DoT & DNSSEC vs Unbound?


JohnD5000

Very Senior Member
In the GUI WAN tab I have set:

Enable DNSSEC support
DNS-over-TLS (DOT)

In amtm, there is an option to add the script Unbound Manager. I read that Unbound is a secure validating, recursive, and caching DNS server. However, I am a little confused over what all these DNS protocols do.
Since I have DoT and DNSSEC set in the GUI, does Unbound offer any additional benefit over DoT and DNSSEC?

Or, does Unbound do the same thing as DoT & DNSSEC?

In other words, should I add Unbound? Should I delete DNSSEC and DoT? Or run both together?

Thanks for any insight.
 
Unbound does DNSSEC, but for Unbound to work right you would disable it (DNSSEC) and DoT in the web UI and then install Unbound. There are a few other requirements, like the NTP server being enabled and a few others, but you are warned and advised about these when you install.
 
For the most part you don't need DoT, as this is a recursive server: the resolution happens on the router; you are not forwarding.
 
Bottom line: if you are hiding from your ISP, don't use Unbound.
 
Bottom line: if you are hiding from your ISP, don't use Unbound.

Wouldn't a VPN... conceal your activities?
Turn off DoT and DNSSEC, host your own DNS lookups on your router so that only your router and the VPN know what you do (and the good ones don't log that for any amount of time), everything through the tunnel to the VPN's servers...
I thought it removed Google, Cloudflare (who may be just as sinister in time), your ISP, and/or whomever you use for DNS, more within your control on your end of the tunnel you pay for with the VPN.
More control over YOUR info. Right? And NTP is just a pulse to sync everything to; no data collection by the provider likely, correct?

This is rather important to clarify, I believe. Who can we trust?


Sent from my iPhone using Tapatalk
 
Yes to all of the above. All of that used with unbound would be fine.
 
Awesome.
I guess Diversion etc. would also protect us from the evil Amazon empire (that's as bad as or worse than Google)? What about Netflix, Spotify, Hulu...???



Sent from my iPhone using Tapatalk
 
What about Netflix, Spotify, Hulu...???
As far as ad blocking goes, nothing can be done; that includes YouTube. You would need a browser add-on for that.
 
Bottom line: if you are hiding from your ISP, don't use Unbound.

I'm still confused over what exactly DNSSEC, DoT and Unbound do. I was under the impression that DNSSEC and DoT protect from "man in the middle" activity, i.e. they encrypt my data between me and the DNS server. Is that correct? And is that what Unbound does? Does Unbound do this better?

Is Unbound better than DNSSEC & DoT in the GUI? From Ralphort's reply, it sounds like Unbound does this too (or has the option to). If so, what does Unbound add?
 
Also noticed this option to add the script Unbound Manager on amtm today. Installed it after checking the following requirements: 1) Enable DNSSEC support (Yes), 2) Enable DNS Rebind protection (No), 3) Enable DNS-based Filtering (Router), 4) Enable DoT, etc. It has ad blocking features, but I still kept the Diversion ad blocker (ON) with it. It replaces my Mullvad WireGuard VPN DNS servers (on the Asus RT-AC86U router) with those of Cloudflare, which I used as preset DNS servers. Normally, I can only use those Cloudflare DNS servers if running an OpenVPN client (not WireGuard). Post install, I ran a browser privacy test to check if at least TLS & DNSSEC is enabled, but now it won't put out a result on the DNS, TLS & DNSSEC tests (it just shows loading). On the DNSSEC resolver test everything's OK. I'm not sure if this is good or bad.

Follow up...
Also checked the DS Algorithm. I used to only have GOST & ECC-GOST as not validated, but now RSA-MD5, DSA and DSA-NSEC3-SHA1 are also added. Maybe I should uninstall this Unbound add-on.

Read that over and you should see what you need to adjust, the DNS server part. If Mullvad is good enough for your VPN, why would you use Cloudflare?


Sent from my iPhone using Tapatalk
 
I'm still confused over what exactly DNSSEC, DoT and Unbound do
They all do different jobs in a DNS forwarding state. In a recursive DNS state the encryption between your router and the upstream DNS server isn't required. The resolution is done right on the router. Using Unbound means no man-in-the-middle attack can happen. Unbound does not use encryption. It does have built-in support for DNSSEC. Your ISP could still sniff your packets and tell where you are surfing, too, whereas with DoT that would be more difficult.
EDIT: No support for DoT or DoH in Unbound at this time.
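To make the two modes in that reply concrete, here is an added example of an unbound.conf that runs Unbound the way the reply describes: recursive from the root servers, validating DNSSEC on the router itself, with no encryption on the queries it sends out. This is not the thread's or the Unbound Manager script's configuration; the listening port, LAN range and file paths are assumptions for an Entware layout on the router, and the commented-out forward-zone at the end is stock Unbound's way of forwarding over TLS instead, which is the other side of the trade-off the thread is weighing.

```conf
# Added example, not taken from the thread or from the Unbound Manager script.
# Port, LAN range and paths are assumptions; adjust them to your own layout.
server:
    verbosity: 1
    # Assumed: listen on a side port so dnsmasq on the router can forward here.
    interface: 127.0.0.1@53535
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow      # constructed LAN range
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Recursive mode: with no forward-zone, Unbound walks from the root servers
    # itself. Those queries to root/TLD/authoritative servers are cleartext,
    # which is why the reply notes your ISP can still see where you resolve.
    root-hints: "/opt/var/lib/unbound/root.hints"   # assumed path

    # DNSSEC validation on the router: RFC 5011 managed root trust anchor.
    # Prime it once with: unbound-anchor -a /opt/var/lib/unbound/root.key
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"   # assumed path
    val-clean-additional: yes
    # Fail closed on answers that fail validation instead of returning them.
    val-permissive-mode: no

    # Hardening (all stock Unbound options).
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    harden-algo-downgrade: yes
    use-caps-for-id: yes          # 0x20 case randomisation against spoofing
    qname-minimisation: yes       # send only the labels each server needs
    edns-buffer-size: 1232        # avoid fragmented UDP answers
    prefetch: yes
    hide-identity: yes
    hide-version: yes

# Alternative: forwarding mode over TLS. This is what the GUI's DoT setting
# does with the router's own stub resolver; in Unbound it is the forward-zone
# below. Uncomment it (and the CA bundle) to forward instead of recursing.
#server:
#    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # assumed path
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 1.1.1.1@853#cloudflare-dns.com
#    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Check the file with `unbound-checkconf /opt/var/lib/unbound/unbound.conf` before reloading, then test validation from the router with `unbound-host -C /opt/var/lib/unbound/unbound.conf -v -D example.com`: a validated answer is printed with "(secure)", an unsigned zone with "(insecure)", and a failed validation with "(BOGUS ...)". The two modes are mutually exclusive for a given zone: once the forward-zone for "." is active, Unbound no longer talks to the root servers, and what your ISP sees is a TLS session to the forwarder rather than the individual lookups.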
 
They all do different jobs in a DNS forwarding state. In a recursive DNS state the encryption between your router and the upstream DNS server isn't required. The resolution is done right on the router. Using Unbound means no man-in-the-middle attack can happen. Unbound does not use encryption. It does have built-in support for DNSSEC. Your ISP could still sniff your packets and tell where you are surfing, too, whereas with DoT that would be more difficult.
EDIT: No support for DoT or DoH in Unbound at this time.

Thanks... so since both have DNSSEC, it sounds like DoT on the router is better than Unbound?
 

DoT encrypts your DNS traffic to the resolver. By essentially being your own DNS resolver, with the occasional reference to an outside source that you trust, and hopefully with whom you share an encrypted connection, you’re basically doing the same thing with much less potential for your data to be tracked/sold/mined. Your ISP can’t throttle you because they can’t see what’s being passed over the connection you pay for, and your VPN (the trusted entity you share an encrypted tunnel with) doesn’t keep logs of your activity with/through them for longer than 24 hrs. Google does. Cloudflare might decide to. But a VPN provider headquartered in privacy respecting jurisdictions will not beyond a timeframe that makes any legal entanglements based on copyright infringement claims moot...because that’s what you pay THEM for. (Not that I’m suggesting anyone would do such a thing)

Unbound and a VPN is truly for people who wish to leave as few tracks in the snow on the forest floor as possible. Diversion/pixelserv and skynet do an awesome job of protecting you from your info leaking out through ads/pop ups on websites and malicious actors looking to bust in on your network/connection.

Yes, while you may not have anything to hide, why not make sure that nobody’s spying on you? Good fences make for good neighbours.


Sent from my iPhone using Tapatalk
 
Could someone describe a scenario where configuring Unbound is a better option than DoT, or give examples of situations where one outshines the other, and why?

Privacy and resilience against DNS MitM attacks are solid reasons to use DoT, but it sounds like Unbound trades encryption / privacy for other benefits. What are they?
 
The TLS test result on Mullvad shows (Disabled) on the browser privacy check. Not sure if it's the Chrome browser. I used to use Firefox Nightly before to pass everything on the browser experience security check. I'm not a networking expert, so I'm not sure if I should just stick with Mullvad DNS servers.

If they’re good enough for your VPN, they should be good enough for the DNS stuff.

Does WireGuard have you connecting to Mullvad above the speeds you pay for from your ISP?


Sent from my iPhone using Tapatalk
 
Does WireGuard have you connecting to Mullvad above the speeds you pay for from your ISP?

At one location, I pay Spectrum for 100 megs down, and typically get ~180 for some reason, and get the same through Mullvad. The VPN is configured on an AC86U. I was genuinely shocked by the speed. I use DoT on my network, and have the ParrotOS workstation manually configured to use Mullvad's RFC 1918 DNS IPv4.
 

As I understand it, Unbound helps you better/further obfuscate your DNS traffic within a VPN connection rather than having a fast DNS resolver other than your ISP. You are basically your own DNS, with reference to the DNS you choose to trust (and I wouldn't trust Google, my jury is still out on Cloudflare, my ISP could threaten me with legal action for streaming a copyrighted source from a provider who doesn't pay the copyright holder...).


Sent from my iPhone using Tapatalk
 
At one location, I pay Spectrum for 100 megs down, and typically get ~180 for some reason, and get the same through Mullvad. The VPN is configured on an AC86U. I was genuinely shocked by the speed. I use DoT on my network, and have the ParrotOS workstation manually configured to use Mullvad's RFC 1918 DNS IPv4.

So yes. Awesome. I've got the AC86U as well. I just haven't decided on Mullvad or Azire, or wrapped my head around setting WireGuard up on the router yet. (The question though: is it as secure as we hope?)


Sent from my iPhone using Tapatalk
 

So, if you run a VPN full-time, Unbound is better, but if you don't run a VPN full-time (I just turn a VPN on on my PC when I need it), DoT is better?
 
So, if you run a VPN full-time, Unbound is better, but if you don't run a VPN full-time (I just turn a VPN on on my PC when I need it), DoT is better?

That's my understanding at the moment. (Why wouldn't you need the VPN on all the time?)


Sent from my iPhone using Tapatalk
 
