Unbound Harden Unbound

Jack-Sparr0w

Regular Contributor
No problem using this in config file with vpn atm

use-caps-for-id: yes (don't use if you are using pi-hole)
harden-referral-path: yes
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
 
Please, when using these options, will Unbound be applied to the VPN too?
Thank you!
 
Anything that is done to Unbound, from my understanding, has to be done without VPN; that includes installing all its features. Gotta do the order of operations method to get it to work nice.
 
Have you looked into VPNMON through amtm? You can route your Unbound traffic through your VPN. Working great here.

 
Hi all,

Thank you for this. I've always been confused as to how to get DNS lookups via Unbound to work over my WireGuard VPN server (Mullvad). I've tried a few times and DNS lookups stop working completely. Is there any chance you can point me in the right direction as to which method works? VPNMON won't work with Unbound, I don't think, because it has no capacity for monitoring WireGuard, IIRC.

I'm on the latest Asus Merlin for the AX86U router.

Thank you for any and all help.

:)
 
Code:
use-caps-for-id: yes
Clarification: do not set this to yes if you want to use DNSSEC - according to unbound devs.
So either use harden-dnssec-stripped or use-caps-for-id, but not both.

Code:
harden-large-queries: yes
Doesn't make sense to set it if you're running Unbound in your LAN; that option is only useful when hosting a public resolver.

Code:
harden-short-bufsize: yes
val-clean-additional: yes
Are set to yes by default, according to unbound docs.
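
A small checker for the settings discussed in the post above, as an added example that is not part of the original thread or of Unbound itself: it parses the server: clause of an unbound.conf and flags the options that post comments on. The SAMPLE config, function names and finding texts are constructed here, and the defaults are the ones the post reports, which can vary by Unbound version.

```python
import re

# Notes taken from the post above; defaults are as that post reports them
# and can differ between Unbound versions.
DEFAULT_YES = {"harden-short-bufsize", "val-clean-additional"}
PUBLIC_ONLY = {"harden-large-queries"}
DISPUTED_PAIR = ("use-caps-for-id", "harden-dnssec-stripped")

def server_options(text):
    """Return {option: value} for the server: clause of an unbound.conf."""
    opts, clause = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()   # drop comments
        m = re.match(r"^([a-z0-9-]+):\s*(.*)$", line, re.I)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if value == "":                  # clause header: "server:", "forward-zone:"
            clause = name
        elif clause == "server":
            opts[name] = value.lower()   # a later assignment overrides an earlier one
    return opts

def audit(text):
    """Return sorted (option, finding) pairs for the options in this thread."""
    opts = server_options(text)
    on = {k for k, v in opts.items() if v == "yes"}
    findings = [(o, "redundant: already the default per the post") for o in on & DEFAULT_YES]
    findings += [(o, "only useful on a public resolver per the post") for o in on & PUBLIC_ONLY]
    if all(o in on for o in DISPUTED_PAIR):
        findings.append((DISPUTED_PAIR[0], "set together with harden-dnssec-stripped; posters disagree"))
    return sorted(findings)

# Constructed sample config (not taken from any poster's router).
SAMPLE = """\
server:
    use-caps-for-id: yes        # 0x20 case randomisation
    harden-large-queries: yes
    harden-short-bufsize: yes
    val-clean-additional: yes
    harden-dnssec-stripped: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
"""

if __name__ == "__main__":
    for option, finding in audit(SAMPLE):
        print(f"{option}: {finding}")
```

On a machine with Unbound installed, `unbound-checkconf -o <option>` prints the value the daemon would actually use for one option, which settles what the default is for that version.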
 
Code:
use-caps-for-id: yes
Clarification: do not set this to yes if you want to use DNSSEC - according to unbound devs.
So either use harden-dnssec-stripped or use-caps-for-id, but not both.

Where is this documented, please?

I have both enabled and have no issue with returning DNSSEC lookups
 
Hi all,

Thank you for this. I've always been confused as to how to get DNS lookups via Unbound to work over my WireGuard VPN server (Mullvad). I've tried a few times and DNS lookups stop working completely. Is there any chance you can point me in the right direction as to which method works? VPNMON won't work with Unbound, I don't think, because it has no capacity for monitoring WireGuard, IIRC.

I'm on the latest Asus Merlin for the AX86U router.

Thank you for any and all help.

:)
At the moment, VPNMON can only use Unbound over VPN. The way it was implemented seems extremely complex, but I'm going to try to reverse engineer it to see if I can get it working on WireGuard as well.

Right now, I'm using WireGuard for my main internet connection(s), but using a standalone VPN connection handling Unbound DNS lookups. So it's a best of both worlds for now. ;)
 
