Menu
What's new
By:
Filters Better Search

Tutorial Forcing SafeSearch Tutorial

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Tech9 said:
You never answered the question what's the idea behind your Pi-hole and Unbound adventures. What's your router not doing enough for you?
Click to expand...
Nothing, it's working as I want. I just wanted to try out Unbound as I read and have seen others recommend and they say it's a better DNS server to run....
But, then I read about the so called, risks, and in all honesty.. scared me... and the questions started popping in my head as to what would I need to do to secure my network when using Unbound.

That's about it haha. It's OK, I know you are trying to help and have helped me in the past. I just need to try to gather more knowledge to prevent this type of back and forth in the future.
Keep up the great work.
 
macster2075 said:
I read and have seen others recommend
Click to expand...

The fact someone is using something on their network doesn't necessarily mean you need it as well. You wanted to keep using OpenDNS with the free filtering categories. That means you have to forward your queries upstream to OpenDNS. This is what dnsmasq is doing already - forwarding upstream. It was explained to you already you don't need another software to do the same thing. It was simple enough to understand. The annoying part is you selectively ignore the answers and continue asking the same questions in another thread. People trying to help you see no results from trying to help you.
 
macster2075 said:
Thank you @SomeWhereOverTheRainBow. All of you have been very helpful in the past with all my other nonsense haha.
I guess I was expecting an answer like ....

for example... When I asked about how to mitigate the risks of using Unbound, I was expecting something like...

To attempt to mitigate those risks, you need to make sure THIS and THAT is setup properly.
to do that, you need to do THIS.... "whatever THIS is".. close ports, add some firewall rules and what not.

This is what I was referring to when I mentioned scripts, but it doesn't have to be.
But, if you're saying as long as I don't click on unknown links and follow the "don't do's", then I should be fine..

Please understand, I am aware that it won't matter what firewall rules I have in place, If I am not careful then it doesn't matter.... I get that.

I just wanted to make sure my question was understood of what I was asking for.
I know I have a lot to learn, but, sometimes you read and don't understand or comprehend what you're reading.

But this has gone long enough haha.
Click to expand...
There is no secret sauce or special formula. Typically the dns poisoning protection mechanisms are built within the server. One thing that might make unbound more vulnerable to dns cache poisoning is by running the server directly web facing with no firewall between. Another method would be limiting the amount of random ports unbound can traverse. yes unbound can limit the udp port range for networks in favor of having more ports available for other applications using udp. This is a bad practice since one of unbound security mechanisms is its ability to randomize ports. Another bad security practice would be to disable dnssec hardening which is something Unbound does to minimize cache poisoning.
 
SomeWhereOverTheRainBow said:
Another bad security practice would be to disable dnssec hardening which is something Unbound does to minimize cache poisoning
Click to expand...
This is something I keep reading about.. DNSSEC.. according to what I read, it is used/configured to help prevent DNS cache poisoning.
The Cloudfare article says DNSSEC is not yet mainstream, leaving DNS still vulnerable to attacks.

So, I was going to ask how I would setup DNSSEC, but based on your last post, it seems DNSSEC is already implemented/included in Unbound and no configuration is necessary in that aspect?
 
wbennett77 said:
Does the same rule apply when running a WireGuard server?
Click to expand...

I don't know about the port. What I know is limited all-network WAN-LAN throughput rule applies when using WireGuard.
 
@Tech9 You actually made me realize something on your last post about OpenDns...(Thanks)

I realized that there is no point of me even using Unbound if I want to use OpenDns to filter content!
I mean, I could, but wouldn't that just make Unbound act more like a proxy...right?

Anyway, I think this puts an end to my Unbound endeavors haha.
I really appreciate the help from all and specially for your patience!
 
macster2075 said:
@Tech9 You actually made me realize something on your last post about OpenDns...(Thanks)

I realized that there is no point of me even using Unbound if I want to use OpenDns to filter content!
I mean, I could, but wouldn't that just make Unbound act more like a proxy...right?

Anyway, I think this puts an end to my Unbound endeavors haha.
I really appreciate the help from all and specially for your patience!
Click to expand...
how will you prevent dns cache poisoning with an Open Dns ?
 
No no.. haha.. I meant, there is no benefit of me using Unbound if I will be using OpenDns (DNS Server...content filter) as the Upstream DNS server.
Meaning I won't use Ubound's full benefits... I know the day I won't be using any content filtering, I will set up Unbound.
 
