Unbound - Authoritative Recursive Caching DNS Server

As an FYI for the gang, I set up my VPN natively and disabled the DNS service (allowing Unbound to still act as my resolver).

Speed went down by an order of magnitude....(I have 500Mbit, speed topping out at 50ish on the lone device I configured for the tunnel)......

iPad using the VPN app stays closer to full bandwidth.....

Has anybody else configured this way seen the same reduction? (knowing full well a reduction is expected....Express is my service)
 
@SuperDuke that is within the expected VPN speeds of your router (and its 1.4GHz dual-core CPU).

If you had an RT-AC86U or RT-AX88U then you would be seeing closer to 250Mbps over the VPN (note the dual/quad-core 1.8GHz CPUs are not the reason for the speed increase; it is the built-in hardware accelerator those models have instead). :)
 
As an FYI for the gang, I set up my VPN natively and disabled the DNS service (allowing Unbound to still act as my resolver).

Speed went down by an order of magnitude....(I have 500Mbit, speed topping out at 50ish on the lone device I configured for the tunnel)......

iPad using the VPN app stays closer to full bandwidth.....

Has anybody else configured this way seen the same reduction? (knowing full well a reduction is expected....Express is my service)
As a rule of thumb, when you enable VPN, your DNS resolver is your VPN service.
 
@SuperDuke that is within the expected VPN speeds of your router (and its 1.4GHz dual-core CPU).

If you had an RT-AC86U or RT-AX88U then you would be seeing closer to 250Mbps over the VPN (note the dual/quad-core 1.8GHz CPUs are not the reason for the speed increase; it is the built-in hardware accelerator those models have instead). :)

Thanks @L&LD
 
Hello,
I am not really an advanced user but would like to have more privacy. Recently I installed Unbound using these instructions: https://docs.pi-hole.net/guides/unbound/. But some privacy settings are missing.
Can someone maybe give me perfect settings with the Pi-hole instructions? I read some of the posts but don't really know what to write in the .conf when I used the preconfigured one from Pi-hole. @rgnldo
 
Hello,
I am not really an advanced user but would like to have more privacy. Recently I installed Unbound using these instructions: https://docs.pi-hole.net/guides/unbound/. But some privacy settings are missing.
Can someone maybe give me perfect settings with the Pi-hole instructions? I read some of the posts but don't really know what to write in the .conf when I used the preconfigured one from Pi-hole. @rgnldo
Look closely at the initial post of this thread. Follow the steps and preferably use only the Unbound native adblock. My post requires some knowledge of Linux. There is a script that automates the installation process, recommended for you. The link and other support guidelines can also be found in the initial post.
 
Hi all.....I was picking around on a testing website and it made mention of some added benefit from restricting address case (either upper or lower but not mixed)

I went to the calomel website and apparently it's inherent....any thoughts on benefit?

Code:
    # Use 0x20-encoded random bits in the query to foil spoof attempts.
    # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
    # While upper and lower case letters are allowed in domain names, no significance
    # is attached to the case. That is, two names with the same spelling but
    # different case are to be treated as if identical. This means calomel.org is the
    # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
    use-caps-for-id: yes
 
use-caps-for-id: yes
I do not recommend this option for a configuration with DNSSEC; it may result in false positives. With the DoT option configured, without DNSSEC, yes, you can activate it. This option will activate the Unbound police option against false domain traps.
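
The 0x20 mechanism behind `use-caps-for-id`, as an added example (not code from the thread or from Unbound): the resolver randomises letter case in the query name and only accepts a reply that echoes it exactly. The function names are hypothetical and the sample replies are constructed; a case mismatch can come from a blind spoof or from a server that does not preserve case, which is one way a legitimate answer fails the check.

```python
import secrets


def encode_0x20(qname, coin=lambda: secrets.randbits(1)):
    """Flip the case of each ASCII letter whenever coin() returns 1."""
    return "".join(
        ch.swapcase() if ch.isascii() and ch.isalpha() and coin() else ch
        for ch in qname
    )


def added_entropy_bits(qname):
    """One random bit per ASCII letter, on top of the 16-bit query ID."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def check_response(sent_qname, echoed_qname):
    """Classify the question name echoed back in a reply.

    wrong-name    : not the name we asked for at all
    case-mismatch : right name, wrong case pattern (spoof guess, or a
                    server that normalises case before answering)
    accept        : byte-for-byte echo of what was sent
    """
    if sent_qname.lower() != echoed_qname.lower():
        return "wrong-name"
    if sent_qname != echoed_qname:
        return "case-mismatch"
    return "accept"


if __name__ == "__main__":
    sent = encode_0x20("calomel.org")
    print("query sent as:", sent, "| extra bits:", added_entropy_bits(sent))
    # Constructed replies: an honest echo, a case-normalised echo, another name.
    for label, echoed in [
        ("honest server", sent),
        ("lower-cased echo", sent.lower()),
        ("unrelated name", "example.net"),
    ]:
        print(f"{label:18} -> {check_response(sent, echoed)}")
```
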
 
Apparently Unbound wants an IPv6 address for its IPv6 queries to the stub-zone. Since IPv6 is not always working I solved that using the local interface. Anyone interested in IPv6 can test.

Code:
    stub-zone:
        name: 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
        stub-addr: 127.0.0.1@53535
 
Apparently Unbound wants an IPv6 address for its IPv6 queries to the stub-zone. Since IPv6 is not always working I solved that using the local interface. Anyone interested in IPv6 can test.

Code:
    stub-zone:
        name: 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
        stub-addr: 127.0.0.1@53535
Will this reverse .arpa work for any IPv6 or is it specific to your IPv6 block? @rgnldo
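
An `ip6.arpa` zone name is an address prefix written as reversed hex nibbles, so decoding it shows exactly which addresses the stub-zone covers. The sketch below is an added example, not code from the thread; the function names are hypothetical and the test addresses are constructed.

```python
import ipaddress


def zone_to_prefix(zone):
    """Decode an ip6.arpa zone name into the IPv6 prefix it covers."""
    labels = zone.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not an ip6.arpa name")
    nibbles = "".join(reversed(labels[:-2]))   # most significant nibble first
    padded = nibbles.ljust(32, "0")             # fill host part with zeros
    addr = ":".join(padded[i:i + 4] for i in range(0, 32, 4))
    return ipaddress.IPv6Network(f"{addr}/{len(nibbles) * 4}")


def prefix_to_zone(prefix):
    """Build the ip6.arpa zone name for a nibble-aligned IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must fall on a nibble boundary")
    hexdigits = net.network_address.exploded.replace(":", "")
    nibbles = hexdigits[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def covered_by(zone, address):
    """True if a PTR lookup for `address` would fall inside `zone`."""
    return ipaddress.IPv6Address(address) in zone_to_prefix(zone)


if __name__ == "__main__":
    zone = "0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."   # from the post
    print(zone, "covers", zone_to_prefix(zone))
    # Constructed test addresses: one inside the /64, one in a different /64.
    for addr in ("2001:db8::53", "2001:db8:0:1::53"):
        print(addr, "in zone:", covered_by(zone, addr))
```

The name in the post decodes to `2001:db8::/64`, which lies inside the IPv6 documentation range `2001:db8::/32`; reverse lookups for any other prefix are not matched by this stub-zone.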
 
Calling all IPv6 Users
First off, I wanted to provide IPv6 users with some feedback on DNS64 options

Wanted to provide you with a little feedback about a feature implemented for IPv6 inside the unbound.conf for the unbound manager script:

Code:
    #module-config: "dns64 validator iterator"      # v1.03 v1.01 perform a query against AAAA record exists
    #dns64-prefix: 64:FF9B::/96                     # v1.03 v1.01
I noticed with this feature enabled several devices on my network stopped being able to resolve anything. Naturally my network tends to pull from IPv6 before IPv4, so what was happening was, say for example, my Alexa or my network camera would dial out to the cloud as these devices usually do, and the AAAA traffic via PTR was getting hit with a null/blocked response. This caused the devices to halt all name-resolution efforts and in effect not respond properly. Note: once I removed these lines from the .conf and restarted Unbound, the issue in its entirety went away.

With this In Mind

Should dns64 options be removed?
 
AAAA traffic via PTR
This module was created to correct this problem, which in general is generated by the poor infrastructure provided by some ISPs. This module is not mandatory. For my reality, it is necessary. Yes, not all ISPs have the correct infrastructure with IPV6.
Most likely, your ISP will provide edge correction.
With this In Mind

Should dns64 options be removed?
As you have knowledge in networks, you should check if there is a need for the module. From what I notice, there is no need.
 
Look closely at the initial post of this thread. Follow the steps and preferably use only the Unbound native adblock. My post requires some knowledge of Linux. There is a script that automates the installation process, recommended for you. The link and other support guidelines can also be found in the initial post.

I tried it. The only thing is, how can I add the Entware-NG repository on my Raspberry Pi? I don't find any helpful things on the internet. I use Pi-hole and OpenVPN at the moment. The script installer doesn't work either, maybe you can help me.
 