RT-AX88U distributes itself as a DNS when set up otherwise

[SomeWhereOverTheRainBow]

Unbound is just switching the DNS resolution task from someone else (your ISP, Google, CloudFlare, etc.) to your own router. The requests are still sent in the clear, the meta data just aren't captured by a third party resolver (like Google DNS for example, if you use them, they have some info on you). That takes care of the privacy part, not the security part.

In short, if you are going to use an authoritative resolver such as cloudflare, Google, or quads (etc), it is better to do so encrypted with doh or dot. Keep in mind the traffic between the authoritative servers and root servers is not encrypted, in short it can still be manipulated. The encryption is only between you and the authoritative server. In short, there is no real difference between this and using unbound. With unbound you are the authoritative resolver reaching out to root servers without encryption between you and root servers or you are using an already cached response within unbound. With using dot or doh, your request are sent encryptedly to an external authoritative resolver. The resolver then receives the response and request answers from their cache or send out an unencrypted request from the root servers for the request you sent. The response is then sent back to you encrypted. With dot and doh you have to trust your authoritative resolver. With unbound you are your authoritative resolver. With dot and doh, the resolver may have faster responses from their already cached information. Unbound can also be fast with cached responses. It all boils down to a question of trust and who do you feel delivers the best performance.

 

[gil80]

In short, if you are going to use an authoritative resolver such as cloudflare, Google, or quads (etc), it is better to do so encrypted with doh or dot. Keep in mind the traffic between the authoritative servers and root servers is not encrypted, in short it can still be manipulated. The encryption is only between you and the authoritative server. In short, there is no real difference between this and using unbound. With unbound you are the authoritative resolver reaching out to root servers without encryption between you and root servers or you are using an already cached response within unbound. With using dot or doh, your request are sent encryptedly to an external authoritative resolver. The resolver then receives the response and request answers from their cache or send out an unencrypted request from the root servers for the request you sent. The response is then sent back to you encrypted. With dot and doh you have to trust your authoritative resolver. With unbound you are your authoritative resolver. With dot and doh, the resolver may have faster responses from their already cached information. Unbound can also be fast with cached responses. It all boils down to a question of trust and who do you feel delivers the best performance.

Well isn't the benefit of using unbound is to get an extra layer of privacy? - as you're directly contacting the responsive servers, no server can fully log the exact paths you're going, as e.g. the Google DNS servers will only be asked if you want to visit a Google website, but not if you visit the website of your favorite newspaper, etc.

 

[SomeWhereOverTheRainBow]

Well isn't the benefit of using unbound is to get an extra layer of privacy? - as you're directly contacting the responsive servers, no server can fully log the exact paths you're going, as e.g. the Google DNS servers will only be asked if you want to visit a Google website, but not if you visit the website of your favorite newspaper, etc.

The security benefits of unbound include built in dnssec, and information minimization features that reduce your footprint. Your traffic with unbound goes through many pathways travels the path of the domain receiving request from root servers. While the pathway may be hard to track, this traffic is plaintext as would any traffic from any authoritative server to the root servers would be. Doh and Dot is just for encryption if the user decides to use a public authoritative resolver such as Google or cloudflare so the traffic between the user and the server is encrypted.

 

[donnikhan]

Hijacking this thread, did OP end up setting this up for IPv6 or did you disable it?

 

[gil80]

I disabled IPv6. My ISP is running IPv6 in beta mode at the moment and I couldn't be bothered with it.

 

[Cornish]

Late to the game but you can absolutely change the router ip from being the secondary dns via NVRAM. I do just that so I can use two piholes. If you only have 1 pihole set both to the same ip.

##Show DHCP Settings##
nvram show | grep dhcp_dns

##Set DHCP Settings To Pi-Hole##
nvram set dhcp_dns1_x=192.168.1.37; nvram set dhcp_dns2_x=192.168.1.38; nvram commit; service restart_net;

##Set DHCP Settings Back##
nvram set dhcp_dns1_x=192.168.1.1; nvram set dhcp_dns2_x=; nvram commit; service restart_net;

 

[gil80]

Late to the game but you can absolutely change the router ip from being the secondary dns via NVRAM. I do just that so I can use two piholes. If you only have 1 pihole set both to the same ip.

##Show DHCP Settings##
nvram show | grep dhcp_dns

##Set DHCP Settings To Pi-Hole##
nvram set dhcp_dns1_x=192.168.1.37; nvram set dhcp_dns2_x=192.168.1.38; nvram commit; service restart_net;

##Set DHCP Settings Back##
nvram set dhcp_dns1_x=192.168.1.1; nvram set dhcp_dns2_x=; nvram commit; service restart_net;

Thanks.
I ended up flashing Merlin and bypassing this issue afterall.