Unbound - Authoritative Recursive Caching DNS Server


USer1245

New Around Here
Raspbian is a Debian environment. Just configure the repository in sources.list.
Code:
apt-get update
apt-get install -y unbound dnsutils
Configure as needed.
I tried it but it doesn't really work; it could be that I did something wrong.

When I test it this was shown: no qname-minimisation or IPv6, although I have a conf with these parameters (do-ip6= yes,qname-minimisation: yes).

But when I use a Virtual Machine it works well; I don't know why. Maybe someone can explain it to me.


Here it works fine: after installing unbound and dnsutils, qname minimisation works well. The others worked also before I downloaded unbound. But why?
( https://cmdns.dev.dns-oarc.net/ )

Many Thanks in advance
 

USer1245

New Around Here
I did the simulation with VirtualBox. To work do this:

Type the steps again, to hopefully get it right
1. Install Raspbian fresh
2. Install PiHole
3. Install unbound and ldnsutils and stop it
Code:
apt-get install unbound ldnsutils
Code:
service unbound stop
4. Create the file
/etc/unbound.conf.d/pi-hole.conf
Code:
server:
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: [email protected]
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
 
    root-hints: "/var/lib/unbound/root.hints"

    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1472

    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    serve-expired-ttl: 3600
 
    rrset-roundrobin: yes
    harden-algo-downgrade: yes
    hide-version: yes
    hide-identity: yes
    harden-below-nxdomain: yes

    num-threads: 1

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

5. PiHole configuration with unbound


6. Set in /etc/dnsmasq.d/01-pihole.conf
Code:
cache-size=0
7. Start unbound
Code:
service unbound start
8. Reboot

Works fine:

Code:
%  dig +short txt qnamemintest.internet.nl

a.b.qnamemin-test.internet.nl.

"HOORAY - QNAME minimisation is enabled on your resolver :)!"

Works fine. Thank you for help.
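As an added check (not the poster's or Pi-hole's own code), this shell audit reads a server: block like the one in step 4 and reports which of the options discussed later in the thread it leaves unset or sets to a different value; run on the config above it flags qname-minimisation as missing, which is exactly what the cmdns test reported. The option list and expected values are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list which privacy/hardening options an
# unbound server: block leaves unset or sets differently from the values the
# thread works towards. Assumption: the file is a plain "key: value" unbound
# config like the one posted in step 4.

# option=expected pairs (constructed from the options discussed in the thread)
WANTED="qname-minimisation=yes hide-identity=yes hide-version=yes
harden-glue=yes harden-below-nxdomain=yes harden-dnssec-stripped=yes
aggressive-nsec=yes deny-any=yes"

# Usage: audit_unbound_conf /path/to/unbound.conf
# Prints one line per miss; the return code is the number of misses (0 = clean).
audit_unbound_conf() {
    conf="$1"
    misses=0
    for pair in $WANTED; do
        key="${pair%=*}"
        want="${pair#*=}"
        # drop comments, then take the value of the last line for this key
        got=$(sed 's/#.*//' "$conf" \
              | awk -v k="$key:" '$1 == k { v = $2 } END { print v }')
        if [ -z "$got" ]; then
            # unset: whatever default this unbound build was compiled with applies
            echo "MISSING  $key"
            misses=$((misses + 1))
        elif [ "$got" != "$want" ]; then
            echo "WEAK     $key: $got (expected $want)"
            misses=$((misses + 1))
        fi
    done
    return "$misses"
}

if [ $# -eq 1 ]; then
    audit_unbound_conf "$1"
fi
```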
 

heysoundude

Very Senior Member
This may be germane or off-topic, but something tells me this topic/thread is the place to put it.
From Hurricane Electric's Tunnelbroker service:

[February 10, 2020]
The public recursors at 74.82.42.42 / 2001:470:20::2 / ordns.he.net now also support DNS over TLS (DoT) and DNS over HTTPS (DoH) for those who wish to use those interfaces.

Maybe it'll help someone, maybe I just added some noise to the discussion <shrugs>

Wash your hands!
 

Chris0815

Regular Contributor
Hey,
this is my first post so I take the chance to say thank you to all of you that this forum exists!
During the last weeks I have spent tons of hours reading interesting stuff here - my wife does not understand why I do so, but I learned a lot of things I really was not aware of before. So thanks again...!

I began using unbound configured as recursive server (not forwarding). And I use VPN by NordVPN configured as Client-VPN on the router without accepting DNS from NordVPN, so unbound is doing the job. DNS-leak-test shows a NordVPN IP and my WAN IP for DNS, so it seems to work so far.
So my IP is hidden, but sites still can extract my DNS-IP, and that is directly linked to my ISP. DNS over unbound is not encrypted. So am I right that this DNS traffic can be monitored by my ISP?
Would it be possible that unbound does not communicate with the name servers over WAN, but over VPN - so that my ISP is not able to see anything?
I tried to add "outgoing-interface: 10.8.1.32" in the config of unbound. This IP is the client IP of the VPN connection of NordVPN on the router. DNS resolving still works with this setup, but is this the right way to send DNS traffic over the VPN? Is it really doing as I expect? Or should I see a NordVPN IP for DNS? I still see my own WAN IP during the DNS leak test...
Every time I reconnect to NordVPN (i.e. router reboot), the VPN client IP given by NordVPN changes, so I have to change the unbound config file each time. Is there any other possibility to send DNS traffic over the VPN to hide it from my ISP?
 

rgnldo

Very Senior Member
Hey,
this is my first post so I take the chance to say thank you to all of you that this forum exists!
During the last weeks I have spent tons of hours reading interesting stuff here - my wife does not understand why I do so, but I learned a lot of things I really was not aware of before. So thanks again...!

I began using unbound configured as recursive server (not forwarding). And I use VPN by NordVPN configured as Client-VPN on the router without accepting DNS from NordVPN, so unbound is doing the job. DNS-leak-test shows a NordVPN IP and my WAN IP for DNS, so it seems to work so far.
So my IP is hidden, but sites still can extract my DNS-IP, and that is directly linked to my ISP. DNS over unbound is not encrypted. So am I right that this DNS traffic can be monitored by my ISP?
Would it be possible that unbound does not communicate with the name servers over WAN, but over VPN - so that my ISP is not able to see anything?
I tried to add "outgoing-interface: 10.8.1.32" in the config of unbound. This IP is the client IP of the VPN connection of NordVPN on the router. DNS resolving still works with this setup, but is this the right way to send DNS traffic over the VPN? Is it really doing as I expect? Or should I see a NordVPN IP for DNS? I still see my own WAN IP during the DNS leak test...
Every time I reconnect to NordVPN (i.e. router reboot), the VPN client IP given by NordVPN changes, so I have to change the unbound config file each time. Is there any other possibility to send DNS traffic over the VPN to hide it from my ISP?
What environment are you referring to? Is it an Asus router with Merlin firmware?
 

dave14305

Part of the Furniture
Every time I reconnect to NordVPN (i.e. router reboot), the VPN client IP given by NordVPN changes, so I have to change the unbound config file each time.
You can probably use a script to replace the outgoing-interface: line in the unbound.conf when it changes. A VPN guru could tell you how to do it (which user script).
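The kind of script dave14305 describes, as an added example that is not from the thread: it reads the tunnel's current address, rewrites the outgoing-interface line, and reloads unbound only when the address actually changed. The interface name tun11, the config path and the use of unbound-control are my assumptions; on Merlin firmware the natural place to call it from is the openvpn-event user script.

```shell
#!/bin/sh
# Added example (not from the thread): refresh unbound's outgoing-interface from
# the VPN client's current address so the line need not be edited by hand after
# every reconnect. Assumptions (mine): tunnel tun11, config in
# /opt/var/lib/unbound/unbound.conf, reload via unbound-control.
TUN_IF="${TUN_IF:-tun11}"
UNBOUND_CONF="${UNBOUND_CONF:-/opt/var/lib/unbound/unbound.conf}"

# Current IPv4 address on the tunnel; empty when the tunnel is down.
vpn_addr() {
    ip -4 -o addr show dev "$TUN_IF" 2>/dev/null \
        | awk '{ sub("/.*", "", $4); print $4; exit }'
}

# set_outgoing_interface CONF ADDR: rewrite (or add) the outgoing-interface line.
# Prints "changed" or "unchanged" so the caller knows whether a reload is needed.
set_outgoing_interface() {
    conf="$1"; addr="$2"
    case "$addr" in
        *.*.*.*) ;;
        *) echo "refusing to use '$addr' as outgoing-interface" >&2; return 1 ;;
    esac
    if grep -q "^[[:space:]]*outgoing-interface:[[:space:]]*$addr\$" "$conf"; then
        echo unchanged; return 0
    fi
    if grep -q '^[[:space:]]*outgoing-interface:' "$conf"; then
        sed -i "s|^\([[:space:]]*\)outgoing-interface:.*|\1outgoing-interface: $addr|" "$conf"
    else
        # unbound accepts repeated server: clauses, so append a small one
        printf 'server:\n    outgoing-interface: %s\n' "$addr" >> "$conf"
    fi
    echo changed
}

main() {
    addr=$(vpn_addr)
    if [ -z "$addr" ]; then
        # Tunnel down: keep the stale address rather than fall back to the WAN
        # address; unbound then fails to send instead of resolving past the VPN.
        echo "$TUN_IF has no address; $UNBOUND_CONF left untouched" >&2
        return 1
    fi
    if [ "$(set_outgoing_interface "$UNBOUND_CONF" "$addr")" = changed ]; then
        unbound-checkconf "$UNBOUND_CONF" && unbound-control reload
    fi
}

case "${1:-}" in run) main ;; esac
```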
 

rgnldo

Very Senior Member
Sorry that I missed that information - Yes, it's an AC86U running Merlin 384.15
From the experiences I have with VPN and unbound services, there are two options for the interaction between the two services.
The first is assigning NordVPN's IP to the outgoing-interface option, as suggested by Dave14305.
The other option is a forward-zone; insert NordVPN's IP.
 

SomeWhereOverTheRainBow

Very Senior Member
Hey,
this is my first post so I take the chance to say thank you to all of you that this forum exists!
During the last weeks I have spent tons of hours reading interesting stuff here - my wife does not understand why I do so, but I learned a lot of things I really was not aware of before. So thanks again...!

I began using unbound configured as recursive server (not forwarding). And I use VPN by NordVPN configured as Client-VPN on the router without accepting DNS from NordVPN, so unbound is doing the job. DNS-leak-test shows a NordVPN IP and my WAN IP for DNS, so it seems to work so far.
So my IP is hidden, but sites still can extract my DNS-IP, and that is directly linked to my ISP. DNS over unbound is not encrypted. So am I right that this DNS traffic can be monitored by my ISP?
Would it be possible that unbound does not communicate with the name servers over WAN, but over VPN - so that my ISP is not able to see anything?
I tried to add "outgoing-interface: 10.8.1.32" in the config of unbound. This IP is the client IP of the VPN connection of NordVPN on the router. DNS resolving still works with this setup, but is this the right way to send DNS traffic over the VPN? Is it really doing as I expect? Or should I see a NordVPN IP for DNS? I still see my own WAN IP during the DNS leak test...
Every time I reconnect to NordVPN (i.e. router reboot), the VPN client IP given by NordVPN changes, so I have to change the unbound config file each time. Is there any other possibility to send DNS traffic over the VPN to hide it from my ISP?
Your DNS traffic is in plain text, but your traffic is not making contact with any major players such as your ISP's DNS servers or public servers, so all your queries are made to root servers where the information is fresh. Only the root servers will see you. Unless your ISP starts sniffing your traffic, they are not going to really see what you are doing, as you are going straight to the root servers and skipping the middleman servers (i.e. Cloudflare, ISP DNS, Quad9, Google).
 

SomeWhereOverTheRainBow

Very Senior Member
I tried it but it doesn't really work; it could be that I did something wrong.
When I test it this was shown: no qname-minimisation or IPv6, although I have a conf with these parameters (do-ip6= yes,qname-minimisation: yes).

But when I use a Virtual Machine it works well; I don't know why. Maybe someone can explain it to me.

Here it works fine: after installing unbound and dnsutils, qname minimisation works well. The others worked also before I downloaded unbound. But why?
( https://cmdns.dev.dns-oarc.net/ )

Many Thanks in advance
Here is mine
 

dave14305

Part of the Furniture
I turned off IPv6 in my router.
So this is normal then? Nothing to worry about?
If you are using Unbound configured per the "SNB standards" you should have QNAME minimization enabled. Are you sure this test was run using Unbound as your DNS server?
 

Mutzli

Very Senior Member
If you are using Unbound configured per the "SNB standards" you should have QNAME minimization enabled. Are you sure this test was run using Unbound as your DNS server?
I also get a C on that test with unbound enabled and I do have QNAME minimization enabled.
 

Mutzli

Very Senior Member
I only have the following options active under gentle on recursion:
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

should I add what you have in this list?
 

SomeWhereOverTheRainBow

Very Senior Member
I only have the following options active under gentle on recursion:
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

should I add what you have in this list?
You can try it to see if it makes a difference, but if it doesn't then it is probably associated with capabilities associated with your ISP.
 

Mutzli

Very Senior Member
You can try it to see if it makes a difference, but if it doesn't then it is probably associated with capabilities associated with your ISP.
Made no difference, ISP must be the cause.

Is there a way to run unbound with DoT enabled? That might help to mitigate these resolver leaks. I saw in the config file that there are parameters for this. Is there an explanation of how to enable this?
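One way to do what Mutzli asks, as an added example that is not from the thread: a forward-zone that sends unbound's upstream queries over DNS-over-TLS to the HE recursor heysoundude quoted (74.82.42.42 / ordns.he.net), with the upstream certificate verified against a CA bundle. The bundle path and the output file are my assumptions; the check function refuses a forward-addr that lacks the #auth-name, because without it the TLS session is not authenticated.

```shell
#!/bin/sh
# Added example (not from the thread): switch unbound from recursing in the clear
# to forwarding over DNS-over-TLS. Forwarder: the HE recursor quoted earlier in
# the thread (74.82.42.42 / ordns.he.net); CA bundle path and output file are my
# assumptions. Trade-off: with a forward-zone for "." unbound no longer walks the
# tree itself, so the forwarder sees every query name while the ISP sees only TLS
# to port 853.
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# write_dot_forward_zone OUT ADDR AUTHNAME
write_dot_forward_zone() {
    out="$1"; addr="$2"; name="$3"
    cat > "$out" <<EOF
server:
    # Without tls-cert-bundle the upstream certificate is not verified and the
    # TLS session protects against eavesdropping only, not against a MITM.
    tls-cert-bundle: "$CA_BUNDLE"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#auth-name: the name is matched against the certificate
    forward-addr: $addr@853#$name
EOF
}

# dot_zone_ok FILE: true when the file has authenticated DoT forwarding, i.e.
# TLS upstream on, a CA bundle set, and every forward-addr carrying an auth-name.
dot_zone_ok() {
    grep -q '^[[:space:]]*forward-tls-upstream: yes' "$1" || return 1
    grep -q '^[[:space:]]*tls-cert-bundle: ' "$1" || return 1
    # a forward-addr without "#name" would be unauthenticated
    if grep '^[[:space:]]*forward-addr:' "$1" | grep -qv '#'; then
        return 1
    fi
    return 0
}

if [ $# -eq 1 ]; then
    write_dot_forward_zone "$1" 74.82.42.42 ordns.he.net
    dot_zone_ok "$1" && unbound-checkconf "$1"
fi
```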
 