Is there a way to set up Pi-hole + Unbound + Stubby?

Hi!
So I have a Pi-hole + Unbound setup on my Raspberry Pi, and I was wondering if I can add Stubby to use with my setup?

What are you trying to achieve? When I moved to unbound, I abandoned using stubby + cloudflare. There is no need for it.

I was doing some research, and saw that you can use Stubby + Pi-hole + Unbound at the same time; the purpose is to have DNS queries encrypted.

You don't need the added complexity of running them both. Unbound has the ability to run as a forwarding resolver, sending its queries via TLS to an upstream provider.

Note there is no normal benefit to encrypting your DNS queries, and unbound is more private in recursive mode.

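The forwarding mode mentioned above, as an added illustration that is not from the original post or from the Pi-hole or Unbound projects; it assumes the loopback listener on port 5335 used in the Pi-hole Unbound guide, Debian's trust-anchor path, and Cloudflare's DoT endpoint as the upstream (any DoT provider works the same way).

```conf
# Illustrative drop-in file, e.g. /etc/unbound/unbound.conf.d/pi-hole-dot.conf
# (path is an assumption; adjust to your install).
server:
    # Listen only for Pi-hole on the loopback address/port from the Pi-hole
    # Unbound guide; Pi-hole's upstream is then set to 127.0.0.1#5335.
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # CA bundle used to validate the upstream's TLS certificate; without it
    # Unbound cannot authenticate the resolver it talks to on port 853.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # DNSSEC validation of the answers the forwarder returns (root.key path
    # as shipped on Debian/Raspberry Pi OS; an assumption for other distros).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Forward everything ("." is the root zone) instead of recursing from the
# root servers. This hands every non-cached query to one third party, which
# is the trust trade-off discussed in this thread.
forward-zone:
    name: "."
    # Send queries as DNS over TLS: "@853" selects the DoT port and the
    # "#hostname" suffix is the name Unbound checks against the certificate.
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Without forward-tls-upstream, the same zone on port 53 would be the
    # plaintext case this thread warns about:
    #   forward-addr: 1.1.1.1@53
```

After restarting Unbound, `dig @127.0.0.1 -p 5335 example.com` should answer, and a packet capture on the Pi's uplink should show outbound traffic to port 853 rather than 53. If Unbound logs a certificate error, the `tls-cert-bundle` path or the `#hostname` suffix is the first thing to check.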

thanks.

I recognize this is an old post but it seems reasonable to correct misinformation (or at the very least prevent misunderstanding).

For anyone only interested in blocking ads, perhaps, but this is not the case for the privacy and/or security-minded! Plaintext DNS queries are not only vulnerable to MITM attacks (undertaken by both bad actors AND internet service providers) but are easily tracked and logged.

Not so, per se, though it may be a matter of whom you trust. Further to the above (and as you know) recursive traffic is unencrypted, making Unbound traffic leaving your network vulnerable to the same principle described above. Unbound in recursive mode is definitely "less-private" than leveraging encrypted queries otherwise carried out in plaintext over port 53, in that its traffic for non-cached queries transpires over the same protocol. This can arguably be mitigated by ensuring recursion occurs over (allegedly) non-logging VPN.

Tl;dr - Don't do business over port 53 beyond your network perimeter unless it's recursive Unbound, and only if it's wrapped with a VPN. Use Unbound in DoT mode for simplicity if you're comfortable with shifting trust to a 3rd-party.

Which is why DNSSEC exists.

What is more easily tracked and logged is your actual traffic to the sites. Obfuscating your DNS lookups does nothing more than security theater when you take the IP that you hid in the DNS query and use it to visit the site. And no, TLS doesn't do much for you when you pass the host name in plain text to start the handshakes.

That's the key takeaway.

Only it's not. I'd rather "them" log the fact I connected to an IP address (assuming full-path masking in the case of HTTPS) in favor of host/domain knowledge. Absent a domain, and considering virtual hosts, CNAME records, etc., identifying the nature/purpose of traffic going to any given IP is best left to data science, and I'm not expecting an ISP to find value in correlating these.

Indeed...SNI is & will continue to be addressed in TLS1.3 w/ ECH or its successor(s); drawn-out adoption & support timeline notwithstanding.

A good discussion, and one I appreciate, but these factors do not lend credibility to the original 2 points to which I was responding. Would you agree?

I don't agree.

As Dan noted, even with encrypted DNS (and prior to any adoption of Encrypted Hello), regardless of how you obtain an IP, you send both the IP and SNI in clear text to your ISP, so you aren't effectively hiding anything from them. They can quickly figure out which sites you are visiting. They won't see any of the traffic that follows the establishment of the encrypted connection, but everything prior to that is in clear text.

The two cases where I see benefit to using encrypted DNS are:

  1. Your ISP hijacks DNS traffic. This is not a privacy issue, it is a data security issue.
  2. You are using a VPN service and want to route your DNS traffic through Pi-hole without creating a DNS leak.

I suppose it boils down to what is important to you. I prefer to avoid third party DNS services entirely (if you use them, they have your complete DNS history and are free to do with it what they wish).

I would rather eliminate a third party DNS service and have a net privacy gain by doing so. Particularly since the ISP can see where I visit regardless of whether my DNS traffic is encrypted. The privacy gain comes from cutting out one party from the information. Instead of having to trust the ISP and the upstream DNS service, I only have to trust the ISP.

When Encrypted Hello becomes a standard, my opinion may change.

This is part of the hello process.

True statement, but this is unrelated to the fact that you visited the site in the first place, and is independent of whether or not you use encrypted DNS.
