Unbound unbound/WAN settings

BeachGuy

Regular Contributor
I used to have Cloudflare set in WAN DNS Setting along with DNS over TLS. But now I installed "unbound" thinking I'd rather have local DNS and it had me disable some settings. I'm not sure how to configure WAN now, do I just set it to ISP? When I try to enter Cloudflare or any other it just defaults to ISP. How do I test if router is using unbound? I've tried "Advanced Settings" ("unbound_manager advanced") but there is no DoT option? BTW, I also have Diversion (excellent) and Skynet (excellent) so I disabled ad-blocking in unbound. I also installed the GUI but most of it is blank, the only thing showing is below. Also, on the help tab it redirects to 404.
Router is using ISP for DNS as noted on Internet Status page and no DNS Privacy.
DNS (Spectrum)
209.18.47.61
209.18.47.62

DNS Director is enabled - anything configured there to something other than No Redirection or Router will bypass DNS Privacy servers.


Standard Statistics
--------------------------------------------------------

Number of DNS queries: 3239
Number of queries that were successfully answered using cache lookup (ie. cache hit): 2576
Number of queries that needed recursive lookup (ie. cache miss): 663
Number of queries dropped because request list was full: 0
Average number of requests in list for recursive processing: 1.50717

Extended Statistics
--------------------------------------------------------

RRset cache usage in bytes: 1838618
Message cache usage in bytes: 908286

Adblock Statistics
--------------------------------------------------------
Number of adblocked (ads/malware/tracker) and blacklisted hosts: 168790
Last updated: Tue Mar 5 08:57:18 2024

Cache hit success percent: 79.53
 
But now I installed "unbound" thinking I'd rather have local DNS and it had me disable some settings.
You are now your own DNS resolver. If DNS Check Tools match your IP and DNS resolver IP, then Unbound is working. For the WAN setting you need to select any DNS server for when the router is booting up, etc. And I have NextDNS as DoT for fail-safe or when Unbound isn't running for some reason.

With the Unbound GUI, I have the same statistics. You can enable the rest if you like, for example
Code:
Top Reply Domains (click to expand/collapse) - requires log-replies enabled
which you can enable with

Code:
unbound_manager advanced
ox log-replies yes

 
Based on my limited understanding, please correct me if I'm wrong.

DNS settings: (screenshot)


Unbound is a DNS resolver that provides DNSSEC (DNS Security Extensions) support and is designed to be a secure and privacy-focused solution for DNS resolution. When you use Unbound locally on your router, it handles DNS requests directly and, in many cases, encrypts these requests by default.



DNS over TLS (DoT) is a separate protocol that adds an additional layer of encryption to DNS queries. It ensures that the communication between your device and the DNS resolver is encrypted, providing an extra level of privacy and security. However, when you are already using Unbound, which often includes its own encryption mechanisms, enabling DoT at the router level may be redundant.
 
which often includes its own encryption mechanisms

What encryption mechanisms does Unbound as a resolver use upstream to the root servers?
 
I've only installed the Unbound plugin without any additional configuration. Upon checking with https://dnscheck.tools/, the result shows: 'Great! Your DNS responses are authenticated with DNSSEC.' This indicates that DNS responses are successfully verified using DNSSEC, suggesting that the installed Unbound plugin provides the corresponding encryption protection.



Additionally, it is mentioned in the official documentation. To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit the amount of data exchanged with authoritative servers. These standards do not only improve privacy but also help making the DNS more robust.


Uncertain if this understanding is correct?
 
Unbound supports DNS-over-TLS and DNS-over-HTTPS

Only as Forwarder to upstream DNS servers with DoT/DoH support. Not as Resolver to root servers.

Unless something was changed recently:

Unbound as Forwarder does the same what built-in Dnsmasq does. Not many reasons to replace it.

verified using DNSSEC, suggesting that the installed Unbound plugin provides the corresponding encryption protection

Information on DNSSEC here:
 
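The post above draws the distinction that matters for BeachGuy's question: with the "Advanced Options" DoT setting, Unbound becomes a forwarder (every query goes to one upstream over TLS), and without it a recursive resolver (it walks from the root hints itself and validates DNSSEC with its own trust anchor). The same two shapes also answer the earlier "how do I test if the router is using unbound?": dnsmasq has to hand queries to Unbound's loopback listener rather than to the WAN servers. The script below is an added example, not code from this thread or from the unbound_manager project. It reads both config files and reports the resolution path; the sample configs embedded in it are constructed to show both Unbound modes. It assumes the unbound_manager defaults of a 127.0.0.1#53535 listener and an unbound.conf under /opt/var/lib/unbound/, and that a stock dnsmasq.conf reaches WAN DNS through a servers-file= line.

```shell
#!/bin/sh
# Added example, not code from the thread or from unbound_manager.
# Audits the resolution path on an Asus-Merlin router: does dnsmasq hand
# queries to Unbound, and is Unbound a recursive resolver (asks the root
# servers itself) or a forwarder (sends everything to one upstream, with
# or without DoT)?  Turning on DoT in "unbound_manager advanced" yields
# the forwarder shape, which is why it warns about losing the recursive
# resolver.
#
# Assumptions (not stated in the thread): Unbound listens on
# 127.0.0.1#53535, and stock dnsmasq.conf gets its WAN upstream from a
# servers-file= line (/tmp/resolv.dnsmasq).

UNBOUND_LISTEN="127.0.0.1#53535"

# dnsmasq_upstream FILE -> unbound | wan | mixed | none
# server= lines pointing at Unbound count as "unbound"; any other server=
# or a servers-file= line counts as a WAN upstream.
dnsmasq_upstream() {
    awk -v ub="$UNBOUND_LISTEN" -F= '
        /^[ \t]*#/           { next }
        $1 == "server"       { if ($2 == ub) u++; else w++ }
        $1 == "servers-file" { w++ }
        END {
            if (u && !w)      print "unbound"
            else if (w && !u) print "wan"
            else if (u && w)  print "mixed"
            else              print "none"
        }' "$1"
}

# unbound_mode FILE -> "resolver|forwarder-dot|forwarder-plain dnssec=yes|no"
# A forward-zone for "." with forward-addr makes Unbound a forwarder;
# forward-tls-upstream: yes in that zone makes it DoT.  auto-trust-anchor-file
# in server: means it validates DNSSEC itself.  Assumes name: precedes the
# forward-addr lines inside the zone, as unbound.conf examples do.
unbound_mode() {
    awk '
        /^[ \t]*#/              { next }
        /^forward-zone:[ \t]*$/ { inzone = 1; next }
        /^[a-z-]+:[ \t]*$/      { inzone = 0; next }   # server:, remote-control:, ...
        $1 == "auto-trust-anchor-file:" { dnssec = 1 }
        inzone && $1 == "name:" { gsub(/"/, "", $2); zname = $2 }
        inzone && zname == "." && $1 == "forward-addr:" { fwd = 1 }
        inzone && zname == "." && $1 == "forward-tls-upstream:" && $2 == "yes" { tls = 1 }
        END {
            if (!fwd)     mode = "resolver"
            else if (tls) mode = "forwarder-dot"
            else          mode = "forwarder-plain"
            printf "%s dnssec=%s\n", mode, (dnssec ? "yes" : "no")
        }' "$1"
}

# audit_path DNSMASQ_CONF UNBOUND_CONF -> one line describing the chain
audit_path() {
    d=$(dnsmasq_upstream "$1")
    case "$d" in
        unbound) echo "clients -> dnsmasq -> unbound ($(unbound_mode "$2"))" ;;
        wan)     echo "clients -> dnsmasq -> WAN/ISP DNS (unbound bypassed)" ;;
        mixed)   echo "clients -> dnsmasq -> unbound AND WAN DNS (dnsmasq will race them)" ;;
        *)       echo "clients -> dnsmasq -> no upstream configured" ;;
    esac
}

# Constructed sample configs (not copied from any router).
SAMPLES=$(mktemp -d)

cat > "$SAMPLES/dnsmasq.unbound.conf" <<'EOF'
# constructed: what unbound_manager's dnsmasq postconf is assumed to leave
no-resolv
server=127.0.0.1#53535
EOF

cat > "$SAMPLES/dnsmasq.wan.conf" <<'EOF'
# constructed: stock firmware, WAN DNS servers from the GUI
no-resolv
servers-file=/tmp/resolv.dnsmasq
EOF

cat > "$SAMPLES/unbound.resolver.conf" <<'EOF'
# constructed: recursive resolver, validates DNSSEC with its own anchor
server:
    interface: 127.0.0.1@53535
    root-hints: "/opt/var/lib/unbound/root.hints"
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
EOF

cat > "$SAMPLES/unbound.dot.conf" <<'EOF'
# constructed: same server, but every query forwarded to Cloudflare over DoT
server:
    interface: 127.0.0.1@53535
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF

audit_path "$SAMPLES/dnsmasq.unbound.conf" "$SAMPLES/unbound.resolver.conf"
audit_path "$SAMPLES/dnsmasq.unbound.conf" "$SAMPLES/unbound.dot.conf"
audit_path "$SAMPLES/dnsmasq.wan.conf"     "$SAMPLES/unbound.resolver.conf"
```

On the router itself the call is `audit_path /etc/dnsmasq.conf /opt/var/lib/unbound/unbound.conf`. A "wan" result while Unbound is running means dnsmasq never got the server=127.0.0.1#53535 line, which matches what the Internet Status page in the first post reports; the GUI message quoted there also notes that a DNS Director rule other than "No Redirection" or "Router" bypasses the chain entirely.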
When I went to "Advanced Options" I was going to enable DoT but unbound said "Warning: This will DISABLE being able to be your own trusted Recursive DNS Resolver". So I guess DoT is not supported along with recursive DNS resolver?
 
Only as Forwarder to upstream DNS servers with DoT/DoH support. Not as Resolver to root servers.

Unless something was changed recently:

Unbound as Forwarder does the same what built-in Dnsmasq does. Not many reasons to replace it.

Information on DNSSEC here:

You have answered a lot of my questions with good information. Do you use unbound? If not, why not and what DNS server do you use? Thanks
 
So I guess DoT is not supported along with recursive DNS resolver?

Correct.

Do you use unbound?

I do, but on my pfSense appliance. Unbound is the default DNS server in pfSense. I run it as resolver. Unbound uses different query masking techniques. DoT/DoH is not really necessary. It can be slower as well, depends on the upstream DNS server load, needs some local processing, etc. In my own experience Stubby sometimes has issues, less reliable. DNS encryption doesn't provide much "privacy". It's more about eventual MITM query manipulation. The ISP knows the IPs requested anyway.
 
If not, why

On an Asus AIO home router I would use the built-in Dnsmasq. Nothing else is needed. Unbound as resolver has pros and cons. Why do you run Unbound? 🤔
 
On the Asus AIO home router, Dnsmasq operates like a black box without built-in monitoring and visualization tools. However, in contrast, Unbound comes with plug-in charts that allow us to easily view relevant statistics on DNS resolution. This difference enhances the experience of using Unbound, providing a more comprehensive and intuitive insight. ;)

 
allow us to easily view relevant statistics on DNS resolution

Well, as I see most of your DNS resolutions are quite slow compared to Dnsmasq to upstream OpenDNS, Google, Cloudflare, etc. You can get constant low latency to enormous DNS cache without the need to build it up yourself and without running extra processes requiring USB external storage. You trade simplicity and performance for graphs, basically. I also see you monitor your connection, sort your logs, monitor your DNS blocker, monitor other traffic stats... how is all this helping you in your daily life?
 
Well, as I see most of your DNS resolutions are quite slow compared to Dnsmasq to upstream OpenDNS, Google, Cloudflare, etc.

I'm unable to discern how Dnsmasq compares in speed to upstream services like OpenDNS, Google, Cloudflare, etc. This is because it operates as a black box without any available reports on Asus AIO home router for comparing the differences between them. At least Unbound provides charts for better insights.

You can get constant low latency to enormous DNS cache without the need to build it up yourself and without running extra processes requiring USB external storage.

On my ASUS AIO home router, I've installed numerous plugins and the Unbound package. Almost no usage of the USB external storage's swap file indicates that all activities should be running in RAM. In actual browser usage, pages open within one second, providing a remarkably smooth experience. Additionally, there's a surprising 295MB allocated for caching, highlighting effective software optimization.




how is all this helping you in your daily life?

According to my speculation, query durations within the range of 0 microseconds to 1 microsecond may indicate local high-speed cache queries, while queries exceeding 1 millisecond are considered as the initial queries to upstream services like OpenDNS, Google, Cloudflare, etc. During routine checks, intervention and investigation are necessary only if the frequency of queries within 0 microseconds to 1 microsecond is noticeably lower than those exceeding 1 millisecond. This observation prompts further investigation to confirm the normal operation of the service.

for example:

Good: (chart)

NG: (chart)



The above is just my superficial understanding and speculation based on the charts. Please feel free to correct me if my interpretation is inaccurate.
 
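The post above infers cache hits from the timing histogram (sub-microsecond buckets versus anything over a millisecond). Unbound's log-replies output, the same setting the GUI's "Top Reply Domains" panel needs, records that distinction explicitly: each reply line ends with the resolve time in seconds, a from-cache flag (1 for a cache hit, 0 for a recursive lookup) and the response size, so cached and recursive answers can be counted rather than guessed, and slow recursive lookups can be listed by name. The script below is an added example, not code from this thread or from the unbound_manager project. Its log lines are constructed in the standard log-replies format; the log path it mentions is an assumption about a default unbound_manager install.

```shell
#!/bin/sh
# Added example, not code from the thread or from unbound_manager.
# Parses Unbound log-replies lines and counts cached vs. recursive
# answers directly instead of guessing from the timing histogram.
# Every reply line ends with eight fields:
#   client qname qtype qclass rcode seconds.micros from_cache size
# from_cache is 1 for a cache hit, 0 for a recursive lookup.  Whatever
# precedes those fields (syslog timestamp, "unbound[pid:tid] info:" or
# "reply:" when log-tag-queryreply is on) is ignored by counting from the
# end of the line.

# Constructed sample log.  A real file is wherever unbound.conf's logfile:
# points, assumed /opt/var/lib/unbound/unbound.log for unbound_manager.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar  5 08:57:19 unbound[12345:0] info: start of service (unbound 1.19.1).
Mar  5 08:57:20 unbound[12345:0] info: 192.168.1.10 www.example.com. A IN NOERROR 0.000000 1 60
Mar  5 08:57:21 unbound[12345:0] info: 192.168.1.10 example.net. AAAA IN NOERROR 0.183412 0 72
Mar  5 08:57:22 unbound[12345:0] info: 192.168.1.11 ads.example.org. A IN NXDOMAIN 0.000000 1 45
Mar  5 08:57:25 unbound[12345:0] info: 192.168.1.10 mail.example.com. A IN NOERROR 0.412900 0 80
Mar  5 08:57:26 unbound[12345:0] info: 192.168.1.12 example.com. A IN NOERROR 0.000000 1 60
Mar  5 08:57:30 unbound[12345:0] info: 192.168.1.10 broken.example. A IN SERVFAIL 1.200331 0 45
Mar  5 08:57:31 unbound[12345:0] info: 192.168.1.12 example.com. A IN NOERROR 0.000000 1 60
EOF

# reply_stats LOGFILE -> one summary line.
# The filter keeps only reply lines: at least 8 fields, qclass "IN", and a
# from_cache flag of 0 or 1; the "start of service" line is dropped by it.
reply_stats() {
    awk '
        NF < 8 || $(NF-4) != "IN" || $(NF-1) !~ /^[01]$/ { next }
        {
            total++
            ms = $(NF-2) * 1000
            if ($(NF-3) == "SERVFAIL") servfail++
        }
        $(NF-1) == 1 { cached++; next }
        {
            recursed++
            sum += ms
            if (ms > max) max = ms
        }
        END {
            printf "total=%d cached=%d recursed=%d recursed_avg_ms=%.1f recursed_max_ms=%.1f servfail=%d\n",
                total, cached, recursed, (recursed ? sum / recursed : 0), max, servfail
        }' "$1"
}

# slow_replies LOGFILE MS -> "qname ms rcode" for each recursive lookup
# slower than MS; cache hits never appear here whatever their timing.
slow_replies() {
    awk -v thr="$2" '
        NF < 8 || $(NF-4) != "IN" || $(NF-1) !~ /^[01]$/ { next }
        $(NF-1) == 0 && $(NF-2) * 1000 > thr {
            printf "%s %.1f %s\n", $(NF-6), $(NF-2) * 1000, $(NF-3)
        }' "$1"
}

# top_names LOGFILE N -> "count qname" for the N most-queried names,
# the same data the GUI shows as "Top Reply Domains".
top_names() {
    awk '
        NF < 8 || $(NF-4) != "IN" || $(NF-1) !~ /^[01]$/ { next }
        { n[$(NF-6)]++ }
        END { for (k in n) print n[k], k }' "$1" | sort -rn | head -n "$2"
}

reply_stats "$LOG"
echo "recursive lookups slower than 400 ms:"
slow_replies "$LOG" 400
echo "most-queried names:"
top_names "$LOG" 3
```

The cached NXDOMAIN for ads.example.org. is the shape a local-zone block (Diversion or Unbound's own adblock) produces, and the SERVFAIL with a 1.2 s resolve time is the kind of entry the "NG" chart in the post would hide inside its slowest bucket; listing recursive lookups by name is what turns that histogram into something actionable.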
On the Asus AIO home router, Dnsmasq operates like a black box without built-in monitoring and visualization tools. However, in contrast, Unbound comes with plug-in charts that allow us to easily view relevant statistics on DNS resolution. This difference enhances the experience of using Unbound, providing a more comprehensive and intuitive insight. ;)


How did you get the charts to work? What settings/config? Thanks
 
On an Asus AIO home router I would use the built-in Dnsmasq. Nothing else is needed. Unbound as resolver has pros and cons. Why you run Unbound? 🤔

How do I use the built-in Dnsmasq? Do I just set a DNS provider in WAN and Dnsmasq is the cache? Thanks
 
Please feel free to correct me

Dnsmasq is also caching as well as your Web browsers. In real life the difference is unnoticeable. When you don't have the record in cache though or it expired Unbound will ask a few root servers upstream and the resolution will take much longer, a few 100s of ms. This is quite noticeable. If you use one of the popular DNS servers upstream you have access to a cache built up by all users and the resolution will always take 10 ms, for example. There is no right and wrong approach - a matter of choice. Unbound vs Dnsmasq pros and cons were discussed in detail already in a few related threads. I remember one about 10 pages long.

What you are doing is volunteer home sysadmin job with data control obsession. It happens when you have access to tools or hardware you never had before. I had a 200lbs home lab years ago with rack mounted UPS, Xeon storage server, Xeon gateway, big a** managed switch, etc. It was pretty, it was noisy (working, doing something, you hear it), many blinking LED lights, it was chewing data crazy fast and analyzing every packet in and out. After I finished playing with it it was replaced by hardware fitting in a banker's box and doing exactly the same thing. I'm not interested in speed testing and monitoring anymore. So I know why you are doing it from my own experience.

How do I use the built-in Dnsmasq?

You don't have to do anything, it's pre-configured. Just select your preferred DNS servers upstream and it's ready to go.
 
Dnsmasq is also caching as well as your Web browsers. In real life the difference is unnoticeable. When you don't have the record in cache though or it expired Unbound will ask a few root servers upstream and the resolution will take much longer, a few 100s of ms. This is quite noticeable. If you use one of the popular DNS servers upstream you have access to a cache built up by all users and the resolution will always take 10 ms, for example. There is no right and wrong approach - a matter of choice. Unbound vs Dnsmasq pros and cons were discussed in detail already in a few related threads. I remember one about 10 pages long.

What you are doing is volunteer home sysadmin job with data control obsession. It happens when you have access to tools or hardware you never had before. I had a 200lbs home lab years ago with rack mounted UPS, Xeon storage server, Xeon gateway, big a** managed switch, etc. It was pretty, it was noisy (working, doing something, you hear it), many blinking LED lights, it was chewing data crazy fast and analyzing every packet in and out. After I finished playing with it it was replaced by hardware fitting in a banker's box and doing exactly the same thing. I'm not interested in speed testing and monitoring anymore. So I know why you are doing it from my own experience.

You don't have to do anything, it's pre-configured. Just select your preferred DNS servers upstream and it's ready to go.

Thank you as always Tech9.
 
As I said guys - what you are going to run on your routers is totally up to you. Some folks prefer complexity, others prefer simplicity. Both categories do the same things online the same way. The natural flow - "complexity" group migrates to "simplicity" group over time. It happens after they had enough playing with what they were playing long enough. Sometimes it happens quicker after they mess up the settings and the wife discovers something not working anymore.

Read the post below. It may save your life. 🤭

 
Sigh, simplicity comes from complexity being at the lowest level possible to do what is needed. Not the other way around.

Encouraging others not to learn is kind of... Doing it over and over is running very raw.

Try to not be that person, even if it's obviously in your nature to do so.
 