Bind9 is supporting DoT and DoH natively since a while now. There is no need to run another Server in front of the most current Bind9 major version anymore.
Because most Linux distributions ship older versions of Bind9 with their stable release, a lot of examples are still referring to the old configuration approaches using NGINX, Stunnel or HAProxy to terminate TLS.
The configuration of DoT is pretty straight forward. A Bind9 resolver for clients could be setup like this for example:
tls mytls {
cert-file "/etc/bind9/fullchain.pem";
key-file "/etc/bind9/privkey.pem";
};
options {
directory "/var/cache/bind";
querylog no;
auth-nxdomain no;
dnssec-validation auto;
minimal-responses no-auth-recursive;
listen-on port 53 { any; };
listen-on-v6 { any; };
listen-on port 853 tls mytls { any; };
allow-transfer { none; };
allow-recursion { 127.0.0.1; ::1; };
recursion yes;
};
Bind9 will then listen on any IPv4 and IPv6 address and allow recursion ("resolving") only for localhost. Port 853 is configured as TLS port using the certificate named "mytls". So multiple IPs/Ports can serve several certificates.
By default Bind9 doesn't respond with the AUTHORITY SECTION and the ADDITIONAL SECTION anymore. This can be controlled with the minimal-responses parameter.
Can't wait to have those features added to Debian stable/backports :-)