Dot & DNSSEC vs Unbound?

Assuming I don’t use a VPN, my question is, if my main objective is to hide from my ISP, is the unencrypted unbound really that bad compared to DoT?

I ask this because I read somewhere that, even with DoT, your ISP has other ways to track you and sniff you out. Is this true?
Even with encrypted DNS, your ISP sees what IP addresses you visit, since it has to route your traffic to that destination. It might not know what specific site you visit if more than one site is hosted at that IP address, but it will leak enough metadata about your web habits.

If you want to hide from your ISP, you should be using a VPN and either a) their DNS servers, or b) a public DoT resolver.

Unbound as a recursive resolver doesn't hide anything in transit from being sniffed. It does prevent a single public resolver from logging and aggregating all your DNS queries, which is a different slant on privacy.
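The point made in the reply above, as an added example that is not part of the thread: what a passive observer on the WAN side (the ISP) can read from a resolver's outbound traffic. A plain recursive query on UDP/53 carries the queried name in the clear, while a DoT session to TCP/853 leaves only the destination address and port visible. All packet bytes below are constructed for the example; the addresses are documentation ranges, not real resolvers.

```python
"""Added example (not from the thread): what a passive observer on the WAN side,
i.e. the ISP, can read from a resolver's outbound traffic. A plain DNS query on
UDP/53 carries the queried name in the clear; on a DoT session to TCP/853 only
the destination address and port remain visible. All bytes are constructed here."""
import struct

# Constructed RFC 1035 query: ID 0x1234, RD set, one question for www.example.com / A.
PLAIN_DNS_QUERY = (
    b"\x12\x34"                          # transaction ID
    b"\x01\x00"                          # flags: QR=0 (query), RD=1
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    b"\x03www\x07example\x03com\x00"     # QNAME as length-prefixed labels, root terminator
    b"\x00\x01"                          # QTYPE = A
    b"\x00\x01"                          # QCLASS = IN
)

# Constructed stand-in for an application-data TLS record on a DoT connection:
# to the observer it is opaque ciphertext, so nothing inside it is parsed.
DOT_TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(32))


def read_name(payload, offset):
    """Decode an uncompressed wire-format name at offset; return (name, next_offset)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:                  # root label ends the name
            break
        if length & 0xC0:                # pointers are not valid in the question section
            raise ValueError("unexpected compression pointer")
        label = payload[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_dns_query(payload):
    """Parse the header and the first question of a DNS query message."""
    if len(payload) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:                   # QR bit set: this is a response, not a query
        raise ValueError("not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = read_name(payload, 12)
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass}


def observer_view(dst_ip, dst_port, payload):
    """Metadata an on-path observer gets from one outbound packet. The destination
    IP and port are always visible; the queried name only when DNS is in the clear."""
    view = {"dst_ip": dst_ip, "dst_port": dst_port, "qname": None}
    if dst_port == 53:
        try:
            view["qname"] = parse_dns_query(payload)["qname"]
        except ValueError:
            pass                         # malformed or not a query; the 5-tuple is still logged
    return view


if __name__ == "__main__":
    # Unbound doing plain recursion: the query to an authoritative server is readable.
    print(observer_view("192.0.2.53", 53, PLAIN_DNS_QUERY))
    # Forwarding to a public resolver over DoT: only the resolver's address leaks.
    print(observer_view("192.0.2.1", 853, DOT_TLS_RECORD))
```

Note that the second case still records the destination, and every later HTTPS connection records the site's IP the same way, which is the metadata the reply refers to. DoT moves the trust from the ISP to the chosen resolver; it does not remove the observer.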
 
Sorry to revive an old post.

From what I understand, DoT means trusting Cloudflare, etc. And using unbound basically means being your own DNS resolver.

Assuming I don’t use a VPN, my question is, if my main objective is to hide from my ISP, is the unencrypted unbound really that bad compared to DoT?

I ask this because I read somewhere that, even with DoT, your ISP has other ways to track you and sniff you out. Is this true?

If so then the logical thing to do would be to just use unbound... sorry if I misunderstood the concepts, thank you

It's always good to re-visit things to ensure that they're clear in your head.

DoT means trusting those DNS servers, yes, while concealing your traffic from your ISP.
As has been mentioned, only you can decide who you allow your data to be monitored by ;-) and how much of that data they're allowed to see... if you choose to give any more than necessary out in the first place.

unbound with DNSSEC within IPsec would be the ideal, I'm guessing (if I understand everything correctly!) - DNSSEC verifies the site's/server's address as unbound understands it, and IPsec encrypts everything within the packets, and clients connect directly with the servers they wish to communicate with. Unless/until someone breaks these (which would be VERY bad in the case of DNS), every device on your network would in effect be within its own tunnel to the server it's talking with rather than your VPN's.

This implies IPv6 (and removing the burden of encryption/decryption from the router, I think, but I could be and probably am mistaken)... you ARE full stack v6 on your network, yes? You should be; native rather than tunnelled, too.

This privacy/security stuff can be quite the rabbit hole and a test of just how paranoid you are sometimes ;-)
It might help you to wrap your head around some of this if you spend some time on the Wikipedia pages for IPv6 (and take the free IPv6 "certification course" offered at he.net), DNSSEC and IPsec, and go visit the WireGuard website... now that that's rolled into the Linux kernel, I think we're almost at the "security and privacy by default" phase of the internet.
 
Thank you all for enlightening me. It's crazy how complicated it is just to be private nowadays. I do think there are advancements with the protocols, but sadly the government/oppressive forces are actively blocking those protocols as well...

Right now I'm using an AC66UB1 with Diversion, Skynet, and unbound as a recursive resolver. I am planning to add a VPN too.

Just to be clear, with a VPN + Unbound as a recursive resolver, I would still leak my DNS queries to my ISP. Is that correct? (Or can I tunnel my Unbound DNS queries through the VPN?)
 
Can I tunnel my Unbound DNS queries through the VPN?
Yes, unbound_manager allows you to force unbound requests through a nominated VPN.

However, you need to ensure that the nominated VPN is actually UP before you configure unbound to use a VPN client,

i.e. you should use the appropriate openvpn-event UP/DOWN trigger scripts to modify 'unbound.conf', and also ensure during the boot process that unbound is initially able to resolve DNS requests (either via the WAN or by cache-seeding etc.).
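The up/down logic described in the reply above, as an added example that is neither the thread's nor unbound_manager's code. It pins the source address of Unbound's own recursive queries with the real `outgoing-interface:` directive, only while the tunnel is up, and removes the pin otherwise so that at boot (before any tunnel exists) Unbound resolves via the WAN. Assumptions: the router's policy routing sends traffic from the tunnel address into the VPN; OpenVPN exports `script_type` and `ifconfig_local` to the hook; `remote-control:` is enabled so `unbound-control reload` works; the interface name `tun11`, the config path and the sample config are placeholders. On Asuswrt-Merlin the hook itself would normally be a shell script; Python is used here so the config rewrite can be tested on its own.

```python
"""Added example, not from the thread and not unbound_manager's code: the logic an
openvpn-event up/down hook needs so that Unbound's own recursive queries leave via
the VPN client only while that tunnel is up, falling back to the WAN otherwise
(including at boot, before any tunnel exists). Assumed: OpenVPN exports
script_type and ifconfig_local to the hook; the tunnel is tun11; the config path;
remote-control is enabled in unbound.conf so 'unbound-control reload' works."""
import os
import re
import subprocess

MARKER = "# managed-by-vpn-hook"
CONF_PATH = "/opt/var/lib/unbound/unbound.conf"   # placeholder path
TUN_IFACE = "tun11"                                # placeholder VPN client interface

MANAGED_LINE = re.compile(r"^[ \t]*outgoing-interface:.*" + re.escape(MARKER) + r"[ \t]*\n?", re.M)
ANY_OUTGOING = re.compile(r"^[ \t]*outgoing-interface:", re.M)
SERVER_CLAUSE = re.compile(r"^server:[ \t]*$", re.M)

# Constructed minimal unbound.conf used for the demonstration below.
SAMPLE_CONF = "server:\n    verbosity: 1\n    interface: 127.0.0.1\n    port: 53535\n"


def tunnel_is_up(iface, sysfs="/sys/class/net"):
    """True if the interface exists and the kernel reports it operational.
    tun devices usually report 'unknown' rather than 'up', so accept both."""
    try:
        with open(os.path.join(sysfs, iface, "operstate")) as f:
            return f.read().strip() in ("up", "unknown")
    except OSError:
        return False


def render_conf(conf_text, tun_ip):
    """Return conf_text with exactly one hook-managed outgoing-interface line when
    tun_ip is given, or none (WAN fallback) when tun_ip is None. Idempotent, and it
    refuses to touch a config that already pins the source address by hand, since
    Unbound would otherwise alternate between the VPN and the WAN address."""
    text = MANAGED_LINE.sub("", conf_text)
    if ANY_OUTGOING.search(text):
        raise ValueError("unmanaged outgoing-interface: line present; not modifying")
    if tun_ip is None:
        return text
    m = SERVER_CLAUSE.search(text)
    if m is None:
        raise ValueError("no server: clause in unbound.conf")
    at = m.end()                                     # just after 'server:', before its newline
    return text[:at] + f"\n    outgoing-interface: {tun_ip}  {MARKER}" + text[at:]


def apply_hook(conf_path, script_type, tun_ip, iface):
    """Rewrite the config for the tunnel state, validate it, and reload Unbound.
    Returns True if the file was changed."""
    use_vpn = script_type == "up" and bool(tun_ip) and tunnel_is_up(iface)
    with open(conf_path) as f:
        current = f.read()
    updated = render_conf(current, tun_ip if use_vpn else None)
    if updated == current:
        return False
    with open(conf_path, "w") as f:
        f.write(updated)
    check = subprocess.run(["unbound-checkconf", conf_path], capture_output=True)
    if check.returncode != 0:
        with open(conf_path, "w") as f:            # roll back rather than leave Unbound unstartable
            f.write(current)
        raise RuntimeError(check.stderr.decode(errors="replace"))
    subprocess.run(["unbound-control", "reload"], check=False)
    return True


if __name__ == "__main__":
    # OpenVPN invokes the hook with script_type=up|down and ifconfig_local=<tunnel address>.
    apply_hook(CONF_PATH, os.environ.get("script_type"), os.environ.get("ifconfig_local"), TUN_IFACE)
```

Calling the same hook from the "down" event (or at boot with no tunnel) yields the WAN fallback, which is the case the reply warns about: if the pin stays in place while the tunnel is gone, Unbound's queries have no route and nothing on the LAN resolves.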
 
Sorry to bring back an old thread.

Quick question. Is there any risk in using Unbound as a DNS resolver for both VPN and non-VPN traffic using policy rules? Will my ISP be able to sniff my VPN traffic?
 
