Conceptual Questions on Pi-hole and Unbound

I've installed Pi-hole in a Raspberry Pi, and now, I'd like to install Unbound to pair with Pi-hole to serve as my DNS in my local network. Before doing anything, I need your help in clearing some of the conceptual puzzles in my head.

There's a lot of jargon around: DNSSEC, DNS-over-HTTPS and DNS-over-TLS. In Pi-hole, I believe I don't have to do anything since it's talking to its clients in the LAN and its upstream server, Unbound, is within one physical server. In Unbound, I need to enable DNSSEC for confirming the answers coming from authenticated servers. However, I wonder if I need to install DNS-over-TLS for the sake of privacy. Since my DNS is just a private one without connecting to the internet, how may I get a domain public key for it?

Please advise and correct me if I'm wrong in anything. Thanks in advance.

Oh, sorry! I missed an important question:
As Unbound is a recursive DNS server, I don't understand why there's a list of forward-addr set up in the config file. Isn't Unbound going to resolve the names by consulting the servers authoritative for this query by traversing the domain? What are these forward-addr for?

Once again, thanks for your answers.

Which config file?


This was likely installed by your OS, and not deliberately by you. Please post the complete output of the following command from the Pi terminal:

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*


It's the unbound.conf file. I haven't got them in mine yet since I don't quite get what those mean to the overall setup.
Sorry, this is somehow off topic since it's not Pi-hole related. It's Unbound. This is the article I read: Encrypted DNS with Caching using Unbound — Nurdletech. Below is an extract of the unbound.conf file. This is what puzzled me.

forward-zone:
    name: "."
    forward-tls-upstream: yes

    # Cloudflare DNS
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

    # NordVPN
    forward-addr: 103.86.96.100@853#dns1.nordvpn.com
    forward-addr: 103.86.99.100@853#dns2.nordvpn.com

    # Quad9
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

Should you find this really off topic and should be removed, please accept my apology and do so.

Well, the title of your linked article is already telling you that this is setting up unbound for encrypted DNS.

Currently, you can either have recursion or encryption, see e.g. Unbound recursive DNS over TLS - #2 by Bucking_Horn.

This and other aspects of using unbound or encrypted DNS in conjunction with Pi-hole have been discussed here quite a few times, e.g. Best secure and privacy options for DNS.

You may use the forums search function to retrieve those. :wink:

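
To make the "recursion or encryption" distinction concrete, here is an added example of the two ways unbound.conf can be written; it is not from this thread, the linked article or Unbound's own documentation. The port 5335, the root-hints/root.key paths, the CA bundle path and the LAN range are assumptions; the two halves are alternatives, and once a forward-zone for "." exists, Unbound forwards and never recurses on its own.

```conf
# --- (a) Recursive, DNSSEC-validating Unbound: no forward-zone at all ---
# Unbound starts from the root hints and walks down to the authoritative
# servers itself. Those hops are plain DNS on port 53, which is why this
# mode cannot be encrypted; DNSSEC still proves the answers are authentic.
server:
    interface: 127.0.0.1
    port: 5335                          # assumed; Pi-hole upstream = 127.0.0.1#5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    root-hints: "/var/lib/unbound/root.hints"            # assumed path (IANA root hints)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"  # assumed path (root DNSSEC key)
    harden-dnssec-stripped: yes         # answers with DNSSEC data stripped are bogus
    qname-minimisation: yes             # each server only sees the labels it needs
    hide-identity: yes
    hide-version: yes
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow                 # assumed LAN range

# --- (b) Forwarding Unbound with DNS-over-TLS: the same server block plus ---
# a forward-zone for "." so every query goes to the listed resolvers instead
# of being resolved recursively. Unbound then only caches, and (with the
# trust anchor above) DNSSEC-validates, what the forwarder hands back.
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # assumed Debian path; the CA
                                        # store the #hostname below is verified against
forward-zone:
    name: "."
    forward-tls-upstream: yes           # TLS on port 853 to the forwarders only
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
```

In (b) the TLS session protects the hop from the Pi to the forwarder; the forwarder still talks plain DNS to the authoritative servers on your behalf, so the privacy question moves to whoever runs that forwarder.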

@Bucking_Horn, thank you very much. I finally got the answer.
I did read these and a few more, but my brain still couldn't get it straight - recursion and encryption are mutually exclusive. I originally thought they could be combined, and that was why I asked what the role of the upstream servers is.

Yeah, basically, from how I understand it, there are just not enough DNS servers yet that actually support DNS over TLS for this to be viable, sadly, especially for authoritative DNS servers.
