What's new

Tutorial Forcing SafeSearch Tutorial

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

You never answered the question what's the idea behind your Pi-hole and Unbound adventures. What's your router not doing enough for you?
Nothing, it's working as I want. I just wanted to try out Unbound as I read and have seen others recommend and they say it's a better DNS server to run....
But, then I read about the so called, risks, and in all honesty.. scared me... and the questions started popping in my head as to what would I need to do to secure my network when using Unbound.

That's about it haha. It's OK, I know you are trying to help and have helped me in the past. I just need to try to gather more knowledge to prevent this type of back and forth in the future.
Keep up the great work.
 
I read and have seen others recommend

The fact someone is using something on their network doesn't necessarily mean you need it as well. You wanted to keep using OpenDNS with the free filtering categories. That means you have to forward your queries upstream to OpenDNS. This is what dnsmasq is doing already - forwarding upstream. It was explained to you already you don't need another software to do the same thing. It was simple enough to understand. The annoying part is you selectively ignore the answers and continue asking the same questions in another thread. People trying to help you see no results from trying to help you.
 
Thank you @SomeWhereOverTheRainBow. All of you have been very helpful in the past with all my other nonsense haha.
I guess I was expecting an answer like ....

for example... When I asked about how to mitigate the risks of using Unbound, I was expecting something like...

To attempt to mitigate those risks, you need to make sure THIS and THAT is setup properly.
to do that, you need to do THIS.... "whatever THIS is".. close ports, add some firewall rules and what not.

This is what I was referring to when I mentioned scripts, but it doesn't have to be.
But, if you're saying as long as I don't click on unknown links and follow the "don't do's", then I should be fine..

Please understand, I am aware that it won't matter what firewall rules I have in place, If I am not careful then it doesn't matter.... I get that.

I just wanted to make sure my question was understood of what I was asking for.
I know I have a lot to learn, but, sometimes you read and don't understand or comprehend what you're reading.

But this has gone long enough haha.
There is no secret sauce or special formula. Typically the dns poisoning protection mechanisms are built within the server. One thing that might make unbound more vulnerable to dns cache poisoning is by running the server directly web facing with no firewall between. Another method would be limiting the amount of random ports unbound can traverse. yes unbound can limit the udp port range for networks in favor of having more ports available for other applications using udp. This is a bad practice since one of unbound security mechanisms is its ability to randomize ports. Another bad security practice would be to disable dnssec hardening which is something Unbound does to minimize cache poisoning.
 
Another bad security practice would be to disable dnssec hardening which is something Unbound does to minimize cache poisoning
This is something I keep reading about.. DNSSEC.. according to what I read, it is used/configured to help prevent DNS cache poisoning.
The Cloudfare article says DNSSEC is not yet mainstream, leaving DNS still vulnerable to attacks.

So, I was going to ask how I would setup DNSSEC, but based on your last post, it seems DNSSEC is already implemented/included in Unbound and no configuration is necessary in that aspect?
 
Does the same rule apply when running a WireGuard server?

I don't know about the port. What I know is limited all-network WAN-LAN throughput rule applies when using WireGuard.
 
@Tech9 You actually made me realize something on your last post about OpenDns...(Thanks)

I realized that there is no point of me even using Unbound if I want to use OpenDns to filter content!
I mean, I could, but wouldn't that just make Unbound act more like a proxy...right?

Anyway, I think this puts an end to my Unbound endeavors haha.
I really appreciate the help from all and specially for your patience!
 
@Tech9 You actually made me realize something on your last post about OpenDns...(Thanks)

I realized that there is no point of me even using Unbound if I want to use OpenDns to filter content!
I mean, I could, but wouldn't that just make Unbound act more like a proxy...right?

Anyway, I think this puts an end to my Unbound endeavors haha.
I really appreciate the help from all and specially for your patience!
how will you prevent dns cache poisoning with an Open Dns ?
 
No no.. haha.. I meant, there is no benefit of me using Unbound if I will be using OpenDns (DNS Server...content filter) as the Upstream DNS server.
Meaning I won't use Ubound's full benefits... I know the day I won't be using any content filtering, I will set up Unbound.
 
Last edited:
I realized that there is no point of me even using Unbound if I want to use OpenDns to filter content!

I told you already 6 days ago:


I know the day I won't be using any content filtering, I will set up Unbound.

Then I will reply to you this is what Pi-hole can be used for with or without OpenDNS and wait for 6 days. :)
 
I told you already 6 days ago:




Then I will reply to you this is what Pi-hole can be used for with or without OpenDNS and wait for 6 days. :)
Yea I imagine Pihole runs better as an Open DNS forwarder. It even has security features like rate-limiting.
 
Right. in all the Unbound setups I've seen in pihole, they say to use 127.0.0.1#5335 as the loopback dns to Unbound, but this means, I won't be able to use content filtering network wise since the OpenDns Upstream will not be used... this is why I said.. "the day I won't be needing content filtering".. I will setup Unbound as a recursive DNS server.

Thank you all.. Sorry it took me a while.
 
Right. in all the Unbound setups I've seen in pihole, they say to use 127.0.0.1#5335 as the loopback dns to Unbound, but this means, I won't be able to use content filtering network wise since the OpenDns Upstream will not be used... this is why I said.. "the day I won't be needing content filtering".. I will setup Unbound as a recursive DNS server.

Thank you all.. Sorry it took me a while.
Yea from my understanding, you are right. It is best to use an Open DNS on port 53.
 
I won't be able to use content filtering network wise since the OpenDns Upstream will not be used...

You can use category blocklists on your Pi-hole, but okay - I can wait for 6 more days...


What is this Pi-hole doing on your network is still not very clear. It's a DNS-based blocker.
 
What is this Pi-hole doing on your network is still not very clear. It's a DNS-based blocker.
It is being use to Administer the Open DNS. With Pihole, we can observe the connections coming and going. Plus it acts as a blocker to block content before it reaches Upstream. The Upstream blocks whatever Pihole Misses.
 
What if Diversion runs on the router with the same blocklists and OpenDNS is set in WAN? Way too advanced? I believe Pi-hole is used for two reasons:

- someone else recommended it
- it has nicer graphs in the WebUI
 
I've seen AdGuard options as well, but can't remember the developer's name. It was something very long.
 
Similar threads
Thread starter Title Forum Replies Date
gatorback Immediately forcing DDNS update Asuswrt-Merlin 3

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top