Unbound - Authoritative Recursive Caching DNS Server

[dave14305]

I'm just not sure why we wouldn't to implement it if it can be made to do so......thoughts??

You can configure DoT only with a forwarder like Cloudflare, Google, Quad9 etc., but you’re back to sending them your dossier, albeit secretly.

 

[SuperDuke]

You can configure DoT only with a forwarder like Cloudflare, Google, Quad9 etc., but you’re back to sending them your dossier, albeit secretly.

and now showing my supreme stupidity (if I haven't already), is there not a way to encrypt the request to the authoritative nameserver? (or is there even a reason to do so?)

 

[dave14305]

and now showing my supreme stupidity (if I haven't already), is there not a way to encrypt the request to the authoritative nameserver? (or is there even a reason to do so?)

The rub is that there are many many many authoritative nameservers you might need to query based on your web activity and they would all need to support DoT. Maybe one day but not yet.

 

[SuperDuke]

The rub is that there are many many many authoritative nameservers you might need to query based on your web activity and they would all need to support DoT. Maybe one day but not yet.

And so ends another highly insightful tutorial from the wise one @dave14305 ….thanks as always, your help is invaluable.

 

[Kingp1n]

I currently have IPV6 enabled on my router since comcast offers this feature.

Question: Unbound does not prevent IPV6 from leaking correct?

The only way for IPV6 not too leak would be to disable this feature off in the router (or devices) correct?

BTW I'm currently using PIA VPN.

 

[SolluxCaptor]

And so ends another highly insightful tutorial from the wise one @dave14305 ….thanks as always, your help is invaluable.

Another thing of note, your ISP will most likely still be able to see your history based on IP once you complete the DoT protocol. Once you get the destionation IP back from the DoT server - then its all pure IP traffic to your ISP (as usual) - and if they perform any Deep Packet Inspection, or DPI - which as actually a part of AIProtect funnily enough, can still track your history regardless of the DNS answer being encrypted in transit. The main gain is no one else could snoop on your history mid-stream, vs that possibility plaintext. And via DNSSEC required at all root DNS servers, while your queries without DoT would be visible, they would not be modifiable in any way due to the response then breaking the root's (DNSSEC) signature. It all comes down to personal preference on the philosophy of DNS and Unbound! (or if you live in a more surveillance friendly country, DoT is a helpful piece). But to be truly private VPN is the way to go!

 

[SolluxCaptor]

You can configure DoT only with a forwarder like Cloudflare, Google, Quad9 etc., but you’re back to sending them your dossier, albeit secretly.

Correct me if I'm wrong, but doesn't using DoT actually leave its own form of trail behind on those DNS servers? If I recall it was due to the nature of TLS. The connection is more secure, but it leaves a bit of a paper trail on the DoT server, I think due to handshakes. Granted, it is only visible by that DNS provider. AFAIK

 

[SolluxCaptor]

I currently have IPV6 enabled on my router since comcast offers this feature.

Question: Unbound does not prevent IPV6 from leaking correct?

The only way for IPV6 not too leak would be to disable this feature off in the router (or devices) correct?

BTW I'm currently using PIA VPN.

Unbound does provide IPV6 support. But if you want to disable it you can in the config file. You can edit it by running:

unbound_manager

and:

vx

to edit Unbound's config quickly. Look for

do-ip6: yes

and change to no. The main thing to look out for is to disable the feature in the router to autodiscover IPV6 DNS servers, and leave all fields blank for manual entries.

 

[dave14305]

Correct me if I'm wrong, but doesn't using DoT actually leave its own form of trail behind on those DNS servers? If I recall it was due to the nature of TLS. The connection is more secure, but it leaves a bit of a paper trail on the DoT server, I think due to handshakes. Granted, it is only visible by that DNS provider. AFAIK

You’re sharing all your queries with that chosen DoT public resolver, leaving that trail with them, but not snoopable by others while in transit thanks to TLS.

 

[rgnldo]

IPV6 working fine with unbound. I have been using Unbound-Stubby for two years. I have nothing to complain about. I performed all tests and routes. I have no problems with latency or router overload. I configure Stubby with experimental servers on port 443. Unbound-full can be configured as a TLS server, but in Entware compilation I couldn't. Soon we will have news. I follow the unbound of some years.


Tapatalk

 

[rgnldo]

This is a didactic video that demonstrates the importance of a TLS proxy layer to the root server. With the advancement of java scripts and remote servers, DNS poisoning has become increasingly common today. The unbound project has been striving to provide a modern and secure DNS server.
Your code is simple and capable of high scalability. Originally focused on caching, recursive and authoritative, today extends its work with TLS solutions.

Tapatalk

 

[SuperDuke]

The rub is that there are many many many authoritative nameservers you might need to query based on your web activity and they would all need to support DoT. Maybe one day but not yet.

This is a didactic video that demonstrates the importance of a TLS proxy layer to the root server. With the advancement of java scripts and remote servers, DNS poisoning has become increasingly common today. The unbound project has been striving to provide a modern and secure DNS server.
Your code is simple and capable of high scalability. Originally focused on caching, recursive and authoritative, today extends its work with TLS solutions.

So as @dave14305 mentions, unless the nameservers all accept TLS, how does Unbound having that capability make it better?

 

[rgnldo]

So as @dave14305 mentions, unless the nameservers all accept TLS, how does Unbound having that capability make it better?

In short, you can only have AsusWRT stock firmware on your router. What made you install the FW Merlin?



Tapatalk

 

[rgnldo]

Skynet, Diversion, Dnscrypt etc are solutions designed to add security to your router.


Tapatalk

 

[rgnldo]

Today, with the advancement of high-speed internet, cache logic as content storage has become a disused practice. DNS caching should be understood as dynamic, renewing itself in a short space of time. That's what I always recommend when configuring unbound: very little memory and cache life addition, more hardening layer, police and TLS.


Tapatalk

 

[SomeWhereOverTheRainBow]

Skynet, Diversion, Dnscrypt etc are solutions designed to add security to your router.


Tapatalk

*Cough cough* and unbound.

unbound should have been listed first.

 

[Kingp1n]

I noticed version 1.24 of the script is out.

 

[rgnldo]

I noticed version 1.24 of the script is out.

https://www.snbforums.com/threads/u...-caching-dns-server.58967/page-35#post-541673

 

[Kingp1n]

https://www.snbforums.com/threads/u...-caching-dns-server.58967/page-35#post-541673

yes, I saw that but I thought that installed version 1.23.

I'm installing rootzone per your instructions on previous post. Thanks for the info.

 

[rgnldo]

Update Initial POST