Last edited:
macster2075 said:
I realized that there is no point of me even using Unbound if I want to use OpenDns to filter content!
Click to expand...

I told you already 6 days ago:

www.snbforums.com

ad blocking

Previously using Pi-Hole, I migrated to AdguardHome :-) Primary DNS - AdguardHome via Docker on NAS Secondary DNS - AdguardHome via Addon on AX86u
www.snbforums.com www.snbforums.com

macster2075 said:
I know the day I won't be using any content filtering, I will set up Unbound.
Click to expand...

Then I will reply to you this is what Pi-hole can be used for with or without OpenDNS and wait for 6 days. :)
 
Tech9 said:
I told you already 6 days ago:

www.snbforums.com

ad blocking

Previously using Pi-Hole, I migrated to AdguardHome :-) Primary DNS - AdguardHome via Docker on NAS Secondary DNS - AdguardHome via Addon on AX86u
www.snbforums.com www.snbforums.com



Then I will reply to you this is what Pi-hole can be used for with or without OpenDNS and wait for 6 days. :)
Click to expand...
Yea I imagine Pihole runs better as an Open DNS forwarder. It even has security features like rate-limiting.
 
Right. in all the Unbound setups I've seen in pihole, they say to use 127.0.0.1#5335 as the loopback dns to Unbound, but this means, I won't be able to use content filtering network wise since the OpenDns Upstream will not be used... this is why I said.. "the day I won't be needing content filtering".. I will setup Unbound as a recursive DNS server.

Thank you all.. Sorry it took me a while.
 
macster2075 said:
Right. in all the Unbound setups I've seen in pihole, they say to use 127.0.0.1#5335 as the loopback dns to Unbound, but this means, I won't be able to use content filtering network wise since the OpenDns Upstream will not be used... this is why I said.. "the day I won't be needing content filtering".. I will setup Unbound as a recursive DNS server.

Thank you all.. Sorry it took me a while.
Click to expand...
Yea from my understanding, you are right. It is best to use an Open DNS on port 53.
 
macster2075 said:
I won't be able to use content filtering network wise since the OpenDns Upstream will not be used...
Click to expand...

You can use category blocklists on your Pi-hole, but okay - I can wait for 6 more days...

FilterLists | Subscriptions for uBlock Origin, Adblock Plus, AdGuard, ...

FilterLists is the independent, comprehensive directory of filter and host lists for advertisements, trackers, malware, and annoyances. By Collin M. Barrett.
filterlists.com filterlists.com

What is this Pi-hole doing on your network is still not very clear. It's a DNS-based blocker.
 
Tech9 said:
What is this Pi-hole doing on your network is still not very clear. It's a DNS-based blocker.
Click to expand...
It is being use to Administer the Open DNS. With Pihole, we can observe the connections coming and going. Plus it acts as a blocker to block content before it reaches Upstream. The Upstream blocks whatever Pihole Misses.
 
What if Diversion runs on the router with the same blocklists and OpenDNS is set in WAN? Way too advanced? I believe Pi-hole is used for two reasons:

- someone else recommended it
- it has nicer graphs in the WebUI
 
I've seen AdGuard options as well, but can't remember the developer's name. It was something very long.
 
You must log in or register to reply here.

Similar threads

ExtremeFiretop
  • Locked
Seeking Feedback & Contributions: Merlin Auto Update Solutions
14 15 16
Replies
315
Views
17K
ExtremeFiretop
ExtremeFiretop
ExtremeFiretop
MerlinAU MerlinAU v1.1.1 - The Ultimate Firmware Auto-Updater (Now available in AMTM)
15 16 17
Replies
322
Views
31K
ExtremeFiretop
ExtremeFiretop
M
Solved Unable to bypass router DNS settings
Replies
5
Views
2K
MvW
M
A
Tutorial IPv6 DDNS (noip.com) and VPN server for CG-NAT IPv4
Replies
10
Views
5K
juanantonio
J
RMerlin
  • Locked
Release Asuswrt-Merlin 386.2 is now available
36 37 38
Replies
757
Views
195K
RMerlin
RMerlin
Similar threads
Thread starter Title Forum Replies Date
gatorback Immediately forcing DDNS update Asuswrt-Merlin 3
deefour Forcing device-specific port-range through VPN Asuswrt-Merlin 9

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 864 (members: 26, guests: 838)
Top