Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Martineau]

I installed unbound but after starting the install I decided I would just leave the DNS settings using Merlin.

Is there a way to uninstall it I can't seem to figure it out as I still haven't gone through the install process but it shows as a listed script in my amtm menu.

If you can't see menu option '3' Advanced Tools then simply type 'z'.

If that doesn't work, you should be able to issue

unbound_manager uninstall

 

[SomeWhereOverTheRainBow]

Sorry for such a basic question but is there an advantage to use unbound over the DoH settings in Merlin? I installed unbound but after starting the install I decided I would just leave the DNS settings using Merlin. Is there a way to uninstall it I can't seem to figure it out as I still haven't gone through the install process but it shows as a listed script in my amtm menu.

Dont think Merlin uses DoH

 

[SomeWhereOverTheRainBow]

Isn't the unbound 'redirect' directive the method to have unbound use pixelserv-tls direct? or is this something else?

i.e. if Diversion is installed, 'ad' command

e  = Exit Script

A:Option ==> ad type=pixelserv

Analysed Diversion file: 'blockinglist'  Type=pixelserv, (Adblock Domains=53074) would add 483 entries
Analysed Diversion file: 'blacklist'  Type=pixelserv, (Adblock Domains=53074) would add 2 entries
Analysed Diversion file: 'whitelist'  Type=URL, (Adblock URLs=19) would add 70 entries

should create a sample unbound 'include' file for the new additions (targeting the pixel-serv IP address)

/tmp/unbound-blacklist.add
e.g.

local-zone: "manifest.googlevideo.com" redirect
local-data: "manifest.googlevideo.com" A 10.88.8.2
<snip>

This would work for redirecting those queries at pixelserv-tls, alternatively you could redirect at 0.0.0.0 with unbound and alias 0.0.0.0 to pixelserv-tls IP inside dnsmasq. (think @dave14305 tested something like this with nextdns installer.)

I am not sure which would be the better (less strain on the router) method. would need some testing. it is less work for unbound to just redirect to 0.0.0.0 or pixelserv IP tho instead of serving up NXdomain IMO.

 

[juched]

This would work for redirecting those queries at pixelserv-tls, alternatively you could redirect at 0.0.0.0 with unbound and alias 0.0.0.0 to pixelserv-tls IP inside dnsmasq. (think @dave14305 tested something like this with nextdns installer.)

I am not sure which would be the better (less strain on the router) method. would need some testing. it is less work for unbound to just redirect to 0.0.0.0 or pixelserv IP tho instead of serving up NXdomain IMO.

Why would returning NXdomain be easier on the router than redirecting to pixelserv?

 

[dave14305]

I am not sure which would be the better (less strain on the router) method. would need some testing. it is less work for unbound to just redirect to 0.0.0.0 or pixelserv IP tho instead of serving up NXdomain IMO.

If Unbound returns a private IP to dnsmasq, then you have to deal with rebind in dnsmasq, which isn’t hard, but you have to remember to do it to get expected results.

When I tested Pixelserv with unbound, I didn’t use local-zones, only local-data statements. Local-zones used more memory IIRC.

awk '{for (i=2; i<=NF; i++) print "local-data: \""$i". 0 A 192.168.1.2\""}' /opt/share/diversion/list/blockinglist > /opt/var/lib/unbound/ads.conf

 

[SomeWhereOverTheRainBow]

Why would returning NXdomain be easier on the router than redirecting to pixelserv?

No redirecting to pixelserv-tls would be easier is what i mean. sorry if you miss-interpreted my statement.

 

[heysoundude]

Are you formally requesting that the HE servers be included along with the existing Cloudflare and Quad9 DoT clause that currently exists in 'unbound.conf' v1.07

unbound.conf v1.07

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ # v1.05 Martineau
#forward-zone:                                                        # DNS-Over-TLS support
#name: "."
#forward-tls-upstream: yes
#forward-addr: 1.1.1.1@853#cloudflare-dns.com
#forward-addr: 1.0.0.1@853#cloudflare-dns.com
#forward-addr: 9.9.9.9@853#dns.quad9.net
#forward-addr: 149.112.112.112@853#dns.quad9.net
#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
#forward-addr: 2620:fe::fe@853#dns.quad9.net
#forward-addr: 2620:fe::9@853#dns.quad9.net
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

to be ENABLED if unbound DoT is requested to be used?

maybe? why not? stack 'em up? options are good?

