How to use a TLS proxy with a DNS nameserver

It is of course possible to configure a TLS proxy in front of a DNS nameserver to provide DNS-over-TLS. Example configurations for nginx and haproxy are given here

Nameserver config

To use the following with BIND to offer a TLS service, configure BIND based on the following named.conf snippet

options {
listen-on port 9999 {; };
allow-query {; };
tcp-clients 1024;


user www-data;
worker_processes auto;
pid /run/;

events {
worker_connections 1024;
# multi_accept on;

stream {
upstream dns_tcp_servers {


server {
listen 853 ssl;
proxy_pass dns_tcp_servers;

   ssl_certificate       /etc/nginx/lego/certificates/<cert>.crt;
   ssl_certificate_key   /etc/nginx/lego/certificates/<cert>.key;
   ssl_protocols         TLSv1.2;
   ssl_ciphers           ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
   ssl_session_tickets on;
   ssl_session_timeout   4h;
   ssl_handshake_timeout 30s;


log /dev/log local0
chroot /var/lib/haproxy
user haproxy
group haproxy
maxconn 1024
pidfile /var/run/
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-options force-tlsv12

   # Default SSL material locations
   ca-base /etc/ssl/certs
   crt-base /etc/ssl/private
balance roundrobin
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s

listen dns
bind ssl crt /etc/haproxy/lego/certificates/<cert>.pem
mode tcp
server server1