FreeBSD 使用 unbound 配置 DNS over TLS

local_unbound 是 FreeBSD 内置的组件，应对本机使用的 DNS 服务配置没有问题，这里我们只使用它来初始化配置：

$ sudo service local_unbound onesetup

Performing initial setup.
destination: 
Extracting forwarders from /etc/resolv.conf.
/var/unbound/forward.conf created
/var/unbound/lan-zones.conf created
/var/unbound/control.conf created
/var/unbound/unbound.conf created
/etc/resolvconf.conf created
Original /etc/resolv.conf saved as /var/backups/resolv.conf.20240629.050713

自动生成的文件 /etc/resolvconf.conf 里面和 local_unbound 相关的名称都调整成 unbound：

# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
libc="NO"
unbound_conf="/var/unbound/forward.conf"
unbound_pid="/var/run/unbound.pid"
unbound_service="unbound"
unbound_restart="service unbound reload"

想要体验完整特性还是需要安装完整版本的 unbound：

$ sudo pkg install unbound

unbound 的 DoT 需要依赖 security/ca_root_nss：

$ sudo pkg install security/ca_root_nss

然后再开启完整版本的 unbound：

$ sudo service unbound enable

unbound 默认加载的配置文件路径是 /usr/local/etc/unbound/unbound.conf，在 rc.conf 中可以配置默认加载的配置文件路径：

$ sudo sysrc unbound_config="/var/unbound/unbound.conf"

把 unbound 安装包自带的 root.key 复制到 /var/unbound 目录中：

cp /usr/local/etc/unbound/root.key /var/unbound/

由于 /var/unbound/forward.conf 会被 resolvconf 自动覆盖（因为在 resolvconf.conf 指定了这个路径），所以要把 /var/unbound/unbound.conf 文件中的相关路径注释掉：

server:
  username: unbound
  directory: /var/unbound
  chroot: /var/unbound
  pidfile: /var/run/unbound.pid
  auto-trust-anchor-file: /var/unbound/root.key
  prefer-ip6: yes
  num-threads: 2
  interface: lo0@53

# include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf

新建一个自定义的配置文件 /var/unbound/conf.d/custom.conf，把 DoT 的配置写在里面：

forward-zone:
  name: "."
  forward-first: no
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 8.8.8.8@853
  forward-addr: 9.9.9.9@853

重启系统：

sudo reboot

然后试试 nslookup 命令：

$ nslookup github.com

Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	github.com
Address: 140.82.116.4

参考：https://github.com/freebsd/freebsd-ports/blob/main/dns/unbound/files/unbound.in