ad blocking

[macster2075]

I think you have answered my question. I was confused because in videos on how to implement Unbound, they say I can use an upstream dns along with Unbound, but now you're saying it's an either or.
I just don't want to setup Unbound if it's not going to provide any benefit to me since I will also need to use OpenDns for adult content filtering.

So, you're saying this image does not look correct?

 

[RMerlin]

BTW, running your own recursive resolver does not improve privacy, security, quite the opposite.

When you run your own rescursive resolver, it means your DNS server will directly contact the authoritative domain servers for domains you try to connect at, exposing information about your connection. Look at how "DNS leak tests" work, and replace these test with a malicious server.

All I`d have to do is register maliciousdomain.com, set up its authoritative DNS to servers that I manage, and post a link to the maliciousdomain.com within a webpage. Once you visit that page, I will get your IP address, or possibly your local client subnet (if using EDNS Client Subnet) just by getting you to visit that website.

 

[SomeWhereOverTheRainBow]

All I`d have to do is register maliciousdomain.com, set up its authoritative DNS to servers that I manage, and post a link to the maliciousdomain.com within a webpage. Once you visit that page, I will get your IP address, or possibly your local client subnet (if using EDNS Client Subnet) just by getting you to visit that website.

You sound like you have done this before, (or heard of someone doing this before)... hahaha.

 

[macster2075]

Ok.. that sounds scary.. sticking with OpenDns.. problem solved.

 

[SomeWhereOverTheRainBow]

BTW, running your own recursive resolver does not improve privacy, security, quite the opposite.

When you run your own rescursive resolver, it means your DNS server will directly contact the authoritative domain servers for domains you try to connect at, exposing information about your connection. Look at how "DNS leak tests" work, and replace these test with a malicious server.

All I`d have to do is register maliciousdomain.com, set up its authoritative DNS to servers that I manage, and post a link to the maliciousdomain.com within a webpage. Once you visit that page, I will get your IP address, or possibly your local client subnet (if using EDNS Client Subnet) just by getting you to visit that website.

This is more likely to happen using big box DNS servers than someone looking for lone little 'ole' me recursive dns server. Wait, it already happened here:

DNS cache poisoning attacks exploited in the wild

UPDATE: Arbor Networks have provided more details in their "30 Days of DNS Attack Activity" analysis, SANS confirmed HD Moore's statement on DNS cache poisoned AT&T DNS servers. Numerous independent sources are starting to see evidence of DNS cache poisoning attempts on their local networks, in...

www.zdnet.com

 

[jata]

This is a good and informative thread and demonstrates that nothing we do is completely private/safe and there is a balance depending on the need of the user/family and the primary use case/purpose. What I have found a good balance (for my family) is.

Main objective: Easy to manage setup with strong/good adblocking for all LAN clients with some additional malware/adult blocking

My setup is as follows:

• Merlin on my router - of course
• Primary DNS: RPI running dietpi with adguard home and unbound setup (mainly automatically configured/setup managed)
• Secondary DNS: NextDNS on a their free service (<300k lookups/mth i think) - this is used to catch stuff that does go through primary (e.g. if i need to reboot primary). Also allows me to use nextDNS app to block ads on my iphone when off the LAN
• WAN DNS: set to google DNS or my ISP (don't care really as not really used - only by router f/w stuff)
• DHCP DNS: set to primary and secondary as outlined above. All clients using DHCP...
• DNS Director: Off (not needed for me. I have local client name lookup/resolution by adding the following to unbound config) - [//50.168.192.in-addr.arpa/lan/local/]192.168.50.1:53

Been running like this for around 3mths. Very happy. Let my paid NextDNS service expire so also saving a little $$$

 

[SomeWhereOverTheRainBow]

This is a good and informative thread and demonstrates that nothing we do is completely private/safe and there is a balance depending on the need of the user/family and the primary use case/purpose. What I have found a good balance (for my family) is.

Main objective: Easy to manage setup with strong/good adblocking for all LAN clients with some additional malware/adult blocking

My setup is as follows:

• Merlin on my router - of course
• Primary DNS: RPI running dietpi with adguard home and unbound setup (mainly automatically configured/setup managed)
• Secondary DNS: NextDNS on a their free service (<300k lookups/mth i think) - this is used to catch stuff that does go through primary (e.g. if i need to reboot primary). Also allows me to use nextDNS app to block ads on my iphone when off the LAN
• WAN DNS: set to google DNS or my ISP (don't care really as not really used - only by router f/w stuff)
• DHCP DNS: set to primary and secondary as outlined above. All clients using DHCP...
• DNS Director: Off (not needed for me. I have local client name lookup/resolution by adding the following to unbound config) - [//50.168.192.in-addr.arpa/lan/local/]192.168.50.1:53

Been running like this for around 3mths. Very happy. Let my paid NextDNS service expire so also saving a little $$$

Yea I liked nextDNS at first, then the CLI methodology went from addon friendly to addon enemy with all the unfair practices the developers of nextdns CLI placed inside their staging scripts. ( basically they caused conflicts with other scripts running for dnsmasq.)

