My ISP does the same to me. I've been using Stubby and Pi-hole without issue. It's always worth trying something new, if for nothing other than entertainment, imo.
Well, I guess we have some differences: my ISP didn't actually change or try to change my results. Thus I didn't have the DNSSEC issues. They definitely kidnap my requests, as they would keep showing up in the leak test no matter what.
One more thing: can you ping 80.241.218.68?
Yes, I can.
I'll redo my config later and let you know.
Hi folks,
after nearly 200 posts, may I ask what you're trying to achieve here? The well-known "longest thread on the board"?
Is the initially posted question solved now? Yes? Then why are there no new, separate threads for the other problems discussed here?
What do the latest posts have to do with the initial problem (Unbound & DNSSEC)?
Why are there dozens of posts without any useful content (posts that look like a private small-talk chat to me)?
Looks like this might be my last post, buddy. They already logged me out of my account this morning; next I expect to be banned.
If it's not the .yml formatting, it could be this line.
If it doesn't match, change it from 0 to 1:
edns_client_subnet_private : 1
This will be my last reply to this thread. Good luck!
Nobody logged you out and you're not going to be banned. I moved the server from San Francisco to New York and that needed a reboot.
In my opinion, no, my original question still stands.
Still seeing DNSSEC tests failing.
No combination of services or installs sees a DNSSEC test pass, be that Unbound and/or Stubby.
My config matches this. Value set to 1.
In truth, I'm unsure.
Using Stubby I now see the DNS provider I expect to see, as configured via Stubby. @drewski, I see dismail.de after rewriting stubby.yml.
But DNSSEC tests fail, and the algorithm test shows all come back as yellow. And en.internet.nl reports Sky as my DNS provider, whereas dnsleaktest.com states dismail.de.
So to me it's still unclear.
I understand this is not a Pi-hole issue, so I appreciate the above comments from @mibere (whom I assume to be a mod).
If the thread needs closing, please do so.
My only reasoning for not starting additional threads was purely the good intention of not cluttering the board with multiple threads of the same nature. Apologies if any rules have been broken.
If it's just two people working on the issue (and after 195 posts I'll risk it and say that's the case) then just DM each other. If you find something that everyone needs to be aware of then make a new thread.
Okay, shoot me, please. First, I am sorry for being accusatory; second, sorry for lying, here is another reply.
^ This advice above is solid. I just want to really drive home this former statement of mine: you can beat this if you block port 53 OUT on the router. You would likely need advanced firmware for this. Turn off ALL DNSSEC and let dismail.de handle it. DONE.
I tried to send this in a PM, getting an internal server error.
Not even if it itself is asking the root servers? See, this is where I'm confused, as I thought that it carries all the way down the chain?
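One way to implement the "block port 53 OUT on the router" advice above, as an added example that is not from anyone in this thread: an nftables ruleset for a Linux-based router with advanced firmware. The LAN bridge name `br-lan`, the Pi-hole/Stubby host address 192.168.1.2 and the table name `dnsguard` are assumptions; adjust them to your network.

```nftables
# Added example, not from this thread. Assumed: LAN bridge "br-lan",
# Pi-hole + Stubby on 192.168.1.2, Stubby forwarding to dismail.de over
# DNS-over-TLS (TCP 853), which this ruleset leaves untouched.
table inet dnsguard {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Let only the Pi-hole host send plain DNS out of the LAN. If Stubby
        # (DoT) is the sole upstream, remove these two rules so that no
        # plaintext port 53 traffic ever leaves the network.
        iifname "br-lan" ip saddr 192.168.1.2 udp dport 53 accept
        iifname "br-lan" ip saddr 192.168.1.2 tcp dport 53 accept

        # Every other client: count, log and drop plain DNS leaving the LAN,
        # so devices with hard-coded resolvers are forced back to the Pi-hole.
        iifname "br-lan" udp dport 53 counter log prefix "dns-leak " drop
        iifname "br-lan" tcp dport 53 counter log prefix "dns-leak " drop
    }
}
```

Load it with `nft -f dnsguard.nft`; the `dns-leak` log prefix shows which LAN devices were trying to bypass the Pi-hole. Because the rules sit in the `forward` chain they govern LAN clients only, not the router's own lookups. Note what this does and does not buy you: it stops plaintext DNS from leaving your LAN, but it cannot stop the ISP's transparent proxy from answering any port 53 query that does get out, which is exactly why the advice above hands upstream resolution to dismail.de over Stubby (port 853) instead.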
Has anyone put Wireshark or a protocol analyzer on things to see what the actual payloads are?
Or, with Unbound running, increase verbosity to 5 and see all the details of the transactions?
I haven't; I have zero experience and knowledge of Wireshark.
I'm running Debian buster on a laptop.
I'm a little reluctant to post here again, but here is some more info I discovered.
Running tests on an Android device (OnePlus 7 Pro 5G, Android 9) gives what I would say are negative results... tried multiple browsers (Chrome, Firefox, Opera, DuckDuckGo), and all see DNSSEC tests fail (multiple sources), with almost all 'yellow' results in the algorithm test.
However, if I perform the same tests on a laptop running Linux (Debian 10) I get different results... DNSSEC tests pass.
I had a quick play with Wireshark, but wasn't really able to understand what I was looking at, so I guess I need to learn!
I have done this, and posted results here and at the Unbound git page... they concluded the ISP was hijacking.
Some googling, and this hijacking by Sky seems to have been debated in other corners of the web, some saying they definitely do, while others adamantly refute it.
I'm interested to learn how I can best determine, as accurately as possible, if this is happening, and if it is the reason for inconsistent DNSSEC results.
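To make the Wireshark suggestion above concrete, here is an added example that is not from anyone in this thread: a standard-library Python script that builds a DNSSEC-requesting query (EDNS0 OPT record with the DO bit set) and inspects a reply for the three things a transparent DNS proxy typically disturbs: whether the EDNS0 record survives, whether the resolver set the AD (Authenticated Data) flag, and whether RRSIG records come back at all. The sample replies are constructed inside the script, not real captures; the `query()` helper does a live UDP lookup against whatever resolver IP you pass it, so you can compare the answer you get through your ISP with the one you get from the Pi-hole.

```python
"""Inspect DNS replies for the signs that something in the path is
interfering with DNSSEC: a stripped EDNS0/DO bit, a missing AD flag and
absent RRSIG records. Pure standard library; no dnspython needed."""
import socket
import struct

# IANA RR type / class codes used below
TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
CLASS_IN = 1
DO_BIT = 0x8000          # top bit of the OPT record's 32-bit TTL field
FLAG_QR, FLAG_AD, FLAG_CD = 0x8000, 0x0020, 0x0010


def encode_name(name):
    """Turn 'www.example.com' into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, want_dnssec=True):
    """Build a UDP query; with want_dnssec an OPT record carrying DO=1 is added."""
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if not want_dnssec:
        return header + question
    # OPT pseudo-RR: root name, type 41, UDP size in the class field,
    # DO bit in the TTL field, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off:]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def inspect_response(msg):
    """Parse the header flags and walk every RR, collecting DNSSEC-relevant facts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "edns": False, "do": False, "rrsig": 0}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip qtype and qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns"] = True
            info["do"] = bool(ttl & DO_BIT)
        elif rtype == TYPE_RRSIG:
            info["rrsig"] += 1
    return info


def classify(info):
    """Summarise what the flags say about the path between you and the resolver."""
    if not info["edns"]:
        return "EDNS0 stripped: something in the path rewrote the query or the reply"
    if info["do"] and info["rrsig"] == 0:
        return "DO honoured but no RRSIGs returned: reply not from a DNSSEC-capable source"
    if info["ad"]:
        return "validated: resolver set AD and returned signatures"
    return "unvalidated: signatures present but the resolver did not set AD"


def make_response(name, ad, with_opt, do, with_rrsig, txid=0x1234):
    """Constructed sample reply (not a real capture) for exercising the parser."""
    flags = FLAG_QR | 0x0180 | (FLAG_AD if ad else 0)      # QR, RD, RA (+AD)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 + int(with_rrsig), 0, int(with_opt))
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # A record answering the question; 0xC00C is a pointer to the name at offset 12
    msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:
        fake_sig = b"\x00" * 20     # placeholder RDATA; only the type code matters here
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(fake_sig)) + fake_sig
    if with_opt:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT if do else 0, 0)
    return msg


def query(server, name, timeout=3.0):
    """Send the query over UDP to a resolver IP and inspect the reply (needs network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return inspect_response(data)


if __name__ == "__main__":
    clean = make_response("example.com", ad=True, with_opt=True, do=True, with_rrsig=True)
    proxied = make_response("example.com", ad=False, with_opt=False, do=False, with_rrsig=False)
    print("clean   :", classify(inspect_response(clean)))
    print("proxied :", classify(inspect_response(proxied)))
```

Run it once against the Pi-hole (`query("192.168.1.2", "example.com")`, address assumed) and once against a public validating resolver; if the reply through the ISP comes back with `edns` false or with no RRSIGs while the DO bit was set, the query was answered by something other than the resolver you addressed, which is the same conclusion a Wireshark capture would show, just without having to read the packet bytes by hand.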
This looks like a good place to leave this.
Unfortunately I have no experience.
Stumbled upon this on ispreview.co.uk:
A spokesperson for Sky told ISPreview.co.uk: "Our latest firmware update is designed to support new, exciting features coming to Sky Broadband soon. If customers wish to continue using a third party DNS server, they can request a roll-back to the previous firmware which can take up to 7 days however customers will still be able to access the internet using Sky DNS servers throughout this time."
Seems Sky have acknowledged that they have made changes, and will not allow their customers to use 3rd-party DNS providers!
Looking through some Sky forum threads, the term "transparent DNS proxies" is used a lot... makes sense?
Still leaving me confused as to what I can best do to keep the best level of privacy/security possible, if we assume that I am bound to Sky DNS servers... if I understand correctly, Stubby is the optimal solution.
So it seems it's a pretty safe and accurate conclusion that Sky are indeed hijacking, in some capacity... but I'm still not clear on why this prevents Unbound from working.
This does not appear to be the case.
Request the firmware rollback.
Why do you say this? Correct, there doesn't look to have been a direct statement that they have implemented such DNS proxies, but the fact they state a request can be made to roll back to allow use of third-party DNS very much alludes to them having made a significant change?
Or am I interpreting the forum posts wrong?
Yep, I will.
But anyone that is a Sky customer will know their customer service is appalling, so I don't hold much hope. Unfortunately switching ISP is not really an option for me; as much as it pains me, the deal I get and the speeds I hit are very good, and no other provider can compete.
You have the option of requesting a reversion to the previous firmware. Thus, they will allow you to use the DNS service of your choice.