Hi there, I was using DoH before, but I wanted more privacy. I installed Unbound as described in the documentation, and it is actually working perfectly.
I have some thoughts though.
I'm a gamer, and I use the Internet and IoT stuff, like, a lot. Is Unbound right for my use?
Is it better to have DoH with Cloudflare (which you can't technically trust) but encrypted, or Unbound but not encrypted and sometimes with DNS leaks?
First to your post title: Yes and no. Initially, Unbound is pretty slow, as it has to build the chain of trust and walk all the domains up into the root zone. However, once it has finished priming things, it'll be almost as fast as (sometimes even faster than) external DNS providers. This usually takes only a few minutes but is noticeable when doing benchmarks immediately after starting Unbound.
Lookups are cached, so they will be served in sub-milliseconds after having been resolved once.
You can either try to hide from your internet service provider (ISP) and offer all your data to Cloudflare for free - or - do give everything for free to Cloudflare at the risk that your ISP could capture more easily where you are browsing to (simply by looking at your plain DNS requests).
My personal conclusion here is: My ISP can see where I'm making connections to even when they don't see the DNS requests, because they are the ones that will route my entire traffic in the end. Yes, one could now add a third party (a VPN provider), but why should I trust them?...
That's what the documentation asks you: It depends on your particular threat model (and this is not a joke). I am in the comfortable position of living on the European mainland without any signs whatsoever that my ISP would like to spy on my data. Actually, there are severe fines in my country if they did so without really good justification. This makes my choice (trust my ISP, use plain Unbound) an easy one.
Then something is wrong with your configuration (maybe auxiliary IPv6 DNS servers?). You should never see DNS leaks with Unbound.
How do you anticipate that you will have DNS leaks with unbound? A DNS leak occurs when you are using a VPN tunnel and the DNS traffic is exposed outside of the tunnel.
I tested it, but yeah, maybe it's a misconfiguration of IPv6, but I don't know where. Do I need to activate it in Pi-hole?
I saw my public IP address, obviously, but I saw another one that is totally not my IP (but same ISP).
I uninstalled IPv6 on Windows 10 (even though I heard it's not recommended) and there's no leak anymore.
Do I need to activate IPv6 filtering on Pi-hole, or is it useless to do that?
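An added example, not part of the original thread: one way to check a Windows client for the "auxiliary IPv6 DNS servers" suggested above is to parse English-language `ipconfig /all` output and flag every configured resolver that is not the Pi-hole. The sample output and the addresses in it (192.168.1.2 as the Pi-hole, 2001:db8::53 as a router-advertised resolver) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread).
# 192.168.1.2 stands in for the Pi-hole, 2001:db8::53 for an extra resolver
# that the router advertised over IPv6.
SAMPLE = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 2001:db8::53
                                       192.168.1.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def parse_ip(text):
    """Parse an address, dropping any IPv6 zone id (fe80::1%12); None if invalid."""
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Return {adapter: [resolver addresses]}, following continuation lines."""
    result, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace():      # unindented line starts a new adapter
            adapter, in_dns = line.rstrip(":"), False
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        # Extra resolvers appear on following lines that contain only an address.
        ip = parse_ip(m.group(1)) if m else (parse_ip(line) if in_dns else None)
        in_dns = ip is not None
        if ip is not None:
            result.setdefault(adapter, []).append(ip)
    return result

def unexpected_resolvers(ipconfig_text, allowed):
    """Return {adapter: [addresses]} for resolvers outside the allowed set."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    found = dns_servers(ipconfig_text)
    return {name: [str(ip) for ip in ips if ip not in allowed]
            for name, ips in found.items()
            if any(ip not in allowed for ip in ips)}

if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE, ["192.168.1.2"]))
```

An empty result means every adapter lists only the allowed resolver; any address that is reported is a candidate source for the extra IP a leak test shows.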