What's new

Unbound - Authoritative Recursive Caching DNS Server

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
I edited the steps at the beginning of the post. See there
Yes . It works well. I also use Adblocking with Unbound. Uninstalled Diversion for time being. Seems to work fast enough , will continue using this setup for several days to see that everything is fine.
Thanks. I hope RMerlin will decide someday to incorporate unbound
 
Another thing. If I can't use DoT, can I at least configure DNS servers in LAN -> DHCP Server settings or somewhere else in order not to use my ISP DNS servers?

My ISP dns servers do not support DNSSEC , so at least somehow to use Cloudflare or other dns servers without DoT and without harming this good setup
 
Last edited:
If you were to change this:
Code:
logfile: "/opt/var/lib/unbound/unbound.log"
to this:
Code:
logfile: "/opt/var/log/unbound.log"
would we not then be on the road to have this compatible also with scribe and uiScribe?
 
If you were to change this:
Code:
logfile: "/opt/var/lib/unbound/unbound.log"
to this:
Code:
logfile: "/opt/var/log/unbound.log"
would we not then be on the road to have this compatible also with scribe and uiScribe?
No need for the change, unbound auto logs to system log depending on what level of verbosity you set inside in unbound config file. You can then create filter files with scribe and logrotate to capture these logs. No need to attempt to change location of log file.
 
No need for the change, unbound auto logs to system log depending on what level of verbosity you set inside in unbound config file. You can then create filter files with scribe and logrotate to capture these logs. No need to attempt to change location of log file.
Maybe he wants us to show the steps
 
@Delusion Try adding this adlist format to the adblock script

Code:
cat $finalist | grep '^0\.0\.0\.0' | awk '{ print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\"" }' > $adlist
 
With libevent2 installed, I add these options to the unbound file

Code:
outgoing-range: 8192
num-queries-per-thread: 4096
outgoing-num-tcp: 10
incoming-num-tcp: 10
 
Another thing. If I can't use DoT, can I at least configure DNS servers in LAN -> DHCP Server settings or somewhere else in order not to use my ISP DNS servers?

My ISP dns servers do not support DNSSEC , so at least somehow to use Cloudflare or other dns servers without DoT and without harming this good setup
You want LAN DHCP DNS servers to be blank so that your router IP is advertised to clients. Then dnsmasq will forward your requests to Unbound, and Unbound will not use your ISP DNS, but rather will send your queries out to the responsible (authoritative) DNS server for the domain you are querying. So if you request 5 different domains in one session, your requests will be sent to the 5 different name servers responsible for each of those domains. This is unlike default dnsmasq behavior which forwards every request to the same DNS server out on the internet (e.g. Quad9, Cloudflare, Google DNS, ISP, etc.) and they receive all your DNS query history. Using Unbound locally as the recursive resolver (i.e. the same function as Quad9, Cloudflare, Google DNS, etc.), you entrust your DNS history to no one entity except your own router.

Since the downside is that your ISP could still be snooping your DNS traffic from Unbound, I think the ideal scenario that I might try is to setup Unbound out in the cloud on a Linux server and have my router forward to it using DoT. That way no outbound DNS traffic is in the clear, except for the router's own lookups. Will have to think about that more.
 
You want LAN DHCP DNS servers to be blank so that your router IP is advertised to clients. Then dnsmasq will forward your requests to Unbound, and Unbound will not use your ISP DNS, but rather will send your queries out to the responsible (authoritative) DNS server for the domain you are querying. So if you request 5 different domains in one session, your requests will be sent to the 5 different name servers responsible for each of those domains. This is unlike default dnsmasq behavior which forwards every request to the same DNS server out on the internet (e.g. Quad9, Cloudflare, Google DNS, ISP, etc.) and they receive all your DNS query history. Using Unbound locally as the recursive resolver (i.e. the same function as Quad9, Cloudflare, Google DNS, etc.), you entrust your DNS history to no one entity except your own router.

Since the downside is that your ISP could still be snooping your DNS traffic from Unbound, I think the ideal scenario that I might try is to setup Unbound out in the cloud on a Linux server and have my router forward to it using DoT. That way no outbound DNS traffic is in the clear, except for the router's own lookups. Will have to think about that more.
Couldn't you just tell DNSMASQ to use DoT servers on the router and then forward to unbound like you are with ISP servers?
 
Very good setup organization. I tested it here.
Prefer not to enable IPV6? How about DNS-over-TLS on Unbound?
Awaiting contributions from the @SomeWhereOverTheRainBow
I think it would be better if we do not use 127.0.1.1:53 for Unbound since that is technically claimed by Merlin for Stubby (I know I started this problem when I posted my test config). And 127.0.0.1:5453 is the default Stubby port on John’s fork.

For maximum compatibility, maybe use 127.0.0.1:5053 or other uncommon port for dnsmasq to Unbound forwarding without relying on the second loopback IP or collision with other known DNS services in the firmware.
 
For maximum compatibility, maybe use 127.0.0.1:5053 or other uncommon port for dnsmasq to Unbound forwarding without relying on the second loopback IP or collision with other known DNS services in the firmware.
Excellent remark. Combined.
Code:
server:
# port to answer queries from
port: 53535
interface: 127.0.0.1
Code:
CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "servers-file" $CONFIG
pc_append "server=127.0.0.1#53535" $CONFIG
 
I've been trying for a long time to adapt nginx to unbound as a reverse proxy, speeding up website loading.

https://www.bentasker.co.uk/documen...unning-your-own-dns-over-https-server#unbound

This is the link for Dot portion.

https://www.bentasker.co.uk/documentation/linux/470-building-a-dns-over-tls-server

This shows a detailed description of using dnscrypt proxy, unbound and nginx to make a DoH server it goes into describing using adblockers in unbound and to using pihole along side unbound, and nginx is the proxy forwarder. It also in a round about way describes how to do it with DoT but it assumes the user has followed the process for DoH first so it skips the beginning steps. The only difference from this setup and ours is that their setup is built on debian setup, where ours is running on entware.
 
https://www.bentasker.co.uk/documen...unning-your-own-dns-over-https-server#unbound

This is the link for Dot portion.

https://www.bentasker.co.uk/documentation/linux/470-building-a-dns-over-tls-server

This shows a detailed description of using dnscrypt proxy, unbound and nginx to make a DoH server it goes into describing using adblockers in unbound and to using pihole along side unbound, and nginx is the proxy forwarder. It also in a round about way describes how to do it with DoT but it assumes the user has followed the process for DoH first so it skips the beginning steps. The only difference from this setup and ours is that their setup is built on debian setup, where ours is running on entware.
I think you can adapt.
 
Status
Not open for further replies.

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top