Unbound - Authoritative Recursive Caching DNS Server

[rgnldo]

interface 0.0.0.0

Whatever. the interface listening orientation is defined in the dnsmasq settings.

dnsmasq port=0

There is no need. Make sure there are no options in the /etc/dnsmasq file for any DNS handling options. Otherwise, you will have problems.

 

[Deleted member 67693]

Raspbian is a Debian environment. Just configure the repository in sources.list.

apt-get update
apt-get install -y unbound dnsutils

Configure as needed.

I tried it but it dont really work, it could be that I do something wrong.

When i test it this was shown, no qname-minimisation or IPv6, wether I have a conf with these parameters (do-ip6= yes,qname-minimisation: yes).

But when I use a Virtual Machine it works well, I dont know why. Maybe someone can explain it to me.

Here it works fine after installing unbound dnsutils qname minimisation works well. The other work also before I download unbound. But why?
( https://cmdns.dev.dns-oarc.net/ )

Many Thanks in advance

 

[Deleted member 67693]

I did the simulation with VirtualBox. To work do this:

Type the steps again, to hopefully get it right
1. Install Rasbian new
2. Install PiHole
3. Install unbound and ldnsutils and stop it

apt-get install unbound ldnsutils

service unbound stop

4. Creating the file
/etc/unbound.conf.d/pi-hole.conf

server:
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1@5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
 
    root-hints: "/var/lib/unbound/root.hints"

    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1472

    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    serve-expired-ttl: 3600
 
    rrset-roundrobin: yes
    harden-algo-downgrade: yes
    hide-version: yes
    hide-identity: yes
    harden-below-nxdomain: yes

    num-threads: 1

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

5. PiHole configuration with unbound

View attachment 22019 View attachment 22020

6. Set on /etc/dnsmas.d/01-pihole.conf

cache-size=0

7. start unbound

service unbound start

8. Reboot

Work fine:

View attachment 22024

View attachment 22022

%  dig +short txt qnamemintest.internet.nl

a.b.qnamemin-test.internet.nl.

"HOORAY - QNAME minimisation is enabled on your resolver :)!"

Works fine. Thank you for help.

 

[heysoundude]

This may be germane or off-topic, but something tells me this topic/thread is the place to put it.
From Hurricane Electric's Tunnelbroker service:

[February 10, 2020]
The public recursors at 74.82.42.42 / 2001:470:20::2 / ordns.he.net now also support DNS over TLS (DoT) and DNS over HTTPS (DoH) for those who wish to use those interfaces.

Maybe it'll help someone, maybe I just added some noise to the discussion <shrugs>

Wash your hands!

 

[Chris0815]

Hey,
this is my first post so I take the chance to say thank you to all of you that this forum exits!
During the last weeks I have spent tons of hours reading interesting stuff here - my wife does not understand why I do so, but I learned a lot of things I really was not aware of before. So thanks again...!

I began using unbound configured as recursive server (not forwarding). And I use VPN by NordVPN configured as Client-VPN on the router without accepting DNS from NordVPN, so unbound is doing the job. DNS-leak-test shows a NordVPN IP and my WAN IP for DNS, so it seems to work so far.
So my IP is hidden, but sites still can extract my DNS-IP, and that is directly linked to my ISP. DNS over unbound is not encrypted. So am I right that this DNS traffic can be monitored by my ISP?
Would it be possible that unbound does not communicate with the name servers over WAN, but over VPN - so that my ISP is not able to see anything?
I tried to ad "outgoing-interface: 10.8.1.32" in the config of unbound. This IP is the client IP of the VPN connection of NordVPN on the router. DNS resolving still works with this setup, but is this the right way to send DNS traffic over the VPN? Is it really doing as I expect? Or should I see NordVPN IP for DNS? I still see my on WAN IP during DNS-leak-test...
Every time I reconnect to NordVPN (i.e router reboot), the VPN-Client IP given by NordVPN changes, so I have to change unbound config file each time. Is there any other possibility to send DNS-traffic over VPN to hide from ISP?

 

[rgnldo]

Hey,
this is my first post so I take the chance to say thank you to all of you that this forum exits!
During the last weeks I have spent tons of hours reading interesting stuff here - my wife does not understand why I do so, but I learned a lot of things I really was not aware of before. So thanks again...!

I began using unbound configured as recursive server (not forwarding). And I use VPN by NordVPN configured as Client-VPN on the router without accepting DNS from NordVPN, so unbound is doing the job. DNS-leak-test shows a NordVPN IP and my WAN IP for DNS, so it seems to work so far.
So my IP is hidden, but sites still can extract my DNS-IP, and that is directly linked to my ISP. DNS over unbound is not encrypted. So am I right that this DNS traffic can be monitored by my ISP?
Would it be possible that unbound does not communicate with the name servers over WAN, but over VPN - so that my ISP is not able to see anything?
I tried to ad "outgoing-interface: 10.8.1.32" in the config of unbound. This IP is the client IP of the VPN connection of NordVPN on the router. DNS resolving still works with this setup, but is this the right way to send DNS traffic over the VPN? Is it really doing as I expect? Or should I see NordVPN IP for DNS? I still see my on WAN IP during DNS-leak-test...
Every time I reconnect to NordVPN (i.e router reboot), the VPN-Client IP given by NordVPN changes, so I have to change unbound config file each time. Is there any other possibility to send DNS-traffic over VPN to hide from ISP?