 

[shabbs]

• DHCP DNS: set to primary and secondary as outlined above. All clients using DHCP...

How do you control which DNS the clients hit (DNS1 vs DNS2) as there will be a small number that go directly to DNS2 without using DNS1?

 

[SomeWhereOverTheRainBow]

How do you control which DNS the clients hit (DNS1 vs DNS2) as there will be a small number that go directly to DNS2 without using DNS1?

options like strict-order or all-servers. I think even the newest version of DNSMASQ has more "order" options including specifying round robin options. (AsuswrtMerlin isn't running this newest version though).

 

[jata]

How do you control which DNS the clients hit (DNS1 vs DNS2) as there will be a small number that go directly to DNS2 without using DNS1?

Good question and one I have been thinking about looking into. I have done nothing 'additional' to my setup and find that around 90%+ go through primary and that keeps me below the 300k per month for NextDNS so I have just been monitoring it.

@SomeWhereOverTheRainBow - can you elaborate on the strict-order 'directive' please? Is this something i add to dnsmasq or is it part of the defaults?

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow - can you elaborate on the strict-order 'directive' please? Is this something i add to dnsmasq or is it part of the defaults?

You can find out more information about it from here https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

 

[jata]

Yea I liked nextDNS at first, then the CLI methodology went from addon friendly to addon enemy with all the unfair practices the developers of nextdns CLI placed inside their staging scripts. ( basically they caused conflicts with other scripts running for dnsmasq.)

This is the one limitation I had to accept. I no longer run the CLI setup for nextDNS on my router and so can't get client name (or IP) level stats - all categorised as 'unidentified'. But the intent is to minimise the use of the secondary DNS (so it's an acceptable limitation - for me)

 

[jata]

just looked into strict-order and the notes say that "Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf"

I added it to dnsmasq.conf.add - that now looks like this:

strict-order
no-resolv
server=192.168.x.x
server=45.90.28.249

I checked resolve.conf and see it only has the IPs of my WAN DNS servers.

Will this still work?

 

[shabbs]

options like strict-order or all-servers. I think even the newest version of DNSMASQ has more "order" options including specifying round robin options. (AsuswrtMerlin isn't running this newest version though).

Interesting. Cheers for the info.

 

[shabbs]

Good question and one I have been thinking about looking into. I have done nothing 'additional' to my setup and find that around 90%+ go through primary and that keeps me below the 300k per month for NextDNS so I have just been monitoring it.

@SomeWhereOverTheRainBow - can you elaborate on the strict-order 'directive' please? Is this something i add to dnsmasq or is it part of the defaults?

With my dual Pi-hole setup, I've found that it's just under a 90/10 split of traffic between DNS1 and DNS2. This is for ~110 clients on my home network. 300k+ requests / 24 hours across both Pi-holes in total.

 

[RMerlin]

ou sound like you have done this before, (or heard of someone doing this before)... hahaha.

No, simply that I've been managing DNS servers as part of my job for close to 20 years, so I have a good understanding on how the DNS system works.

 

[jtp10181]

just looked into strict-order and the notes say that "Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf"

I added it to dnsmasq.conf.add - that now looks like this:

strict-order
no-resolv
server=192.168.x.x
server=45.90.28.249

I checked resolve.conf and see it only has the IPs of my WAN DNS servers.

Will this still work?

Correct me if I am wrong someone, but wont setting that on the router just effect the upstream DNS the ROUTER itself uses? This will not change anything for the clients who get the two DNS servers via DHCP, they will still decide for themselves which one to use. The only way this would help is if you point your LAN clients to the router for DNS, then configure the router WAN DNS for your Pi and NextDNS. Bad thing doing that is it looks like every query comes from the router, which is exactly why I don't do that.

If there was a way to hand out the DNS via DHCP and tell the clients which one to use Primary and which is backup that would be awesome. Right now I just have my AdGuard listed to force everything to use it. I would love to be able to set the router as a failover backup. Currently if I need to take the DNS offline I change the DHCP on the router to include the router IP beforehand which mostly helps but most devices wont pick it up unless they reconnect.

 

[New2This]

No, simply that I've been managing DNS servers as part of my job for close to 20 years, so I have a good understanding on how the DNS system works.

Would you recommend Cira dns servers? Canada here also, T.O

Free DNS Servers | CIRA

Canadian Shield is a free DNS firewall service provided by CIRA that protects your devices from malware, phishing, and other cyber threats. Learn how Canadian Shield can help keep you safe online and get started today.

www.cira.ca

 

[RMerlin]

Would you recommend Cira dns servers? Canada here also, T.O

I never tested their Canadian Shield servers (great name BTW) so I cannot comment on how efficient they are at blocking sites. I expect them to have a PoP connected directly to the Toronto IX, so latency should be good.

Someday, it might be nice for someone to actually review and evaluate these filtering services, just like they are reviewing antivirus efficiency.

 

[Tech9]

Would you recommend Cira dns servers?

Government agency. Pornography scandal around the CEO. Unclear what is protected and collected. It's like relying on CRA to help you save taxes.