Sorry to revive an old post.
From what I understand, DoT means trusting Cloudflare, etc., and using unbound basically means being your own DNS resolver.
Assuming I don't use a VPN, my question is: if my main objective is to hide from my ISP, is the unencrypted unbound really that bad compared to DoT?
I ask this because I read somewhere that, even with DoT, your ISP has other ways to track you and sniff you out. Is this true?
If so, then the logical thing to do would be to just use unbound... sorry if I misunderstood the concepts, thank you.
It's always good to re-visit things to ensure that they're clear in your head.
DoT means trusting those DNS servers, yes, while concealing your traffic from your ISP.
As has been mentioned, only you can decide who you allow your data to be monitored by ;-) and how much of that data they're allowed to see... if you choose to give any more than necessary out in the first place.
unbound with DNSSEC within IPsec would be the ideal, I'm guessing (if I understand everything correctly!). DNSSEC verifies the site's/server's address as unbound understands it, and IPsec encrypts everything within the packets, and clients connect directly with the servers they wish to communicate with. Unless/until someone breaks these (which would be VERY bad in the case of DNS), every device on your network would in effect be within its own tunnel to the server it's talking with rather than your VPN's.
This implies IPv6 (and removing the burden of encryption/decryption from the router, I think, but I could be and probably am mistaken)... you ARE full stack v6 on your network, yes? You should be; native rather than tunnelled, too.
This privacy/security stuff can be quite the rabbit hole and test of just how paranoid you are sometimes ;-)
It might help you to wrap your head around some of this if you spend some time on the Wikipedia pages for IPv6 (and take the free IPv6 "certification course" offered at he.net), DNSSEC and IPsec, and go visit the WireGuard website... now that that's rolled into the Linux kernel, I think we're almost at the "security and privacy by default" phase of the internet.
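As an added example, not configuration from either poster: an unbound.conf contrasting the two setups the thread discusses, full recursion with DNSSEC validation (unbound resolving on its own, with its queries to authoritative servers leaving in cleartext) and forwarding every query to an upstream over TLS (DoT, which hides queries from the ISP but trusts that upstream). File paths and the Cloudflare upstream address are assumptions; adjust them for your system.

```conf
# Added example: unbound.conf for the two modes discussed in the thread.
# Paths below are assumptions; adjust for your distribution.
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    hide-identity: yes
    hide-version: yes
    # DNSSEC validation, used in both modes. The root trust anchor file is
    # kept up to date by unbound (RFC 5011); initialise it with unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    # Send each server only the labels it needs to see.
    qname-minimisation: yes
    # CA bundle used to verify the upstream's certificate in Mode B.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Mode A, "be your own resolver": with no forward-zone, unbound walks the
# hierarchy from the root servers itself. There is no upstream to trust,
# but those queries leave the network in cleartext on port 53, so the ISP
# can read them. DNSSEC protects the integrity of the answers, not their
# confidentiality.

# Mode B, DoT forwarding: uncomment to send every query to one upstream
# over TLS on port 853. The ISP then sees only a TLS session to that
# upstream; the upstream (Cloudflare here, as an assumed example) sees
# every query, which is the trust trade-off the thread describes.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 1.1.1.1@853#cloudflare-dns.com
#    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
```

Run unbound-checkconf against the file before reloading the service; a typo in a directive name is rejected there rather than at startup.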