Unbound Understanding Unbound...

[Viktor Jaep]

Hey everyone... I thought it would be fun to give Unbound a try today, and see how this worked compared to using my standard DoT setup with Quad9 under the WAN configuration... This setup has worked great for years, so lets break it and try something new!

After getting Unbound installed and running, I hit the https://dnscheck.tools site, and it apparently is doing everything right by design... that is, my WAN IP is now considered my DNS resolver...

I ran the DNSMON tool that Eibgrad created, and it shows this:

So there's a TON of plaintext DNS query traffic happening on port 53 that could easily be intercepted by the ISP (or others).

What's the best practice to ensure that your DNS queries to the root servers are also encrypted? I noticed that Unbound also has a DoT function, but starts getting confusing as it still somehow uses your WAN DNS configuration somehow that then uses Quad9... so then what's the purpose of running Unbound?

I thought perhaps it would be a good idea to obfuscate root DNS lookups by using the Unbound feature to "Bind Unbound to VPN"... but will need to build some automation in VPNMON-R2 to make this happen when VPN slots change up, and would need to catch Unbound up after the switch. Is this a good way to go?

After installing Unbound, my WAN DNS setup never really changed... and I'm guessing even though everything is still filled out, Unbound doesn't really use this... right? So I'm wondering if there's a good easy way to check if Unbound is actually doing its job and making connections with the root servers?

 

[Tech9]

Unbound makes unencrypted requests to root servers, but broken in pieces. Your ISP can reassemble the puzzle, but they don't need to because your clients after the DNS resolution request connections to IPs from your ISP. Your ISP knows what are you doing regardless of Unbound or encrypted DNS to upstream resolver. Encrypted DNS prevents MITM or ISP redirection of port 53 traffic. If you can use Unbound and it works - your ISP doesn't redirect port 53 traffic. If you use large ISP - they log and analyze traffic + eventually monetize the results. If your country has ISP logging requirements - the ISP logs the traffic no matter big or small. What Unbound does is skipping another company logging your traffic - Google, Quad9, Cloudflare, etc.

You may have to wait for some time until Unbound builds the cache. Your first DNS requests will be slow, but you may not notice if you don't measure. After the cache is healthy it will respond with under 1ms. The debate what is better goes forever. It comes down to your personal preferences. In my experience nothing can beat Google, Cloudflare, OpenDNS... large players. Quad9 is spotty in my area and slower than others. I'm also not sure who's paying the bills. For the others we know - they have a business feeding free DNS public servers. About Privacy - your phones leak much more information including your quite accurate current location and historical movements. You have to disconnect completely in order to avoid Google, Apple, Microsoft.

I'm using Unbound as resolver in case you ask. I also capture port 53, block port 853 and known DoH servers.

 

[Viktor Jaep]

Unbound makes unencrypted requests to root servers, but broken in pieces. Your ISP can reassemble the puzzle, but they don't need to because your clients after the DNS resolution request connections to IPs from your ISP. Your ISP knows what are you doing regardless of Unbound or encrypted DNS to upstream resolver. Encrypted DNS prevents MITM or ISP redirection of port 53 traffic. If you can use Unbound and it works - your ISP doesn't redirect port 53 traffic. If you use large ISP - they log and analyze traffic + eventually monetize the results. If your country has ISP logging requirements - the ISP logs the traffic no matter big or small. What Unbound does is skipping another company logging your traffic - Google, Quad9, Cloudflare, etc.

You may have to wait for some time until Unbound builds the cache. Your first DNS requests will be slow, but you may not notice if you don't measure. After the cache is healthy it will respond with under 1ms. The debate what is better goes forever. It comes down to your personal preferences. In my experience nothing can beat Google, Cloudflare, OpenDNS... large players. Quad9 is spotty in my area and slower than others. I'm also not sure who's paying the bills. For the others we know - they have a business feeding free DNS public servers. About Privacy - your phones leak much more information including your quite accurate current location and historical movements. You have to disconnect completely in order to avoid Google, Apple, Microsoft.

I'm using Unbound as resolver in case you ask. I also capture port 53, block port 853 and known DoH servers.

Thanks for that background, @Tech9 ... I would think directing plain port 53 DNS lookups to root servers over a VPN connection would definitely help throw a wrench into ISPs looking to capitalize on that info... You can't help what apps/browsers eventually leak more info after you exit that tunnel... but it would seem that this would be a step up between just plain port 53 traffic that's clearly visible and interceptable and having an extremely secure solution in place (which doesn't seem to exist) where you'd be able to encrypt DNS lookup traffic between Unbound and the root servers. Unless I'm mistaken?

