What are you running? DNSCrypt or Unbound?

[gspannu]

What do you run on your router?
Unbound or DNSCrypt?
(or both?)

It would also be good to know why you use/ recommend one over the other?

I am aware that some people run DNSCrypt, Unbound or both on Raspberry Pi along with Pi-Hole. Would also like to have feedback from such users on the same topic.

 

[SomeWhereOverTheRainBow]

What do you run on your router?
Unbound or DNSCrypt?
(or both?)

It would also be good to know why you use/ recommend one over the other?

I am aware that some people run DNSCrypt, Unbound or both on Raspberry Pi along with Pi-Hole. Would also like to have feedback from such users on the same topic.

If you want your DNS queries to be handled recursively and locally, I recommend Unbound as your solution because you become your own DNS server. Unbound uses root servers to get the information fresh from the source. otherwise, I recommend Dnscrypt-proxy 2 for either a DoH server , or a Dnscrypt server (with anonymized relays). Your information this route is private between you and the dns server you decide to use. the data is encrypted and less likely to be manipulated between the response server and you. For the simplest approach, I recommend the routers DoT as your solution as the rest of the solutions require you to install scripts.

 

[gspannu]

If you want your DNS queries to be handled recursively and locally, I recommend Unbound as your solution because you become your own DNS server. Unbound uses root servers to get the information fresh from the source. otherwise, I recommend Dnscrypt-proxy 2 for either a DoH server , or a Dnscrypt server (with anonymized relays). Your information this route is private between you and the dns server you decide to use. the data is encrypted and less likely to be manipulated between the response server and you. For the simplest approach, I recommend the routers DoT as your solution as the rest of the solutions require you to install scripts.

So does this mean that...
- Unbound is local DNS resolver but will not hide the DNS queries from the ISP.
- DNSCrypt will encrypt/ hide the DNS queries itself from the ISP.

Quick question: Can both be used one the AX88U? Or are there any side effects of using both? I'm happy to dabble with scripts... (Learning is what this forum is about !)

I have seen Raspberry Pi implementations where both DNSCrypt & Unbound are installed.

 

[SomeWhereOverTheRainBow]

So does this mean that...
- Unbound is local DNS resolver but will not hide the DNS queries from the ISP.
- DNSCrypt will encrypt/ hide the DNS queries itself from the ISP.

Quick question: Can both be used one the AX88U? Or are there any side effects of using both? I'm happy to dabble with scripts... (Learning is what this forum is about !)

I have seen Raspberry Pi implementations where both DNSCrypt & Unbound are installed.

you would need to try them separately. Because of limited memory resources and conflicting mechanisms.

Unbound is in plain text but you are not passing your information off to other sources. for example unbound has plenty of security methods of hiding or minimizing how much information about you is revealed from the plain text data. The route your data travels is not easily predicted. Unbound has strict DNSSEC measures as well. unbound also has great caching features.

Dnscrypt proxy 2.0 shares your information with whatever dns server you choose to use. there is no telling how old the information is or how long the dns server has held it in their cache and there is no encryption for that data until it arrives at the DNS server. the only encryption is between you and the dns server, but not the dns server and the root servers.

Let us not forget, unbound is also equipped with DoT capabilities, if you really needed encryption, but then your request are forwarded to whatever DoT server you choose to use, at that point it becomes no better than using Dnscrypt proxy 2.0 as your look ups are no longer recursive.

 

[gspannu]

you would need to try them separately. Because of limited memory resources and conflicting mechanisms.

Unbound is in plain text but you are not passing your information off to other sources. for example unbound has plenty of security methods of hiding or minimizing how much information about you is revealed from the plain text data. The route your data travels is not easily predicted. Unbound has strict DNSSEC measures as well. unbound also has great caching features.

Dnscrypt proxy 2.0 shares your information with whatever dns server you choose to use. there is no telling how old the information is or how long the dns server has held it in their cache and there is no encryption for that data until it arrives at the DNS server. the only encryption is between you and the dns server, but not the dns server and the root servers.

Let us not forget, unbound is also equipped with DoT capabilities, if you really needed encryption, but then your request are forwarded to whatever DoT server you choose to use, at that point it becomes no better than using Dnscrypt proxy 2.0 as your look ups are no longer recursive.

Thank you. Cannot say I have understood 100%, but I am starting to understand some bits.
What is better to run with Unbound? Diversion or Unbound's inbuilt ad-blocking?

