
Does this look right for Nord VPN Unbound setup, the extra address worked

Jack-Sparr0w

Regular Contributor
Link: https://nurdletech.com/linux-notes/dns/unbound.html

forward-zone:
name: "."
forward-tls-upstream: yes

# Cloudflare DNS
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com

# NordVPN
forward-addr: 103.86.96.100@853#dns1.nordvpn.com
forward-addr: 103.86.99.100@853#dns2.nordvpn.com

# Quad9
forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 2620:fe::9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
 
My Version:

forward-zone:
name: "."
forward-tls-upstream: yes

# Cloudflare DNS
forward-addr: 2606:4700:4700::1112@853#cloudflare-dns.com
forward-addr: 1.1.1.2@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1002@853#cloudflare-dns.com
forward-addr: 1.0.0.2@853#cloudflare-dns.com

# NordVPN
forward-addr: 103.86.96.100@853#dns1.nordvpn.com
forward-addr: 103.86.99.100@853#dns2.nordvpn.com

# Quad9
forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 2620:fe::9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net


Changed Cloudflare to have malware protection (1.1.1.2 and 1.0.0.2). Everything working nice, just wondering if this is right? New to DoT and Unbound. Nord VPN on top of all this and still getting wicked speeds.
 
test passed too
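As an added example (not from the post, and not Unbound's own tooling), a small Python check of a forward-zone like the one above: it confirms every forward-addr carries the DoT port 853 and a #authname, and that a tls-cert-bundle or tls-system-cert setting is present, since Unbound only verifies the upstream certificate and its name when a trust bundle is configured. The server: section in the sample is assumed; the post shows only the forward-zone.

```python
import ipaddress
import re

# Constructed sample: the thread's forward-zone (shortened) plus an assumed
# server: section, which the post did not show, so the bundle check has input.
SAMPLE_CONF = """\
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Cloudflare DNS (malware-blocking resolvers)
    forward-addr: 2606:4700:4700::1112@853#cloudflare-dns.com
    forward-addr: 1.1.1.2@853#cloudflare-dns.com
    # NordVPN
    forward-addr: 103.86.96.100@853#dns1.nordvpn.com
    # Quad9
    forward-addr: 9.9.9.9@853#dns.quad9.net
"""

# forward-addr: <ip>[@port][#authname]  (port defaults to 53 when omitted)
ADDR_RE = re.compile(r"^\s*forward-addr:\s*([0-9A-Fa-f:.]+)(?:@(\d+))?(?:#(\S+))?\s*$")

def check_forward_zone(conf: str) -> list[str]:
    """Return findings for a DoT forwarding config; an empty list means OK."""
    findings = []
    if not re.search(r"^\s*forward-tls-upstream:\s*yes", conf, re.M):
        findings.append("forward-tls-upstream is not 'yes': forwarding is plaintext")
    # Without a trust bundle Unbound does not verify the upstream cert or #authname.
    if not re.search(r'^\s*(tls-cert-bundle:\s*"?[^"\s]+|tls-system-cert:\s*yes)', conf, re.M):
        findings.append("no tls-cert-bundle/tls-system-cert: upstream cert and #authname are not verified")
    for line in conf.splitlines():
        if not line.strip().startswith("forward-addr:"):
            continue
        m = ADDR_RE.match(line)
        if not m:
            findings.append(f"unparseable forward-addr: {line.strip()}")
            continue
        ip, port, name = m.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"bad IP literal: {ip}")
        if port != "853":
            findings.append(f"{ip}: port {port or '53'} is not the DoT port 853")
        if not name:
            findings.append(f"{ip}: missing #authname, TLS name check cannot happen")
    return findings

if __name__ == "__main__":
    print(check_forward_zone(SAMPLE_CONF) or "no findings")
```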
 

Why do you want to use Unbound when you just configure it as a forwarder with DoT? dnsmasq+stubby (DNS Privacy) can do the same thing with no dependency on a usb stick or Entware. If you don’t use Unbound as a recursive resolver, it doesn’t seem worth it to me.
 
Using DNS over TLS (DoT) with Unbound DNS enhances privacy and security by encrypting DNS queries and responses between the client and the DNS server. This encryption prevents eavesdropping and tampering of DNS data, ensuring that the domain names and IP addresses being queried are not visible to third parties, including ISPs.
 
DNS over TLS (DoT) with Unbound DNS provides several advantages over using DNS without encryption:

  1. Security and Privacy: DoT encrypts DNS traffic, which helps protect against eavesdropping and man-in-the-middle (MITM) attacks. This ensures that your DNS queries and responses are not intercepted or tampered with, enhancing both security and privacy.
  2. Integrity and Authentication: By validating the TLS certificates of the DNS servers, you can ensure that you are communicating with the intended DNS resolver. This prevents DNS hijacking and ensures the integrity of the DNS responses.
  3. Compliance and Best Practices: Many organizations and security standards recommend or require encrypted DNS to protect sensitive information and comply with data protection regulations.
  4. Separation of Traffic: Unlike DNS over HTTPS (DoH), which blends DNS traffic with other HTTPS traffic, DoT uses a dedicated port (853). This makes it easier to monitor and manage DNS traffic on your network, which can be beneficial for network administrators.
  5. Performance: While DoH can provide some additional privacy by blending DNS traffic with other HTTPS traffic, DoT is generally more efficient in terms of performance because it uses UDP, which is a lighter protocol compared to the TCP used by DoH.
  6. Simplicity: Configuring DoT with Unbound is relatively straightforward. It involves un-commenting a few lines in the unbound.conf file and specifying the forwarders with their TLS settings.
  7. DNSSEC Support: DoT can be combined with DNSSEC validation to further enhance the security of DNS responses. This ensures that the DNS data has not been tampered with and is authentic.
By using DoT with Unbound DNS, you can significantly improve the security and privacy of your DNS infrastructure, making it a preferred choice over unencrypted DNS.
 
My real IP does not show in a DNS leak test now.
It would not have shown up if you hadn’t installed Unbound originally. All I’m trying to unsuccessfully convey is that you can put those same 10 DoT addresses on the WAN / DNS Privacy section of the router and get the same results. Unbound isn’t needed in this scenario. You may eventually reach that same conclusion after you tinker some more and satisfy your curiosity.
 
There’s no point using Unbound if you’re forwarding to a third-party DNS resolver when the router can do this already.

Unbound is meant to be used recursively and by going to the root dns servers to resolve queries.

There’s also no need to post AI generated replies :)
 
Security vs more privacy? I thought it was to bypass the ISP algorithm.

Not sure what you call "ISP algorithm", but your ISP sees all resolved IP addresses anyway.
 
At the end of the day I am surprised this address worked:
# NordVPN
forward-addr: 103.86.96.100@853#dns1.nordvpn.com
forward-addr: 103.86.99.100@853#dns2.nordvpn.com
 
Also what is it used for if the option is in the script? Why on earth is that option there? No one seems to be able to answer that. What about the VPN option, what do you think about binding Unbound to a VPN? I'm still sending data somewhere else with that. Cloudflare and Quad don't log anything anyways. This just stops DNS leaks from Nord:
forward-addr: 103.86.96.100@853#dns1.nordvpn.com
forward-addr: 103.86.99.100@853#dns2.nordvpn.com
I was told when this program was first made it was just to bypass the ISP. Nord requires an upstream service to block leaks. You should look into it. It's just an extra layer of security.
 
I have a way older account on this forum. I've seen this program from the start. This is kind of an old debate. What I've seen so far is everyone has a different opinion on this subject; never have I got the same answer to this question. All I can do is trust the AI answers from all setups with different routers. Main reason why I use it: it turns off hardware acceleration on new routers, so now all data has to go through the CPU. (There is no option for HW acceleration on new routers.)
 
Also what is it used for if the option is in the script? Why on earth is that option there? No one seems to be able to answer that. What about the VPN option, what do you think about binding Unbound to a VPN? I'm still sending data somewhere else with that. Cloudflare and Quad don't log anything anyways. This just stops DNS leaks from Nord:
forward-addr: 103.86.96.100@853#dns1.nordvpn.com
forward-addr: 103.86.99.100@853#dns2.nordvpn.com
I was told when this program was first made it was just to bypass the ISP. Nord requires an upstream service to block leaks. You should look into it. It's just an extra layer of security.

The option is there for routers/devices/etc. that don’t support DoT out of the box or in their settings.

Unbound has been around for 18 years and I believe TLS forwarding has been around for at least 14/15 of those years.

Cloudflare and Quad9 actually do collect anonymised data, but claim to not log PII.

I don’t need to look into it either - I use Unbound already on my RPi going straight out to the root DNS servers.
 
I have a way older account on this forum. I've seen this program from the start.
Then why aren't you using your original account? Why use this one? Why even say this? This is what's called an "appeal to authority fallacy".

All I can do is trust the AI answers from all setups with different routers.
Trusting AI to give you correct information is certainly NOT recommended. Huge mistake. <sigh>

As @dave14305 and others are saying... what you're doing with Unbound has zero benefit since your router already has built-in DoT capabilities. It literally does the same exact thing as Unbound. All you're doing is making it more complex and inefficient, and setting yourself up for another add-on component that has the potential of failing. And unless you completely trust whoever you're using for DNS purposes, they can see everything you're doing.
 
What I've seen so far is everyone has a different opinion on this subject.

You just replace the Dnsmasq (forwarder) built into Asuswrt, with its DoT option, with Unbound (used as a forwarder), with its DoT option. Both do exactly the same thing. One requires a few clicks in the GUI, the other custom firmware, a custom script, Entware and a USB stick. It's not about opinion. You can go to your living room from inside the house, or you can also exit from the main door, go around the house and enter from the back yard door. It's your choice of doing things - you prefer to go around the house and it's okay. 🤷‍♂️
 