 

[bennor]

The Pihole documentation may have some additional useful information when it comes to understanding Unbound.
https://docs.pi-hole.net/guides/dns/unbound/

 

[Viktor Jaep]

The Pihole documentation may have some additional useful information when it comes to understanding Unbound.
https://docs.pi-hole.net/guides/dns/unbound/

I just read through this, tried some of the validation commands and whatnot... I'm just wondering if I'm missing anything? I really can't find a heck of a lot of documentation on the setup for Unbound on our routers.

Can you tell me if I need to change my DNS settings, or are these settings still fine?

According to that pihole site, they want you to do something like this:

 

[Tech9]

encrypt DNS lookup traffic between Unbound and the root servers

All this privacy chasing is mostly hurting yourself. Unbound has protection mechanisms in place explained in documentation. If you use distant VPN server it will slow down your DNS resolution and screw up the routing. If you have good reliable ISP their own DNS server is the fastest, sends you to local resources and some may be hosted by the ISP itself. This excludes other companies logging as well. The ISP is logging anyway and in any case except all traffic through VPN. Then the VPN provider becomes your 2nd ISP. What they do with your Privacy may be different than what they promise.

 

[johndoe85]

My ISP says that they are working on a project to implement adblocking, malicious website blocking, family filter and so forth, DoH/DoT and you name it. As a option ofource.

 

[SomeWhereOverTheRainBow]

My ISP says that they are working on a project to implement adblocking, malicious website blocking, family filter and so forth, DoH/DoT and you name it. As a option ofource.

While I am not refuting your claim, I find it hard to believe that your ISP is being truthful to you 100 percent about that. Maybe the malicious website, and family filter parts, but they will never be a full ad-blocking implementation because they wouldn't want to hurt stakeholders or business partners. The adblocking would most likely be very limited.

 

[SomeWhereOverTheRainBow]

Hey everyone... I thought it would be fun to give Unbound a try today, and see how this worked compared to using my standard DoT setup with Quad9 under the WAN configuration... This setup has worked great for years, so lets break it and try something new!

After getting Unbound installed and running, I hit the https://dnscheck.tools site, and it apparently is doing everything right by design... that is, my WAN IP is now considered my DNS resolver...

View attachment 49771

I ran the DNSMON tool that Eibgrad created, and it shows this:

View attachment 49769

So there's a TON of plaintext DNS query traffic happening on port 53 that could easily be intercepted by the ISP (or others).

What's the best practice to ensure that your DNS queries to the root servers are also encrypted? I noticed that Unbound also has a DoT function, but starts getting confusing as it still somehow uses your WAN DNS configuration somehow that then uses Quad9... so then what's the purpose of running Unbound?

I thought perhaps it would be a good idea to obfuscate root DNS lookups by using the Unbound feature to "Bind Unbound to VPN"... but will need to build some automation in VPNMON-R2 to make this happen when VPN slots change up, and would need to catch Unbound up after the switch. Is this a good way to go?

After installing Unbound, my WAN DNS setup never really changed... and I'm guessing even though everything is still filled out, Unbound doesn't really use this... right? So I'm wondering if there's a good easy way to check if Unbound is actually doing its job and making connections with the root servers?

View attachment 49772

I have liked my time using unbound so far. I am not limited to relying on the big box availability of squad9, cloudflair, goggles, or cleanbowsing. I have yet to have a reliability issue with unbound. As mentioned by @Tech9 , the reliability of the big box DNS services can sometimes be questionable, and unbound only suffers from the initial cache build up time. One thing that may be concerning to Unbound users is the amount of ports that may be being open per query. As apart of unbounds randomization, it opens numerous ports when making its broken up bits of queries to the root servers. Part of its privacy enhancements, may strain port availability for other outbound traffic trying to use the same port number. Unbound has a way to mitigate this by reducing the range of ports it is allowed to use, but this limits the randomization.

 

[bennor]

I just read through this, tried some of the validation commands and whatnot... I'm just wondering if I'm missing anything? I really can't find a heck of a lot of documentation on the setup for Unbound on our routers.

Can you tell me if I need to change my DNS settings, or are these settings still fine?

