Unbound DNS resolver

zombo

Hello to all.

First a bit of background info. My router is a Linksys WRT1900ACS v2 running OpenWrt firmware. I have one tower PC connected via one of my available Ethernet ports. My PC is running the latest, most up-to-date Linux Mint 20.1 (based on Ubuntu 20.04). I guess you could say I have a small network. The only other devices in my home are 3 laptops and 2 cell phones. It's rare that they are all connected to the network at the same time because they are in and out of here, as I'm sure is the case in most homes.

Sorry, this is my first post so I hope this question is in the proper forum. I have been using unbound on my PC for a month or 2 now and I am pleased with the results. Actually, I installed pihole with unbound so I could have ad blocking and DNS resolution together. So I have 2 questions. First, would it be better to install pihole/unbound on my openwrt linksys router or leave it as is on my tower pc?

Second question, which I am very interested to learn about: is it possible to somehow configure unbound to resolve my dynamic IP address? I only have a residential account, not a business account, so my IP is dynamic. It does not change very often, mostly only on power down, but it would be nice to know that on the rare occasions it does change, I could have unbound configured to resolve it so that I would not need to use an outside source such as DynDNS or No-IP. Thank you all.
 
Hi,

could you elaborate why you're using unbound? I want to know a bit more about your setup to see if I am able to help.
I wouldn't use unbound/bind9 for a "simple" DNS task. But maybe you have a good reason for that, so I would like to hear :)

Regarding resolving your dynamic ip:
Are you trying to make your unbound accessible from outside (internet)?

In general there are a lot of ways in the Unix universe :D but it depends on your skill and, most important: WHAT is your goal?
 
Hi airgap,

Thank you for replying. Why am I using unbound? Well, I wanted more control LOL. I read that instead of relying on Cloudflare, Google, etc., I could install unbound as a recursive, caching and to some extent an authoritative resolver. One of the blogs I read said that eventually, after using unbound for a while, you can just use unbound and stop using outside sources. As I was reading on how to install unbound I noticed many sources recommending installing pihole with unbound for local network-wide ad blocking. I really liked that idea so I installed them both, and pihole seems to work great (no ads) and unbound seems to work great too. When I do a web search it seems to get faster the more I use it. Originally I was under the impression that unbound would also resolve my dynamic IP so that I could access my Linux machine from anywhere via the internet.

If it were just for my own private use, I could just access my PC through TeamViewer or some comparable program, but I have hopes of being able to host a public instance of Searx for just my family members to be able to access and do web searches. I'm not thinking of trying to advertise it to the general public because my upload speed probably would not support a large number of people.

Also, I'm very particular about using outside services. I would rather be able to host my own web server on my own hardware instead of relying on DigitalOcean or some other virtual private server host. I would rather implement my own DNS resolver than use Cloudflare and, if possible, I would rather resolve my dynamic IP without having to rely on Mythic Beasts or FreeDNS.

Lastly, I'm not extremely skilled in the world of Linux and the terminal but am eager to learn. I made the switch from Windows to Linux Mint over the last couple of years and I have not regretted it. Even though I'm not an expert in the terminal, I have been able to do anything I've tried through online tutorials, and for nearly all questions/problems I have encountered, someone has already asked about it on Ask Ubuntu, Stack Exchange, Super User, etc.

Thank you airgap
 
Hi zombo,

thank you for the comprehensive explanation.

Correct me if I am wrong, but it seems that you just use unbound for your internal network name resolving, which means that only clients within your network have the ability to ask your DNS for name resolving. Is this correct? If so, that might be overkill for a small family network at home. dnsmasq (on a Raspberry Pi) would satisfy your needs anyway. Hell, even /etc/hosts would do it :D hahahahaha but OK, I will stick to your setup and try my best to help.

I don't know how good and deep your knowledge about networking is, but let me explain some fundamentals in a very short and simplified way.
If you would like to dig deeper, learn more about routing and switching and all the necessary fundamentals of the protocols used; that is fun for many months / years.

You (to be exact, your connected modem) will get an IP from your ISP, which helps any packet from the internet reach you if it's destined for you.
A domain name is not something which you automatically receive; you can buy it from your ISP or some domain registrar organization.
So your domain must be propagated to the internet by someone, right? And it's not you! Because you are not an authority for that; otherwise the internet would be flooded with all kinds of domains from anybody without paying a cent for it. Could you imagine that? What sounds great at first would end up in a total mess in the end.

So do you have your own domain name? And if so, is it hosted by your ISP or a 3rd-party hoster?

But besides all that, you can write a script which runs with cron at a specific scheduled time and asks a 3rd-party tool website for your actual IP address. With that information you are now able to do a lot of stuff, if you like or whatever is needed. The script could be a very stupid simple basic shell script. Almost a one-liner command.

If you need help for a script let me know.
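An added example of the cron-driven check airgap describes above (not code from the thread or from any poster): it asks an external echo service for the public IPv4 address, refuses anything that is not a valid address, and only calls an update hook when the address really changed. The state/log paths, the ipify lookup service and the placeholder update hook are assumptions.

```shell
#!/bin/sh
# ipwatch.sh: cron job that asks a third-party "what is my IP" service for the
# current public IPv4 address and notices when it changes (airgap's approach).
# Paths, the lookup service and the update hook are assumptions, not from the thread.
STATE_FILE="${STATE_FILE:-/var/lib/ipwatch/current_ip}"   # last address seen
LOG_FILE="${LOG_FILE:-/var/log/ipwatch.log}"              # change history

# Any echo service returning the bare address works; ipify is one example.
lookup_public_ip() {
    curl -fsS --max-time 10 https://api.ipify.org
}

# Accept only a valid dotted quad, so an outage, captive portal or HTML error
# page is never recorded as an "IP change".
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Placeholder hook (assumption): put the update call of the DDNS provider or
# registrar hosting your domain here.
update_ddns() {
    echo "would update the DNS record to $1"
}

# check_ip ADDRESS: compare with the stored address; persist and log a change.
# Prints one of: changed, same, invalid.
check_ip() {
    new="$1"
    is_ipv4 "$new" || { echo invalid; return 1; }
    old=""
    [ -f "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
    if [ "$new" = "$old" ]; then
        echo same
        return 0
    fi
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$new" > "$STATE_FILE"
    printf '%s old=%s new=%s\n' "$(date -u +%FT%TZ)" "${old:-none}" "$new" >> "$LOG_FILE"
    echo changed
}
main() {
    ip=$(lookup_public_ip) || { echo "public IP lookup failed" >&2; exit 1; }
    if [ "$(check_ip "$ip")" = changed ]; then update_ddns "$ip"; fi
}

# Only act when invoked as "ipwatch.sh run", e.g. crontab: */15 * * * * /usr/local/bin/ipwatch.sh run
case "${1:-}" in run) main ;; esac
```

Because the lookup result is validated before anything is written, a broken lookup cannot overwrite the stored address or trigger an update.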
 
@airgap, thank you for the fast reply and guidance. Yes, I am only using unbound on my small home network. Nobody on the internet can ask my DNS for name resolving. LOL, so you can see my inexperience with things like these. I thought that by using unbound it would not be necessary for me to use Cloudflare or some other DNS that I have no control over. When I installed pihole/unbound one of my sources was a tech guy on YouTube and he explained it like this: "When you ask Google, for example, for name resolution it's like sneaky little b-----ds peeping over your shoulder and constantly prying into your business, but when you use unbound you eliminate them from the mix."

I guess Linux, pihole, unbound, searx, etc., is just my way of attempting to have some measure of control. Honestly, I've always enjoyed finding alternate ways to do things. Instead of taking the easy way: the gift that's already wrapped and makes it convenient for you to browse the internet usually comes with plenty of things you may not want. For instance, Windows 10 and telemetry.

Oh, and yes, I have my own domain name. Leased it from gandi.net. As I was reading on the OpenWrt forums I noticed a lot of members talking about cron jobs. I have not researched it yet, though, but now that you mention it, it sounds like exactly what I need. I guess it's better to run the script on my OpenWrt? Or my Linux Mint?

Also, one other thing: I found this while researching Searx: https://github.com/searx/searx-docker. According to their readme you can create a new searx instance in 5 minutes with Docker. I followed the steps and the installation went well. You can watch as it's starting up in the terminal and there were no errors. Only problem was, I guess I was supposed to edit the env file, but I did not know what I was supposed to change in it. I suppose I needed to enter my IP address. Even though the installation went well, I could not access my Docker searx instance on the web. Again, thank you airgap
 
OK, now I fully understand what you are trying to achieve, and I can tell you that you're fighting a fight which you can't win in the long run. But this would be off-topic and political, and this is a forum for technical stuff; I would need to write pages like an essay to explain it. But of course you can (and should) try to make your digital footprint as small as possible if you are a privacy-concerned user.

I never heard of or used "searx" so I can't say anything about it, but if you stick exactly to the installation guide it should normally work. Maybe I will try it one day, but I don't use Docker; I will install it the normal way. I am sorry, but I can't help with Docker-related stuff.

But why are you giving yourself such a hard time and "wasting" precious lifetime on such a complicated way? And remember, you have to maintain it all the time. If there is an update which breaks your config you have to troubleshoot etc. all the time. Using Pi-hole is a very good choice for ad blocking, and if you ask me you could just use OpenDNS for name resolving and other search engines like DuckDuckGo, Qwant etc. instead of creating your own nameserver.

If you really are privacy concerned then you should install your own mail server instead of using 3rd-party mail providers, right? Are you using your own mail server?

Another approach without setting up your own DNS: you could improve your privacy by using dnsCrypt or dns-over-https in your client's browser and maybe combine it all with a good VPN. But don't think that free VPN providers are willing to protect you correctly for free. Someone has to pay for those servers, right? Yeah, and that's you! In one way or another you have to pay for that, and it might be your data for selling or meta-data for ads. So at least pay with real money for a good VPN provider which has solid protection settings. But please don't think that you're invisible or stealthy on the internet; it helps to minimize your footprint to the smallest possible degree.

But if you want all this to work, then you should have a system which is always on and active, or at least when you are online and need it. For your task and setup, use another computer or small mini computer (like a Raspberry Pi) which you can use as a server (DNS, searx, Pi-hole, bla bla bla) instead of your own computer, and which is connected to your router and has a static IP on your local network. You can of course install scripts directly on your router, but I would recommend you do it first on a computer to improve your overall skills and knowledge. Please learn to protect your server if you want to make it accessible from the outer world, no matter what service.
 
So I have 2 questions. First, would it be better to install pihole/unbound on my openwrt linksys router or leave it as is on my tower pc?

The Unbound package is available for OpenWRT, but not Pi-hole. Better to run both on a dedicated Raspberry Pi.

is it possible to somehow configure unbound to resolve my dynamic IP address?

No, Unbound is a DNS resolver/forwarder for your LAN. You have to use a DDNS service to track your external IP changes.

One of the blogs I read said that eventually, after using unbound for a while, you can just use unbound and stop using outside sources.

No. You can use Unbound as a Resolver; it needs access to root DNS servers. You can use it as a Forwarder; it needs access to public DNS servers. Over time most of your queries will be cached. The advantage of a Resolver is in spreading your DNS queries over many servers, so no single one has your entire query history. Unbound can be configured to use DNS-over-TLS to root DNS servers as extra security. You can do ad-blocking directly with Unbound, but Pi-hole has a nicer UI with statistics and can be used as a DHCP server for your LAN. Everything you need to know is available in the Unbound and Pi-hole documentation.
 
and remember you have to maintain it all the time

No maintenance required. Unbound is basically a set-and-forget solution. Root DNS servers never go down. Initial queries are slower than with public DNS servers, but once cached they are lightning fast. Overall user experience with an Unbound Resolver is better compared to a dnsmasq Forwarder. This is the reason many folks around here run Unbound on Asuswrt-Merlin supported routers.

You could improve your privacy by using dnsCrypt or dns-over-https in your clients browser

Not good advice. You lose the ability to filter/control DNS queries.
 
If there are patches/updates you have to do maintenance and check if everything works. Even if my sentence "maintain it all the time" might be exaggerated, you have to work on it from time to time and of course if needed for troubleshooting, e.g. if a client can't access the internet. And no, the reason why unbound is being used on routers is its small memory usage. Even on bigger levels like companies, some use unbound because it is fast and consumes less memory. If you would try to set up BIND9 on a small home router it would be overkill, and if you read my entire post you should get that I was referring to installing Pi-hole and unbound not on a router but instead on a small computer.

And your statement about my "not good advice" regarding filter/control of DNS queries: as far as I read and understand zombo, he just wants to protect his privacy from Google (and maybe others) regarding name resolving queries and "searching". So just to spare him a lot of headache and prevent "wasting" lifetime, I advised (and still do for regular users) to set dns-over-https in his client for openDNS, and moreover he can use openDNS as a NS in general with dnsCrypt, and for search just use other search engines, and if he wants to get rid of the stupid ads he can use Pi-hole, and overall use a good paid(!!!) VPN provider. That's all. This is imho very good advice for "normal" users who care about privacy.

There are always ways to implement and combine tools with one another, but sometimes it's easier and sometimes it's a pain in the nose :D

There is nothing wrong with using unbound, don't get me wrong, but I spent a lot of precious time of my life with all that, and I came to the conclusion that there are some other ways which might not be the best/perfect way but are at least less time consuming and less of a headache to do what I want to do. That's all.

In general though I agree with you.
 
If there are patches/updates you have to do maintenance and check if everything works.

No different than any new firmware/software update. Applies to all devices on the network, not specific to Unbound.

And no, the reason why unbound is being used on routers is its small memory usage.

Asuswrt uses dnsmasq. Asuswrt-Merlin users install Unbound on top, not because of the memory footprint. More details here.

dns-over-https in his client for openDNS; use a good paid(!!!) VPN provider

Now Cisco has his browsing history instead of Google or someone else. Why is OpenDNS offering free services? The only good VPN is when you control both ends of the tunnel. Otherwise you have to trust and pay someone registered in Panama or the British Virgin Islands. DoH and VPN may result in shooting yourself in the foot. It will drill through blockers and firewalls, making them useless. It's a sysadmin nightmare in corporate networks; same for home users.
 
@Tech9 and @airgap, thank you both for your guidance. You gave me so much advice, some of which I will need to study more to fully understand, but basically I realize that we can never be truly invisible with our presence on the internet. So as airgap pointed out previously, the best we can hope for is to make our footprint as small as possible, and I am always attempting to do that.

For instance, although 90% of my family cares nothing for privacy nor security, I started rooting my phones years ago, and with my latest phone, although it's an Android (basically Google), my phone is 100% Google free. Just like my Linux OS, I only use open source software.

As far as search engines are concerned, I only recently started using Searx when I learned you can get Google, Yahoo and any other major search provider results without them knowing who is requesting.

So basically I know I will need to compromise some; for instance, I may have to query a DDNS provider, but if I can host my own web server, run my own recursive DNS (which will still have to query Cloudflare, etc.) and host my own search engine, at least that's something.

So guys, I have a domain name, so if I were going to use the searx Docker method or Apache/nginx, how do I point it to my domain name? The searx documentation is thorough but not detailed enough for me to get it working. I easily set up my own private instance, but the public one was harder and I have failed so far.
 
You only limit yourself, @zombo. There is always someone who knows what you search for, what sites you access and what your physical location is with accuracy in meters. The more complex your system is, the more failure points and maintenance. Even simple Pi-hole may turn into a pain for your family. All your "privacy" measures will turn into family members' complaints sooner or later.
 
Yessir I guess you are right. I just don't like making it easy for those who wish to gather information about my family and myself. I would rather make them have to work for it.
 
Post again when your wife reduces significantly your bedroom footprint and you are forced to do some things in privacy.
 