Menu
What's new
By:
Filters Better Search

Unbound - Authoritative Recursive Caching DNS Server

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Status
Not open for further replies.
rgnldo said:
I edited the steps at the beginning of the post. See there
Click to expand...
Yes . It works well. I also use Adblocking with Unbound. Uninstalled Diversion for time being. Seems to work fast enough , will continue using this setup for several days to see that everything is fine.
Thanks. I hope RMerlin will decide someday to incorporate unbound
 
Another thing. If I can't use DoT, can I at least configure DNS servers in LAN -> DHCP Server settings or somewhere else in order not to use my ISP DNS servers?

My ISP dns servers do not support DNSSEC , so at least somehow to use Cloudflare or other dns servers without DoT and without harming this good setup
 
Last edited:
If you were to change this:
Code: 
logfile: "/opt/var/lib/unbound/unbound.log"
to this:
Code: 
logfile: "/opt/var/log/unbound.log"
would we not then be on the road to have this compatible also with scribe and uiScribe?
 
elorimer said:
If you were to change this:
Code: 
logfile: "/opt/var/lib/unbound/unbound.log"
to this:
Code: 
logfile: "/opt/var/log/unbound.log"
would we not then be on the road to have this compatible also with scribe and uiScribe?
Click to expand...
No need for the change, unbound auto logs to system log depending on what level of verbosity you set inside in unbound config file. You can then create filter files with scribe and logrotate to capture these logs. No need to attempt to change location of log file.
 
SomeWhereOverTheRainBow said:
No need for the change, unbound auto logs to system log depending on what level of verbosity you set inside in unbound config file. You can then create filter files with scribe and logrotate to capture these logs. No need to attempt to change location of log file.
Click to expand...
Maybe he wants us to show the steps
 
@Delusion Try adding this adlist format to the adblock script

Code: 
cat $finalist | grep '^0\.0\.0\.0' | awk '{ print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\"" }' > $adlist
 
With libevent2 installed, I add these options to the unbound file

Code: 
outgoing-range: 8192
num-queries-per-thread: 4096
outgoing-num-tcp: 10
incoming-num-tcp: 10
 
Delusion said:
Another thing. If I can't use DoT, can I at least configure DNS servers in LAN -> DHCP Server settings or somewhere else in order not to use my ISP DNS servers?

My ISP dns servers do not support DNSSEC , so at least somehow to use Cloudflare or other dns servers without DoT and without harming this good setup
Click to expand...
You want LAN DHCP DNS servers to be blank so that your router IP is advertised to clients. Then dnsmasq will forward your requests to Unbound, and Unbound will not use your ISP DNS, but rather will send your queries out to the responsible (authoritative) DNS server for the domain you are querying. So if you request 5 different domains in one session, your requests will be sent to the 5 different name servers responsible for each of those domains. This is unlike default dnsmasq behavior which forwards every request to the same DNS server out on the internet (e.g. Quad9, Cloudflare, Google DNS, ISP, etc.) and they receive all your DNS query history. Using Unbound locally as the recursive resolver (i.e. the same function as Quad9, Cloudflare, Google DNS, etc.), you entrust your DNS history to no one entity except your own router.

Since the downside is that your ISP could still be snooping your DNS traffic from Unbound, I think the ideal scenario that I might try is to setup Unbound out in the cloud on a Linux server and have my router forward to it using DoT. That way no outbound DNS traffic is in the clear, except for the router's own lookups. Will have to think about that more.
 
dave14305 said:
You want LAN DHCP DNS servers to be blank so that your router IP is advertised to clients. Then dnsmasq will forward your requests to Unbound, and Unbound will not use your ISP DNS, but rather will send your queries out to the responsible (authoritative) DNS server for the domain you are querying. So if you request 5 different domains in one session, your requests will be sent to the 5 different name servers responsible for each of those domains. This is unlike default dnsmasq behavior which forwards every request to the same DNS server out on the internet (e.g. Quad9, Cloudflare, Google DNS, ISP, etc.) and they receive all your DNS query history. Using Unbound locally as the recursive resolver (i.e. the same function as Quad9, Cloudflare, Google DNS, etc.), you entrust your DNS history to no one entity except your own router.

