Menu
What's new
By:
Filters Better Search

Unbound - Authoritative Recursive Caching DNS Server

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
dave14305 said:
You can configure DoT only with a forwarder like Cloudflare, Google, Quad9 etc., but you’re back to sending them your dossier, albeit secretly.
Click to expand...

and now showing my supreme stupidity (if I haven't already), is there not a way to encrypt the request to the authoritative nameserver? (or is there even a reason to do so?)
 
SuperDuke said:
and now showing my supreme stupidity (if I haven't already), is there not a way to encrypt the request to the authoritative nameserver? (or is there even a reason to do so?)
Click to expand...
The rub is that there are many many many authoritative nameservers you might need to query based on your web activity and they would all need to support DoT. Maybe one day but not yet.
 
dave14305 said:
The rub is that there are many many many authoritative nameservers you might need to query based on your web activity and they would all need to support DoT. Maybe one day but not yet.
Click to expand...

And so ends another highly insightful tutorial from the wise one @dave14305 ….thanks as always, your help is invaluable.
 
I currently have IPV6 enabled on my router since comcast offers this feature.

Question: Unbound does not prevent IPV6 from leaking correct?

The only way for IPV6 not too leak would be to disable this feature off in the router (or devices) correct?

BTW I'm currently using PIA VPN.
 
SuperDuke said:
And so ends another highly insightful tutorial from the wise one @dave14305 ….thanks as always, your help is invaluable.
Click to expand...
Another thing of note, your ISP will most likely still be able to see your history based on IP once you complete the DoT protocol. Once you get the destionation IP back from the DoT server - then its all pure IP traffic to your ISP (as usual) - and if they perform any Deep Packet Inspection, or DPI - which as actually a part of AIProtect funnily enough, can still track your history regardless of the DNS answer being encrypted in transit. The main gain is no one else could snoop on your history mid-stream, vs that possibility plaintext. And via DNSSEC required at all root DNS servers, while your queries without DoT would be visible, they would not be modifiable in any way due to the response then breaking the root's (DNSSEC) signature. It all comes down to personal preference on the philosophy of DNS and Unbound! (or if you live in a more surveillance friendly country, DoT is a helpful piece). But to be truly private VPN is the way to go!
 
dave14305 said:
You can configure DoT only with a forwarder like Cloudflare, Google, Quad9 etc., but you’re back to sending them your dossier, albeit secretly.
Click to expand...
Correct me if I'm wrong, but doesn't using DoT actually leave its own form of trail behind on those DNS servers? If I recall it was due to the nature of TLS. The connection is more secure, but it leaves a bit of a paper trail on the DoT server, I think due to handshakes. Granted, it is only visible by that DNS provider. AFAIK
 
Kingp1n said:
I currently have IPV6 enabled on my router since comcast offers this feature.

Question: Unbound does not prevent IPV6 from leaking correct?

The only way for IPV6 not too leak would be to disable this feature off in the router (or devices) correct?

BTW I'm currently using PIA VPN.
Click to expand...
Unbound does provide IPV6 support. But if you want to disable it you can in the config file. You can edit it by running:
Code: 
unbound_manager
and:
Code: 
vx
to edit Unbound's config quickly. Look for
Code: 
do-ip6: yes
and change to no. The main thing to look out for is to disable the feature in the router to autodiscover IPV6 DNS servers, and leave all fields blank for manual entries.
 
Last edited:
SolluxCaptor said:
Correct me if I'm wrong, but doesn't using DoT actually leave its own form of trail behind on those DNS servers? If I recall it was due to the nature of TLS. The connection is more secure, but it leaves a bit of a paper trail on the DoT server, I think due to handshakes. Granted, it is only visible by that DNS provider. AFAIK
Click to expand...
You’re sharing all your queries with that chosen DoT public resolver, leaving that trail with them, but not snoopable by others while in transit thanks to TLS.
 
IPV6 working fine with unbound. I have been using Unbound-Stubby for two years. I have nothing to complain about. I performed all tests and routes. I have no problems with latency or router overload. I configure Stubby with experimental servers on port 443. Unbound-full can be configured as a TLS server, but in Entware compilation I couldn't. Soon we will have news. I follow the unbound of some years.


Tapatalk
 
This is a didactic video that demonstrates the importance of a TLS proxy layer to the root server. With the advancement of java scripts and remote servers, DNS poisoning has become increasingly common today. The unbound project has been striving to provide a modern and secure DNS server.
Your code is simple and capable of high scalability. Originally focused on caching, recursive and authoritative, today extends its work with TLS solutions.



Tapatalk
 
dave14305 said:
The rub is that there are many many many authoritative nameservers you might need to query based on your web activity and they would all need to support DoT. Maybe one day but not yet.
Click to expand...

rgnldo said:
This is a didactic video that demonstrates the importance of a TLS proxy layer to the root server. With the advancement of java scripts and remote servers, DNS poisoning has become increasingly common today. The unbound project has been striving to provide a modern and secure DNS server.
Your code is simple and capable of high scalability. Originally focused on caching, recursive and authoritative, today extends its work with TLS solutions.
Click to expand...

So as @dave14305 mentions, unless the nameservers all accept TLS, how does Unbound having that capability make it better?
 
SuperDuke said:
So as @dave14305 mentions, unless the nameservers all accept TLS, how does Unbound having that capability make it better?
Click to expand...

In short, you can only have AsusWRT stock firmware on your router. What made you install the FW Merlin?



Tapatalk
 
Skynet, Diversion, Dnscrypt etc are solutions designed to add security to your router.


Tapatalk
 
Today, with the advancement of high-speed internet, cache logic as content storage has become a disused practice. DNS caching should be understood as dynamic, renewing itself in a short space of time. That's what I always recommend when configuring unbound: very little memory and cache life addition, more hardening layer, police and TLS.


Tapatalk
 
I noticed version 1.24 of the script is out.
 
Last edited:
Status
Not open for further replies.

Similar threads

J
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2
23 24 25
Replies
499
Views
82K
SomeWhereOverTheRainBow
SomeWhereOverTheRainBow
Similar threads
Thread starter Title Forum Replies Date
C Can't connect to DYNDNS when Unbound is enabled ! Asuswrt-Merlin 10
L "Maximum number of concurrent DNS queries" with strange lb._dns-sd._udp. ... .in-addr.arpa reverse DNS queries (has Pi running Adguard Home + Unbound) Asuswrt-Merlin 2
O PI hole + unbound + domain vpn routing Asuswrt-Merlin 10
L Unbound + Wireguard: is this combination possible at all? Asuswrt-Merlin 6

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 876 (members: 23, guests: 853)
Top