 

[SomeWhereOverTheRainBow]

Thank you. Cannot say I have understood 100%, but I am starting to understand some bits.
What is better to run with Unbound? Diversion or Unbound's inbuilt ad-blocking?

Just pick one, either one is fine. if you want a pretty tiny non visible image response go with diversion as it has pixelserv-tls. If you want a nxdomain unpretty (but sometimes faster) response, then go with unbound. I recommend choosing a route that you are going to setup and just leave it alone except for the occasional update maintenance.

If you put too much thought into it you will spend too much time tinkering, and never really get to enjoy or appreciate whatever route you decide to go with.

 

[heysoundude]

If you want your DNS queries to be handled recursively and locally, I recommend Unbound as your solution because you become your own DNS server. Unbound uses root servers to get the information fresh from the source. otherwise, I recommend Dnscrypt-proxy 2 for either a DoH server , or a Dnscrypt server (with anonymized relays). Your information this route is private between you and the dns server you decide to use. the data is encrypted and less likely to be manipulated between the response server and you. For the simplest approach, I recommend the routers DoT as your solution as the rest of the solutions require you to install scripts.

Alrighty - today's the day I roll up my mental sleeves and dig into this a bit deeper. Unbound is a fork in the road

I have Native IPv6 from my ISP, but to handle my non-static WAN IP (I don't care to pay extra for it), I've got DDNS set up with Hurricane Electric's tunnelbroker.net (I believe this means I'm dual stacked)
I'm currently using CloudFlare and Merlin's built-in DoT. setting up unbound turns me into my own CloudFlare, and makes DoT extraneous; keeping diversion and pixelserv are appealing
https://www.home.neustar/blog/recursive-dns-what-it-is-and-why-you-should-care from this I think I'd need to point my unbound at authoritative DNS servers (right?) AND (probably) firewall myself in with SkyNet (yes?). SkyNet posed a few problems to my kodi that I was never able to devote time to remedying, so I just uninstalled it.

where would I point the connmon script at to monitor packet loss? pinging unbound seems...redundant. ridiculous even. and jitter would be negligible at that point as far as I understand it

 

[L&LD]

I use unbound and point connmon at 1.0.0.1.

 

[SomeWhereOverTheRainBow]

I use unbound and point connmon at 1.0.0.1.

I thought you were going to say you point connmon at nextdns where you keep track of them with nextdns logging.

 

[Zastoff]

I use Anonymized DNSCrypt, Feels very stable secure and fast.
DNSCrypt Installer handles most settings with ease.
I use what the installer offers and together with awesome scripts like Diversion, Skynet it feels like a complete solution for me.

DNSCrypt-proxy v2 has a lot of features (some more advanced and needs to be manually edited) that can be added with any(DoH & DNSCrypt) server setup.
Some examples:
Filtering, even time-based (example: block youtube between certain hours)
Ad-block
Forwarding
ESNI Support with built in DoH server (ESNI renamed to ECHO)
Link (wiki)

 

[SomeWhereOverTheRainBow]

I use Anonymized DNSCrypt, Feels very stable secure and fast.
DNSCrypt Installer handles most settings with ease.
I use what the installer offers and together with awesome scripts like Diversion, Skynet it feels like a complete solution for me.

DNSCrypt-proxy v2 has a lot of features (some more advanced and needs to be manually edited) that can be added with any(DoH & DNSCrypt) server setup.
Some examples:
Filtering, even time-based (example: block youtube between certain hours)
Ad-block
Forwarding
ESNI Support with built in DoH server (ESNI renamed to ECHO)
Link (wiki)

I can confirm your findings as we have spent many hours (Days:weeks:months) performance testing and optimizing.

 

[bbunge]

I run pi-hole, on a Pi, with stubby set to DNSSEC and Quad9 upstream resolvers. My stock Asus WAN DNS is also set to Quad9 and the Pi-hole is advertised to clients in router LAN settings. This way the router is a fall back if the Pi has problems.

 

[glehel]

unbound + vpn tunnel dns inquiry

 

[SomeWhereOverTheRainBow]

I run pi-hole, on a Pi, with stubby set to DNSSEC and Quad9 upstream resolvers. My stock Asus WAN DNS is also set to Quad9 and the Pi-hole is advertised to clients in router LAN settings. This way the router is a fall back if the Pi has problems.

Wouldn't half the time your ads not get blocked with this approach? I thought there was no guarantee which one queries would go to? or are you only advertising pihole to clients?

 

[L&LD]

I thought you were going to say you point connmon at nextdns where you keep track of them with nextdns logging.

We get tracked anyway, but I would never pay to get tracked.