About Unbound

I followed this guide and installed unbound:
https://docs.pi-hole.net/guides/dns/unbound/

From what I have read on the net, this is how unbound works:

client <> Pi-hole <> unbound <> Root

I have a few questions and hope this community can help me.

  1. Is there any command or way to check whether unbound is communicating with the root servers and not with Cloudflare / Quad9 / Google, etc.?

  2. Unbound sends clear text to the root servers. How is that different (in terms of security) from using Cloudflare / Quad9 / Google DNS? What happens if there is a man-in-the-middle attack?

  3. After I installed unbound, why does Pi-hole have more forward destinations than before I installed unbound?

PS: I am just a person with zero to limited Linux and code knowledge.

Not quite:
unbound enquires with each authoritative DNS server of the domain to be resolved, starting with the root servers. So no one DNS provider has your complete DNS history. In addition, ideally any authoritative DNS server would see only that part of the requested domain it is responsible for resolving.

You could have a look at unbound's configuration and its log files, or you could use an online DNS probing tool like https://www.dnsleaktest.com/, which would show the public IP of your router as being used for DNS queries.

In the ways already described above.
In addition, unbound employs a best effort to verify authenticity and integrity of DNS records received by means of DNSSEC. Whether DNSSEC can be employed depends on whether an authoritative DNS server supports it.

As detailed in the guide, unbound should be your Pi-hole's sole upstream server.
Please verify that you've correctly applied the settings from the guide.
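The two checks suggested above (that unbound resolves from the root servers itself rather than forwarding, and that it validates DNSSEC) can be scripted. The following is an added example, not code from the thread or from the Pi-hole guide; it assumes unbound listens on 127.0.0.1:5335 as the guide configures it, and the config path and the two test domain names (one correctly signed, one with deliberately broken signatures) are assumptions you should replace with the ones from the guide you followed. The sample config snippets and dig output embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a local unbound is a recursive, validating
# resolver. Assumed values (replace as needed): listen address/port from the
# Pi-hole guide, a placeholder config path, and two DNSSEC test domains.
UNBOUND_HOST=127.0.0.1
UNBOUND_PORT=5335
UNBOUND_CONF=/etc/unbound/unbound.conf.d/pi-hole.conf   # assumed path
GOOD_DOMAIN=dnssec.works          # assumed: validly signed test domain
BAD_DOMAIN=fail01.dnssec.works    # assumed: deliberately broken signatures

# Returns 0 if the config text contains no forward-zone stanza, i.e. unbound
# walks the delegation chain from the root hints instead of forwarding every
# query to a single provider.
is_recursive_config() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*forward-zone:'; then
        return 1
    fi
    return 0
}

# Returns 0 if a dig answer carries the AD (Authenticated Data) flag, which
# unbound sets only after validating the DNSSEC chain for that answer.
has_ad_flag() {
    printf '%s\n' "$1" | grep -E '^;; flags:' \
        | grep -Eq '(^|[[:space:]])ad(;|[[:space:]])'
}

# Returns 0 if the answer status is SERVFAIL, which a validating resolver
# returns for a domain whose signatures do not verify.
is_servfail() {
    printf '%s\n' "$1" | grep -Eq '^;; ->>HEADER<<-.* status: SERVFAIL,'
}

# Constructed sample inputs (not real captures) for offline use.
SAMPLE_RECURSIVE_CONF='server:
    interface: 127.0.0.1
    port: 5335
    harden-dnssec-stripped: yes'
SAMPLE_FORWARDING_CONF='server:
    port: 5335
forward-zone:
    name: "."
    forward-addr: 192.0.2.1'
SAMPLE_VALIDATED_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live check against the running resolver (needs dig and network access).
verify_live() {
    conf=$(cat "$UNBOUND_CONF") || return 1
    is_recursive_config "$conf" \
        || { echo "FAIL: config forwards to an upstream provider"; return 1; }
    good=$(dig +dnssec "$GOOD_DOMAIN" @"$UNBOUND_HOST" -p "$UNBOUND_PORT")
    bad=$(dig +dnssec "$BAD_DOMAIN" @"$UNBOUND_HOST" -p "$UNBOUND_PORT")
    has_ad_flag "$good" \
        || { echo "FAIL: validated answer lacks the AD flag"; return 1; }
    is_servfail "$bad" \
        || { echo "FAIL: badly signed domain was not rejected"; return 1; }
    echo "OK: unbound recurses from the roots and validates DNSSEC"
}
```

Run `verify_live` on the Pi-hole host; a recursive, validating unbound prints the OK line. If the AD flag is missing on the well-signed domain, validation is off or the trust anchor is stale; if the badly signed domain still resolves, unbound is not enforcing DNSSEC and its answers cannot be trusted against tampering en route.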

Hi Bucking_Horn,

Thanks for the explanation. For the last part, I believe I wrote it the wrong way.
It should be:

Why does Pi-hole's forward destination percentage increase so much compared to before I installed unbound? Currently it is at 70%.

The choice of upstream resolver (in this case unbound) is unrelated to the percentage of queries forwarded to the upstream resolver.

If Pi-hole does not answer (including blocking) the domain locally, and the answer is not in the cache, it is forwarded to the upstream resolver.

If you restart Pi-hole, this will clear the cache, as one example.
