I've installed Pi-hole on a Raspberry Pi, and now I'd like to install Unbound to pair with Pi-hole to serve as the DNS in my local network. Before doing anything, I need your help in clearing up some of the conceptual puzzles in my head.
There's a lot of jargon around: DNSSEC, DNS-over-HTTPS and DNS-over-TLS. In Pi-hole, I believe I don't have to do anything since it's talking to its clients in the LAN and its upstream server, Unbound, is within one physical server. In Unbound, I need to enable DNSSEC for confirming the answers coming from authenticated servers. However, I wonder if I need to install DNS-over-TLS for the sake of privacy. Since my DNS is just a private one without connecting onto the internet, how may I get a domain public key for it?
Please advise and correct me if I'm wrong in anything. Thanks in advance.
Oh, sorry! I missed an important question:
As Unbound is a recursive DNS server, I don't understand why there's a list of forward-addr set up in the config file. Isn't Unbound going to solve the names by consulting the servers authoritative for this query by traversing the domain? What are these forward-addr for?
It's the unbound.conf file. I didn't get them in mine yet since I don't quite get what those mean to the overall setup.
Sorry, this is somehow off topic since it's not Pi-hole related. It's Unbound. This is the article I read: Encrypted DNS with Caching using Unbound — Nurdletech. Below is an extract of the unbound.conf file. This is what puzzled me.
This and other aspects of using unbound or encrypted DNS in conjunction with Pi-hole have been discussed here quite a few times, e.g. Best secure and privacy options for DNS.
You may use the forum's search function to retrieve those.
@Bucking_Horn, thank you very much. I finally got the answer.
I did read these and a few more, but my brain still couldn't get it straight - recursive and encryption are mutually exclusive. I originally thought they could be combined, and that was why I asked what the role of the upstream servers is.
Yeah, basically, from how I understand it, there are just not enough DNS servers yet that actually support DNS over TLS for this to be viable yet, sadly, especially for authoritative DNS servers.
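The two setups the thread is circling around, written out as an added example (this is not the missing unbound.conf extract from the post above and not the Nurdletech article's config): a purely recursive validating resolver, and the same resolver with a forward-zone that hands every query to an upstream over TLS, which is what the forward-addr lines do. The listening port, file paths and the upstream resolver addresses are assumptions.

```conf
# Added example, not the thread's own unbound.conf. Port, paths and upstreams are assumptions.
#
# Mode A: full recursion with DNSSEC validation. There is no forward-zone at all,
# so Unbound walks from the root servers down to the authoritative servers itself.
server:
    interface: 127.0.0.1          # Pi-hole on the same host points its upstream here
    port: 5335                    # assumed port; Pi-hole upstream would be 127.0.0.1#5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    root-hints: "/var/lib/unbound/root.hints"
    # DNSSEC: the root trust anchor lets Unbound verify signatures all the way
    # down the tree. Without it, answers are simply not validated.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes   # a signed zone whose RRSIG went missing is treated as bogus
    harden-glue: yes
    qname-minimisation: yes       # each server is sent only the labels it needs to see
    # Only needed for Mode B: CA bundle used to verify the upstream's TLS certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # In Mode A the queries to root, TLD and authoritative servers travel as plain
    # DNS; those servers do not offer DNS-over-TLS, which is why "recursive" and
    # "encrypted upstream" do not combine. DNSSEC still proves the answers are genuine,
    # it just does not hide which names were looked up.

# Mode B: add this block and Unbound stops recursing. Every query for "." (everything)
# is forwarded to the listed upstreams, and forward-tls-upstream requires TLS to them.
# DNSSEC validation still happens locally against the forwarded answers.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Format is address@port#authname; the name after '#' is matched against the
    # certificate the upstream presents, so a spoofed upstream fails the handshake.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com       # example public upstream, assumed choice
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Run unbound-checkconf against the file before restarting the service; afterwards, a `dig +dnssec` query sent to 127.0.0.1 on port 5335 for a signed domain should come back with the AD flag set, which confirms validation is actually happening in whichever mode you chose.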