 

[Ubimo]

Is it true, that when I'm using unbound, my ISP is able to snoop on or intercept my DNS lookups?
I mean initial lookups? Once a lookup occured, I understand, it's cached on my router.

Is is possible, that unbound is using Quad9 or Cloudflare with DoT to do the initial lookups?

 

[dave14305]

Is is true, that when I'm using unbound, my ISP is able to snoop on or intercept my DNS lookups?
I mean initial lookups? Once a lookup occured, I understand, it's cached on my router.

Is is possible, that unbound is using Quad9 or Cloudflare with DoT to do lookups?

Yes, when Unbound is the recursive resolver, your DNS traffic is sent “in the clear”.

When Unbound is merely another forwarder, it can do DoT to a public recursive resolver, but it doesn’t offer much benefit beyond dnsmasq and Stubby (in my opinion). Unbound still cannot reuse existing TCP connections for outbound DoT, while Stubby can.

 

[Ubimo]

Ah, thanks, I think I understand, except your last sentence.
But, can unbound still be a recursive resolver and do the initial lookups not on the root-servers, but instead Quad9 or Cloudflare with DoT?

 

[dave14305]

Ah, thanks, I think I understand.
But, can unbound still be a recursive resolver and do the initial lookups not on the root-servers, but instead Quad9 or Cloudflare with DoT?

No, Unbound is either a recursive resolver or a forwarder, but not both at the same time. Quad9 and Cloudflare are recursive resolvers, so Unbound will either do the same lookups they do, or forward queries to them to handle the recursive lookups.

 

[Ubimo]

Maybe I was not clear enough.
When I want to open a website, which was not cached by unbound before, unbound has to ask one of the 14 root-server. Unencrypted.
But, is it possible, that unbound can ask 1.1.1.1 with DoT instead? And still be a recursive DNS resolver.
So, unbound, as a recursive DNS resolver is asking another (1.1.1.1 or 9.9.9.9) recursive DNS resolver.

 

[dave14305]

Maybe I was not clear enough.
When I want to open a website, which was not cached by unbound before, unbound has to ask one of the 14 root-server. Unencrypted.
But, is it possible, that unbound can ask 1.1.1.1 with DoT instead? And still be a recursive DNS resolver.
So, unbound, as a recursive DNS resolver is asking another (1.1.1.1 or 9.9.9.9) recursive DNS resolver.

No. See this page if you are unclear at all on the definition of a recursive resolver: https://www.cloudflare.com/learning/dns/dns-server-types/

 

[heysoundude]

No. See this page if you are unclear at all on the definition of a recursive resolver: https://www.cloudflare.com/learning/dns/dns-server-types/

That should be called "How the Internet REALLY works"

 

[Martineau]

So assuming I'm willing to give up the optimum performance of a default unbound recursive resolver setup, given alternative configurations mandate forwarding to 3rd-party DNS recursive resolvers, does anyone have any tangible metrics to identify the magnitude of the difference in performance between

unbound+DoT+dnsmasq vs. dnsmasq+DoT+Stubby​

i.e. ensuring the No. 1 priority is for complete DNS privacy/security, which of the two choices above is recommended?

 

[dave14305]

So assuming I'm willing to give up the optimum performance of a default unbound recursive resolver setup, given alternative configurations mandate forwarding to 3rd-party DNS recursive resolvers, does anyone have any tangible metrics to identify the magnitude of the difference in performance between

unbound+DoT vs. dnsmasq+DoT+Stubby​

i.e. ensuring the No. 1 priority is for complete DNS privacy/security, which of the two choices above is recommended?

I think Stubby would win due to its ability to re-use upstream TCP connections. This was discussed recently on the Unbound-users mailing list even by a member from NLnet Labs:
https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-March/006753.html

Also, for equal comparison, both scenarios start with dnsmasq, unless you're going to expose Unbound directly to the clients on the LAN interface.

 

[Martineau]

Also, for equal comparison, both scenarios start with dnsmasq, unless you're going to expose Unbound directly to the clients on the LAN interface.

