ISP DNS is leaking when using unbound

I set up unbound according to your guide, but when I do a DNS leak test, I see my ISP DNS.

Should it be like that?

Thanks.

When using unbound, a DNS leak test would be expected to show your public IP being used as DNS server, e.g. your public IPv4 as assigned by your ISP to your router.

Are you really seeing your ISP's DNS servers being used?

1 Like

Running a DNS leak test is only of value if you are running your traffic through a VPN. A DNS leak would be when the DNS traffic is visible outside the VPN tunnel. If you aren't running your traffic through a VPN, then you needn't worry about a DNS leak.

When you run unbound, the IP of your DNS provider is your IP, since you are running unbound at your IP.

2 Likes

You're probably right, it's the same IP as the IP I get from WhatIsMyIP.
But the DNS leak test tells me my ISP somehow. Is that OK? Maybe because I'm behind the ISP's NAT?

I'm not worrying about a DNS leak, just trying to figure out if my setup is working as expected.

Another question: how is unbound in your setup using DNSSEC without the auto-trust-anchor-file parameter? I saw other guides using this parameter for DNSSEC.

Thanks.

No, the leak test is looking at your IP address and using the PTR record for it in a reverse lookup. Since your ISP owns the IP address, they set the name.

1 Like

You need the trust anchor. This should already be configured by the unbound installer as follows, which is why we don't include it in our pi-hole.conf file:

cat /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

1 Like
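To check the two points raised in this thread (that unbound is actually validating with the trust anchor, and that the name a leak test shows is just the PTR record of your own public IP), here is an added example script; it is not from the Pi-hole guide or from unbound. It assumes unbound listens on 127.0.0.1 port 5335, that `dig` and `curl` are installed, and uses cloudflare.com as a signed zone, dnssec-failed.org as a deliberately broken one and api.ipify.org to learn the public IP.

```shell
#!/bin/sh
# Added example (not from the Pi-hole guide or from unbound itself).
# Assumptions: unbound listens on 127.0.0.1 port 5335, dig and curl exist.
UNBOUND_IP="${UNBOUND_IP:-127.0.0.1}"
UNBOUND_PORT="${UNBOUND_PORT:-5335}"

# Classify dig output read from stdin. A validated answer carries the "ad"
# (authenticated data) flag in the header; a zone whose signatures are
# deliberately broken must come back SERVFAIL once the trust anchor is loaded.
# Prints one of: validated, bogus, insecure.
dnssec_state() {
    out=$(cat)
    case "$out" in *"status: SERVFAIL"*) echo bogus; return ;; esac
    # Take only the header flags line, not the EDNS "flags: do" line.
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) echo validated ;;
        *)        echo insecure ;;
    esac
}

# Offline self-check on constructed dig headers (no network needed).
selftest() {
    ok=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232'
    noad=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
    fail=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
    [ "$(printf '%s\n' "$ok"   | dnssec_state)" = validated ] || return 1
    [ "$(printf '%s\n' "$noad" | dnssec_state)" = insecure  ] || return 1
    [ "$(printf '%s\n' "$fail" | dnssec_state)" = bogus     ] || return 1
}

# Live check against the local unbound: a signed zone must validate, a
# deliberately broken one must be rejected, and the PTR of your public IP
# shows why a leak test labels the resolver with your ISP's name.
verify_unbound() {
    q() { dig @"$UNBOUND_IP" -p "$UNBOUND_PORT" +dnssec "$@"; }
    echo "cloudflare.com (signed):    $(q cloudflare.com A | dnssec_state)"
    echo "dnssec-failed.org (broken): $(q dnssec-failed.org A | dnssec_state)"
    ip=$(curl -s https://api.ipify.org)   # any what-is-my-IP service works
    echo "public IP $ip, PTR: $(q -x "$ip" +short)"
}

# Plain `sh check-unbound.sh` only defines the functions; pass "run" to query.
if [ "${1:-}" = run ]; then verify_unbound; fi
```

Run it as `sh check-unbound.sh run`: the first line should read `validated`, the second `bogus`, and the PTR on the last line is the ISP-owned name the leak test displays.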