
Unbound Harden Unbound

Jack-Sparr0w

Regular Contributor
No problem using this in the config file with VPN atm.

use-caps-for-id: yes (don't use if you are using Pi-hole)
harden-referral-path: yes
harden-algo-downgrade: yes
harden-large-queries: yes
harden-short-bufsize: yes
val-clean-additional: yes
harden-dnssec-stripped: yes
 
Please, using these options, will Unbound be applied to the VPN too?
Thank you!
 
Anything that is done to Unbound, from my understanding, has to be done without the VPN; that includes installing all its features. You've got to follow an order-of-operations method to get it to work nicely.
 
Have you looked into VPNMON through amtm? You can route your Unbound traffic through your VPN; working great here.


 
Hi all,

Thank you for this. I've always been confused as to how to get DNS lookups via Unbound to work over my WireGuard VPN server (Mullvad). I've tried a few times and DNS lookups stop working completely. Is there any chance you can point me in the right direction as to which method works? VPNMON won't work with Unbound, I don't think, because it has no capacity for monitoring WireGuard, IIRC.

I'm on the latest Asus Merlin for the AX86U router.

Thank you for any and all help.

:)
 
Code:
use-caps-for-id: yes
Clarification: do not set this to yes if you want to use DNSSEC, according to the Unbound devs.
So either use harden-dnssec-stripped or use-caps-for-id, but not both.

Code:
harden-large-queries: yes
Doesn't make sense to set it if you're running Unbound in your LAN; that option is only useful when hosting a public resolver.

Code:
harden-short-bufsize: yes
val-clean-additional: yes
These are set to yes by default, according to the Unbound docs.
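The option set posted at the top of the thread, checked the way the replies reason about it: lines that restate a default, use-caps-for-id together with a configured trust anchor, and harden-large-queries on a listener that only faces the LAN. This is an added example, not code from the thread, from Unbound or from unbound_manager. The config it lints is constructed to mirror the posted options, and the defaults table is my reading of unbound.conf(5) for recent releases; treat it as an assumption and check it against the man page of the version on your router.

```python
"""Lint an Unbound server: clause for the option interactions discussed in this thread.

Added example, not Unbound's own tooling. DEFAULTS is my reading of unbound.conf(5)
for recent releases (assumption: check your version's man page; harden-short-bufsize
in particular has shipped with a different default in older releases).
"""
import ipaddress

DEFAULTS = {
    "use-caps-for-id": "no",
    "harden-referral-path": "no",
    "harden-algo-downgrade": "no",
    "harden-large-queries": "no",
    "harden-short-bufsize": "yes",
    "val-clean-additional": "yes",
    "harden-dnssec-stripped": "yes",
    "harden-glue": "yes",
}
# Any of these in the server: clause gives the validator a trust anchor to work with.
TRUST_ANCHOR_KEYS = ("auto-trust-anchor-file", "trust-anchor-file", "trust-anchor", "trusted-keys-file")


def parse_server_clause(text):
    """Return {option: [values in order]} for the server: clause; comments and other clauses are skipped."""
    opts, in_server = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.endswith(":") and " " not in line:   # clause header: server:, forward-zone:, ...
            in_server = line == "server:"
            continue
        if in_server and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            opts.setdefault(key, []).append(value.strip('"'))
    return opts


def lan_only(interfaces):
    """True when every listening address is loopback, RFC 1918 or ULA (no 'interface:' lines means loopback)."""
    for iface in interfaces:
        addr = iface.rsplit("@", 1)[0]               # strip the optional @port suffix
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:                           # interface names or hostnames: assume reachable
            return False
        if ip.is_unspecified or not (ip.is_private or ip.is_loopback):
            return False
    return True


def lint(text):
    """Return human-readable findings for the server: clause in `text`."""
    opts = parse_server_clause(text)
    last = {k: v[-1] for k, v in opts.items()}      # later lines override earlier ones
    findings = []
    for key, default in DEFAULTS.items():
        if last.get(key) == default:
            findings.append(f"{key}: {default} is already the default; the line is redundant")
    if last.get("use-caps-for-id") == "yes":
        msg = ("use-caps-for-id: yes randomises query-name case (0x20); authoritative servers that "
               "do not echo the case back can leave a small fraction of domains without answers")
        if any(k in opts for k in TRUST_ANCHOR_KEYS):
            msg += "; this thread reports extra breakage when combined with DNSSEC validation, so test your lookups"
        findings.append(msg)
    if last.get("harden-large-queries") == "yes" and lan_only(opts.get("interface", [])):
        findings.append("harden-large-queries: yes on a LAN-only listener drops legal oversized queries "
                        "(TSIG, large EDNS payloads) for little gain")
    return findings


# Constructed sample mirroring the options posted in this thread (not a real router config).
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1@53535
    interface: 192.168.1.1
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
    use-caps-for-id: yes         # don't use if you are using Pi-hole
    harden-referral-path: yes
    harden-algo-downgrade: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
    val-clean-additional: yes
    harden-dnssec-stripped: yes
forward-zone:
    name: "."
    forward-addr: 10.8.0.1
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("-", finding)
```

Run it against your own unbound.conf by reading the file into `lint()`. The redundant-default findings are harmless on their own; the point of keeping them visible is that a line like harden-short-bufsize: yes tells you nothing about what the resolver actually does unless you also know which version's default you are restating.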
 
Code:
use-caps-for-id: yes
Clarification: do not set this to yes if you want to use DNSSEC, according to the Unbound devs.
So either use harden-dnssec-stripped or use-caps-for-id, but not both.

Where is this documented, please?

I have both enabled and have no issue with returning DNSSEC lookups.
 
Hi all,

Thank you for this. I've always been confused as to how to get DNS lookups via Unbound to work over my WireGuard VPN server (Mullvad). I've tried a few times and DNS lookups stop working completely. Is there any chance you can point me in the right direction as to which method works? VPNMON won't work with Unbound, I don't think, because it has no capacity for monitoring WireGuard, IIRC.

I'm on the latest Asus Merlin for the AX86U router.

Thank you for any and all help.

:)
At the moment, VPNMON can only use Unbound over VPN. The way it was implemented seems extremely complex, but I'm going to try to reverse-engineer it to see if I can get it working on WireGuard as well.

Right now, I'm using WireGuard for my main internet connection(s), but using a standalone VPN connection to handle Unbound DNS lookups. So it's the best of both worlds for now. ;)

Since you're using Mullvad, it doesn't take much to get one additional VPN slot working (in addition to your WireGuard slot) with a new Mullvad VPN connection to duplicate this setup.
 
Where is this documented, please?

I have both enabled and have no issue with returning DNSSEC lookups.
According to the reports on Pi-hole's Discourse and Unbound's GitHub, this does not affect all DNSSEC lookups, as it is caused by how the authoritative server handles the query, so you might never have encountered this.
In my Unbound config I have a note about this, so I assume that when I made it, it was justified. I do not have the source I based this on; probably a mailing list.
I personally still had problems with both these options set together, so the issue is still there, for some people at least.

Edit:
It looks like it is mentioned in the documentation indeed: https://unbound.docs.nlnetlabs.nl/en/latest/reference/history/patch-announce102.html#randomisation
"This method currently has to be turned on by the operator manually, as it may result in maybe 0.4% of domains getting no answers due to no support on the authoritative server side."
So, depending on what sites you visit, you may or may never encounter this.
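To make concrete what the 0.4% figure above refers to, here is a small model of 0x20 query-name case randomisation, the mechanism that use-caps-for-id: yes turns on. This is an added example, not Unbound's code and not from the linked history page; the three remote-side behaviours and the sample name are constructed, and the model shows only the strict "does the reply echo the case I sent?" check, leaving out whatever fallback handling a given Unbound version applies to servers that fail it.

```python
"""Model DNS 0x20 query-name case randomisation, the mechanism behind use-caps-for-id.

Added example, not Unbound's code. A resolver sets each letter's case from random bits
before sending; a genuine authoritative server copies the question name back verbatim,
so a reply with different casing is either spoofed or from a server that normalises case.
"""
import os


def randomize_case(qname, random_bytes=None):
    """Set or clear the 0x20 bit of each ASCII letter in qname from a random bit string."""
    n_letters = sum(1 for ch in qname if ch.isascii() and ch.isalpha())
    if random_bytes is None:
        random_bytes = os.urandom((n_letters + 7) // 8)
    bits = int.from_bytes(random_bytes, "big")
    out, i = [], 0
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if (bits >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)                 # dots, digits and hyphens carry no case bit
    return "".join(out)


def entropy_bits(qname):
    """Extra bits an off-path spoofer must guess on top of the transaction ID and source port."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def reply_accepted(sent_qname, reply_qname):
    """Resolver-side check: the question section must come back with exactly the case sent."""
    return sent_qname == reply_qname


# Three models of the remote side (constructed for the example).
def case_preserving_server(qname):
    return qname                           # RFC 1034 behaviour: copy the question verbatim


def lowercasing_server(qname):
    return qname.lower()                   # the minority that normalises case; its answers fail the check


def blind_spoofer(qname):
    return qname.lower()                   # off-path attacker who never saw the randomised query


def query(qname, remote, random_bytes=None):
    """Send a case-randomised name to `remote`; return (sent, echoed, accepted)."""
    sent = randomize_case(qname, random_bytes)
    echoed = remote(sent)
    return sent, echoed, reply_accepted(sent, echoed)


if __name__ == "__main__":
    name = "www.example.com."
    print(f"{entropy_bits(name)} bits of case entropy in {name}")
    for remote in (case_preserving_server, lowercasing_server, blind_spoofer):
        sent, echoed, ok = query(name, remote)
        print(f"{remote.__name__:22} sent={sent} got={echoed} accepted={ok}")
```

Two things the model makes visible. The lowercasing server and the blind spoofer produce the same reply, which is exactly why the resolver cannot tell them apart and has to reject both; that is the breakage the thread is discussing. And the protection is only as good as the number of letters in the name: a short name such as a.io. adds a handful of bits, and in the rare case where the random bits happen to select all-lowercase, a case-normalising reply is indistinguishable from a correct one.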
 
Hi all,

Thank you for this. I've always been confused as to how to get DNS lookups via Unbound to work over my WireGuard VPN server (Mullvad). I've tried a few times and DNS lookups stop working completely. Is there any chance you can point me in the right direction as to which method works? VPNMON won't work with Unbound, I don't think, because it has no capacity for monitoring WireGuard, IIRC.

I'm on the latest Asus Merlin for the AX86U router.

Thank you for any and all help.

:)
unbound_manager advanced: use option 3 and look for "bind to VPN".
 
Hi all,

Thank you for this. I've always been confused as to how to get DNS lookups via Unbound to work over my WireGuard VPN server (Mullvad). I've tried a few times and DNS lookups stop working completely. Is there any chance you can point me in the right direction as to which method works? VPNMON won't work with Unbound, I don't think, because it has no capacity for monitoring WireGuard, IIRC.

I'm on the latest Asus Merlin for the AX86U router.

Thank you for any and all help.

:)
Use OpenVPN if possible, it has a better cipher.
 
