^Tripper^
Senior Member
... "SNB standards" ...

> ... "SNB standards" ...

That needs to be codified!
From the experience I have with the VPN and unbound services, there are two options for the interaction between the two services.
The first is assigning NordVPN's IP to the outgoing-interface option, as suggested by Dave14305:
The other option is a forward-zone; insert NordVPN's IP.
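Both options written out as unbound.conf fragments, added here as an example rather than taken from the post above or from the Merlin unbound installer. Addresses are placeholders: 10.8.0.2 stands for whatever address the VPN client holds on its tunnel interface (tun11 is OpenVPN client 1 on Asuswrt-Merlin), and 203.0.113.53/203.0.113.54 stand for the provider's published resolver addresses; the 127.0.0.1@53535 listener is the one the thread's dig command targets.

```conf
# Added example. Use ONE of the two sections below; they can also be
# combined, which gives forwarding sourced from the tunnel address.

# Option 1 (outgoing-interface): unbound keeps doing full recursion, but every
# query to the root/TLD/authoritative servers is sent from the tunnel address,
# so it follows the VPN route instead of the ISP WAN.
server:
    interface: 127.0.0.1@53535
    # Placeholder: the address the VPN client currently holds on tun11.
    outgoing-interface: 10.8.0.2
    # If the tunnel is down this address does not exist on the router, unbound
    # cannot bind its outgoing sockets to it and queries fail rather than
    # leaking through the WAN. The address is fixed here, so reload unbound
    # whenever the VPN reconnects with a different tunnel address.

# Option 2 (forward-zone): no recursion; everything is forwarded to the
# provider's resolvers and unbound only caches and validates the answers.
forward-zone:
    name: "."
    # Placeholders: the provider's resolver addresses. They must be routed
    # through the tunnel, otherwise the forwarded queries leave via the WAN.
    forward-addr: 203.0.113.53
    forward-addr: 203.0.113.54
    # Default, stated explicitly: never fall back to unbound's own recursion
    # when the forwarders are unreachable (fail closed instead of leaking).
    forward-first: no
```

The check given later in the thread, `dig -p 53535 @127.0.0.1 <name>`, works for either option. With option 2 also run a query for a DNSSEC-signed name with `+dnssec` and confirm the `ad` flag is set: a forwarder that strips RRSIG records leaves a validating unbound unable to validate, and it answers SERVFAIL for signed zones.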
> Made no difference, ISP must be the cause.

Do you have
do-tcp=yes
in your .conf?
Is there a way to run unbound with DoT enabled? That might help to mitigate these resolver leaks. I saw in the config file that there are parameters for this. Is there an explanation of how to enable it?
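An added example, not from the original post, showing the unbound options the question refers to: a forward-zone with forward-tls-upstream sends the forwarded queries over TLS on port 853 instead of plaintext UDP/TCP 53. It assumes the Entware ca-certificates bundle at /opt/etc/ssl/certs/ca-certificates.crt (the path is an assumption; adjust it to where the bundle is installed) and uses Quad9 and Cloudflare, which publish DoT endpoints; a VPN provider's resolver can take their place only if it offers DoT and its authentication name is known.

```conf
# Added example: DNS over TLS for forwarded queries.
server:
    interface: 127.0.0.1@53535
    # CA bundle used to verify the resolver's certificate. Assumed Entware
    # path. Without a bundle unbound cannot authenticate the resolver, and a
    # resolver impersonated on the path would be accepted.
    tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Everything in this zone goes over TLS to the port given after @.
    forward-tls-upstream: yes
    # The name after # is checked against the server certificate, so a
    # server presenting a valid certificate for some other name is rejected.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Do not fall back to plaintext recursion if the TLS forwarders fail.
    forward-first: no
```

Verify with the thread's `dig -p 53535 @127.0.0.1 <name>` check, and by confirming that the router's outbound DNS traffic now goes only to port 853 (a capture on the WAN or tunnel interface should show port 53 quiet). DoT hides the query content from the ISP path; the chosen resolver still sees every query, and the TLS handshake reveals which resolver is in use.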
rgnldo, SomeWhereOverTheRainBow, dave14305 - thank you for your comments. As far as I understand, only a minority is using unbound over VPN. So I will consider whether this setup is really necessary. The only advantage of this setup would be that it can potentially hide the traffic if the ISP actively starts sniffing traffic, correct? Otherwise the ISP should not see it.
> Do you have
> do-tcp=yes
> In your .conf?

yes:
If it is useful, there are two topics on VPN and unbound.
Due to how unbound is enabled on the FW, to cache your VPN provider you must enter the VPN DNS in the unbound configuration file.
Without unbound, the default is to add the VPN DNS to the FW Merlin WAN. The VPN DNS will be read by dnsmasq from the resolv.dnsmasq file.
> I've been afraid of your scary clown avatar since the beginning.

@rgnldo has a real face!

> @rgnldo has a real face!

And he is smiling at that! ;-)

> And he is smiling at that! ;-)

That credit goes to @Martineau instead of me.
BTW, great job @rgnldo and @dave14305. I installed Unbound yesterday via amtm. Considering the complexity of this function, the installation was very easy.
> With unbound installed, it works perfectly eliminating these options (bogus-priv/domain-needed) in dnsmasq. (I may be wrong, but I need something to work.)

That would suggest that dnsmasq is forwarding unqualified hostnames and private IP addresses to Unbound to resolve, which it would have no way to resolve. Those options prevent local network names and IPs from being sent upstream, since no upstream DNS provider will know your local hostnames and private IPs. Only if you're populating Unbound with local-zone data for your home/local network should this be considered a good idea.
bogus-priv
    Bogus private reverse lookups. All reverse lookups for private IP ranges (i.e. 192.168.x.x, etc.) which are not found in /etc/hosts or the DHCP leases file are answered with "no such domain" rather than being forwarded upstream. The set of prefixes affected is the list given in RFC 6303, for IPv4 and IPv6.
domain-needed
    Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned.
You're right. The options are correct for the operation of dnsmasq. But considering that unbound is acting as a resolver, DNSSEC inspector, DNS rebind protection, etc., these options may not be working. Remember the doubt about PLEX and unbound? Well, the fact is that all services that require streaming and location communication work.
When I'm running unbound, I cannot resolve
https://uwz.at/
https://www.zamg.ac.at/
Is it just me?
Edit:
I think the problem is somewhere else, have to investigate...

> When I'm running unbound, I cannot resolve
> https://uwz.at/
> https://www.zamg.ac.at/
> Is it just me?
> Edit:
> I think the problem is somewhere else, have to investigate...

As FW Merlin is organized, it is very simple to check whether the domain resolution problem is your ISP or your unbound server configuration. Logged in via SSH on FW Merlin, run:
dig uwz.at                        # through the router's normal resolver path
dig -p 53535 @127.0.0.1 uwz.at    # directly at unbound on its local listener
> I can get to them just fine here.

Me too.
...
Example 1 - minimal configuration for caching-only DNS
# unbound.conf for a local subnet.
server:
    interface: 192.168.1.10
    interface: FD00:2216:9203:2::4
    access-control: 192.168.0.0/16 allow
    access-control: ::1 allow
    verbosity: 1