Unbound - Authoritative Recursive Caching DNS Server


SuperDuke

Regular Contributor
As an FYI for the gang, I set up my VPN natively and disabled DNS service (allowing Unbound to still act as my resolver).

Speed went down by an order of magnitude....(I have 500Mbit, speed topping out at 50ish on the lone device I configured for the tunnel)......

iPad using the VPN app stays closer to full bandwidth.....

Has anybody else configured this way seen the same reduction? (knowing full well a reduction is expected....Express is my service)
 

L&LD

Part of the Furniture
@SuperDuke that is within the expected VPN speeds of your router (and its 1.4GHz dual-core CPU).

If you had an RT-AC86U or RT-AX88U then you would be seeing closer to 250Mbps over the VPN (note the dual/quad-core 1.8GHz CPUs are not the reason for the speed increase; it is the built-in hardware accelerator those models have instead). :)
 

rgnldo

Very Senior Member
> As an FYI for the gang, I set up my VPN natively and disabled DNS service (allowing Unbound to still act as my resolver).
>
> Speed went down by an order of magnitude....(I have 500Mbit, speed topping out at 50ish on the lone device I configured for the tunnel)......
>
> iPad using the VPN app stays closer to full bandwidth.....
>
> Has anybody else configured this way seen the same reduction? (knowing full well a reduction is expected....Express is my service)

As a rule of thumb, when you enable VPN, your DNS resolver is your VPN service.
 

SuperDuke

Regular Contributor
> @SuperDuke that is within the expected VPN speeds of your router (and its 1.4GHz dual-core CPU).
>
> If you had an RT-AC86U or RT-AX88U then you would be seeing closer to 250Mbps over the VPN (note the dual/quad-core 1.8GHz CPUs are not the reason for the speed increase; it is the built-in hardware accelerator those models have instead). :)

Thanks @L&LD
 

USer1245

New Around Here
Hello,
I am not really an advanced user but would like to have more privacy. Recently I installed Unbound with these instructions: https://docs.pi-hole.net/guides/unbound/ . But some privacy settings are missing.
Can someone maybe give me perfect settings with Pi-hole instructions? I read some of the posts but do not really know what to write in the .conf when I used the preconfigured one from Pi-hole. @rgnldo
 

rgnldo

Very Senior Member
> Hello,
> I am not really an advanced user but would like to have more privacy. Recently I installed Unbound with these instructions: https://docs.pi-hole.net/guides/unbound/ . But some privacy settings are missing.
> Can someone maybe give me perfect settings with Pi-hole instructions? I read some of the posts but do not really know what to write in the .conf when I used the preconfigured one from Pi-hole. @rgnldo

Look closely at the initial post of this thread. Follow the steps and preferably use only the Unbound native adblock. My post requires some knowledge of Linux. There is a script that automates the installation process, recommended for you. The link and other support guidelines can also be found in the initial post.
 

SuperDuke

Regular Contributor
Hi all.....I was picking around on a testing website and it made mention of some added benefit from restricting address case (either upper or lower but not mixed)

I went to the calomel website and apparently it's inherent....any thoughts on benefit?

'
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
# While upper and lower case letters are allowed in domain names, no significance
# is attached to the case. That is, two names with the same spelling but
# different case are to be treated as if identical. This means calomel.org is the
# same as CaLoMeL.Org which is the same as CALOMEL.ORG.
use-caps-for-id: yes'
 

rgnldo

Very Senior Member
> use-caps-for-id: yes'

I do not recommend this option for configurations with DNSSEC; it may result in false positives. With the DoT option configured, without DNSSEC, yes, you can activate it. This option will activate the Unbound police option against false domain traps.
 
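What `use-caps-for-id` does on the wire, as an added example (not code from this thread or from Unbound): the resolver randomises the letter case of the query name and accepts only a response that echoes it byte for byte. The names, query IDs and responses below are constructed sample values.

```python
import secrets

def encode_0x20(qname: str) -> str:
    """Flip each ASCII letter of qname to a random case (dns0x20 encoding)."""
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            ch = ch.upper() if secrets.randbits(1) else ch.lower()
        out.append(ch)
    return "".join(out)

def extra_entropy_bits(qname: str) -> int:
    """One unpredictable bit per letter, on top of the query ID and source port."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())

def check_response(sent_name: str, sent_id: int, resp_name: str, resp_id: int) -> str:
    """Classify a response the way a resolver enforcing 0x20 would."""
    if resp_id != sent_id:
        return "drop: query ID mismatch"
    if resp_name.lower() != sent_name.lower():
        return "drop: different question"
    if resp_name != sent_name:
        # Same name, wrong case: either a forged answer or a server that
        # does not copy the question section back unchanged.
        return "drop: 0x20 case mismatch"
    return "accept"

def demo() -> dict:
    # Constructed values; the mixed-case name stands in for encode_0x20() output.
    sent_name, sent_id = "cAlOMeL.oRg", 0x1A2B
    responses = {
        "faithful echo": ("cAlOMeL.oRg", 0x1A2B),
        "forged, ID matches": ("calomel.org", 0x1A2B),
        "server lowercases name": ("calomel.org", 0x1A2B),
        "wrong query ID": ("cAlOMeL.oRg", 0x0001),
    }
    return {label: check_response(sent_name, sent_id, name, qid)
            for label, (name, qid) in responses.items()}

if __name__ == "__main__":
    q = encode_0x20("calomel.org")
    print(q, "->", extra_entropy_bits(q), "extra bits")
    for label, verdict in demo().items():
        print(f"{label:24} {verdict}")
```

The forged answer and the case-lowering server are indistinguishable to the check, so both are dropped.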

SomeWhereOverTheRainBow

Very Senior Member
Calling all IPV6 Users
First off, I wanted to provide IPv6 users with some feedback on DNS64 options.

I wanted to provide you with a little feedback about a feature implemented for IPv6 inside the unbound.conf for the unbound manager script:

Code:
#module-config: "dns64 validator iterator"      # v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96                     # v1.03 v1.01
I noticed that with this feature enabled, several devices on my network stopped being able to resolve anything. Naturally my network tends to pull from IPv6 before IPv4, so what was happening was, say for example, my Alexa or my network camera would dial out to the cloud as these devices usually do, and the AAAA traffic via PTR was getting hit with a null/blocked response. This caused the devices to halt all name-resolution efforts and in effect not respond properly. Note: once I removed these lines from the .conf and restarted Unbound, the issue in its entirety went away.

With this In Mind

Should dns64 options be removed?
 

rgnldo

Very Senior Member
> AAAA traffic via PTR

This module was created to correct this problem, which in general is generated by the poor infrastructure provided by some ISPs. This module is not mandatory. For my reality, it is necessary. Yes, not all ISPs have the correct infrastructure with IPV6.
Most likely, your ISP will provide edge correction.
> With this In Mind
>
> Should dns64 options be removed?

As you have knowledge in networks, you should check if there is a need for the module. From what I notice, there is no need.
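
What the `dns64-prefix` line makes the resolver do, as an added example (not code from this thread or from Unbound): when a name has only A records, each IPv4 address is embedded in the low 32 bits of the /96 prefix and returned as an AAAA record. Such addresses are reachable only through a NAT64 translator serving that prefix; the function names and the sample addresses (documentation ranges) are constructed.

```python
import ipaddress

def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 DNS64 prefix (RFC 6052)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))

def dns64_answer(prefix: str, a_records: list, aaaa_records: list) -> list:
    """Return the AAAA answer set a DNS64 resolver hands to the client."""
    if aaaa_records:
        # A real AAAA exists: it is passed through untouched.
        return list(aaaa_records)
    # No AAAA: synthesize one per A record.
    return [synthesize_aaaa(prefix, a) for a in a_records]

def embedded_ipv4(prefix: str, ipv6: str):
    """Recover the IPv4 address from a synthesized AAAA, or None if outside the prefix.

    Useful when reading logs or packet captures to tell synthesized answers
    from native IPv6 ones.
    """
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

if __name__ == "__main__":
    prefix = "64:FF9B::/96"  # the prefix from the unbound.conf lines above
    # IPv4-only name (constructed): the client receives a synthesized AAAA.
    print(dns64_answer(prefix, ["192.0.2.33"], []))
    # Dual-stack name (constructed): the native AAAA is returned as-is.
    print(dns64_answer(prefix, ["192.0.2.33"], ["2001:db8::1"]))
    print(embedded_ipv4(prefix, "64:ff9b::c000:221"))
```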
 

USer1245

New Around Here
> Look closely at the initial post of this thread. Follow the steps and preferably use only the Unbound native adblock. My post requires some knowledge of Linux. There is a script that automates the installation process, recommended for you. The link and other support guidelines can also be found in the initial post.

I tried it. The only thing is, how can I add the Entware-NG repository on my Raspberry Pi? I don't find any helpful things on the internet. I use Pi-hole and OpenVPN at the moment. The script installer doesn't work either; maybe you can help me.
 