Is there a way to avoid Russian root servers using unbound?

Hello,
I installed unbound according to the manual without any issues.
https://docs.pi-hole.net/guides/dns/unbound/
But now I don't want to address any root server located in Russia (or Belarus).
I checked the list of root servers and most of them are American. But they use anycast.
I think I can never be sure where the root server handling my request is located.

Or am I wrong here?

First thing unbound does is pick an IP from the root.hints file:

pi@ph5b:~ $ awk '/ A | AAAA / {print $4}' /usr/share/dns/root.hints
198.41.0.4
2001:503:ba3e::2:30
199.9.14.201
2001:500:200::b
192.33.4.12
2001:500:2::c
199.7.91.13
2001:500:2d::d
192.203.230.10
2001:500:a8::e
192.5.5.241
2001:500:2f::f
192.112.36.4
2001:500:12::d0d
198.97.190.53
2001:500:1::53
192.36.148.17
2001:7fe::53
192.58.128.30
2001:503:c27::2:30
193.0.14.129
2001:7fd::1
199.7.83.42
2001:500:9f::42
202.12.27.33
2001:dc3::35

And query one of those to load the actual current root servers into cache, similar to below:

pi@ph5b:~ $ dig +norecurse +noall +answer +additional @198.41.0.4 . ns
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
a.root-servers.net.     518400  IN      A       198.41.0.4
b.root-servers.net.     518400  IN      A       199.9.14.201
c.root-servers.net.     518400  IN      A       192.33.4.12
d.root-servers.net.     518400  IN      A       199.7.91.13
e.root-servers.net.     518400  IN      A       192.203.230.10
f.root-servers.net.     518400  IN      A       192.5.5.241
g.root-servers.net.     518400  IN      A       192.112.36.4
h.root-servers.net.     518400  IN      A       198.97.190.53
i.root-servers.net.     518400  IN      A       192.36.148.17
j.root-servers.net.     518400  IN      A       192.58.128.30
k.root-servers.net.     518400  IN      A       193.0.14.129
l.root-servers.net.     518400  IN      A       199.7.83.42
m.root-servers.net.     518400  IN      A       202.12.27.33
a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     518400  IN      AAAA    2001:500:200::b
c.root-servers.net.     518400  IN      AAAA    2001:500:2::c
d.root-servers.net.     518400  IN      AAAA    2001:500:2d::d
e.root-servers.net.     518400  IN      AAAA    2001:500:a8::e
f.root-servers.net.     518400  IN      AAAA    2001:500:2f::f
g.root-servers.net.     518400  IN      AAAA    2001:500:12::d0d
h.root-servers.net.     518400  IN      AAAA    2001:500:1::53
i.root-servers.net.     518400  IN      AAAA    2001:7fe::53
j.root-servers.net.     518400  IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     518400  IN      AAAA    2001:7fd::1
l.root-servers.net.     518400  IN      AAAA    2001:500:9f::42
m.root-servers.net.     518400  IN      AAAA    2001:dc3::35

Maybe you can override these by creating your own A or AAAA records in unbound for those root-servers.net. entries.
But most likely DNSSEC will fail?

pi@ph5b:~ $ man unbound.conf
[..]
       do-not-query-address: <IP address>
              Do not query the given IP address. Can be IP4 or IP6. Append /num
              to indicate a classless delegation  netblock,  for  example  like
              10.2.3.4/24 or 2001::11/64.

There are 13 root servers, but many more mirrors distributed around the world. If you want to block only those mirrors that are located in Russia, you will need to find those IPs and block them in your firewall or in unbound.

Why do you want to do this? All the root server mirrors distribute the same root zone.

I blocked all of them except the last one, 202.12.27.33 (I don't have IPv6 support upstream):

pi@ph5b:~ $ sudo nano /etc/unbound/unbound.conf.d/do-not-query.conf
server:
    do-not-query-address: 198.41.0.4
    do-not-query-address: 199.9.14.201
    do-not-query-address: 192.33.4.12
    do-not-query-address: 199.7.91.13
    do-not-query-address: 192.203.230.10
    do-not-query-address: 192.5.5.241
    do-not-query-address: 192.112.36.4
    do-not-query-address: 198.97.190.53
    do-not-query-address: 192.36.148.17
    do-not-query-address: 192.58.128.30
    do-not-query-address: 193.0.14.129
    do-not-query-address: 199.7.83.42
pi@ph5b:~ $ unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
pi@ph5b:~ $ sudo service unbound restart
pi@ph5b:~ $

Get something in cache:

pi@ph5b:~ $ dig +noall @localhost -p 5335 . ns
pi@ph5b:~ $

Only the one remaining, 202.12.27.33, seems to be addressed when I sniff the packets:

pi@ph5b:~ $ sudo tcpdump -nqti eth0 port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP 10.0.0.4.35790 > 202.12.27.33.53: UDP, length 28
IP 202.12.27.33.53 > 10.0.0.4.35790: UDP, length 1097
IP 10.0.0.4.40787 > 202.12.27.33.53: UDP, length 28
IP 202.12.27.33.53 > 10.0.0.4.40787: UDP, length 1097
IP 10.0.0.4.17487 > 202.12.27.33.53: UDP, length 28
IP 10.0.0.4.18697 > 202.12.27.33.53: UDP, length 37
IP 202.12.27.33.53 > 10.0.0.4.17487: UDP, length 864
IP 202.12.27.33.53 > 10.0.0.4.18697: UDP, length 709

Which one(s) is/are situated in Russia by the way?
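The post above builds the do-not-query list by hand from root.hints and then checks the result with tcpdump. The script below is an added example (not code from the thread or from the unbound project) that automates both steps: it parses root.hints-style zone data, emits a `server:` block that blocks every root-server address except the letters you choose to keep (optionally dropping AAAA records, as the poster has no IPv6 upstream), and audits tcpdump `-nq` lines for root-server queries that should not have happened. The root.hints excerpt and the capture lines are constructed for the example (the excerpt only carries a, b and m; run it against the real `/usr/share/dns/root.hints`), and the function names are this example's own.

```python
"""Generate an unbound do-not-query block from root.hints and audit a tcpdump
capture for queries that slipped past it.  Added example, not from the thread."""
import ipaddress
import re

# Constructed, abbreviated excerpt in root.hints (named.root) format. The real
# file on the Pi is /usr/share/dns/root.hints and carries all 13 letters.
SAMPLE_ROOT_HINTS = """\
;       This file holds the information on root name servers (excerpt)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
"""

# Constructed tcpdump -nqt lines: two mirror the thread's capture, the third is
# a query to a.root-servers.net that the block should have prevented.
SAMPLE_CAPTURE = [
    "IP 10.0.0.4.35790 > 202.12.27.33.53: UDP, length 28",
    "IP 202.12.27.33.53 > 10.0.0.4.35790: UDP, length 1097",
    "IP 10.0.0.4.40787 > 198.41.0.4.53: UDP, length 28",
]

OWNER_RE = re.compile(r"([a-m])\.root-servers\.net\.")
# "IP src.port > dst.port: ..." ; greedy \S+ backtracks to the last dot, so the
# same pattern handles IPv4 and (colon-separated) IPv6 addresses.
TCPDUMP_RE = re.compile(r"^IP6? (\S+)\.(\d+) > (\S+)\.(\d+): ")


def parse_root_hints(text):
    """Return {letter: [address, ...]} for the A/AAAA glue in root.hints data."""
    hints = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or fields[2] not in ("A", "AAAA"):
            continue
        owner, _ttl, _rtype, addr = fields
        m = OWNER_RE.fullmatch(owner.lower())
        if not m:
            continue
        # ip_address() validates the glue and normalises IPv6 spelling
        hints.setdefault(m.group(1), []).append(str(ipaddress.ip_address(addr)))
    return hints


def build_do_not_query(hints, keep, ipv6=True):
    """Render a server: block that blocks every root address not in `keep`."""
    lines = ["server:"]
    for letter in sorted(hints):
        if letter in keep:
            continue
        for addr in hints[letter]:
            if not ipv6 and ipaddress.ip_address(addr).version == 6:
                continue  # no IPv6 upstream: listing AAAA glue is just noise
            lines.append(f"    do-not-query-address: {addr}")
    return "\n".join(lines) + "\n"


def audit_capture(lines, hints, keep):
    """Return root-server addresses queried on port 53 that were not allowed."""
    allowed = {a for letter in keep for a in hints.get(letter, [])}
    all_roots = {a for addrs in hints.values() for a in addrs}
    violations = set()
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        _src, _sport, dst, dport = m.groups()
        if dport == "53" and dst in all_roots and dst not in allowed:
            violations.add(dst)
    return violations


if __name__ == "__main__":
    hints = parse_root_hints(SAMPLE_ROOT_HINTS)
    print(build_do_not_query(hints, keep={"m"}, ipv6=False), end="")
    print("unexpected root queries:", audit_capture(SAMPLE_CAPTURE, hints, {"m"}))
```

Write the generated block to `/etc/unbound/unbound.conf.d/do-not-query.conf`, run `unbound-checkconf`, then restart unbound and feed a fresh `tcpdump -nqt port 53` into `audit_capture`. Keep in mind what the thread already points out: this only removes the other twelve letters' unicast-looking addresses from the candidate list; it gives no control over which anycast instance of the remaining letter answers, and it makes resolution depend on a single root-server cloud.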

Aha the Wiki map makes it clear:

https://upload.wikimedia.org/wikipedia/commons/e/ee/Root-current.svg

So it seems hard to do this at the IP level if you don't have any influence over the anycast structure underneath.
If I'm correct?

The main reason actually is a privacy point of view.
If for instance I request access to a French website, I will query the root server for the .fr TLD,
which probably tells them something about the languages I can read.
And in some countries you can't know if the maintainers of those servers are involved with the local government or not.
Maybe you can never know.

But it would be great if it were possible to always use a root server located within the region from where you are browsing.
Or maybe, when you live in China or something, to use a root server which is somewhere in Africa, so the government doesn't know you visit Taiwanese websites.

That's indeed the issue.

Virtually impossible. And completely useless even if possible.

It doesn't really matter which root servers you use. The DNS traffic to/from your local unbound instance (running in recursive mode) is unencrypted. All your ISP has to do is look at the DNS traffic leaving your home.

That's a shame, I didn't anticipate that one.

Then it would still be useful to always use root servers close by, so the number of parties which can intercept is kept to a minimum.

Or is this already automatically the case?

There is no way to predict which nameservers will be used by unbound.

If you are concerned with your ISP or government being able to see your DNS traffic, you can configure unbound as a forwarding server, and you can encrypt the DNS queries/replies leaving your home network.

This will require that you trust the upstream DNS server you use, and doesn't effectively hide where you are browsing from your ISP.

Once you get an IP (whether via a DNS query, typing it into your browser, or in a local hosts file, among several possibilities), you send the IP and the SNI in clear text to your ISP. They will know where you are browsing.

In my opinion, your fear of foreign root servers is unfounded. They all do the same thing - provide the TLD nameservers to clients. If any of these operators were misbehaving, they would be quickly shut off from being a root server mirror.