Since the downside is that your ISP could still be snooping your DNS traffic from Unbound, I think the ideal scenario that I might try is to setup Unbound out in the cloud on a Linux server and have my router forward to it using DoT. That way no outbound DNS traffic is in the clear, except for the router's own lookups. Will have to think about that more.
Click to expand...
Couldn't you just tell DNSMASQ to use DoT servers on the router and then forward to unbound like you are with ISP servers?
 
rgnldo said:
Very good setup organization. I tested it here.
Prefer not to enable IPV6? How about DNS-over-TLS on Unbound?
Awaiting contributions from the @SomeWhereOverTheRainBow
Click to expand...
I think it would be better if we do not use 127.0.1.1:53 for Unbound since that is technically claimed by Merlin for Stubby (I know I started this problem when I posted my test config). And 127.0.0.1:5453 is the default Stubby port on John’s fork.

For maximum compatibility, maybe use 127.0.0.1:5053 or other uncommon port for dnsmasq to Unbound forwarding without relying on the second loopback IP or collision with other known DNS services in the firmware.
 
dave14305 said:
For maximum compatibility, maybe use 127.0.0.1:5053 or other uncommon port for dnsmasq to Unbound forwarding without relying on the second loopback IP or collision with other known DNS services in the firmware.
Click to expand...
Excellent remark. Combined.
Code: 
server:
# port to answer queries from
port: 53535
interface: 127.0.0.1
Code: 
CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "servers-file" $CONFIG
pc_append "server=127.0.0.1#53535" $CONFIG
 
rgnldo said:
I've been trying for a long time to adapt nginx to unbound as a reverse proxy, speeding up website loading.
Click to expand...

https://www.bentasker.co.uk/documen...unning-your-own-dns-over-https-server#unbound

This is the link for Dot portion.

https://www.bentasker.co.uk/documentation/linux/470-building-a-dns-over-tls-server

This shows a detailed description of using dnscrypt proxy, unbound and nginx to make a DoH server it goes into describing using adblockers in unbound and to using pihole along side unbound, and nginx is the proxy forwarder. It also in a round about way describes how to do it with DoT but it assumes the user has followed the process for DoH first so it skips the beginning steps. The only difference from this setup and ours is that their setup is built on debian setup, where ours is running on entware.
 
SomeWhereOverTheRainBow said:
https://www.bentasker.co.uk/documen...unning-your-own-dns-over-https-server#unbound

This is the link for Dot portion.

https://www.bentasker.co.uk/documentation/linux/470-building-a-dns-over-tls-server

This shows a detailed description of using dnscrypt proxy, unbound and nginx to make a DoH server it goes into describing using adblockers in unbound and to using pihole along side unbound, and nginx is the proxy forwarder. It also in a round about way describes how to do it with DoT but it assumes the user has followed the process for DoH first so it skips the beginning steps. The only difference from this setup and ours is that their setup is built on debian setup, where ours is running on entware.
Click to expand...
I think you can adapt.
 
Status
Not open for further replies.

Similar threads

J
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2
23 24 25
Replies
499
Views
82K
SomeWhereOverTheRainBow
SomeWhereOverTheRainBow
Similar threads
Thread starter Title Forum Replies Date
C Can't connect to DYNDNS when Unbound is enabled ! Asuswrt-Merlin 10
L "Maximum number of concurrent DNS queries" with strange lb._dns-sd._udp. ... .in-addr.arpa reverse DNS queries (has Pi running Adguard Home + Unbound) Asuswrt-Merlin 2
O PI hole + unbound + domain vpn routing Asuswrt-Merlin 10
L Unbound + Wireguard: is this combination possible at all? Asuswrt-Merlin 6

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 895 (members: 30, guests: 865)
Top