Menu
What's new
By:
Filters Better Search

Tutorial Forcing SafeSearch Tutorial

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

macster2075 said:
What I meant by a script is....
Since I have been told that running a recursive DNS server opens the door for security risks...

So the script I am referring to, is one that closes any ports it opened or whatever it is Unbound did....I am saying "opened ports" as an example.
If there is no script, what do I need to do, to make it as secure as it was before I installed Unbound?
Click to expand...
You have a miss understanding. What I mean is trying to create an "open dns" server. If you are not manually opening any ports directly to your self you should be fine. There is no script to teach proper networking and internet best practices. This is knowledge you yourself must acquire.
 
Sorry, I just got confused because I thought there was something Unbound changes on my network that would make it less secure... so I wanted to know what is it I needed to do to overcome that.
Last question...

Let's say I don't open any other ports or make any changes to my configuration...
Is my network less secure by running Unbound as a recursive DNS server or there would be no change?
 
macster2075 said:
Sorry, I just got confused because I thought there was something Unbound changes on my network that would make it less secure... so I wanted to know what is it I needed to do to overcome that.
Last question...

Let's say I don't open any other ports or make any changes to my configuration...
Is my network less secure by running Unbound as a recursive DNS server or there would be no change?
Click to expand...
It doesn't change any thing that makes you less secure than any other method on the market. Especially in regards to following proper internet usage best practices. What makes it become "truly unsecure" is to use it internet web facing with no firewall in-between. Or not using good web browsing practices. Essentially, if you don't know what you are doing or have no regard for good internet practices, you probably should just turn off your internet access because the same or similar vulnerabilities exist for all methods absent of proper regard for internet best practices.
 
Last edited:
I guess since I don't know what I am doing and apparently don't have any internet best practices, I will just turn off my internet, just to be kind of safe.
Thanks for answering my questions.
 
macster2075 said:
I guess since I don't know what I am doing and apparently don't have any internet best practices, I will just turn off my internet, just to be kind of safe.
Thanks for answering my questions.
Click to expand...
As previously mentioned internet best practices is not something that can be given in a script. Examples of such would be -"Don't click unknown links on the web." Or "Don't visit places with bad reputations." Those are just a couple of good practices. Just because you run a recursive server, or not, does not mean you will not fall victim to either if you are not using good practices. To say you are not going to use a recursice server because you might click on a bad link is like saying you just shouldn't use the internet because you might click a bad link. It all boils down to are you following good internet practices.
 
macster2075 said:
Thanks for answering my questions.
Click to expand...

Your Unbound related questions were answered already few times by different people in different threads.
 
I know I don't have much knowledge when it comes to networking, hence why I am here. Even with my limited knowledge, I am pretty good at least with those internet best practices.
But, I also read, with a recursive DNS server, if I don't have it configured correctly, I can become a victim of DNS cache poisoning among other attacks.

I understand whether I use a recursive DNS server or not, just by using the internet, I can be a target.... yes, I get that!

But a response saying..."if you don't know what you're doing.. then turn off your internet"...
To me that doesn't really help the user. I completely understand where you're coming from, I get it.

It's difficult to deal or try to help someone with very limited knowledge and I am always grateful when users try to help folks like me, so thank you.
 
Tech9 said:
Your Unbound related questions were answered already few times by different people in different threads.
Click to expand...
I don't think they were answered. I got answers, but I believe the answers did not address my questions.

Some users recommend Unbound, but when I ask questions as to what to do to mitigate the risks of using Unbound, I get for the most part..
"if you're worried about risks or security, turn off your internet"
but never really gave a solution of what I need to do to overcome those risks.

But again, I understand . Thanks all for trying to help.
 
macster2075 said:
someone with very limited knowledge
Click to expand...

Someone with very limited knowledge doesn't need Raspberry Pi with Pi-hole and Unbound.

macster2075 said:
but I believe the answers did not address my questions.
Click to expand...

This forum doesn't give you knowledge. It can give you advice only. You have to read and improve your knowledge yourself and only then you'll start understanding the answers given to your questions. You chase some "security" and "privacy" ideas without good understanding what both mean when your router is connected to Internet. From what I have seen so far in few threads - my advice to you is written above.
 
Tech9 said:
Someone with very limited knowledge doesn't need Raspberry Pi with Pi-hole and Unbound
Click to expand...
This is the type of answers I am referring to. (I don't own or use a Raspberry Pi) Thanks for your input.
 
macster2075 said:
I don't think they were answered. I got answers, but I believe the answers did not address my questions.

