could not open ports
error: SSL handshake failed
3067577740:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
error: SSL handshake failed
3067889036:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
```

@licaon-kter
Contributor Author

@doe9 What build? What device? What Android version?

@doe9

doe9 commented Jan 22, 2018

I use build 14, Nexus 5, Lineages OS 14, honestly, I like your hard work, very cool apps.
Right now I'm using build 13, but I can't see mainlog, it looks like this build works fine.

@cgk78

cgk78 commented Jan 22, 2018

@licaon-kter
Contributor Author

licaon-kter commented Jan 22, 2018

I'd recommend you use build 14, build 13 might have different servers and one of them is down IIRC, remember to clear all app data after update, and be patient when you start the app again, it takes a bit to generate its needed files.

Regarding the log, you can see it on first start, but not at any time, it does not matter actually.

Attach a new picture after 14 started.

Also see LE2 note in the first post here, use ports 5301 or 5302.

@cgk78

cgk78 commented Jan 22, 2018

If I use build 14, it won't start, I don't see notification from status bar (unbound not running) I'm sure about this.

@licaon-kter
Contributor Author

The app won't actually start? Even if you uninstall build 13 and then install 14?

@cgk78

cgk78 commented Jan 22, 2018

Yes Sir.

@licaon-kter
Contributor Author

Some ADB log from when you start the app would be nice.

@cgk78

cgk78 commented Jan 22, 2018

@cgk78

cgk78 commented Jan 22, 2018

Works perfectly in build 14, I changed 127.0.0.1 to my device IP address 192.168.1.42 at unbound.conf

@cgk78

cgk78 commented Jan 22, 2018

@licaon-kter
Contributor Author

licaon-kter commented Jan 22, 2018

Strange... this sounds like a ROM issue.

So how did you get it started after all?

@cgk78

cgk78 commented Jan 22, 2018

Before I changed to 192.168.1.42, I changed to 127.0.0.2 in interface, then reloaded, but I also got an error in the remote-control section, so I changed from 127.0.0.1 to 127.0.0.2 and reloaded, strange, because I don't see anything in the mainlog, because on my Linux box (laptop) I use unbound as local resolver, then I tried changing to 192.168.1.42 (android IP), reloaded the conf & it works perfectly 😁.
I'm also confused, but it doesn't work if I change the conf like below:

```
server:
    verbosity: 1
    interface: 192.168.1.42@853
    # interface: ::1
    # interface: 0.0.0.0
    port: 5300
    do-daemonize: no
    # access-control: 0.0.0.0/0 refuse
    # access-control: 0.0.0.0/0 allow_snoop
    # access-control: ::0/0 refuse
    # access-control: ::0/0 allow_snoop
    # do-not-query-address: 127.0.0.1/8
    # do-not-query-address: ::1
    do-not-query-localhost: no
    # prefetch: yes
    # prefetch-key: yes
    cache-max-ttl: 604800
    cache-min-ttl: 432000
    directory: ""
    chroot: ""
    username: ""
    logfile: "mainlog"
    pidfile: "unbound.pid"
    auto-trust-anchor-file: "root.key"
    harden-dnssec-stripped: yes
    rrset-roundrobin: yes
    ssl-upstream: yes
    # udp-upstream-without-downstream: yes
    qname-minimisation: yes
    minimal-responses: yes
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    outgoing-num-tcp: 64
    rrset-cache-size: 256m
    msg-cache-size: 128m

    ssl-service-key: "unbound_server.key"
    ssl-service-pem: "unbound_server.pem"
    ssl-port: 853

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5301
    forward-addr: 127.0.0.1@5302
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
    forward-addr: 145.100.185.15@853
    forward-addr: 145.100.185.16@853
    forward-addr: 184.105.193.78@853
    forward-addr: 185.49.141.37@853
    forward-addr: 199.58.81.218@853
    forward-addr: 146.185.167.43@853
    forward-addr: 89.233.43.71@853

remote-control:
    control-enable: yes
    # control-interface: 0.0.0.0
    control-interface: 192.168.1.42
    # control-interface: ::1
    control-port: 8953
    server-key-file: "unbound_server.key"
    server-cert-file: "unbound_server.pem"
    control-key-file: "unbound_control.key"
    control-cert-file: "unbound_control.pem"
```
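
Added example, not part of the thread or of the app: a small check for an `unbound.conf` like the one posted above. It reports `interface:` and `control-interface:` entries bound to non-loopback addresses and, when `ssl-upstream: yes` is set, loopback forwarders on a port other than 853, on the assumption that those are the plain-DNS dnscrypt-proxy instances on 5301/5302 from this thread. The sample config and the finding labels are constructed for the example.

```shell
#!/bin/sh
# Added example: lint an unbound.conf for two things visible in the config above.
# In the Unbound versions used in this thread (1.5.10 / 1.6.4) ssl-upstream is a
# server-wide switch, so it applies to every forward-addr, local ones included.

# lint_unbound_conf FILE
# Prints one finding per line:
#   EXPOSED <option> <addr>        interface/control-interface not on loopback
#   TLS-TO-PLAIN-FORWARDER <addr>  ssl-upstream is on, forwarder looks plain-DNS
lint_unbound_conf() {
    awk '
    function loopback(a) {
        sub(/@.*/, "", a)                  # drop the optional @port suffix
        return (a ~ /^127\./ || a == "::1")
    }
    { sub(/#.*/, "") }                     # strip comments
    NF == 0 { next }                       # skip blank lines
    {
        key = $1; sub(/:$/, "", key)
        val = $2; gsub(/"/, "", val)
        if (key == "interface" || key == "control-interface") {
            if (!loopback(val)) print "EXPOSED " key " " val
        } else if (key == "ssl-upstream" && val == "yes") {
            tls = 1
        } else if (key == "forward-addr") {
            fwd[++n] = val
        }
    }
    END {
        if (!tls) exit
        for (i = 1; i <= n; i++) {
            split(fwd[i], p, "@")
            # Assumption: a loopback forwarder that is not on 853 speaks
            # plain DNS (dnscrypt-proxy on 5301/5302 in this thread).
            if (loopback(fwd[i]) && p[2] != "853")
                print "TLS-TO-PLAIN-FORWARDER " fwd[i]
        }
    }
    ' "$1"
}

# Constructed excerpt of the config posted above.
write_sample_conf() {
    cat > "$1" <<'EOF'
server:
    interface: 192.168.1.42@853
    # interface: ::1
    port: 5300
    ssl-upstream: yes
    ssl-port: 853
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5301
    forward-addr: 127.0.0.1@5302
    forward-addr: 9.9.9.9@853
remote-control:
    control-enable: yes
    control-interface: 192.168.1.42
    control-port: 8953
EOF
}

# Demo run on the constructed sample.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
lint_unbound_conf "$demo_conf"
rm -f "$demo_conf"
```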

@cgk78

cgk78 commented Jan 22, 2018

I hope in the next release can work for DNS Over TLS with your great apps.