What environment are you referring to? Is it an Asus router with Merlin firmware?

 

[Chris0815]

What environment are you referring to? Is it an Asus router with Merlin firmware?

Sorry for missing that I missed that information - Yes, its an AC86U running Merlin 384.15

 

[dave14305]

Every time I reconnect to NordVPN (i.e router reboot), the VPN-Client IP given by NordVPN changes, so I have to change unbound config file each time.

You can probably use a script to replace the outgoing-interface: line in the unbound.conf when it changes. A VPN guru could tell you how to do it (which user script).

 

[rgnldo]

Sorry for missing that I missed that information - Yes, its an AC86U running Merlin 384.15

From the experiences I have with VPN and unbound services, there are two options for the interaction between the two services.
The first with assigning NordVPN's IP to the outgoing-interface option, suggested by Dave14305:
The other option is a forward-zone, insert NordVPN's IP.

 

[SomeWhereOverTheRainBow]

Hey,
this is my first post so I take the chance to say thank you to all of you that this forum exits!
During the last weeks I have spent tons of hours reading interesting stuff here - my wife does not understand why I do so, but I learned a lot of things I really was not aware of before. So thanks again...!

I began using unbound configured as recursive server (not forwarding). And I use VPN by NordVPN configured as Client-VPN on the router without accepting DNS from NordVPN, so unbound is doing the job. DNS-leak-test shows a NordVPN IP and my WAN IP for DNS, so it seems to work so far.
So my IP is hidden, but sites still can extract my DNS-IP, and that is directly linked to my ISP. DNS over unbound is not encrypted. So am I right that this DNS traffic can be monitored by my ISP?
Would it be possible that unbound does not communicate with the name servers over WAN, but over VPN - so that my ISP is not able to see anything?
I tried to ad "outgoing-interface: 10.8.1.32" in the config of unbound. This IP is the client IP of the VPN connection of NordVPN on the router. DNS resolving still works with this setup, but is this the right way to send DNS traffic over the VPN? Is it really doing as I expect? Or should I see NordVPN IP for DNS? I still see my on WAN IP during DNS-leak-test...
Every time I reconnect to NordVPN (i.e router reboot), the VPN-Client IP given by NordVPN changes, so I have to change unbound config file each time. Is there any other possibility to send DNS-traffic over VPN to hide from ISP?

Your DNS traffic is in plain-text, but your traffic is not making contact to any major players such as your ISP's dns-servers or public servers, so all your queries are made to root-servers where the information is fresh. only the root servers will see you. unless your ISP starts sniffing your traffic, they are not going to really see what you are doing as you are going straight to the root servers and skipping the middleman servers(i.e. cloudflare, ISP-dns, quad9,google).

 

[SomeWhereOverTheRainBow]

I tried it but it dont really work, it could be that I do something wrong.
View attachment 21998
When i test it this was shown, no qname-minimisation or IPv6, wether I have a conf with these parameters (do-ip6= yes,qname-minimisation: yes).

But when I use a Virtual Machine it works well, I dont know why. Maybe someone can explain it to me.
View attachment 21999

Here it works fine after installing unbound dnsutils qname minimisation works well. The other work also before I download unbound. But why?
( https://cmdns.dev.dns-oarc.net/ )

Many Thanks in advance

Here is mine

 

[Ubimo]

Here is mine, how can I resolve the problems/failures?

 

[SomeWhereOverTheRainBow]

Here is mine, how can I resolve the problems/failures?
View attachment 22331
View attachment 22332

Looks like you do not have all your security or ipv6 settings on.

 

[Ubimo]

I turned off IPv6 in my router.
So this is normal then? Nothing to worry?

 

[dave14305]

I turned off IPv6 in my router.
So this is normal then? Nothing to worry?

If you are using Unbound configured per the "SNB standards" you should have QNAME minimization enabled. Are you sure this test was run using Unbound as your DNS server?

 

[Mutzli]

If you are using Unbound configured per the "SNB standards" you should have QNAME minimization enabled. Are you sure this test was run using Unbound as your DNS server?

I also get a C on that test with unbound enabled and I do have QNAME minimization enabled.

 

[SomeWhereOverTheRainBow]

I turned off IPv6 in my router.
So this is normal then? Nothing to worry?

I also get a C on that test with unbound enabled and I do have QNAME minimization enabled.

Do you use any of these additional options

 

[Mutzli]

I only have the following options active under gentle on recursion:
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

should I add what you have in this list?

 

[SomeWhereOverTheRainBow]

I only have the following options active under gentle on recursion:
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

should I add what you have in this list?

You can try it to see if it makes a difference , but if it doesn't then it is probably associated with capabilities associated with your isp.

 

[Mutzli]

You can try it to see if it makes a difference , but if it doesn't then it is probably associated with capabilities associated with your isp.

Made no difference, ISP must be the cause.

Is there a way to run unbound with the DoT enabled, that might help to mitigate these resolver leaks. I saw in the config file that there are parameters for this. Is there an explanation on how to enable this?