Some users recommend Unbound, but when I ask questions as to what to do to mitigate the risks of using Unbound, I get for the most part..
"if you're worried about risks or security, turn off your internet"
but never really gave a solution of what I need to do to overcome those risks.

But again, I understand . Thanks all for trying to help.
Click to expand...
I gave plenty of solutions like "don't click links you don't know or trust" and "make sure your unbound instance isn't directly web facing with no firewall between". All of these are critical tips for mitigating the risk of cache poisoning possibilities. Other risks such as the "risk of the unknown" plagues every method equally.

Here is a good read for you:

nlnetlabs.nl

Unbound - DNS Cache Poisoning

Authored April, 2008 Updated and released Jul 9, 2008 Executive Summary Dan Kaminsky of IOActive has reported a DNS cache poisoning vulnerability to developers of DNS caching software. The details of this vulnerability will be explained by Kaminsky at the upcoming Black Hat conference in August...
nlnetlabs.nl nlnetlabs.nl

And another:

www.google.com

What is cache poisoning and how does it work?

Read about cache poisoning, a cyber attack in which bad actors insert fake information into a DNS or web cache in a move to harm users. Learn prevention tips.
www.google.com www.google.com
 
Last edited:
macster2075 said:
What I meant by a script is....
Since I have been told that running a recursive DNS server opens the door for security risks...

So the script I am referring to, is one that closes any ports it opened or whatever it is Unbound did....I am saying "opened ports" as an example.
If there is no script, what do I need to do, to make it as secure as it was before I installed Unbound?
Click to expand...

You don't need to pull your internet connection to be safe. As mentioned in other posts, the security a router does is only partially liable to the security of the network as a whole. With the user being the most insecure thing about it.

Still no script that will help in your quoted scenario above.

Glad to see you're still learning (and willing to learn). Keep doing that. Maybe read some of my links, which include not using default ports for a default setup.

The internet by design is built on trust. Whether one knows it or not. Either you trust certain sites, or you don't. But nothing you can put on a router or other network device will give you free rein for surfing the internet and keep you totally safe too. You must decide the balance.

For myself (as I've stated before), I don't trust anything on my phone (Samsung/Android). No apps. No games. Nothing except phone/text use. Why? Because Google is behind everything on that platform. And I don't trust/refuse to allow Google into my activities.

On the computers, I don't randomly follow every link. I never click on any 'Ad'. I don't use Google to search for what I want. I have a handful of sites that I use and pretty much stay within them (and even that isn't 100% secure, I know). I also don't have third-party Antivirus software either for the same reason (I don't trust any third-party provider - and, when I did, that is the only time my computers would be infected... coincidence? I don't think so).

On that same note of entities I don't trust, Apple is right up there with Google. I really want another choice for a phone (iOS and Android really suck for what I use them for).

For your search, learn as much as you can about the things you want to know about. Unbound? Sure, you can be reading for a few weeks on that alone. When you've absorbed all that information, make your choice then. No script can help with that. Nor can anyone here or on any other forum answer that for you.

Start with the basics. Keep it handy (even print it out if that helps you better). But know that anything you do is a tradeoff when you're online. You either want some information from the web, or you don't. I lean towards the 'don't' side myself, and I don't feel I miss anything.

Unbound.conf
 
SomeWhereOverTheRainBow said:
make sure your unbound instance isn't directly web facing with no firewall between
Click to expand...
I understand sometimes is a bit more difficult to explain what one is asking when the correct terminology isn't used and I apologize about that.

This is an example of that I would need help with. How can I make sure this isn't the case?

Or, is this this something that unless I manually make a change to Unbound, I should have to worry about it?
Again, if this is something you don't want to get into, I can understand.

I try to read as much as I can and research, but when I don't understand or comprehend what I am reading, I ask for help.
I wish I had more knowledge and didn't have to depend on others...but the effort is greatly appreciated.
 
L&LD said:
You don't need to pull your internet connection to be safe. As mentioned in other posts, the security a router does is only partially liable to the security of the network as a whole. With the user being the most insecure thing about it.

Still no script that will help in your quoted scenario above.

Glad to see you're still learning (and willing to learn). Keep doing that. Maybe read some of my links, which include not using default ports for a default setup.

The internet by design is built on trust. Whether one knows it or not. Either you trust certain sites, or you don't. But nothing you can put on a router or other network device will give you free rein for surfing the internet and keep you totally safe too. You must decide the balance.

For myself (as I've stated before), I don't trust anything on my phone (Samsung/Android). No apps. No games. Nothing except phone/text use. Why? Because Google is behind everything on that platform. And I don't trust/refuse to allow Google into my activities.

