General consensus to use cloudflare-proxy or unbound?

General
1

what's the general consensus with the pihole universe as to which is more secure, using cloudflare proxy or "unbound" on the pihole?

i recently installed cloudflare proxy for DoH. but see many here use "unbound".

1 Like
2

This depends on your definition of "secure".

With encrypted DNS, the DNS requests to and from the upstream provider are not visible to your ISP or others, and the reply you get is the answer that was sent, as it travels an encrypted path. However, you have to trust the upstream provider with your DNS history, and to not filter or alter any of the DNS replies it sends you. Additionally, even though your ISP cannot see the DNS requests, you will immediately follow the DNS reply with an unencrypted request for that IP address, and your ISP can quickly determine where you are browsing.

With unbound, you avoid upstream providers completely and your local resolver (unbound) deals directly with the authoritative name servers (the same ones the upstream providers use). The DNS traffic is not encrypted, but it is authenticated with DNSSEC, so the reply you receive is validated as being the answer that was sent. Unbound uses a few techniques to send as little data to the nameservers as possible and to maximize your privacy - qname minimisation is one method. Since you communicate directly with the authoritative name servers, the replies are not filtered in any way. Unbound also has a very efficient cache, so after it's been in use for a while it does not have to communicate with the name servers as often. Most users find that unbound is typically faster overall than using an upstream provider, once the cache is populated.

For these reasons, I prefer unbound to encrypted DNS:

  1. No upstream DNS provider has your DNS history.
  2. The results are unfiltered.
  3. You have equal assurance that the DNS traffic has not been altered in transit.
  4. There is no less privacy from the ISP.
  5. Generally faster.
  6. I have complete control over my DNS resolver.
5 Likes
3

thank you for the insight & education! my decision to keep cloudflare-proxy or go with unbound is a more educated one now.

also, a few minutes ago i just read one of your posts (assuming you?) on reddit, thread title: "questions_about_dnscryptproxy_unbound_cloudflared" that was excellent in helping me understand this more.

i'll install unbound on my new rpi this weekend and give it a go.

2 Likes