The link I posted deals with setting up Unbound on a Raspberry Pi. The steps for setting up Unbound to run on an Asus router are (likely) very different. I was posting that Unbound link just to provide some additional context about what Unbound is and what it does. If you haven't seen the Unbound thread in the Merlin Add-On's subforum, here is the link for it:

Unbound - unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

This thread is for the discussion topic : unbound_manager script. As per the GitHub Hints/Tips: Differences between the operational modes Easy mode Advanced Mode 'Easy' mode - you have limited Install options: i.e. Advanced Options Stubby Integration DoT installs are not available...

www.snbforums.com

I use Unbound on several Raspberry Pi's that also run Pi-Hole. I have not tried to setup Unbound on the router itself so cannot comment on your settings specific to using Unbound on the router.

 

[Viktor Jaep]

The link I posted deals with setting up Unbound on a Raspberry Pi. The steps for setting up Unbound to run on an Asus router are (likely) very different. I was posting that Unbound link just to provide some additional context about what Unbound is and what it does. If you haven't seen the Unbound thread in the Merlin Add-On's subforum, here is the link for it:

Unbound - unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

This thread is for the discussion topic : unbound_manager script. As per the GitHub Hints/Tips: Differences between the operational modes Easy mode Advanced Mode 'Easy' mode - you have limited Install options: i.e. Advanced Options Stubby Integration DoT installs are not available...

www.snbforums.com

I use Unbound on several Raspberry Pi's that also run Pi-Hole. I have not tried to setup Unbound on the router itself so cannot comment on your settings specific to using Unbound on the router.

Thanks @bennor... I appreciate the extra detail. Yeah, I had gone that addon page as well, but it just doesn't touch much on the specific router configurations needed. Which is why I'm questioning whether or not I've set everything up right. Just looking for that extra information/documentation on what the proper practice is when setting Unbound up on our routers.

 

[Viktor Jaep]

I have liked my time using unbound so far. I am not limited to relying on the big box availability of squad9, cloudflair, goggles, or cleanbowsing. I have yet to have a reliability issue with unbound. As mentioned by @Tech9 , the reliability of the big box DNS services can sometimes be questionable, and unbound only suffers from the initial cache build up time. One thing that may be concerning to Unbound users is the amount of ports that may be being open per query. As apart of unbounds randomization, it opens numerous ports when making its broken up bits of queries to the root servers. Part of its privacy enhancements, may strain port availability for other outbound traffic trying to use the same port number. Unbound has a way to mitigate this by reducing the range of ports it is allowed to use, but this limits the randomization.

Thanks for the add'l info, @SomeWhereOverTheRainBow! Was wondering if you've had to make any tweaks to your WAN/DNS config on the router? Like changing your custom local DNS to 127.0.0.1#53535? As I had posted above, I just am not quite sure if I've set everything up correctly, as there doesn't seem to be any corresponding documentation about this?

The other thing that is confounding me is where @Martineau mentioned that it's possible to make your externally facing VPN WAN IP show up as your DNS resolver, but thusfar I can only make my ISP's WAN IP show as the resolver (which by default is how this is supposed to look)... but since I'm Binding Unbound to the VPN, it should be the other way. Can't figure out this piece of the puzzle yet.

 

[SomeWhereOverTheRainBow]

Thanks for the add'l info, @SomeWhereOverTheRainBow! Was wondering if you've had to make any tweaks to your WAN/DNS config on the router? Like changing your custom local DNS to 127.0.0.1#53535? As I had posted above, I just am not quite sure if I've set everything up correctly, as there doesn't seem to be any corresponding documentation about this?

The other thing that is confounding me is where @Martineau mentioned that it's possible to make your externally facing VPN WAN IP show up as your DNS resolver, but thusfar I can only make my ISP's WAN IP show as the resolver (which by default is how this is supposed to look)... but since I'm Binding Unbound to the VPN, it should be the other way. Can't figure out this piece of the puzzle yet.

While i did help pioneer the unbound- manager experience with @Martineau @rgnldo and @dave14305 , i did not stick with the spirit of running unbound directly on the router, the primary reason why is because I wanted mine compiled with more options. So instead I compile my unbound on my RPI and use it in conjunction with my pihole.

 

[SomeWhereOverTheRainBow]

Thanks for the add'l info, @SomeWhereOverTheRainBow! Was wondering if you've had to make any tweaks to your WAN/DNS config on the router? Like changing your custom local DNS to 127.0.0.1#53535? As I had posted above, I just am not quite sure if I've set everything up correctly, as there doesn't seem to be any corresponding documentation about this?

