Unbound - Authoritative Recursive Caching DNS Server
- Thread starter rgnldo
- Start date
- Status
Chris0815
Regular Contributor
rgnldo, SomeWhereOverTheRainBow, dave14305 - thank you for your comments. As fas as I understood only a minority is using unbound over VPN. So I will consider if this setup is really necessary. The only advantage of this setup would be that this can potentially hide the traffic if ISP is actively starting to sniff traffic, correct? Otherwise ISP should not see it.
SomeWhereOverTheRainBow
Part of the Furniture
SomeWhereOverTheRainBow
Part of the Furniture
Correct isp will not see traffic unless they sniff for it.
Mutzli
Very Senior Member
rgnldo
Very Senior Member
If it is useful, there are two topics on VPN and unbound.
VPN unbound
NordVPN and unbound
Due to how unbound is enabled on the FW, to cache your VPN provider, you must inform the VPN DNS in the unbound configuration file.
Without unbound, the default is to add the DNS VPN to the FW Merlin WAN. The DNS VPN will be read by the resolv.dnsmasq file by dnsmasq.
Chris0815
Regular Contributor
Thank you rgnldo!
Things getting clearer for me now.
A lot of different possibilities, depends on the aim.
These two options would make the VPN provider to resolve DNS and showing his IP in DNS-leak-test.
First solution with caching using unbound, but configured as a forwarder, not communicating directly with the name severs.
Second solution without unbound, only VPN DNS.
So first solution still preferable.
I was thinking about a possibility to use unbound as a recursive caching server - But for the DNS communication with the root-servers, unbound should use the configured (Nord-)VPN connection on the router. Idea was to hide from ISP. With defining the outgoing-interface it is generally working so far.
But you are right - the correct way using VPN is to use the DNS by VPN provider not to leak own IP (unbound configured as a recursive resolver would leak it).
But for general configuration I will use unbound as recursive caching server...
Things getting clearer for me now.
A lot of different possibilities, depends on the aim.
These two options would make the VPN provider to resolve DNS and showing his IP in DNS-leak-test.
First solution with caching using unbound, but configured as a forwarder, not communicating directly with the name severs.
Second solution without unbound, only VPN DNS.
So first solution still preferable.
I was thinking about a possibility to use unbound as a recursive caching server - But for the DNS communication with the root-servers, unbound should use the configured (Nord-)VPN connection on the router. Idea was to hide from ISP. With defining the outgoing-interface it is generally working so far.
But you are right - the correct way using VPN is to use the DNS by VPN provider not to leak own IP (unbound configured as a recursive resolver would leak it).
But for general configuration I will use unbound as recursive caching server...
dave14305
Part of the Furniture
JGrana
Very Senior Member
And he is smiling at that! ;-)@rgnldo has a real face!
BTW, great job @rgnldo and @dave14305 . I installed Unbound yesterday via Amtm. Considering the complexity of this function, the installation was very easy.
dave14305
Part of the Furniture
That credit goes to @Martineau instead of me.
rgnldo
Very Senior Member
With UPnP disabled, in my daily use, I have streaming services, samba etc. With unbound installed, it works perfect eliminating these options (bogus-priv/domain-needed) in Dnsmasq. (I may be wrong, but I need something to work.)
Another point that I considered, I omitted the access-control options and the TTL values. If the operator of a zone decides to set extremely low or high TTLs, he/she usually has a good reason to do so. A resolver should not interfere at this point.
To my surprise, it is perfect.
So, what do you think?
Another point that I considered, I omitted the access-control options and the TTL values. If the operator of a zone decides to set extremely low or high TTLs, he/she usually has a good reason to do so. A resolver should not interfere at this point.
To my surprise, it is perfect.
So, what do you think?
dave14305
Part of the Furniture
That would suggest that dnsmasq is forwarding unqualified hostnames and private IP addresses to Unbound to resolve, which it would have no way to resolve. Those options prevent local network names and IPs to be sent upstream, since no upstream DNS provider will know your local hostnames and private IPs. Only if you're populating Unbound with local-zone data for your home/local network would should this be considered a good idea.
rgnldo
Very Senior Member
You're right. The options are correct for the operation of dnsmasq. But considering that unbound is acting as a resolver, DNSSEC inspector and DNS Rebind etc, these options may not be working. Remember the doubt of PLEX and unbound? Well, the fact is that all services that require streaming and location communication work.
When I'm running unbound, I cannot resolve
https://uwz.at/
https://www.zamg.ac.at/
Is it just me?
Edit:
I think the problem is somewhere else, have to investigate...
https://uwz.at/
https://www.zamg.ac.at/
Is it just me?
Edit:
I think the problem is somewhere else, have to investigate...
rgnldo
Very Senior Member
As FW Merlin is organized, it is very simple to check if the domain resolution problem is your ISP or unbound server configuration. Logged in as SSH at FW Merlin, run:
For test ISP resolver:
Code:
dig uwz.at
Code:
dig -p 53535 @127.0.0.1 uwz.at
Treadler
Very Senior Member
I can get to them just fine here.
SomeWhereOverTheRainBow
Part of the Furniture
Me too.
Lord Lovaduck
Regular Contributor
Hello! I am a noob regarding Unbound/DNS and I am curious as if using it would provide a benefit in terms of performance. I live in Patagonia, very far "down" in South America. This is the bottom of the world... specially in terms of internet service. Getting a few Mbps is a miracle here and I am trying to squeeze as much I can from the limited bandwidth I have. My router is an AC68U.
Will installing unbound provide some relief by caching DNS queries? Does the default configuration provide that or should I modify the server and interface to match my configuration.
I was looking at this post and the basic minimal configuration it presents, which is different than what is installed by AMTM's unbound installer.
Or, am I using a cannon to kill a mosquito and a simpler solution would do for my minimalistic needs? Any comments appreciated!
Will installing unbound provide some relief by caching DNS queries? Does the default configuration provide that or should I modify the server and interface to match my configuration.
I was looking at this post and the basic minimal configuration it presents, which is different than what is installed by AMTM's unbound installer.
Or, am I using a cannon to kill a mosquito and a simpler solution would do for my minimalistic needs? Any comments appreciated!
- Status
Similar threads
Similar threads
-
Can't connect to DYNDNS when Unbound is enabled !
- Started by ComputerSteve
- Replies: 10
-
-
Unbound + Wireguard: is this combination possible at all?
- Started by louisschneider
- Replies: 6
Latest threads
-
Help with RT-ac88u network switch issues - causing reboot
- Started by rkalinka
- Replies: 0
-
TP-Link routers are being taken over by botnet
- Started by TheLostSwede
- Replies: 0
-
RT-AX86U Pro - Merlin: can't get p2p cameras available to wan.
- Started by mightyoakbob
- Replies: 1
-
Upgrade suggestions from an RT-AC86U running merlin
- Started by routerbattles
- Replies: 8
-
DNScrypt Recurring message in the log every day, same time.
- Started by K3r1m0
- Replies: 1
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!
Staff online
-
thigginsMr. Easy