dave14305
Part of the Furniture
You can configure DoT only with a forwarder like Cloudflare, Google, Quad9 etc., but you’re back to sending them your dossier, albeit secretly.
Unbound - Authoritative Recursive Caching DNS Server
- Thread starter rgnldo
- Start date
- Status
SuperDuke
Regular Contributor
and now showing my supreme stupidity (if I haven't already), is there not a way to encrypt the request to the authoritative nameserver? (or is there even a reason to do so?)
dave14305
Part of the Furniture
The rub is that there are many many many authoritative nameservers you might need to query based on your web activity and they would all need to support DoT. Maybe one day but not yet.
SuperDuke
Regular Contributor
And so ends another highly insightful tutorial from the wise one @dave14305 ….thanks as always, your help is invaluable.
I currently have IPV6 enabled on my router since comcast offers this feature.
Question: Unbound does not prevent IPV6 from leaking correct?
The only way for IPV6 not too leak would be to disable this feature off in the router (or devices) correct?
BTW I'm currently using PIA VPN.
Question: Unbound does not prevent IPV6 from leaking correct?
The only way for IPV6 not too leak would be to disable this feature off in the router (or devices) correct?
BTW I'm currently using PIA VPN.
SolluxCaptor
Regular Contributor
Another thing of note, your ISP will most likely still be able to see your history based on IP once you complete the DoT protocol. Once you get the destionation IP back from the DoT server - then its all pure IP traffic to your ISP (as usual) - and if they perform any Deep Packet Inspection, or DPI - which as actually a part of AIProtect funnily enough, can still track your history regardless of the DNS answer being encrypted in transit. The main gain is no one else could snoop on your history mid-stream, vs that possibility plaintext. And via DNSSEC required at all root DNS servers, while your queries without DoT would be visible, they would not be modifiable in any way due to the response then breaking the root's (DNSSEC) signature. It all comes down to personal preference on the philosophy of DNS and Unbound! (or if you live in a more surveillance friendly country, DoT is a helpful piece). But to be truly private VPN is the way to go!
SolluxCaptor
Regular Contributor
Correct me if I'm wrong, but doesn't using DoT actually leave its own form of trail behind on those DNS servers? If I recall it was due to the nature of TLS. The connection is more secure, but it leaves a bit of a paper trail on the DoT server, I think due to handshakes. Granted, it is only visible by that DNS provider. AFAIK
SolluxCaptor
Regular Contributor
Unbound does provide IPV6 support. But if you want to disable it you can in the config file. You can edit it by running:
Code:
unbound_manager
Code:
vx
Code:
do-ip6: yes
Last edited:
dave14305
Part of the Furniture
You’re sharing all your queries with that chosen DoT public resolver, leaving that trail with them, but not snoopable by others while in transit thanks to TLS.
rgnldo
Very Senior Member
IPV6 working fine with unbound. I have been using Unbound-Stubby for two years. I have nothing to complain about. I performed all tests and routes. I have no problems with latency or router overload. I configure Stubby with experimental servers on port 443. Unbound-full can be configured as a TLS server, but in Entware compilation I couldn't. Soon we will have news. I follow the unbound of some years.
Tapatalk
Tapatalk
rgnldo
Very Senior Member
This is a didactic video that demonstrates the importance of a TLS proxy layer to the root server. With the advancement of java scripts and remote servers, DNS poisoning has become increasingly common today. The unbound project has been striving to provide a modern and secure DNS server.
Your code is simple and capable of high scalability. Originally focused on caching, recursive and authoritative, today extends its work with TLS solutions.
Tapatalk
Your code is simple and capable of high scalability. Originally focused on caching, recursive and authoritative, today extends its work with TLS solutions.
Tapatalk
SuperDuke
Regular Contributor
So as @dave14305 mentions, unless the nameservers all accept TLS, how does Unbound having that capability make it better?
rgnldo
Very Senior Member
In short, you can only have AsusWRT stock firmware on your router. What made you install the FW Merlin?
Tapatalk
rgnldo
Very Senior Member
Today, with the advancement of high-speed internet, cache logic as content storage has become a disused practice. DNS caching should be understood as dynamic, renewing itself in a short space of time. That's what I always recommend when configuring unbound: very little memory and cache life addition, more hardening layer, police and TLS.
Tapatalk
Tapatalk
SomeWhereOverTheRainBow
Part of the Furniture
yes, I saw that but I thought that installed version 1.23.
I'm installing rootzone per your instructions on previous post. Thanks for the info.
Last edited:
rgnldo
Very Senior Member
Update Initial POST
- Status
Similar threads
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
| L | Unbound + Wireguard: is this combination possible at all? | Asuswrt-Merlin | 6 | |
| J | DNS rewrite for internal clients to resolve hostname via adguard home and unbound | Asuswrt-Merlin | 12 |
Similar threads
-
Unbound + Wireguard: is this combination possible at all?
- Started by louisschneider
- Replies: 6
-
DNS rewrite for internal clients to resolve hostname via adguard home and unbound
- Started by jata
- Replies: 12
Latest threads
-
-
How to use the XT8 logs to troubleshoot?
- Started by rudedog71
- Replies: 0
-
-
-
ASUS AX-11000 Pro - 5GB Fiber
- Started by Tricky111
- Replies: 1
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!