Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[SomeWhereOverTheRainBow]

am I mistaken that my ISP can see what my DNS inquiries are when unbound goes looking to auth servers in the case of cache miss?
If not, I think I'd very much like to re-integrate DoT (having used stubby before unbound) as a privacy protection on my network.
Is there anyone here knowledgeable about DNS-over-TLS integration at the Auth servers unbound looks to?
is it possible to set those servers that do support DoT as "preferred" in unbound? Not cloudflare or Google/Alphabet, the Auth servers
also - if I'm setting myself up for potential network issues, I'd like to know about those as well. or whatever I'm missing or not taking into account or understanding...especially if there are other better ways to accomplish what I hope to.

Unbound cannot cache responses from its own integrated DoT. That is from my understanding why people use stubby along side it to benefit from its cache.. Its traffic is clear text otherwise. But you are not using your isp for dns lookups, they have to sniff your traffic to find out what you are doing. Unbound has security measures that minimize how much of your information gets presented in those queries and those queries contact root servers directly making them hard to trace. No one server has your information stored.

 

[gspannu]

I don't know which Diversion pre-defined list you are using, but you could simply add the appropriate Diversion source links to '/opt/share/unbound/blocklists'

Are there any recommended lists other than what unbound installs as default?

I remember in Diversion, one had the choice of using different lists ranging from small to large.
Is there something similar or an equivalent of the medium & large list in unbound?

Any way I can get the list which is equivalent of Diversion Large working in Unbound?

 

[dave14305]

am I mistaken that my ISP can see what my DNS inquiries are when unbound goes looking to auth servers in the case of cache miss?
If not, I think I'd very much like to re-integrate DoT (having used stubby before unbound) as a privacy protection on my network.
Is there anyone here knowledgeable about DNS-over-TLS integration at the Auth servers unbound looks to?
is it possible to set those servers that do support DoT as "preferred" in unbound? Not cloudflare or Google/Alphabet, the Auth servers
also - if I'm setting myself up for potential network issues, I'd like to know about those as well. or whatever I'm missing or not taking into account or understanding...especially if there are other better ways to accomplish what I hope to.

You don't really get to pick the authoritative server for a domain you want to query. The domain owner decides which server is authoritative. There's been discussions about the root servers eventually supporting DoT, but that only solves the .com, .org, .edu part of recursive lookups. Each domain owner's authoritative server would also need to support it, and that's not very practical given the state of DNS (and look how eager they are to adopt DNSSEC).

But yes, Unbound as a recursive resolver to authoritative servers sends in-the-clear and can be snooped by your ISP if they find you interesting enough to bother with.

The ideal scenario would be to setup your own Unbound in a public cloud and have your home network send queries over DoT to your Unbound server. That way it can't be snooped and from the public cloud, who would know it was you sending those recursive queries?

 

[Linux_Chemist]

Noticed a mystery last week. I don't think I've ever seen total.tcpusage in the stats at anything other than 0, but have definitely noticed tcp traffic out for dns on occasion from the router (custom iptables rules) so it is definitely happening, but it's not counting it?

On a whim I tried disabling tcp to see if how often udp wasn't enough for unbound. (set do-tcp: no and restart unbound + wipe the cache).
Sure enough, the occasional site with DNSSEC etc will timeout (SERVFAIL) with

Error: error sending query: Could not send or receive, because of network error

Turn tcp back on, restart unbound + flush cache (rs nocache) to try the site again and hey presto, it's fine.

Good reproducible one to drill or dig was careers.protonmail.com but you may need a bigger transmission from dnssec etc to reproduce - it'll depend on what you've set in the config.


The only problem is, I tried resetting the config logging settings for unbound_manager back to defaults (I normally have them much reduced) and total.tcpusage=0 still even though iptables also logged a tcp transmission for it (freshly restarted firewall, OUTPUT)

    7   337 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            multiport dports 53

tl;dr is anyone else getting actual counts for total.tcpusage (show stats in the unbound_manager menu with s, it's the last value) and if so, how does your config differ from defaults?
It's definitely doing tcp for this but it's not counting it in unbound stats.

 

[heysoundude]

You don't really get to pick the authoritative server for a domain you want to query. The domain owner decides which server is authoritative. There's been discussions about the root servers eventually supporting DoT, but that only solves the .com, .org, .edu part of recursive lookups. Each domain owner's authoritative server would also need to support it, and that's not very practical given the state of DNS (and look how eager they are to adopt DNSSEC).

But yes, Unbound as a recursive resolver to authoritative servers sends in-the-clear and can be snooped by your ISP if they find you interesting enough to bother with.

The ideal scenario would be to setup your own Unbound in a public cloud and have your home network send queries over DoT to your Unbound server. That way it can't be snooped and from the public cloud, who would know it was you sending those recursive queries?

aha, now that's clear...Thank you. (Nooooobody expects the spanish inquisitionnnn!)
I guess that means I should have a look at my ISP's logging of my lookups, then.

 

[Deleted member 62525]

Maybe someone has the same problem and is able to point me to the solution. Running Unbound + Skynet and had a requirement last week to use Unbound Views. In order to do so I had to disable dnsmasq and everything is working as expected. However, now that dnsmasq is disbled Skynet should be able to read my local devices client IP's, but when I check GUI->Firewall->Skynet "Top 10 blocked devices (outbound)" it only shows my WAN IP - I use bridge mode.
Am I missing a flag or a setting to be able to see individual client devices IP's in this Skynet screen?

 

[dave14305]

when I check GUI->Firewall->Skynet "Top 10 blocked devices (outbound)" it only shows my WAN IP - I use bridge mode.
Am I missing a flag or a setting to be able to see individual client devices IP's in this Skynet screen?

It means the router was sending traffic that was blocked. I found that it was often Unbound DNS traffic being blocked often. That’s why it shows the WAN IP. It was from the router itself, not a client.

However, now that dnsmasq is disbled Skynet should be able to read my local devices client IP's

What makes this true? I’m not saying you’re wrong, but I don’t know why this would make a difference.

 

[Deleted member 62525]

It means the router was sending traffic that was blocked. I found that it was often Unbound DNS traffic being blocked often. That’s why it shows the WAN IP. It was from the router itself, not a client.
That makes sense. I have to let it do it’s thing for few days to really find out.

What makes this true? I’m not saying you’re wrong, but I don’t know why this would make a difference.
[/QUOTE
I was making an assumption but you have a point. I think a while back there was a discussion about this somewhere on this forum. If I remember correctly if one has dnsmasq enabled with unbound Skype has no way to determine client IP since all queries come from dnsmasq. Based on that I made this statement. Don’t know how Skype logs the client IP but since I have dnsmasq disabled at the very least Unbound does see client IP correctly.