Unbound - Authoritative Recursive Caching DNS Server

Understand, all servers will forward queries to the root servers: Unbound, Cloudflare, Quad, etc. Stubby is a complete TCP/TLS transport solution. With Unbound this is complete. Just take the test. You can return to the previous easy setting.
Oh for sure, I will try it out again! Last time I tested with a DNS leak test though, I got those 3rd-party providers listed. With Stubby off, I get myself as the sole DNS provider :) (and that's how I like it!) lol. I want to break free of all 3rd parties, as they all make $ somewhere for their services... and are also huge targets for attacks (as slim a chance as it may be for me to be affected by it).

That all said, caching worked as designed! 0 ms after the first query, but again, I do not wish to use anyone but myself to resolve DNS queries; my connection can support it, and to me, that is the primary goal of Unbound. I believe that was what some other users here were trying to convey.
 
This is really good info if I go that route. But really, I'm more concerned with targeted hacks / cache poisoning on their public-facing servers. It happened before, to the richest of them, and it will happen again. The bot uprising has been here lol. Believe me, I know I'm being overly worried about DNS providers; I just find it amazing that we ourselves can create our very own private LAN recursive DNS server :)

And also, the performance has been fantastic! From a privacy point of view, DoT is the way to go with your list.

Not at all arguing that DoT isn't amazing; it definitely is! But ultimately my ISP sees my destination anyway, and I'm not in a country where I have to worry too much about it... yet lol
 
If testing, report here. You can return to the previous setting.
ASUS RT-AX88U: with this router you can add more memory and CPU.

Code:
# worker threads and cache slabs (slab counts must be a power of 2; keep them at or above num-threads)
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4

# tiny memory cache
key-cache-size: 64m
msg-cache-size: 32m
rrset-cache-size: 32m
 
> Oh for sure, I will try it out again! Last time I tested with a DNS leak test though, I got those 3rd-party providers listed. With Stubby off, I get myself as the sole DNS provider :) (and that's how I like it!) lol. I want to break free of all 3rd parties, as they all make $ somewhere for their services... and are also huge targets for attacks (as slim a chance as it may be for me to be affected by it).
>
> That all said, caching worked as designed! 0 ms after the first query, but again, I do not wish to use anyone but myself to resolve DNS queries; my connection can support it, and to me, that is the primary goal of Unbound. I believe that was what some other users here were trying to convey.

Though you are your own DNS and your path of travel is not directly known, your traffic will still be plaintext, which can be manipulated or read.
 
A good DNS server with configuration options helps a lot with privacy. Options such as:

hide-version: yes
qname-minimisation: yes
harden-glue: yes
minimal-responses: yes

reduce the information given out.
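Of the four options above, `qname-minimisation` is the one whose effect is easiest to show. As an added example (not from the thread and not Unbound code), the Python below lists the queries a recursive resolver sends for one name with and without minimisation. The delegation tree in `ZONE_CUTS` is constructed so the script runs offline; a real resolver discovers zone cuts by following referrals. The intermediate queries are shown with QTYPE NS in the RFC 7816 style; the type Unbound actually sends for those hops depends on the version, so treat that detail as an assumption and check the unbound.conf man page for your build.

```python
"""Added example: queries sent with and without qname minimisation.

Not code from the thread or from Unbound; the delegation tree below is
constructed so the example runs offline.
"""

# Constructed zone cuts: zone name -> a label for the servers that serve it.
ZONE_CUTS = {
    ".": "root servers",
    "com.": "com. servers",
    "example.com.": "example.com. servers",
}


def _labels(name):
    """'www.example.com.' -> ['www', 'example', 'com']."""
    return [label for label in name.rstrip(".").split(".") if label]


def _zones_on_path(qname):
    """Zone cuts a resolver walks for qname, root first (from ZONE_CUTS only)."""
    labels = _labels(qname)
    zones = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONE_CUTS and candidate != qname:
            zones.append(candidate)
    return zones


def queries_without_minimisation(qname, qtype="A"):
    """Classic iteration: every server on the path sees the full name."""
    return [(ZONE_CUTS[zone], qname, qtype) for zone in _zones_on_path(qname)]


def queries_with_minimisation(qname, qtype="A"):
    """RFC 7816 style: each server is asked only for the name one label
    below the zone it serves, so the root learns 'com.' and the com.
    servers learn 'example.com.', never 'www.example.com.'."""
    labels = _labels(qname)
    queries = []
    for zone in _zones_on_path(qname):
        depth = len(_labels(zone))
        asked = ".".join(labels[-(depth + 1):]) + "."
        if asked == qname:
            # Last hop: the real question goes to the zone that owns the name.
            queries.append((ZONE_CUTS[zone], qname, qtype))
        else:
            # Intermediate hop: only the next label; QTYPE NS is an assumption (see lead-in).
            queries.append((ZONE_CUTS[zone], asked, "NS"))
    return queries


def names_seen_by(server, queries):
    """Which names a given server learned from a query list."""
    return sorted({name for srv, name, _ in queries if srv == server})


if __name__ == "__main__":
    for mode in (queries_without_minimisation, queries_with_minimisation):
        print(mode.__name__)
        for server, name, qtype in mode("www.example.com."):
            print(f"  {server:22} <- {name} {qtype}")
```

The difference that matters for the thread's privacy argument is in `names_seen_by("root servers", ...)`: without minimisation the root and TLD operators see every full hostname you resolve; with it they see only the label they delegate.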
 
> Though you are your own DNS and your path of travel is not directly known, your traffic will still be plaintext, which can be manipulated or read.

Yep. That is the Achilles’ heel of the standard setup. But I was wondering, in that scenario, how would the information be manipulated in transit? Would that be ISP-side, a remote man-in-the-middle, or a LAN attack?

In my case though, I am not a public service nor a large target, and I am getting the answers straight from the root servers (and cache) just as Cloudflare / any DNS provider would do. Is it really more secure to use DoT vs your own resolution accessible only via LAN?
Thanks in advance, I really like learning about this topic.
 
> If testing, report here. You can return to the previous setting.
> ASUS RT-AX88U: with this router you can add more memory and CPU.
> (the thread/slab/cache configuration posted above)

Great! Thanks for this, I will let you know how it performs. Just set these a moment ago.
 
> If testing, report here. You can return to the previous setting.
> ASUS RT-AX88U: with this router you can add more memory and CPU.
> (the thread/slab/cache configuration posted above)

Interesting: when I allow 2 threads, I get two different responses, one from each thread of Unbound. It takes three tries to hit the cache; dig's result shows the router as the DNS server both times. I see two Unbound process IDs when running the top command. The behavior immediately reverts when changing back to 1 thread. A reboot did not help when threads were set to 2. Reverted, with the other recommended changes intact for now.
 
> Yep. That is the Achilles’ heel of the standard setup. But I was wondering, in that scenario, how would the information be manipulated in transit? Would that be ISP-side, a remote man-in-the-middle, or a LAN attack?
>
> In my case though, I am not a public service nor a large target, and I am getting the answers straight from the root servers (and cache) just as Cloudflare / any DNS provider would do. Is it really more secure to use DoT vs your own resolution accessible only via LAN?
> Thanks in advance, I really like learning about this topic.

Okay, so with plaintext you are at higher risk of manipulation or snooping from anywhere along the way to the root servers. With DoT or DoH the only parties you have to trust are yourself and the servers you are using, though information can still be collected by your ISP either way (Unbound or DoT or DoH).
 
> Okay, so with plaintext you are at higher risk of manipulation or snooping from anywhere along the way to the root servers. With DoT or DoH the only parties you have to trust are yourself and the servers you are using, though information can still be collected by your ISP either way (Unbound or DoT or DoH).

Definitely agree! Makes sense; only one other thing puzzles me. What about when, say, Cloudflare goes to do the same thing on 1.1.1.1, once the cache expires for a given address? What would make that safer than doing so locally? Or are they so close that there are fewer hops between A and B?

Because again, to do the lookup no NS supports DoH / DoT, only plaintext, and then DoH / DoT from the resolver to you (as far as I understand).
 
> Definitely agree! Makes sense, only one other thing: what about when, say, Cloudflare goes to do the same thing on 1.1.1.1, once the cache expires for a given address? What would make that safer than doing so here? Because again, to do the lookup no NS supports DoH / DoT, only plaintext, and DoH / DoT from the public resolver to you (as far as I know).

The big misconception about DoH and DoT versus Unbound is that encryption does not always equal privacy, especially when it comes to the ISP and the servers you use. Unbound tries to make your path difficult to follow, but that information is not 100 percent private either. So it boils down to: do you want to use the cached response stored in a server, encrypted once it starts its journey to you, or do you want a fresh response that you cache by traversing the root server path? Is your browsing very repetitive in nature?
 
> Interesting: when I allow 2 threads, I get two different responses, one from each thread of Unbound. It takes three tries to hit the cache; dig's result shows the router as the DNS server both times. I see two Unbound process IDs when running the top command. The behavior immediately reverts when changing back to 1 thread. A reboot did not help when threads were set to 2. Reverted, with the other recommended changes intact for now.
These observations are unnerving. Can we rally together as a community and decide if it’s optimal to configure unbound to use 2 threads and 4 slabs or keep it at the default settings and avoid the “unnecessary” hits? I’m running on an RT-AC5300
 
> The big misconception about DoH and DoT versus Unbound is that encryption does not always equal privacy, especially when it comes to the ISP and the servers you use. Unbound tries to make your path difficult to follow, but that information is not 100 percent private either. So it boils down to: do you want to use the cached response stored in a server, encrypted once it starts its journey to you, or do you want a fresh response that you cache by traversing the root server path? Is your browsing very repetitive in nature?

I did not understand this argument. Please use Wireshark and show the report of this. Without a technical argument, it's hard to understand.
 
> Interesting: when I allow 2 threads, I get two different responses, one from each thread of Unbound. It takes three tries to hit the cache; dig's result shows the router as the DNS server both times. I see two Unbound process IDs when running the top command. The behavior immediately reverts when changing back to 1 thread. A reboot did not help when threads were set to 2. Reverted, with the other recommended changes intact for now.

I use the TCP/TLS recursion feature with Stubby; I do not use multi-thread. I recommend multi-thread to anyone who has the above AX88U router and uses Unbound exclusively.
Do not give up easily. I forgot to provide the thread distribution option.

The default outgoing range is limited by available file descriptors. Increase the performance of Unbound dramatically by using libevent, which allows many more queries per thread and a larger outgoing range. Unbound must be compiled with '--with-libevent'. Increase UDP performance by a non-trivial degree by enabling multi-threaded support.
Code:
opkg install libevent2

Code:
# worker threads and cache slabs (slab counts must be a power of 2; keep them at or above num-threads)
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4

so-reuseport: yes
outgoing-range: 4096
num-queries-per-thread: 1024

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 8m
rrset-cache-size: 8m
I tested with the multi-thread configuration above. It's working fine for me...
My AC86U router is dual core. The AX88U is quad core. If you choose only Unbound, without Stubby or DoT, multi-thread will deliver better UDP performance.
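Two versions of the `server:` fragment have now been posted in this thread (the first with 32m/64m caches, the second adding `so-reuseport`, `outgoing-range` and `num-queries-per-thread`). As an added example (not from the thread and not Unbound's own tooling), the Python below embeds both fragments as constructed input and applies the rules from the unbound.conf man page and the NLnet Labs "Howto optimise" guide that the discussion touches on: slab counts must be a power of 2 and should be at least `num-threads`; `num-queries-per-thread` should be at most half of `outgoing-range`; an `outgoing-range` above 960 needs a libevent build; and the rrset cache is recommended to be about twice the message cache. Whether the binary was built with `--with-libevent` is passed in as a flag, since that is not visible from the config file.

```python
"""Added example: sanity-check the unbound.conf server options from the thread.

Not Unbound's own code; the two config strings are copied from the thread
and treated as constructed input.  Rules are from the unbound.conf man page
and the NLnet Labs 'Howto optimise' guide (see lead-in).
"""
import re

CONFIG_PAGE_V1 = """
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
key-cache-size: 64m
msg-cache-size: 32m
rrset-cache-size: 32m
"""

CONFIG_PAGE_V2 = """
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-reuseport: yes
outgoing-range: 4096
num-queries-per-thread: 1024
key-cache-size: 16m
msg-cache-size: 8m
rrset-cache-size: 8m
"""

SLAB_KEYS = ("msg-cache-slabs", "rrset-cache-slabs", "infra-cache-slabs", "key-cache-slabs")
SELECT_LIMIT = 960  # man page default for outgoing-range in a build without libevent


def parse_server_options(text):
    """Parse 'key: value' lines, ignoring comments and blanks."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        opts[key] = value
    return opts


def to_int(value):
    """Unbound size syntax: plain integer or k/m/g suffixed ('32m' -> bytes)."""
    match = re.fullmatch(r"(\d+)([kmg]?)", value.lower())
    if not match:
        raise ValueError(f"not a number: {value!r}")
    scale = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[match.group(2)]
    return int(match.group(1)) * scale


def check_unbound_options(opts, has_libevent):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    threads = to_int(opts.get("num-threads", "1"))
    for key in SLAB_KEYS:
        slabs = to_int(opts.get(key, "4"))  # Unbound's default is 4
        if slabs & (slabs - 1):
            findings.append(f"{key}={slabs} is not a power of 2 (required)")
        elif slabs < threads:
            findings.append(f"{key}={slabs} is below num-threads={threads}; raise it to reduce lock contention")
    if "outgoing-range" in opts:
        outgoing = to_int(opts["outgoing-range"])
        if outgoing > SELECT_LIMIT and not has_libevent:
            findings.append(f"outgoing-range={outgoing} exceeds {SELECT_LIMIT}; needs a --with-libevent build")
        if "num-queries-per-thread" in opts and 2 * to_int(opts["num-queries-per-thread"]) > outgoing:
            findings.append("num-queries-per-thread should be at most half of outgoing-range")
    if "msg-cache-size" in opts and "rrset-cache-size" in opts:
        if to_int(opts["rrset-cache-size"]) < 2 * to_int(opts["msg-cache-size"]):
            findings.append("rrset-cache-size is recommended to be about twice msg-cache-size")
    return findings


if __name__ == "__main__":
    for label, text in (("v1", CONFIG_PAGE_V1), ("v2", CONFIG_PAGE_V2)):
        for finding in check_unbound_options(parse_server_options(text), has_libevent=True) or ["ok"]:
            print(f"{label}: {finding}")
```

Run against the posted fragments, both pass the slab and outgoing-range rules; the only thing flagged is that both set the rrset cache equal to, rather than twice, the message cache. The checker reads the config only; after editing, `unbound-checkconf` on the router is still the authoritative syntax check.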

> NS supports DoH / DoT, only plaintext and then DoH / DoT

Query NS
Code:
MBP@rgnldo ~ % dig gov. +dnssec NS

; <<>> DiG 9.10.6 <<>> gov. +dnssec NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41783
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.                IN    NS

;; ANSWER SECTION:
gov.            86400    IN    NS    c.gov-servers.net.
gov.            86400    IN    NS    d.gov-servers.net.
gov.            86400    IN    NS    a.gov-servers.net.
gov.            86400    IN    NS    b.gov-servers.net.
gov.            86400    IN    RRSIG    NS 8 1 172800 20200114041007 20200107041007 14320 gov. lEUKJV6R7vIjZWsE0dtcwb7HoB3GOK7hjBaydAk7KEtV7LjWdjXODWi8 2ACAeSsevCfrc+yTgSNEeSgorax9b7IUvsbnM/p5O0M5dMvFvIlxibM+ XY8wNBz1BhRrmZXQk2OPIbEMr9LBfXianPCon1xkS6n/pDNULquC9/+5 vF/o6kWlrMrIBSH30qNTARcXFhaekcpBOhipj9/hJWRoVw==

;; Query time: 874 msec
;; SERVER: 2804:4474:206:6300::1#53(2804:4474:206:6300::1)
;; WHEN: Tue Jan 07 07:43:19 -03 2020
;; MSG SIZE  rcvd: 306
Return NS
Code:
MBP@rgnldo ~ % dig gov. +dnssec NS

; <<>> DiG 9.10.6 <<>> gov. +dnssec NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53349
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.                IN    NS

;; ANSWER SECTION:
gov.            86395    IN    NS    c.gov-servers.net.
gov.            86395    IN    NS    d.gov-servers.net.
gov.            86395    IN    NS    a.gov-servers.net.
gov.            86395    IN    NS    b.gov-servers.net.
gov.            86395    IN    RRSIG    NS 8 1 172800 20200114041007 20200107041007 14320 gov. lEUKJV6R7vIjZWsE0dtcwb7HoB3GOK7hjBaydAk7KEtV7LjWdjXODWi8 2ACAeSsevCfrc+yTgSNEeSgorax9b7IUvsbnM/p5O0M5dMvFvIlxibM+ XY8wNBz1BhRrmZXQk2OPIbEMr9LBfXianPCon1xkS6n/pDNULquC9/+5 vF/o6kWlrMrIBSH30qNTARcXFhaekcpBOhipj9/hJWRoVw==

;; Query time: 2 msec
;; SERVER: 2804:4474:206:6300::1#53(2804:4474:206:6300::1)
;; WHEN: Tue Jan 07 07:43:24 -03 2020
;; MSG SIZE  rcvd: 306
DS
Code:
MBP@rgnldo ~ % dig gov. +dnssec DS

; <<>> DiG 9.10.6 <<>> gov. +dnssec DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11535
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.                IN    DS

;; ANSWER SECTION:
gov.            3600    IN    DS    7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE
gov.            3600    IN    DS    7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
gov.            3600    IN    RRSIG    DS 8 1 86400 20200120050000 20200107040000 33853 . m+aWv9I6JXjnMRMqLm5GTVI7Ym3T5KStkfWV3a76YlHez1yPuyC++EcB 0Bn26iFnRsXuOgsBdvz1lL9q2KJFXKEVpIOsJNl+eZyG17wOidkkfB4o O9kR+d+hRpV2g61RmSFq0nWHdV3G/AY3jYj1eH8oVykBypl81ldkMMBL nX++GY1tnf4r29KrrCti//WAmHdLWBtE7rNnRs9FyvxF0yb/ArytWc9e XpMwS2vvdzocYOecKgSAonCaYfB4sqrhJZRTb5fgU4epGpe1Mmf4BKay mCQVew1ih231JcG4/IV4zHm5i8n9BUVTXP7cScZuo/mVn0BrnjGR/hpg uU/6gA==

;; Query time: 929 msec
;; SERVER: 2804:4474:206:6300::1#53(2804:4474:206:6300::1)
;; WHEN: Tue Jan 07 07:56:57 -03 2020
;; MSG SIZE  rcvd: 403
Return DS
Code:
MBP@rgnldo ~ % dig gov. +dnssec DS

; <<>> DiG 9.10.6 <<>> gov. +dnssec DS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56055
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gov.                IN    DS

;; ANSWER SECTION:
gov.            6266    IN    DS    7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE
gov.            6266    IN    DS    7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
gov.            6266    IN    RRSIG    DS 8 1 86400 20200120050000 20200107040000 33853 . m+aWv9I6JXjnMRMqLm5GTVI7Ym3T5KStkfWV3a76YlHez1yPuyC++EcB 0Bn26iFnRsXuOgsBdvz1lL9q2KJFXKEVpIOsJNl+eZyG17wOidkkfB4o O9kR+d+hRpV2g61RmSFq0nWHdV3G/AY3jYj1eH8oVykBypl81ldkMMBL nX++GY1tnf4r29KrrCti//WAmHdLWBtE7rNnRs9FyvxF0yb/ArytWc9e XpMwS2vvdzocYOecKgSAonCaYfB4sqrhJZRTb5fgU4epGpe1Mmf4BKay mCQVew1ih231JcG4/IV4zHm5i8n9BUVTXP7cScZuo/mVn0BrnjGR/hpg uU/6gA==

;; Query time: 4 msec
;; SERVER: 2804:4474:206:6300::1#53(2804:4474:206:6300::1)
;; WHEN: Tue Jan 07 07:59:51 -03 2020
;; MSG SIZE  rcvd: 403
  • Unbound does not have this record in its cache, so it contacts the nameserver in charge of gov.
  • USAGOV returns a full answer containing an RRSIG record (see appendix)
  • Unbound validates the signature using the public key chain it knows about and returns the answer to dig
  • dig receives a valid answer and thus displays it to the user and adds the ad flag. This flag means.
When querying a root such as “nl.”, the root name server will return the DNSSEC signature of the record.

Code:
MBP@rgnldo ~ % dig nl. SOA +dnssec

; <<>> DiG 9.10.6 <<>> nl. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27956
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nl.                IN    SOA

;; ANSWER SECTION:
nl.            3600    IN    SOA    ns1.dns.nl. hostmaster.domain-registry.nl. 2020010723 3600 600 2419200 600
nl.            3600    IN    RRSIG    SOA 8 1 3600 20200120225712 20200107083802 63744 nl. wirWAdSu7StgKTqO+E/Et46Vv6fKyMPu4tT4jz5p/dkidukGO1b0NO0H v+bnqbWRv7KMnDM/sFO6WcSI2W/uHf7Y5NF6i7qyPu/4wXwDrbT0MSME d1DCH+1wuTyc9nHTAN93OS7eLYdZUsmiQ/u7aA5Q+YXxMFkjGrxlCoTv oFE=

;; Query time: 377 msec
;; SERVER: 2804:4474:206:6300::1#53(2804:4474:206:6300::1)
;; WHEN: Tue Jan 07 08:08:50 -03 2020
;; MSG SIZE  rcvd: 264
Return
Code:
MBP@rgnldo ~ % dig nl. SOA +dnssec

; <<>> DiG 9.10.6 <<>> nl. SOA +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 200
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nl.                IN    SOA

;; ANSWER SECTION:
nl.            3594    IN    SOA    ns1.dns.nl. hostmaster.domain-registry.nl. 2020010723 3600 600 2419200 600
nl.            3594    IN    RRSIG    SOA 8 1 3600 20200120225712 20200107083802 63744 nl. wirWAdSu7StgKTqO+E/Et46Vv6fKyMPu4tT4jz5p/dkidukGO1b0NO0H v+bnqbWRv7KMnDM/sFO6WcSI2W/uHf7Y5NF6i7qyPu/4wXwDrbT0MSME d1DCH+1wuTyc9nHTAN93OS7eLYdZUsmiQ/u7aA5Q+YXxMFkjGrxlCoTv oFE=

;; Query time: 4 msec
;; SERVER: 2804:4474:206:6300::1#53(2804:4474:206:6300::1)
;; WHEN: Tue Jan 07 08:08:55 -03 2020
;; MSG SIZE  rcvd: 264
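The dig outputs above show RRSIG records coming back but not what a validating resolver does with them. As an added example (not from the thread and not Unbound code), the Python below takes the answer sections as printed above, embedded here as constructed input with the signatures shortened, and runs the structural checks that precede the actual signature verification: that every RRset in the answer has a covering RRSIG, that the RRSIG signer is a zone that can contain the RRset (the parent, `.`, for the `gov.` DS, since DS records live in the parent zone), that the labels field is consistent with the owner name, and that the query time from the `;; WHEN:` line falls inside the inception/expiration window. It does no cryptography, and because the page does not show the `gov.` DNSKEY RRset, the link from DS key tag 7698 to the ZSK key tag 14320 that signed the NS RRset cannot be closed from these outputs alone. Note also that the `flags:` lines above read `qr rd ra` with no `ad`, so as printed they do not by themselves show that the resolver validated these answers.

```python
"""Added example: structural DNSSEC checks on the dig answers from the thread.

Not Unbound code and not a signature verifier; the input lines are copied
from the thread's dig output and treated as constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Answer sections from the dig outputs above (signature data shortened).
NS_ANSWER = [
    "gov. 86400 IN NS c.gov-servers.net.",
    "gov. 86400 IN NS d.gov-servers.net.",
    "gov. 86400 IN NS a.gov-servers.net.",
    "gov. 86400 IN NS b.gov-servers.net.",
    "gov. 86400 IN RRSIG NS 8 1 172800 20200114041007 20200107041007 14320 gov. lEUKJV6R...",
]
DS_ANSWER = [
    "gov. 3600 IN DS 7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE",
    "gov. 3600 IN DS 7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5559561F0",
    "gov. 3600 IN RRSIG DS 8 1 86400 20200120050000 20200107040000 33853 . m+aWv9I6...",
]
# ';; WHEN: Tue Jan 07 07:43:19 -03 2020' from the first dig output, as UTC.
QUERY_TIME = datetime(2020, 1, 7, 10, 43, 19, tzinfo=timezone.utc)


def sigtime(yyyymmddhhmmss):
    """RRSIG timestamps are UTC YYYYMMDDHHmmSS (RFC 4034 section 3.2)."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split an RRSIG presentation line into its fields."""
    f = line.split()
    if f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG line: {line}")
    return {
        "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": sigtime(f[8]), "inception": sigtime(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
    }


def label_count(name):
    return len([l for l in name.rstrip(".").split(".") if l])


def parent_zone(name):
    """'gov.' -> '.', 'www.example.com.' -> 'example.com.'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def in_zone(name, zone):
    """True if name is zone itself or lies below it."""
    return zone == "." or name == zone or name.endswith("." + zone)


def audit_answer(lines, at):
    """Return a list of problems; empty means the structural checks passed.
    Signature cryptography is deliberately not checked here."""
    problems = []
    present = {l.split()[3] for l in lines if l.split()[3] != "RRSIG"}
    sigs = [parse_rrsig(l) for l in lines if l.split()[3] == "RRSIG"]
    covered = {s["type_covered"] for s in sigs}
    for rtype in sorted(present - covered):
        problems.append(f"{rtype} RRset has no covering RRSIG")
    for s in sigs:
        t, owner, signer = s["type_covered"], s["owner"], s["signer"]
        # Without knowing every zone cut we can only require the signer to be
        # the owner's zone or an ancestor; for DS it must be a proper ancestor.
        if t == "DS":
            signer_ok = signer != owner and in_zone(owner, signer)
        else:
            signer_ok = in_zone(owner, signer)
        if not signer_ok:
            problems.append(f"RRSIG {t} signer {signer} cannot sign {owner} {t}")
        if s["labels"] > label_count(owner):
            problems.append(f"RRSIG {t} labels field {s['labels']} exceeds owner labels")
        if not (s["inception"] <= at <= s["expiration"]):
            problems.append(f"RRSIG {t} not valid at {at.isoformat()}")
    return problems


if __name__ == "__main__":
    for name, lines in (("NS", NS_ANSWER), ("DS", DS_ANSWER)):
        print(name, audit_answer(lines, QUERY_TIME) or "structural checks passed")
    print("30 days later:", audit_answer(NS_ANSWER, QUERY_TIME + timedelta(days=30)))
```

The "30 days later" run is the case that bites in practice: a cached RRSIG is still in the cache but past its expiration, so a validator that ignored the window would keep accepting it. To see the `ad` flag from Unbound itself, query it with `dig +dnssec` from a client and check that the resolver has `auto-trust-anchor-file` (or `trust-anchor-file`) configured; the outputs on this page do not show which of the two was in use.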
 
Honestly, using Unbound for cache only is a waste of resources. Native dnsmasq + getdns + Stubby on Merlin firmware does it very well. The more dnsmasq-dependent software is used in conjunction with Unbound, the less it will work. This was the reason for adding a native adblock on Unbound.
 
> I did not understand this argument. Please use Wireshark and show the report of this. Without a technical argument, it's hard to understand.

I love your response and, to be honest, I wrote a guide not so long ago on how a user can do this via a cru command and tcpdump on their router. The user will obviously need to adapt it to their use. I leave this to the user to decide because every setup is different. https://www.snbforums.com/threads/dot-study-mbm-dot-study.57725/

Maybe you can use this guide to show the transaction exchange with Unbound on port 53 so users can trust that what they are doing is secure and private (talking about without Stubby involvement).
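Two points earlier in the thread, that a port-53 query from Unbound is plaintext that anyone on the path can read, and the suggestion just above to confirm that with tcpdump or Wireshark, are easier to believe with the packet in hand. As an added example (not from the thread or the linked guide), the Python below builds a DNS query in wire format (RFC 1035) and parses it back the way a passive observer on udp port 53 would, pulling out the transaction ID, flags and question name. The packets are constructed in the script so it runs offline, and `queries_matching` shows the kind of filter an ISP or on-path device could run over captured port-53 traffic. The names and transaction IDs are illustrative.

```python
"""Added example: what a plain port-53 DNS query looks like on the wire.

Not code from the thread or from Unbound; packets are built in-script so
the example runs offline.  Names and transaction IDs are illustrative.
"""
import struct

QTYPE_A, QTYPE_AAAA = 1, 28


def encode_name(name):
    """'www.example.com.' -> b'\\x03www\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234, rd=True):
    """Minimal query: 12-byte header, one question, class IN, no EDNS."""
    flags = 0x0100 if rd else 0x0000  # RD bit, as a stub or forwarder sets it
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(packet, offset, depth=0):
    """Read a name at offset, following compression pointers (RFC 1035 4.1.4)."""
    if depth > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(packet, pointer, depth + 1)
            if tail != ".":
                labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(packet):
    """Parse the header and first question; that is all an observer needs."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    qname, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "qname": qname,
        "qtype": qtype,
        "qclass": qclass,
    }


def queries_matching(packets, suffix):
    """Passive filter over captured port-53 payloads: question names under suffix."""
    hits = []
    for packet in packets:
        q = parse_query(packet)
        if not q["is_response"] and (q["qname"] == suffix or q["qname"].endswith("." + suffix)):
            hits.append(q["qname"])
    return hits


if __name__ == "__main__":
    capture = [build_query("www.example.com."), build_query("mail.example.net.", QTYPE_AAAA, txid=0xBEEF)]
    for pkt in capture:
        print(pkt.hex(), "->", parse_query(pkt))
    print("names under example.com.:", queries_matching(capture, "example.com."))
```

The hex printed by the script is exactly what `tcpdump -n -X udp port 53` shows for the same query on the router's WAN side; with Stubby in front, the same bytes travel inside TLS on port 853 and only the destination resolver's address is visible to the path.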
 
You're confusing everything. There is no proposal for the inclusion of Unbound in Merlin firmware. I believe this inclusion is difficult because of the size of the binaries. It is not the purpose of this post to include Stubby in Unbound.
 
> You're confusing everything. There is no proposal for the inclusion of Unbound in Merlin firmware. I believe this inclusion is difficult because of the size of the binaries. It is not the purpose of this post to include Stubby in Unbound.

I was saying you can use the same Wireshark guide to observe Unbound transactions. Just have to adjust the port. You said you wanted to see Wireshark to understand.
 