IP Address (pi-hole+unbound)

Hello

I have a question about IP addresses when resolving DNS queries locally. If you resolve DNS queries locally using pi-hole and unbound and query a DNS leak test domain, it shows the public IP address of the ISP. Does this leak the IP address to the website you are making the query to? Or would it leak to your ISP or the website's ISP or a caching server like Cloudflare? Also, if you use unbound to resolve queries locally, what gets used as a root nameserver or authoritative nameserver? Just want to make sure the IP address is not unintentionally leaking. Would it be different if it were being resolved from a public resolver like Cloudflare or Quad9?

A DNS leak is when you use a VPN but your DNS traffic is outside the VPN tunnel.

Any results you get from the DNS leak test site are meaningless if you aren't running your internet traffic through a VPN service.


What's the most secure DNS solution for ad-blocking, malware domain blocking, XSS blocking etc while protecting ip address using VPN or Tor?

Turning off the router.

If we assumed turning off the router was not one of the options...

Okay, then define "secure". What are you hiding and who are you hiding it from.

Advertisers, trackers, ISPs, hackers, Google, Facebook, any third party trying to collect data and monetize it or use it maliciously.

Then stock is fine.

So by "stock" do you mean not redirecting to unbound locally or using something like Cloudflare or Quad9? What's the best way to resolve without showing the IP address?

Doesn't really matter if you show IP addresses when your IP address will be attached to every single packet that leaves your computer on the way to the website you visit. (Every single router hop in between knows your IP and the IP you are trying to visit.)

I'm referring to the DNS query. The DNS query is a UDP packet, but if you use unbound as a recursive resolver, it shows the IP address of the ISP, which is not great for privacy. If you set it up in forward mode, it will forward the request to another recursive resolver, which will handle the query, and its IP address is displayed as the DNS provider. There is a difference there because unbound acting recursively shows the IP of your ISP to the webserver. In forwarding mode it's the IP of the upstream recursive resolver.
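The two unbound modes contrasted in the post above, written out as configuration so the difference is concrete. This is an added example and not a configuration posted in the thread; the paths, the listening port 5335 (the value Pi-hole's own unbound guide uses) and the choice of Quad9 and Cloudflare as DoT upstreams are assumptions. In variant A unbound walks the tree itself, starting from the root servers listed in its built-in or supplied root hints, so the root, TLD and authoritative servers all see this host's ISP-assigned public address. In variant B every query is handed to the upstream resolver over TLS, so authoritative servers see the upstream's address instead, while the upstream resolver itself now sees yours.

```conf
# --- Variant A: full recursion (e.g. /etc/unbound/unbound.conf.d/pi-hole.conf) ---
# Queries leave this host directly for root/TLD/authoritative servers.
server:
    interface: 127.0.0.1
    port: 5335                     # Pi-hole forwards to 127.0.0.1#5335 (assumed)
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Optional: unbound ships its own root hints; a local copy lets you
    # refresh them independently of unbound upgrades (path is an assumption).
    root-hints: "/var/lib/unbound/root.hints"
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes        # send only the label needed to each server
    prefetch: yes

# --- Variant B: forwarding over DNS-over-TLS (use INSTEAD of variant A) ---
# Authoritative servers see the upstream resolver's address, not yours;
# the upstream resolver sees your address and your full query stream.
server:
    interface: 127.0.0.1
    port: 5335
    # CA bundle used to validate the upstream's TLS certificate (Debian path, assumed)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    qname-minimisation: yes

forward-zone:
    name: "."                      # forward everything
    forward-tls-upstream: yes      # require TLS (port 853) to the upstreams below
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

To see which address an authoritative server actually observes from each variant, query a "whoami"-style name through the local resolver, for example `dig +short whoami.akamai.net @127.0.0.1 -p 5335`: Akamai's authoritative servers answer with the address of the resolver that contacted them, which is your ISP-assigned address under variant A and the upstream's address under variant B. As the replies below point out, neither variant hides your address from the ISP or from the web server you then connect to.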

As noted, everybody sees your IP anyway.

As opposed to the webserver seeing your IP when it's part of the HTTP traffic?

When you say "everybody sees your IP anyway", what exactly do you mean by that? Are you referring to HTTP/HTTPS or the DNS query?

Anything involving TCP/IP.

Both. However you obtain an IP (whether by unencrypted DNS, encrypted DNS, or having it in a hosts file), you ask the ISP in clear text to connect you to that IP. The IP is not encrypted even if you are connecting to a website via https.

For a DNS query to an upstream resolver, they know the IP to return the answer to.

Is it worth it to set up an authoritative nameserver within a LAN?

Authoritative for what zone? Are you considering creating your own root server?

You know what; I think DNS is antiquated, just going to use IPFS