On the computers, I don't randomly follow every link. I never click on any 'Ad'. I don't use Google to search for what I want. I have a handful of sites that I use and pretty much stay within them (and even that isn't 100% secure, I know). I also don't have third-party Antivirus software either for the same reason (I don't trust any third-party provider - and, when I did, that is the only time my computers would be infected... coincidence? I don't think so).

On that same note of entities I don't trust, Apple is right up there with Google. I really want another choice for a phone (iOS and Android really suck for what I use them for).

For your search, learn as much as you can about the things you want to know about. Unbound? Sure, you can be reading for a few weeks on that alone. When you've absorbed all that information, make your choice then. No script can help with that. Nor can anyone here or on any other forum answer that for you.

Start with the basics. Keep it handy (even print it out if that helps you better). But know that anything you do is a tradeoff when you're online. You either want some information from the web, or you don't. I lean towards the 'don't' side myself, and I don't feel I miss anything.

Unbound.conf
Click to expand...
Thanks @L&LD, I said script just because that is terminology I am familiar with...but it doesn't have to be a script. I think I made my question more difficult because I used the wrong terminology haha.
 
macster2075 said:
I understand sometimes is a bit more difficult to explain what one is asking when the correct terminology isn't used and I apologize about that.

This is an example of that I would need help with. How can I make sure this isn't the case?

Or, is this this something that unless I manually make a change to Unbound, I should have to worry about it?
Again, if this is something you don't want to get into, I can understand.

I try to read as much as I can and research, but when I don't understand or comprehend what I am reading, I ask for help.
I wish I had more knowledge and didn't have to depend on others...but the effort is greatly appreciated.
Click to expand...
Well my point is as long as you are not doing any of my previously mentioned "don't do's" your risk of cache poisoning is as equal as it would be with any other dns method since most dns cache poisoning protection mechanisms are built within the server.
 
macster2075 said:
Thanks @L&LD, I said script just because that is terminology I am familiar with...but it doesn't have to be a script. I think I made my question more difficult because I used the wrong terminology haha.
Click to expand...

That is one of the benefits of learning/researching the 'language' of the area you're interested in too. Because it is important and specific.

Happy reading! Keep great notes. Review them occasionally and update your notes as your knowledge increases too.

I'll quote the most important part of my reply to you below. Because that's how important it is.

When you've absorbed all that information, make your choice then. No script can help with that. Nor can anyone here or on any other forum answer that for you.
Click to expand...
 
macster2075 said:
I wish I had more knowledge and didn't have to depend on others...
Click to expand...

You never answered the question what's the idea behind your Pi-hole and Unbound adventures. What's your router not doing enough for you?
 
Thank you @SomeWhereOverTheRainBow. All of you have been very helpful in the past with all my other nonsense haha.
I guess I was expecting an answer like ....

for example... When I asked about how to mitigate the risks of using Unbound, I was expecting something like...

To attempt to mitigate those risks, you need to make sure THIS and THAT is setup properly.
to do that, you need to do THIS.... "whatever THIS is".. close ports, add some firewall rules and what not.

This is what I was referring to when I mentioned scripts, but it doesn't have to be.
But, if you're saying as long as I don't click on unknown links and follow the "don't do's", then I should be fine..

Please understand, I am aware that it won't matter what firewall rules I have in place, If I am not careful then it doesn't matter.... I get that.

I just wanted to make sure my question was understood of what I was asking for.
I know I have a lot to learn, but, sometimes you read and don't understand or comprehend what you're reading.

But this has gone long enough haha.
 
You must log in or register to reply here.

Similar threads

ExtremeFiretop
  • Locked
Seeking Feedback & Contributions: Merlin Auto Update Solutions
14 15 16
Replies
315
Views
17K
ExtremeFiretop
ExtremeFiretop
ExtremeFiretop
MerlinAU MerlinAU v1.1.1 - The Ultimate Firmware Auto-Updater (Now available in AMTM)
15 16 17
Replies
329
Views
31K
Diablo99
Diablo99
M
Solved Unable to bypass router DNS settings
Replies
5
Views
2K
MvW
M
A
Tutorial IPv6 DDNS (noip.com) and VPN server for CG-NAT IPv4
Replies
10
Views
5K
juanantonio
J
RMerlin
  • Locked
Release Asuswrt-Merlin 386.2 is now available
36 37 38
Replies
757
Views
195K
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
gatorback Immediately forcing DDNS update Asuswrt-Merlin 3
deefour Forcing device-specific port-range through VPN Asuswrt-Merlin 9

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 993 (members: 34, guests: 959)
Top