Thanks for keeping me honest, I have updated 'unbound+DoT' to 'unbound+DoT+dnsmasq' as that is indeed the actual configuration created by unbound_manager.

I think Stubby would win due to its ability to re-use upstream TCP connections. This was discussed recently on the Unbound-users mailing list even by a member from NLnet Labs:
https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-March/006753.html

Interesting admission by the NLnet Labs guy, and I'm assuming the article is referring to (the as-yet unavailable on ASUS routers via Entware) v1.10.x unbound?

So whilst TCP upstream re-use is slated a future release, TCP downstream re-use is currently available - most strange unless (as is usually the case) the suits (i.e. marketing guys) probably forced the release of v1.10.x, rather than delay the formal release and let the programmers do the job properly?

So thanks for the vote for option 2.

P.S. Given that I may get around to writing v3.0 of unbound_manager, with the revamped default 'Easy' menu interface, wasn't sure if DoT should be now formally advertised as an option in the same way Stubby Integration always has.



​

 

[Deleted member 62525]

So assuming I'm willing to give up the optimum performance of a default unbound recursive resolver setup, given alternative configurations mandate forwarding to 3rd-party DNS recursive resolvers, does anyone have any tangible metrics to identify the magnitude of the difference in performance between

unbound+DoT+dnsmasq vs. dnsmasq+DoT+Stubby​

i.e. ensuring the No. 1 priority is for complete DNS privacy/security, which of the two choices above is recommended?

Until we have end-to-end security it is impossible to speak of complete DNS security. With Unbound as recursive resolver all traffic to root servers is in clear text but still using DNSSEC to verify the root host. Since we have Unbound running locally on or routers does DoT matters?
DoT does matter if I were to have DNS outside my network boundaries. In my opinion I don't see big advantage having Unbound as forwarder using Stubby and may as well not run Unbound for a small home network and opt to have firmware DNSSEC and DoT with Quad or Google external DNS servers. From the performance view Unbound would not be the first choice if you do random web access bypassing the cache. But if you constantly use the same set of pages it is very quick.

I opted for Unbound because it is a recursive and caching DNS server, runs on my local network and provides DDNSSEC. The bonus is adBlock that we get with Unbound. I don't particularly worry about my ISP logging my queries. The reason is that I don't really know if they do or not, even if its written that they don't. I also run vpn client but this is a different thing. I am sure that quad and google DNS servers also must run something like Unbound or Bind servers that take our queries and run it against DNS root hosts. You cannot guarantee that any of that traffic is logged or not. All queries from your local Unbound or from external DNS to root DNS servers is always in clear text. This is something people forget and this is the weakest link.

 

[dave14305]

Until we have end-to-end security it is impossible to speak of complete DNS security. With Unbound as recursive resolver all traffic to root servers is in clear text but still using DNSSEC to verify the root host. Since we have Unbound running locally on or routers does DoT matters?
DoT does matter if I were to have DNS outside my network boundaries. In my opinion I don't see big advantage having Unbound as forwarder using Stubby and may as well not run Unbound for a small home network and opt to have firmware DNSSEC and DoT with Quad or Google external DNS servers. From the performance view Unbound would not be the first choice if you do random web access bypassing the cache. But if you constantly use the same set of pages it is very quick.

I opted for Unbound because it is a recursive and caching DNS server, runs on my local network and provides DDNSSEC. The bonus is adBlock that we get with Unbound. I don't particularly worry about my ISP logging my queries. The reason is that I don't really know if they do or not, even if its written that they don't. I also run vpn client but this is a different thing. I am sure that quad and google DNS servers also must run something like Unbound or Bind servers that take our queries and run it against DNS root hosts. You cannot guarantee that any of that traffic is logged or not. All queries from your local Unbound or from external DNS to root DNS servers is always in clear text. This is something people forget and this is the weakest link.

If I wanted security and privacy, I would build an Unbound server in AWS and use Stubby on my router to connect to it. My traffic to my Unbound server would be encrypted, and traffic from my Unbound server to the rest of the DNS servers wouldn't be directly identifiable as belonging to my home IP. I'm sure it's not 100% bulletproof, but it'd be good enough for a boring guy like me.

 

[L&LD]

@dave14305, assuming you had to pay for that AWS server, 'they' would still know whom it belonged to.

Just give me fast. I'll try to behave as best I can.