The other thing that is confounding me is where @Martineau mentioned that it's possible to make your externally facing VPN WAN IP show up as your DNS resolver, but thusfar I can only make my ISP's WAN IP show as the resolver (which by default is how this is supposed to look)... but since I'm Binding Unbound to the VPN, it should be the other way. Can't figure out this piece of the puzzle yet.

Check out this post and backtrack the threads until you see more info about using VPN.

https://www.snbforums.com/threads/u...nbound-recursive-dns-server.61669/post-575274

and these ones

Unbound - unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

I can update to 3.21b successfully, but once I try to install 'unbound.conf v1.11' using A:Option ==> i dev Then I get Retrieving Custom unbound configuration unbound.conf downloaded successfully Github 'dev/development' branch doc/example.conf.in downloaded successfully...

www.snbforums.com

Unbound - unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

I find that my cache responses are always fresh, my pages load quickly and ad free. The only downside to using unbound as dnsmasq replacement is i am curious if it is compatible with aimesh. It seems you have provided an answer to a different thread... or quoted my post by mistake. Can you...

www.snbforums.com

Unbound - unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

This there a way I can more blocklist to the Ad and tracker blocking? Use menu option 'ecb' to edit/add Ad Block lists

www.snbforums.com

Unbound - unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

I did quickly post the solution (as identified by others) here, but I can't be held responsible for the Entware fiasco through your use of amtm. :( Well thanks for this overwhelmingly disappointing expression of support for my efforts :rolleyes: ;.... yet another reason to throw in the towel...

www.snbforums.com

 

[Viktor Jaep]

Thank you @SomeWhereOverTheRainBow! I finally found an answer on page 141 of 155 in this thread... some elusive post about changing your VPN settings from:

Accept DNS Configuration: DISABLED (This will show your WAN IP as the DNS Resolver ever after binding Unbound to VPN)

-to-

Accept DNS Configuration: EXCLUSIVE (This will now show your Public VPN IP as the DNS Resolver after binding Unbound to VPN)

Knew it had to be something simple.

 

[Tech9]

All this is nice to play with, but you may find down the road all of the above is only introducing more points of failure and takes more time of your life. On a home network with your family members as users the issues start when they lose Internet and you're not around to diagnose and fix what failed.

 

[Viktor Jaep]

All this is nice to play with, but you may find down the road all of the above is only introducing more points of failure and takes more time of your life. On a home network with your family members as users the issues start when they lose Internet and you're not around to diagnose and fix what failed.

I love to learn, @Tech9! You are absolutely correct -- this does make things more complex, there's definitely more points of failure, but I'm willing to give it a go and see how it behaves... I've always wanted to try this method of querying the root servers directly, and just want to learn more/understand the impacts from a stability, performance and security aspect.

 

[Tech9]

Yes, I've tried all available options too - Asuswrt, Ubuntu, Unbound, Diversion, Pi-Hole, AdGuard Home... local on router and on external device, with or without VPN, with or without IPv6 enabled, with or without external DHCP. They all have limitations and issues - performance, functionality or both.

 

[Tech9]

You know what worked really well here? I have a DIY NAS running Windows on HP mini PC with i5 CPU. AdGuard Home has Windows version. Upstream to my local OpenDNS server with DoH, about 8x blocklists from default AdGuard options listed in Security category. After AdGuard Home cache was built the DNS resolution was instant. The average processing time was about 17ms on my Cable ISP with 10-12ms default latency. This beats my pfSense with Unbound as resolver big time. Not really noticeable in Internet user experience, but measurable difference and nicer than pfBlockerNG UI.

 

[Viktor Jaep]

You know what worked really well here? I have a DIY NAS running Windows on HP mini PC with i5 CPU. AdGuard Home has Windows version. Upstream to my local OpenDNS server with DoH, about 8x blocklists from default AdGuard options listed in Security category. After AdGuard Home cache was built the DNS resolution was instant. The average processing time was about 17ms on my Cable ISP with 10-12ms default latency. This beats my pfSense with Unbound as resolver big time. Not really noticeable in Internet user experience, but measurable difference and nicer than pfBlockerNG UI.

Sounds wunderbar! I'm sure there was a lot of trial & error before landing on this setup! That's what it's all about... a journey/learning experience to bring you that understanding what works best for each of us.