
Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2

Hey guys. So I'm really new to unbound. Never used it before but very interested.

Mainly I was interested in having unbound as a recursive DNS but I want it to be as a secondary DNS instead of my primary. I'd like to have cloudflare DNS over TLS as my primary DNS and unbound running in the background as my secondary if the cloudflare DNS is down (which happens quite a lot. Sometimes from cloudflare itself or sometimes it's my ISP's connection problem to cloudflare itself)

So is it possible? If it is, how would I do that? Thank you!!

PS: Currently I am running Merlin's normal DNS over TLS.
It looks to me like you're making your own life difficult for yourself:
unbound caches your network's DNS lookups on its (your!) own private server after checking the same authoritative servers that CloudFlare, Google, Quad9 and your own ISP.
Read that again ^
I'm certain the ping to unbound is a LOT faster than cloudflare's servers.
There's no need to use DoT, unless you distrust your ISP...so if you suspect cloudflare of occasionally being an issue for you, stop using them.

As far as I'm concerned, This Is The Way. Along with some of the other scripts available for users of Merlin's firmware.
 
Yeah, but the timing on uncached queries is quite slow, I've heard, compared to just Cloudflare etc., since they already cache things.
 
I've been debating a similar case for weeks in my head and the overall consensus I've read is, "... if you are not going to use unbound as the authoritative, then why bother using unbound?" I had wanted to try it for a similar case with NextDNS. I wanted NextDNS for the blocking, filter and control elements, but the kind subject-matter experts conveyed that the existing Merlin setups with dnsmasq and Stubby already do a very good job in that use case and adding unbound just over-complicates our already great setups! So I put that thought on hold and continue to monitor this thread. Stay safe, stay alive. Peace.
 

Same. But yeah, I was thinking of using unbound as a backup recursive DNS for when things don't work. But ye.
 
If using unbound becomes basically useless when you want to stick to NextDNS, with its DoT/DoH, parental controls, adblocking, logging, mobile config-profiles for when outdoors etcetera, it's not worth the 'trouble' to me either. I couldn't get it to run in the first place, had trouble uninstalling it but found a post to manually remove all traces, restored my backup and now all is fine again. Without unbound. As you mentioned - why over-complicate things. It's just another factor to keep an eye on when things don't work as expected and though I admire the efforts put in the project, I don't see the benefits for my personal situation.

TL;DR: +1
 
I agree, unbound is only relevant for those who wish for privacy from using upstream DNS servers such as Cloudflare, NextDNS, Google, or any other DNS server. When using one of the above servers, all requests get forwarded to the server. If you use unbound without the forwarding options, then you become your upstream. You are more private because you get your information straight from the root servers, skipping the middle-man DNS servers (a.k.a. Google, Cloudflare, and NextDNS).
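Added example to make the "with forwarding" vs "become your upstream" distinction above concrete. This is not config from the thread or from unbound_manager; it is two alternative unbound.conf fragments, and the upstream address, LAN range and file paths are placeholders you would replace with your own.

```conf
# Added example (not unbound_manager's generated config). Pick ONE mode.

# --- Mode A: forwarding ---
# Every cache miss is sent to the upstream resolver, so the upstream
# sees the names your network looks up (the "middle man" in the post above).
server:
    interface: 127.0.0.1
    access-control: 192.168.1.0/24 allow          # placeholder LAN range
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # placeholder CA path

forward-zone:
    name: "."                                     # forward everything
    forward-addr: 203.0.113.53@853                # placeholder upstream (TEST-NET-3), DoT port
    forward-tls-upstream: yes

# --- Mode B: recursive (no forward-zone at all) ---
# unbound walks the delegation chain from the root servers itself; only the
# authoritative servers for each zone see the query, and only the labels they need.
server:
    interface: 127.0.0.1
    access-control: 192.168.1.0/24 allow          # placeholder LAN range
    root-hints: "/etc/unbound/root.hints"         # placeholder path to root server list
    auto-trust-anchor-file: "/etc/unbound/root.key"  # placeholder path; DNSSEC anchor, RFC 5011 auto-update
    harden-dnssec-stripped: yes                   # reject answers whose DNSSEC data was stripped
    qname-minimisation: yes                       # RFC 7816: send each server only what it needs
    prefetch: yes                                 # refresh popular records before expiry
```

The trade-off the earlier reply raised is visible here: Mode B pays the full root-to-authoritative walk on a cold cache, and prefetch only softens that for names already seen. Run unbound-checkconf against the file before restarting so a typo does not leave the router without a resolver, which is exactly the failure case the original question was about.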
 
A small price to pay (one time), from where I sit. Anytime you hit Cloudflare, they mine data just like Google, Facebook... bypassing them takes you to the auth servers everyone (including those data miners I mentioned) references, and takes probably just as long as your ping to them.

Also note @Martineau 's WireGuard implementation - set it up on a supported router and have your mobile devices connect to the router when you're off-LAN and you get the benefit of the power of the scripts you're running at home when you're not.
 
Have been running an RPi4 with Pi-hole and unbound for a while now; set it up and forget it, haven't had any issues for over 4 months now.
 
CloudFlare, Google, NextDNS (whoever they are), Quad9 (a consortium that includes Microsoft, one of the OGs of data mining) should be avoided if you are at all privacy conscious, and unbound on your router protects the privacy of all (well, most: there are certain Android devices that refuse to use anything but their maker's DNS) devices/machines on your network. Unbound handles ad-blocking too, Skynet is a great firewall, and if you need VPN, roll your own with WireGuard so you can control both endpoints, the server and the clients. It's a no-brainer to me, using these, and the fact that it's free except for your own sweat equity and whatever donations you wish to make to Merlin and the scriptwriters makes it amazeballs in awesomesauce.
 
If you're not using Cloudflare, Quad9 or Google DNS servers (or the others mentioned), do you recommend using your ISP's DNS servers with unbound for privacy? I currently use a VPN with Quad9 servers. I also use unbound as well.
 
I will at times tunnel my unbound through my VPN server.
 
The most concerning aspect is
Quad9 is a not-for-profit organization, relying on grants and partnerships with commercial and non-commercial sources and from individuals.

Quad9 is fine if you have no concerns with regards to trust and the fact that you don't have control over what Quad9 blocks. If you use unbound as a recursive server, you don't necessarily need to have these concerns because your information stays local.
 
Are you saying that you should leave this field undefined and let your ISP take care of it?

Quad9.JPG
 
That depends on if you trust your ISP more. I would just use unbound and leave the rest blank. My problem with Quad9 and the rest of the DNS server conglomerates is the whole fake facade interpretation of privacy.

So who would you trust more with your personal info and governmental (over)reach (you both have me rethinking this, and I know we don't live in a static world, so today's answer may not apply tomorrow):

Spectrum
Quad9
 
Unbound, meaning my router, is my DNS, and if it can't serve the IP that's queried, it goes to the auth servers maintained by ICANN (just like CF, Google etc.).
That's assuming unbound is up and running. If for some reason it hasn't launched in a reboot or otherwise fails, I've pointed my router to Canadian Shield (I'm within that jurisdiction), with CF as a backup in case they're down. Surely at some point my ISP sees some of this (CF may be under the same roof as my ISP's servers), but for the hopefully brief moments of time that this might be the case, I'm surely not transmitting/receiving anything on my network's end that could be compromising.
 
@Martineau - I see you're busy WireGuard-ing, but have you seen this?
Are we good?