RX-AX88U + Adguard Home + Unbound - DNS Leak Test Result...

[breathless]

Quick question...

What should a DNS leak test from the following sites look like assuming I have a proper configuration of Adguard Home + Unbound?

From dnsleaktest.com extended test I get 1 server result, and its my IP Address but my ISP is the hostname. The hostname I don't recognize. The location is a rough estimation of my location, and not the headquarters of my ISP.

From browserleaks.com I get the same thing.... 1 server, 1 ISP, 1 location, and its my ISP. The IP address is my IP.... Same thing with location. It's very close to my location and not the headquarters of my ISP.

Is this a DNS Leak?




Thanks

 

[dave14305]

Is this a DNS Leak?

No, that’s Unbound at work. You router’s WAN IP is the DNS server being correctly detected by the tests. The DNS name is just how your ISP decided to name their public IP address assigned to you.

 

[breathless]

No, that’s Unbound at work. You router’s WAN IP is the DNS server being correctly detected by the tests. The DNS name is just how your ISP decided to name their public IP address assigned to you.

That's what I needed to know! Thank you!

 

[Tech9]

This is 180 turn to what you have asked here:

Adguard Home - "disable" bootstrap DNS Servers for 100% encrypted DNS via 443 / 853

I have Adguard Home setup on my Asus RT-AX88U. Here is my upstream server config: [/router.asus.com/][::]:553 [/www.asusnetwork.net/][::]:553 [/www.asusrouter.com/][::]:553 [/use-application-dns.net/][::]:553 [/dns.resolver.arpa/][::]:553 [/lan/][::]:553 [//][::]:553 #DoT...

www.snbforums.com

Your Unbound is in resolver mode and uses port 53 to communicate to root servers. This setup has pros and cons.

 

[breathless]

That is correct, I figured I would just bypass that whole question / issue by installing unbound. I've removed the SDNS entries completely from the upstream.

I have some reading to do I guess as to the cons of using unbound. Seems like cutting out the middleman, as long as my router doesn't get overwhelmed, is the "best" thing to do for overall speed / privacy...?

 

[Tech9]

Seems like cutting out the middleman, as long as my router doesn't get overwhelmed, is the "best" thing to do for overall speed / privacy...?

No. It's only one of the available options.

 

[Kingp1n]

No. It only one of the available options.

What would be the pros/cons for resolver mode? You recommend using the ISP DNS (default) setup versus Unbound?

 

[Tech9]

What would be the pros/cons for resolver mode?

Very slow first resolution up to hundreds ms, less cache than popular public DNS providers, may reveal public IP, communication with root servers is not encrypted, takes resources on a limited hardware home router, less reliable when USB stick is used.

You recommend using the ISP DNS (default) setup versus Unbound?

This is another option. Most of the time ISP DNS is the fastest around. No matter if you encrypt DNS traffic and how many root servers you spread your "privacy" to - the ISP knows what servers you connect to by IP address. They have a pretty god idea what are you doing online.

 

[Kingp1n]

Very slow first resolution up to hundreds ms, less cache than popular public DNS providers, may reveal public IP, communication with root servers is not encrypted, takes resources on a limited hardware home router, less reliable when USB stick is used.



This is another option. Most of the time ISP DNS is the fastest around. No matter if you encrypt DNS traffic and to how many root servers you spread your "privacy" - the ISP knows what servers you connect to by IP address. They have a pretty god idea what are you doing online.

Whats your take on 3rd party DNS i.e. Quad9 or Cloudflare? So many options but it seems like goingwith ISP resolvers seems like the safer route...

Also,.Would you recommend the built-in DoT within rmerlin fw?

 

[Tech9]

Whats your take on 3rd party DNS i.e. Quad9 or Cloudflare?

I can tell what I liked recently and why - AdGuard Home with DoH to Cloudflare with AdGuard standard ads and security blocklists only. It's light enough for router use (1GB RAM models at least), the WebUI is nice and informative, the blocklists are fail-safe, there are services blocking options (I was blocking iCloud Private Relay and it works), Cloudflare can provide additional filtering (1.1.1.2/1.0.0.2 servers) and is fast in many locations, DNS traffic is mixed with common https on port 443, 1.1.1.1/help is showing the encryption method correctly. Instead of USB stick I would use a small SSD in USB enclosure. USB 2.0 mode is enough and may prevent eventual 2.4GHz radio interference (may be an issue on some router models). One complication - it doesn't deal well with IPv6 enabled and I managed to go around in default configuration. Keep IPv6 disabled for guaranteed DNS filtering, DNS Filter/Director set as per instructions. You can keep AiProtection enabled on top, if you want to. You can use Skynet in case there are open ports or you want to limit your own access to something (IPv4 only), but it's not really necessary - the built-in firewall is good enough.

 

[breathless]

Your Unbound is in resolver mode and uses port 53 to communicate to root servers. This setup has pros and cons.

Can't TLS encryption be enabled in the unbound config file so that requests made to the root servers will be encrypted as well?

Maybe something like the below video except I would point the certificate path to the same place that I pointed Adguard Home certificate path to.... which is the free LetsEncrypt certificate in the router:

 

[Tech9]

Can't TLS encryption be enabled in the unbound config file so that requests made to the root servers will be encrypted as well?

No, root servers don't support encryption unless something has changed very recently.