Menu
What's new
By:
Filters Better Search

Unbound - Authoritative Recursive Caching DNS Server

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.
Status
Not open for further replies.
U

USer1245

New Around Here
rgnldo said:
Raspbian is a Debian environment. Just configure the repository in sources.list.
Code: 
apt-get update
apt-get install -y unbound dnsutils
Configure as needed.
Click to expand...
I tried it but it dont really work, it could be that I do something wrong.
Screenshot (2).png

When i test it this was shown, no qname-minimisation or IPv6, wether I have a conf with these parameters (do-ip6= yes,qname-minimisation: yes).

But when I use a Virtual Machine it works well, I dont know why. Maybe someone can explain it to me.
Screenshot (4).png


Here it works fine after installing unbound dnsutils qname minimisation works well. The other work also before I download unbound. But why?
( https://cmdns.dev.dns-oarc.net/ )

Many Thanks in advance
 
U

USer1245

New Around Here
rgnldo said:
I did the simulation with VirtualBox. To work do this:

Type the steps again, to hopefully get it right
1. Install Rasbian new
2. Install PiHole
3. Install unbound and ldnsutils and stop it
Code: 
apt-get install unbound ldnsutils
Code: 
service unbound stop
4. Creating the file
/etc/unbound.conf.d/pi-hole.conf
Code: 
server:
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: [email protected]
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
 
    root-hints: "/var/lib/unbound/root.hints"

    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1472

    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    serve-expired-ttl: 3600
 
    rrset-roundrobin: yes
    harden-algo-downgrade: yes
    hide-version: yes
    hide-identity: yes
    harden-below-nxdomain: yes

    num-threads: 1

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

5. PiHole configuration with unbound

View attachment 22019 View attachment 22020

6. Set on /etc/dnsmas.d/01-pihole.conf
Code: 
cache-size=0
7. start unbound
Code: 
service unbound start
8. Reboot

Work fine:

View attachment 22024

View attachment 22022

Code: 
%  dig +short txt qnamemintest.internet.nl

a.b.qnamemin-test.internet.nl.

"HOORAY - QNAME minimisation is enabled on your resolver :)!"
Click to expand...

Works fine. Thank you for help.
 
heysoundude

heysoundude

Very Senior Member
This may be germane or off-topic, but something tells me this topic/thread is the place to put it.
From Hurricane Electric's Tunnelbroker service:

[February 10, 2020]
The public recursors at 74.82.42.42 / 2001:470:20::2 / ordns.he.net now also support DNS over TLS (DoT) and DNS over HTTPS (DoH) for those who wish to use those interfaces.

Maybe it'll help someone, maybe I just added some noise to the discussion <shrugs>

Wash your hands!
 
Chris0815

Chris0815

Regular Contributor
Hey,
this is my first post so I take the chance to say thank you to all of you that this forum exits!
During the last weeks I have spent tons of hours reading interesting stuff here - my wife does not understand why I do so, but I learned a lot of things I really was not aware of before. So thanks again...!

I began using unbound configured as recursive server (not forwarding). And I use VPN by NordVPN configured as Client-VPN on the router without accepting DNS from NordVPN, so unbound is doing the job. DNS-leak-test shows a NordVPN IP and my WAN IP for DNS, so it seems to work so far.
So my IP is hidden, but sites still can extract my DNS-IP, and that is directly linked to my ISP. DNS over unbound is not encrypted. So am I right that this DNS traffic can be monitored by my ISP?
Would it be possible that unbound does not communicate with the name servers over WAN, but over VPN - so that my ISP is not able to see anything?
I tried to ad "outgoing-interface: 10.8.1.32" in the config of unbound. This IP is the client IP of the VPN connection of NordVPN on the router. DNS resolving still works with this setup, but is this the right way to send DNS traffic over the VPN? Is it really doing as I expect? Or should I see NordVPN IP for DNS? I still see my on WAN IP during DNS-leak-test...
Every time I reconnect to NordVPN (i.e router reboot), the VPN-Client IP given by NordVPN changes, so I have to change unbound config file each time. Is there any other possibility to send DNS-traffic over VPN to hide from ISP?
 
rgnldo

rgnldo

Very Senior Member
Chris0815 said:
Hey,
this is my first post so I take the chance to say thank you to all of you that this forum exits!
During the last weeks I have spent tons of hours reading interesting stuff here - my wife does not understand why I do so, but I learned a lot of things I really was not aware of before. So thanks again...!

I began using unbound configured as recursive server (not forwarding). And I use VPN by NordVPN configured as Client-VPN on the router without accepting DNS from NordVPN, so unbound is doing the job. DNS-leak-test shows a NordVPN IP and my WAN IP for DNS, so it seems to work so far.
So my IP is hidden, but sites still can extract my DNS-IP, and that is directly linked to my ISP. DNS over unbound is not encrypted. So am I right that this DNS traffic can be monitored by my ISP?
Would it be possible that unbound does not communicate with the name servers over WAN, but over VPN - so that my ISP is not able to see anything?
I tried to ad "outgoing-interface: 10.8.1.32" in the config of unbound. This IP is the client IP of the VPN connection of NordVPN on the router. DNS resolving still works with this setup, but is this the right way to send DNS traffic over the VPN? Is it really doing as I expect? Or should I see NordVPN IP for DNS? I still see my on WAN IP during DNS-leak-test...
Every time I reconnect to NordVPN (i.e router reboot), the VPN-Client IP given by NordVPN changes, so I have to change unbound config file each time. Is there any other possibility to send DNS-traffic over VPN to hide from ISP?
Click to expand...
What environment are you referring to? Is it an Asus router with Merlin firmware?
 
dave14305

dave14305

Part of the Furniture
Chris0815 said:
Every time I reconnect to NordVPN (i.e router reboot), the VPN-Client IP given by NordVPN changes, so I have to change unbound config file each time.
Click to expand...
You can probably use a script to replace the outgoing-interface: line in the unbound.conf when it changes. A VPN guru could tell you how to do it (which user script).
 
rgnldo

rgnldo

Very Senior Member
Chris0815 said:
Sorry for missing that I missed that information - Yes, its an AC86U running Merlin 384.15
Click to expand...
From the experiences I have with VPN and unbound services, there are two options for the interaction between the two services.
The first with assigning NordVPN's IP to the outgoing-interface option, suggested by Dave14305:
The other option is a forward-zone, insert NordVPN's IP.
 
