Dot & DNSSEC vs Unbound?


So yes. Awesome. I’ve got the AC86u as well. I just haven’t decided on Mullvad or Azire, or wrapped my head around setting WireGuard up on the router yet. (The question though: is it as secure as we hope?)

The man himself, Linus Torvalds, referred to WG as "...a thing of beauty" and:

https://arstechnica.com/gadgets/202...ireguard-vpn-into-the-5-6-kernel-source-tree/

...so hopefully. I am certainly not an expert, but the code looks so much lighter than OpenVPN, and it sure is easier to manage. Fingers crossed that everyone's expectations are on par. WG seems no faster than OpenVPN on Linux, but it is noticeably faster on Android. I haven't bothered trying to kludge it together on an Asus box though, OpenVPN has served us just fine up to this point, and I am not ready to break a sweat over the possibility of saving a couple CPU cycles.

I have used Mullvad for about 18 months, and have nothing but praise. I pay in BTC washed through XMR and feel extra secure, even though a credit card would be just fine, because hey, the MPAA could rappel down through my chimney any minute now for watching that Joker screener, right? ;)
 
Privacy and resilience against DNS MitM attacks are solid reasons to use DoT, but it sounds like Unbound trades encryption / privacy for other benefits. What are they?
Unbound gives you the other kind of privacy: not sending all your query data to a single third-party service. You lose encryption for the benefit of not consolidating your DNS history with any one provider.

What does privacy mean to you? For the sake of discussion, you might have an encrypted DoT connection to Cloudflare DNS, so no one can snoop on your queries in transit. But now you have to trust Cloudflare with all your DNS data/history. Trust they will uphold their privacy policy and not get hacked.

With Unbound, there is no single third party entity on the other end of your DNS queries. You send your queries directly to the authoritative server for each domain you query and cache the results. It’s not encrypted, since there is not widespread support for DoT with all those possible authoritative servers.

So two kinds of privacy to choose from. You decide which is most important to you. A VPN is an option, so is hosting a private Unbound server in the cloud and connecting to it over DoT.
 
They all do different jobs in a DNS forwarding state. In a recursive DNS state the encryption between your router and upstream DNS server isn't required. The resolution is done right on the router. Using unbound means no man in the middle attack can happen. Unbound does not use encryption. It does have built in support for DNSSEC. Your ISP could still sniff your packets and tell where you are surfing too, whereas with DoT that would be more difficult.
EDIT: No support for DoT or DoH in unbound at this time.
Unbound can do DoT just as a forwarder and not recursively.
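The two modes discussed in the posts above (a fully recursive Unbound that talks to the authoritative servers itself, versus Unbound acting only as a DoT forwarder to a single upstream) come down to whether a forward-zone is present. The unbound.conf below is an added illustration, not a config from this thread, from Merlin firmware or from the Unbound project; the listen port, the /opt paths and the Cloudflare upstream are assumptions chosen for a router where dnsmasq already owns port 53.

```conf
# Added example unbound.conf (not from the thread or from Merlin firmware).
# Option A: leave out the forward-zone block -> Unbound recurses on its own,
#           queries go straight to the authoritative servers (unencrypted,
#           DNSSEC-validated, no single third party sees the whole history).
# Option B: keep the forward-zone block -> Unbound is a DoT forwarder only;
#           every query goes, encrypted, to the one upstream named there.

server:
    # Assumption: dnsmasq already listens on 53, so Unbound gets another port
    interface: 127.0.0.1
    port: 53535
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    hide-identity: yes
    hide-version: yes

    # DNSSEC validation (works in both modes). The anchor file is kept
    # current by Unbound itself (RFC 5011); path is an assumption.
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
    # Root hints are only needed for Option A (recursion); path assumed.
    root-hints: "/opt/var/lib/unbound/root.hints"

    # The cache lives in RAM only: a router reboot empties it.
    msg-cache-size: 8m
    rrset-cache-size: 16m
    prefetch: yes
    # Send each upstream only the labels it needs (Option A privacy gain).
    qname-minimisation: yes

    # CA bundle used to verify the upstream's certificate in Option B;
    # path is an assumption for an Entware install.
    tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"

# Lets "unbound-control dump_cache" / "load_cache" save and restore the
# cache across a restart, if you want to avoid the cold-cache penalty.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1

# ---- Option B only: remove this whole block for a recursive resolver ----
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # @853 selects the DoT port, #hostname is the name the certificate
    # must match; the upstream is an assumed example.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

With the forward-zone in place, `forward-tls-upstream: yes` plus the `#cloudflare-dns.com` authentication name is what makes the forwarding TLS-verified rather than merely TLS-wrapped; leaving the name off would still encrypt but would accept any certificate. Without the forward-zone, the `root-hints` and trust anchor are what let Unbound walk the tree from the root itself, which is the "other kind of privacy" dave14305 describes: no single operator sees your full query stream, but none of those hops is encrypted.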
 
Both solutions, Stubby or Unbound, do recursion.
Unbound, configured without forwarding, acquires an authoritative function.

Using Stubby + dnsmasq (DoT Merlin) you will have the necessary security that I recommend at the DNS level, organizing non-authoritative recursion.
[image: dns-dot.png]

If you want a complete, customizable DNS server, use unbound.
[image: one-to-many.png]
There is even a configuration that I'm enjoying, Stubby + unbound-anchor, for a MIPS router.

There is no need for comparisons. Security is a matter of planning in conjunction with good practices.

References:
http://bit.do/ftDK2
http://bit.do/ftDHD
 
I have used Mullvad for about 18 months, and have nothing but praise. I pay in BTC washed through XMR and feel extra secure, even though a credit card would be just fine, because hey, the MPAA could rappel down through my chimney any minute now for watching that Joker screener, right? ;)
God, that gave me a good laugh! :)

Edit:
Is unbound faster than 1.1.1.1?
Does unbound cache DNS requests?
When I reboot my router, is the cache gone?
Where does unbound look for DNS resolves? It has to use some public DNS to resolve names, right?
 
God, that gave me a good laugh! :)

Edit:
Is unbound faster than 1.1.1.1?
Does unbound cache DNS requests?
When I reboot my router, is the cache gone?
Where does unbound look for DNS resolves? It has to use some public DNS to resolve names, right?

Yes.
Yes.
Yes.
The internet’s authoritative DNS servers, cutting out the middleman/men of public DNS server/s.
No.

dave14305’s post #25 above, gives you a very helpful outline on how/why you might want to achieve freedom from public recursive resolvers.:)
 
Thanks for clearing that up, I think I understand now. (I couldn't translate the word "recursive" correctly into my language.)
But, who is running these "authoritative DNS"? Can we trust these companies since they will see the DNS requests?
 
But, who is running these "authoritative DNS"? Can we trust these companies?
These would be the same servers that public DNS resolvers are asking to resolve your queries. They must be trusted for the global DNS infrastructure to work.
 
Unbound gives you the other kind of privacy: not sending all your query data to a single third-party service.

Thank you, your post was illuminating. By querying authoritative servers directly, Unbound is in a very real sense distributing your DNS resolutions, as opposed to allowing the demigods of data hoarding - Google, Cloudflare etc - to log every resolution.
 
But, who is running these "authoritative DNS"? Can we trust these companies since they will see the DNS requests?

I think what matters most is that no individual one of them is logging your every move, so it becomes much more difficult to pigeonhole a given user's habits.

I think the mantra here is Know thy Enemy.
 
The point is: no DNS solution will provide support for not storing browsing LOGs. Regardless of whether your resolver is VPN, cloudflare or ICANN (aka Verisign) they will all make audit logging possible on the EDGE.
DNS servers only organize the path.
Yes, it is possible to organize Stubby/GetDNS for independent servers, recognized as being audited as safe, and also on port 443, avoiding firewall problems.
If you want real privacy, use Tor for some browsing.
 
If you want real privacy, use Tor for some browsing.

I quite frequently do. I also support the Invisible Internet Project. Freenet had promise, but has less obvious application.

A VPN is not a route to anonymity, a degree of discretion is merely a byproduct. Tor & I2P offer the only real privacy that involves trusting technology over humans. And I think that we know how much we can trust THAT lot...

 
Imagine TOR was a government conspiracy to get the most paranoid, security & privacy conscious people onto one network and see what they are connecting to by installing software on the user's computer and redirect all their traffic through a very specific route? ;)
 
Imagine TOR was a government conspiracy to get the most paranoid, security & privacy conscious people onto one network and see what they are connecting to by installing software on the user's computer and redirect all their traffic through a very specific route? ;)

The DoD *did* develop Tor, the US Naval Research Lab to be specific.

Depending upon your intended usage of the word "route", what you describe may be impossible, as Tor doesn't use a single specific route. In a sense, its topology is entropic.

The open source nature of the Tor project precludes this paranoia anyway.

But it is healthy that you are thinking that way.
 
Both solutions, Stubby or Unbound, do recursion.
Unbound, configured without forwarding, acquires an authoritative function.

Using Stubby + dnsmasq (DoT Merlin) you will have the necessary security that I recommend at the DNS level, organizing non-authoritative recursion.

There is even a configuration that I'm enjoying, Stubby + unbound-anchor, for a MIPS router.

There is no need for comparisons. Security is a matter of planning in conjunction with good practices.

References:
http://bit.do/ftDK2
http://bit.do/ftDHD


Is Stubby built in to Merlin or do you need to add it?
 
Is Stubby built in to Merlin or do you need to add it?

Merlin included Stubby a number of versions ago: Stubby = DoT.
Awesome, right?
Now he and (most of) the rest of the script devs are solidifying their relationship as a working group with the script-specific changes in 384.15. I think that’s kind of a landmark or historical event that we’re going to look back on in the not too distant future, happy we were around to have seen it.


Sent from my iPhone using Tapatalk
 
Merlin included Stubby a number of versions ago: Stubby = DoT.
Awesome, right?
Now he and (most of) the rest of the script devs are solidifying their relationship as a working group with the script-specific changes in 384.15. I think that’s kind of a landmark or historical event that we’re going to look back on in the not too distant future, happy we were around to have seen it.


Sent from my iPhone using Tapatalk

Thanks...so, Stubby, DoT, & dnsmasq are all the same thing? Just 3 different names?
 
That’s my understanding at the moment. (Why wouldn’t you need VPN on all the time?)


Sent from my iPhone using Tapatalk

I'm not clear whether this is accurate or not.

If using a VPN, I would expect that you would be using their DNS servers and as such unbound provides no benefit I believe. If anything, it's when you are not using a VPN that unbound shows its value. I could be mistaken however.
 
Some VPN providers don't force you to use their DNS servers, so you can set 'Accept DNS Config' to disabled and use Unbound.
 
Thanks...so, Stubby, DoT, & dnsmasq are all the same thing? Just 3 different names?

Stubby is the cool nickname for DoT, which is the acronym for “DNS over TLS;” Dnsmasq is something else entirely.
I think you need to do some research in Merlin’s wiki.


Sent from my iPhone using Tapatalk
 