Unbound - Authoritative Recursive Caching DNS Server

You can configure DoT only with a forwarder like Cloudflare, Google, Quad9 etc., but you’re back to sending them your dossier, albeit secretly.

and now showing my supreme stupidity (if I haven't already), is there not a way to encrypt the request to the authoritative nameserver? (or is there even a reason to do so?)
 
The rub is that there are many many many authoritative nameservers you might need to query based on your web activity and they would all need to support DoT. Maybe one day but not yet.
 

And so ends another highly insightful tutorial from the wise one @dave14305 ….thanks as always, your help is invaluable.
 
I currently have IPV6 enabled on my router since comcast offers this feature.

Question: Unbound does not prevent IPV6 from leaking correct?

The only way for IPV6 not to leak would be to disable this feature in the router (or devices), correct?

BTW I'm currently using PIA VPN.
 
Another thing of note, your ISP will most likely still be able to see your history based on IP once you complete the DoT protocol. Once you get the destination IP back from the DoT server - then it's all pure IP traffic to your ISP (as usual) - and if they perform any Deep Packet Inspection, or DPI - which is actually a part of AIProtect funnily enough - they can still track your history regardless of the DNS answer being encrypted in transit. The main gain is no one else could snoop on your history mid-stream, vs. that possibility with plaintext. And via DNSSEC required at all root DNS servers, while your queries without DoT would be visible, they would not be modifiable in any way due to the response then breaking the root's (DNSSEC) signature. It all comes down to personal preference on the philosophy of DNS and Unbound! (or if you live in a more surveillance friendly country, DoT is a helpful piece). But to be truly private VPN is the way to go!
 
Correct me if I'm wrong, but doesn't using DoT actually leave its own form of trail behind on those DNS servers? If I recall it was due to the nature of TLS. The connection is more secure, but it leaves a bit of a paper trail on the DoT server, I think due to handshakes. Granted, it is only visible by that DNS provider. AFAIK
 
Unbound does provide IPV6 support. But if you want to disable it you can in the config file. You can edit it by running:
Code:
unbound_manager
and:
Code:
vx
to edit Unbound's config quickly. Look for
Code:
do-ip6: yes
and change to no. The main thing to look out for is to disable the feature in the router to autodiscover IPV6 DNS servers, and leave all fields blank for manual entries.
 
You’re sharing all your queries with that chosen DoT public resolver, leaving that trail with them, but not snoopable by others while in transit thanks to TLS.
 
IPV6 is working fine with Unbound. I have been using Unbound-Stubby for two years. I have nothing to complain about. I performed all tests and routes. I have no problems with latency or router overload. I configure Stubby with experimental servers on port 443. Unbound-full can be configured as a TLS server, but in the Entware compilation I couldn't. Soon we will have news. I have followed Unbound for some years.


 
This is a didactic video that demonstrates the importance of a TLS proxy layer to the root server. With the advancement of JavaScript and remote servers, DNS poisoning has become increasingly common today. The Unbound project has been striving to provide a modern and secure DNS server.
Its code is simple and capable of high scalability. Originally focused on caching, recursive and authoritative service, today it extends its work with TLS solutions.



 

So as @dave14305 mentions, unless the nameservers all accept TLS, how does Unbound having that capability make it better?
 

In short, you can only have AsusWRT stock firmware on your router. What made you install the FW Merlin?



 
Skynet, Diversion, Dnscrypt etc are solutions designed to add security to your router.


 
Today, with the advancement of high-speed internet, cache logic as content storage has become a disused practice. DNS caching should be understood as dynamic, renewing itself in a short space of time. That's what I always recommend when configuring Unbound: very little memory and cache life, plus more hardening layers, policy and TLS.


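As an added illustration, not the poster's own configuration nor anything produced by the unbound_manager script, here is an unbound.conf fragment that puts the recommendation above into practice: small caches with a short TTL cap, the IPv6 switch from the earlier post, a hardening layer, an access policy, and an optional DoT forward-zone for those who accept the forwarder trade-off discussed earlier in the thread. The LAN range, file paths and upstream resolver addresses are assumptions to adapt to your own setup.

```conf
server:
    # Small caches and a short maximum TTL: entries are renewed often
    # instead of serving old content from a large store.
    msg-cache-size: 4m
    rrset-cache-size: 8m
    cache-max-ttl: 3600
    cache-min-ttl: 0
    serve-expired: no
    prefetch: yes

    # IPv4 only, matching the earlier post on disabling IPv6 in Unbound.
    do-ip4: yes
    do-ip6: no

    # Hardening layer: drop bogus glue, require DNSSEC data where signed,
    # and send as little as possible to authoritative servers.
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    qname-minimisation: yes
    use-caps-for-id: yes
    hide-identity: yes
    hide-version: yes
    unwanted-reply-threshold: 10000
    val-clean-additional: yes
    # Path is an assumption; use the root.key your installation maintains.
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

    # Policy: answer only localhost and the LAN (range assumed), refuse others.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Needed only if the forward-zone below is used; path is an assumption.
    tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"

# Optional: give up pure recursion and send everything over DoT to a public
# resolver, which then sees all your queries (the trade-off discussed above).
# Delete this zone to keep Unbound fully recursive.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

Run unbound-checkconf against the edited file before restarting so a typo does not leave the router without DNS.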
 
I noticed version 1.24 of the script is out.
 