S

SomeWhereOverTheRainBow

Very Senior Member
Chris0815 said:
Hey,
this is my first post so I take the chance to say thank you to all of you that this forum exits!
During the last weeks I have spent tons of hours reading interesting stuff here - my wife does not understand why I do so, but I learned a lot of things I really was not aware of before. So thanks again...!

I began using unbound configured as recursive server (not forwarding). And I use VPN by NordVPN configured as Client-VPN on the router without accepting DNS from NordVPN, so unbound is doing the job. DNS-leak-test shows a NordVPN IP and my WAN IP for DNS, so it seems to work so far.
So my IP is hidden, but sites still can extract my DNS-IP, and that is directly linked to my ISP. DNS over unbound is not encrypted. So am I right that this DNS traffic can be monitored by my ISP?
Would it be possible that unbound does not communicate with the name servers over WAN, but over VPN - so that my ISP is not able to see anything?
I tried to ad "outgoing-interface: 10.8.1.32" in the config of unbound. This IP is the client IP of the VPN connection of NordVPN on the router. DNS resolving still works with this setup, but is this the right way to send DNS traffic over the VPN? Is it really doing as I expect? Or should I see NordVPN IP for DNS? I still see my on WAN IP during DNS-leak-test...
Every time I reconnect to NordVPN (i.e router reboot), the VPN-Client IP given by NordVPN changes, so I have to change unbound config file each time. Is there any other possibility to send DNS-traffic over VPN to hide from ISP?
Click to expand...
Your DNS traffic is in plain-text, but your traffic is not making contact to any major players such as your ISP's dns-servers or public servers, so all your queries are made to root-servers where the information is fresh. only the root servers will see you. unless your ISP starts sniffing your traffic, they are not going to really see what you are doing as you are going straight to the root servers and skipping the middleman servers(i.e. cloudflare, ISP-dns, quad9,google).
 
S

SomeWhereOverTheRainBow

Very Senior Member
USer1245 said:
I tried it but it dont really work, it could be that I do something wrong.
View attachment 21998
When i test it this was shown, no qname-minimisation or IPv6, wether I have a conf with these parameters (do-ip6= yes,qname-minimisation: yes).

But when I use a Virtual Machine it works well, I dont know why. Maybe someone can explain it to me.
View attachment 21999

Here it works fine after installing unbound dnsutils qname minimisation works well. The other work also before I download unbound. But why?
( https://cmdns.dev.dns-oarc.net/ )

Many Thanks in advance
Click to expand...
Here is mine
upload_2020-4-1_21-16-47.png

upload_2020-4-1_21-18-13.png
 
dave14305

dave14305

Part of the Furniture
Ubimo said:
I turned off IPv6 in my router.
So this is normal then? Nothing to worry?
Click to expand...
If you are using Unbound configured per the "SNB standards" you should have QNAME minimization enabled. Are you sure this test was run using Unbound as your DNS server?
 
Mutzli

Mutzli

Very Senior Member
dave14305 said:
If you are using Unbound configured per the "SNB standards" you should have QNAME minimization enabled. Are you sure this test was run using Unbound as your DNS server?
Click to expand...
I also get a C on that test with unbound enabled and I do have QNAME minimization enabled.
 
Mutzli

Mutzli

Very Senior Member
I only have the following options active under gentle on recursion:
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

should I add what you have in this list?
 
S

SomeWhereOverTheRainBow

Very Senior Member
Mutzli said:
I only have the following options active under gentle on recursion:
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

should I add what you have in this list?
Click to expand...
You can try it to see if it makes a difference , but if it doesn't then it is probably associated with capabilities associated with your isp.
 
Mutzli

Mutzli

Very Senior Member
SomeWhereOverTheRainBow said:
You can try it to see if it makes a difference , but if it doesn't then it is probably associated with capabilities associated with your isp.
Click to expand...
Made no difference, ISP must be the cause.
upload_2020-4-2_14-4-6.png

Is there a way to run unbound with the DoT enabled, that might help to mitigate these resolver leaks. I saw in the config file that there are parameters for this. Is there an explanation on how to enable this?
 
Status
Not open for further replies.
Similar threads
Thread starter Title Forum Replies Date
S Pi-Hole or Diversion or Unbound? Asuswrt-Merlin 12
M Unbound and client latency question Asuswrt-Merlin 5
J unbound/entware keeps breaking and corrupting new usb disks on RT-AC86U Asuswrt-Merlin 11
kernol Unbound : Security vulnerability ??? Asuswrt-Merlin 18
New2This Pi-Hole and running Unbound Asuswrt-Merlin 16
Yanik unbound vs VPN DNS Asuswrt-Merlin 3
M How to do Split DNS with Unbound – sort of Asuswrt-Merlin 12
gspannu What are you running? DNSCrypt or Unbound? Asuswrt-Merlin 14
R Unbound wrecked after entware update Asuswrt-Merlin 5
O OpenVPN recursive routing detecting Asuswrt-Merlin 3

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 459 (members: 31, guests: 428)
Top