Dot & DNSSEC vs Unbound?

Thanks...so, Stubby, Dot, & dnsmasq are all the same thing? Just 3 different names?

Stubby is an implementation of DoT. It is "DoT in a Box". Dnsmasq is a DNS forwarder, but it is also a Swiss Army knife that is often rolled into all sorts of things. It can manage DHCP and other things.

I'm not clear whether this is accurate or not.

If using a VPN, I would expect that you would be using their DNS servers and as such unbound provides no benefit I believe. If anything, it's when you are not using a VPN that unbound shows its value. I could be mistaken however.

The advantage of Unbound when using a VPN is you place less trust in your VPN provider's DNS. Those records could be sold, hacked, subpoenaed or otherwise used against you.

Thanks to everyone who has helped make the place of Unbound clear. Out of sheer curiosity and love of trivia, is the name "Unbound" to DNS what 7UP is to soda, given that named = BIND?
 
Thanks, is dnsmasq built into Merlin like Stubby/DoT? Post 27 by rgnldo referred to "Using Stubby + dnsmasq (DoT Merlin)", implying DoT was Stubby & dnsmasq.
 
Different proposals for DNS servers. BIND is very robust. I'm really enjoying Knot-resolver.

I just meant the moniker Unbound may be a play on BIND in the same way that the soda 7Up bills itself as "The Uncola" because it is clear and different. I do remember BIND from literally decades ago, I was working at an internet startup. DNS is incredibly simple when glanced at superficially, at the level it was important to my personal job, but it quickly becomes a rabbit hole that only true network gurus can approach. Kudos to those of you who have made the trip and come back to tell us about it :)

Thanks, so is dnsmasq built into Merlin like Stubby/DoT?

I do not know what Merlin does, it is a product of a god, and I am but a pleb, but one might point dnsmasq to Stubby, if that helps.
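The "point dnsmasq to Stubby" chain above, written out as an added configuration example (not from any poster or from the Merlin firmware). dnsmasq keeps answering LAN clients on port 53 and forwards everything to Stubby on a loopback port; Stubby speaks DoT to the upstream and refuses to fall back to cleartext if the certificate or name does not match. The file paths, the loopback port 5453 and the Cloudflare upstreams are choices made here, not defaults of either program:

```conf
# dnsmasq fragment (e.g. /jffs/configs/dnsmasq.conf.add on Asuswrt-Merlin; path is an assumption).
# dnsmasq uses '#' as the port separator in server=, so keep comments on their own lines.
# Ignore resolvers learned from the ISP/DHCP so nothing leaks around Stubby:
no-resolv
# Hand every query to Stubby listening on 127.0.0.1 port 5453:
server=127.0.0.1#5453
# Pass the AD (authenticated data) bit set by the validating upstream through to clients:
proxy-dnssec

# stubby.yml fragment (YAML; on Merlin typically under /opt/etc/stubby/, also an assumption).
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS            # TLS only; no UDP/TCP fallback
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # fail closed on a cert/name mismatch
tls_query_padding_blocksize: 128    # pad queries so length does not reveal the name
edns_client_subnet_private: 1       # do not ask the upstream to forward our subnet
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@5453                  # must match the dnsmasq server= line above
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
```

The check worth doing after a change like this is to confirm that nothing on the router still has a plain port-53 upstream configured (a leftover `server=` line or an ISP resolver in /etc/resolv.conf), since dnsmasq will happily use any of them.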
 
I still manage a few Bind servers, both for my company and for a customer. I love how simple it is to manage over SSH.
 
Awesome! When I was managing DNS, SSH 1 was a new product. All I remember is typing vi domain.tld and changing some things based on what needed to be done. Nowadays it is all voodoo. And I promise you that it pains me greatly to admit that, it was fascinating at the time and I hate that I only understood what I needed to know. Compared to the old Sun YP and trading flat files with UUCP, DNS really IS magic.

All of a sudden I feel:

1. Dumb
2. Angry that kids are on my lawn
3. In need of Geritol & Metamucil
 
For a long time BIND was the great DNS server. To name machines on the LAN or local domains. Unfortunately it has suffered casualties when advancing its development. It is still a rock-solid DNS server.
 
Look at you with no Prep H on that list.
 
I'm really enjoying Knot-resolver.

After reading this, I made a note to look into Knot-resolver, it looks slick. I can forgive myself for not being on the cutting edge with DNS technology, but what REALLY makes me feel dumb is I only just now got the pun(s) in the name.

Your Github says Knot-Resolver & Suricata - isn't Suricata an evolution of Martin Roesch's Snort? I have never used Suricata, but used to work with Snort, ACID, ISS/Xforce etc a lot. My career went in a different direction, but I still have a fascination with infosec, even though I do not have the skills necessary to discuss it on a professional level.

If pentesting is your bag, I very much envy you.
 
looks like I'm a few months late to the party, please forgive my tardiness, ignorance and any duplication.

If I'm understanding correctly, since Unbound acts as a resolver, losing DoT to a public resolver is a non-issue since there are no requests being forwarded?

In my current setup, I've got DNSSEC enabled, and am using DoT with CleanBrowsing malware filtering IPs. I know filtered DNS vs unfiltered DNS is a whole different argument. I accept that 1) I have to trust CleanBrowsing with my privacy and 2) trust them to act in good faith in terms of malware filtering vs censorship.

Is using Unbound as a resolver worth giving up malware filtering within DNS as part of my layered security approach? I understand that I can accomplish DoT with Unbound by forwarding to Stubby, but from what I can tell there isn't much to be gained by implementing this over my current setup (dnsmasq + Stubby)?

Thanks for any help!
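The two setups the post above weighs, as an added unbound.conf example (not from the poster or from the unbound_manager script): full recursion, where Unbound walks root, TLD and authoritative servers itself and no third-party resolver sees the queries, and DoT forwarding to a filtering upstream. Unbound can do the second natively with `forward-tls-upstream`, so Stubby is not needed as an extra hop for that case. The listen port, file paths and the Cloudflare upstream are assumptions; substitute your filtering provider's published IP and TLS authentication name if you keep filtering:

```conf
# unbound.conf (paths and the 53535 listen port are assumptions; adjust to your install)
server:
    interface: 127.0.0.1@53535
    access-control: 127.0.0.1/32 allow
    # Unbound validates DNSSEC itself (RFC 5011 managed root trust anchor),
    # so dnsmasq only needs proxy-dnssec to pass the AD bit on to clients.
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
    val-clean-additional: yes
    # Send only the labels each server needs (RFC 7816); limits what TLD servers learn.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
    # Needed only for Option B: CA bundle used to authenticate the upstream's certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Option A: full recursion. This is the default when no forward-zone is present.
# Queries leave the router in cleartext to root/TLD/authoritative servers, but no
# single resolver operator sees the whole query stream.

# Option B: keep a filtering upstream, encrypted with DoT, without Stubby in between.
# Uncomment to use; the IP@port#authname form pins the certificate name Unbound must see.
# forward-zone:
#     name: "."
#     forward-tls-upstream: yes
#     forward-addr: 1.1.1.1@853#cloudflare-dns.com
#     forward-addr: 1.0.0.1@853#cloudflare-dns.com

# dnsmasq side, whichever option is chosen (own line comments; '#' is the port separator):
# no-resolv
# server=127.0.0.1#53535
# proxy-dnssec
```

Run `unbound-checkconf` after editing; with `tls-cert-bundle` missing or wrong, Option B fails closed rather than silently dropping to cleartext, which is the behaviour you want but also the first thing to look at when resolution stops.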
 
It's really up to you, however Unbound does have adblocking and now malware (albeit somewhat immature). I have Unbound installed with Skynet/Diversion and it has worked very well. I also have DNS filtering set up for my kids and their devices using CleanBrowsing Family.

A lot of awesome work is being done across all of these scripts and really you could choose a mix of most and end up at a great spot. (Just need to make sure you're not overlaying competing ones is all).
 
I've just got fed up with public DNS resolvers, so decided to switch to Unbound just a few hours ago. In fact it has a malicious domain filtering option and I do believe it will be constantly improved. The only thing that affects privacy is non-encrypted queries, so theoretically your ISP may "sniff" what queries the Unbound submits to authoritative DNS servers. But I hope the DoT will be implemented in the near future to authoritative servers (so-called ADoT) and then it would be easy to switch Unbound to DoT.
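What "sniff" means concretely here, as an added example (not from the poster): the queries a recursive resolver sends to root, TLD and authoritative servers are plain RFC 1035 UDP datagrams, so anyone on the path reads the full name out of the question section. The script builds such a query the way a resolver would (RD=0, one question) and then parses it back the way a passive observer would; the name, type and transaction ID are chosen here, and no traffic is sent:

```python
import struct

QTYPE_A = 1
QTYPE_AAAA = 28


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Plain DNS query as a recursive resolver sends it upstream.

    Flags are all zero: QR=0 (query), RD=0 because an authoritative server is
    being asked directly, not another recursive. One question, no other sections.
    The transaction ID is a constructed value, not random as a real resolver uses.
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(packet: bytes, offset: int):
    """Read labels starting at offset; returns (name, offset after the terminator)."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in answers but never in a question name.
            raise ValueError("compression pointer in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_query(packet: bytes) -> dict:
    """Everything a passive on-path observer (the ISP, say) recovers from the datagram."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    if off + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {
        "id": txid,
        "qr": bool(flags >> 15),          # 0 = query, 1 = response
        "rd": bool((flags >> 8) & 1),     # recursion desired
        "qname": qname,
        "qtype": qtype,
        "qclass": qclass,
    }


if __name__ == "__main__":
    # Constructed sample: the name the resolver is looking up for a LAN client.
    wire = build_query("www.example.com", QTYPE_AAAA)
    print(wire.hex())
    print(parse_query(wire))
```

Note that `qname-minimisation` (on by default in current Unbound) only changes which labels each *authoritative* server sees; the link between the router and the internet still carries the full name in the final query, which is the gap ADoT is meant to close.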
 
I hope the DoT will be implemented in the near future to authoritative servers (so-called ADoT) and then it would be easy to switch Unbound to DoT.
Interesting, although I see that the ADoT draft proposal expired in January 2020, and the auxiliary proposal on how recursive DNS servers would technically be able to verify if an Authoritative DNS server supports DoT expires in May, so this may mean a significant delay in the ADoT implementation?

P.S. Not 100% clear if ADoT actually implies/expects all three entities ROOT/DNS and Authoritative servers to support DoT, otherwise explicit ADoT to only the Authoritative server is pointless?
 
I've read the same document and started feeling optimistic :) ... But I am not very familiar with the procedures for how a new standard is implemented. Regarding ROOT servers I agree - it is pointless if they do not support DoT. My opinion is that ideally they should be backward compatible with standard DNS and be able to serve both types of queries for a long time, maybe a decade.
 
Sorry to revive an old post.

From what I understand, Dot means trusting Cloudflare, etc. And using unbound basically means being your own DNS resolver.

Assuming I don’t use a VPN, my question is, if my main objective is to hide from my ISP, is the unencrypted unbound really that bad compared to DoT?

I ask this because I read somewhere that, even with DoT, your ISP has other ways to track you and sniff you out. Is this true?

If so then the logical thing to do would be to just use unbound... sorry if I misunderstood the concepts, thank you
 