I was hoping for some advice. I am still learning about some of the more advanced networking features. I currently have my Pi-hole set up as my DNS server, and I've installed Cloudflared to encrypt the DNS requests via HTTPS (DoH).
I am reading about Unbound, and how it can provide a greater degree of privacy. My assumption is that using Unbound would require me to uninstall and stop using Cloudflared, since it seems to leverage recursive DNS providers instead of just funneling everything through Cloudflare.
Is this correct? Apologies if I'm mixed up on the terms/purpose of the setups.
I'd like to think that our unbound guide is pretty comprehensive on that matter.
Did you have a read of it already?
I'd clearly recommend uninstalling cloudflared.
Even if you decide against running unbound as a recursive resolver and re-opt for using upstream DNS encryption at a later time, unbound's configuration could be adapted to run it as a DoT forwarder.
Thank you for the answer! I went ahead and uninstalled Cloudflared, and then configured Unbound as specified above. All seems to be working well. I note that there are no instructions relating to how to configure Unbound to leverage DoT for encryption. How would I make that happen please?
I just read that Unbound has supported DoH for the last couple of years - I would prefer to use HTTPS/DoH - any chance there are similar instructions for setting that up?
Have you considered using Unbound directly as a recursive resolver instead of DoT/DoH? Using the Pi-hole Unbound guide that Bucking_Horn linked to, it works straight out of the box. It means instead of sending your DNS queries to a service like Cloudflare, you will be doing your own resolving right there alongside your Pi-hole.
Thanks for the responses. I've learned a ton about how all of these things work. It seems like using Cloudflared with Cloudflare as my DNS resolver is likely my better solution for both privacy and security.
I like that Unbound doesn't rely on a single upstream resolver. However, I'd rather work through Cloudflare as a trusted third party, than allow my ISP to log everything that Unbound is requesting while figuring out which authoritative server to query.
It looks like Unbound can be configured to send encrypted requests to third-party DNS resolvers, exactly as Cloudflared does. Maybe that would make sense if Cloudflare is not preferred.
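Both the suggestion earlier in the thread that unbound's configuration "could be adapted to run it as a DoT forwarder" and the closing observation that Unbound can send encrypted queries to a third-party resolver come down to the same configuration: a `forward-zone` for "." with `forward-tls-upstream` enabled. The file below is an added example written for this thread; it is not taken from the Pi-hole Unbound guide or from the Unbound project. It assumes Unbound 1.9 or newer on Raspberry Pi OS, the Debian CA bundle at /etc/ssl/certs/ca-certificates.crt, and a Pi-hole whose only upstream is 127.0.0.1#5335 (the same port the Pi-hole guide uses). The Cloudflare and Quad9 addresses and certificate names are real public DoT endpoints; drop whichever provider you do not want to trust. Note that Unbound's DoH support is on the listening side (it can serve DoH to clients); forwarding to an upstream provider over TLS is done with DoT on port 853, which is what this file configures.

```conf
# /etc/unbound/unbound.conf.d/pi-hole-dot-forwarder.conf
# Added example for the thread above, not the Pi-hole guide's own config.
# Turns Unbound into a DNS-over-TLS forwarder instead of a full recursive resolver.
# Assumes: Unbound 1.9+ on Raspberry Pi OS, Pi-hole upstream set to 127.0.0.1#5335.
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Only the Pi-hole on this host may ask questions.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # CA bundle used to verify the upstream's certificate against the
    # name after '#' in forward-addr. Without this line the connection is
    # still encrypted but the server is not authenticated.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # Keep the hardening the Pi-hole recursive guide also enables.
    harden-glue: yes
    harden-dnssec-stripped: yes
    hide-identity: yes
    hide-version: yes
    prefetch: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Syntax: address@port#authname. Port 853 is DoT; the name after '#'
    # is checked against the certificate the upstream presents.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

After dropping the file in place, run `unbound-checkconf`, restart unbound, and confirm with `dig @127.0.0.1 -p 5335 example.com` that answers still come back; a packet capture on the Pi should then show only TCP/853 leaving the box for DNS. Two caveats that follow from the thread's own trade-off: a forwarder gives up the "no single upstream" property the recursive setup had (you now trust whichever providers are listed), and `qname-minimisation` buys nothing here because every query goes to the forwarder in full. If any `forward-addr` line is removed, make sure at least one remains, otherwise Unbound falls back to recursion for "." and the ISP sees plaintext queries again.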