I am currently using Pihole + Unbound as recursive DNS, but I am using Cloudflare as the Upstream
forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 1.0.0.1
Is there a benefit of using Quad9 as the Upstream dns server vs Cloudflare?
I started using Cloudflare as I read it's supposed to be a faster dns server.
Any advise on whether I should start using Quad9 instead?
or If I need make any changes to the config file.
EDIT..
Also, what is the difference between adding the Upstream dns server in the config file vs selecting it from the pihole GUI?
You aren't running unbound in recursive mode. You have told unbound to forward all queries to upstream DNS servers, and in this setup unbound is a forwarding resolver and not a recursive resolver.
If your intention is run unbound in recursive mode, remove this forwarding configuration and let it recurse.
If your intention is to use unbound as a forwarding resolver - why?
Each handles filtering and other details differently.
If you enter multiple upstream DNS servers in Pi-hole (for example Cloudflare and Quad 9), then Pi-hole will determine which are the best responders and use them.
When you insert unbound into the DNS path, and use unbound as your only upstream DNS server, then Pi-hole can no longer make this determination. It uses unbound exclusively, because that is the only option available.
There is no privacy gain when you have Pi-hole foward to unbound and unbound forward to Quad9.
In fact, if you do not use any unbound specific features, that setup is a waste of resources. It would be equivalent to have Pi-hole use Quad9 as upstream directly.
So If I only use Unbound with no upstream..does that mean I would have more privacy?
What about security?
Does Unbound check for malware and bad sites?
Sorry for the dumb question as I donβt really understand how Unbound really works.
Thanks for the info.
What about just using Quad9 by itself without using Unbound.
I read also that Quad9 is a recursive DNS and there's no need for Unbound as it's basically the same thing. Is that accurate?
And... if I want to stop using Unbound, do I have to uninstall it or can I just remove the info from here
and select Quad9 from here?
I ask because I just want to test things and not wanna have to reinstall Unbound if I don't have to.
The difference is that when you use Quad9 you are sending all of your domain queries to Quad9 for them to resolve. When Quad9 says that they don't log those queries, that is likely true but you have to trust that it is true, and it is goverened by Swiss law.
They do capture aggregate data, to which your queries will end up contributing. Compare that to, say, Google's DNS.
When you use Unbound in recursive mode, you are running your own DNS resolver and have no need for these external services. That means you are no longer sending all your domain queries to anyone external to be resolved. This is the more secure option.
This image explains it well β your home network is everything in the grey box on the left side. You also have Pi-hole in there in the Resolver part. Unbound is the Local Name Server part at the top, still in the grey box on your home network.
Follow the blue and green arrows and the numbered parts, starting with "1. Resolution Request" to see how the lookup is processed. Each one of those blue arrows leaving your home network is Unbound checking the next part of the domain name, building it up recursively, step by step, until the final "16. Requested IP address".
So instead of Quad9 or Google receiving all your domains to be resolved, logging whatever they log, and then doing all that to them, now you are doing all of that yourself using Unbound in recursive mode.
Thank you, I am beginning to understand more now.
So when using Unbound in recursive mode, does the ISP play any role?.. meaning, can they still see all my queries even though all the queries are being done by Unbound?
The ISP's role here is just to carry your traffic between your network and the Internet. So in this case, that traffic will include Unbound doing its recursive lookups. Technically they could see that, but it is different to if you were using your ISP's own DNS, where they are then acting like Quad9 or Google in the previous example.
However once Unbound has got the final answer and handed that back to Pi-hole, which hands it back to the computer on your network that asked for it, that computer will then use it to make a connection of some kind. Your ISP can also see that you made a connection to that location, even if it can't see the traffic on that connection.
So there is an implicit trust with your ISP anyway, and if you are using your own recursive resolver, that traffic is just more packets of data that they are carrying. The main thing is that by running your own recursive Unbound you are no longer handing anyone a 24/7 list of every single domain your network is using.
Just in case, that command has to be run on the Pi-hole, not a client on the network. If it's all set up correctly then Unbound will running alongside Pi-hole on port 5335.
What do you get if you try fail02 instead of fail01? And if you try a known good domain, eg CNN?
dig fail02.dnssec.works @127.0.0.1 -p 5335
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> fail02.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; no servers could be reached
$ dig fail02.dnssec.works @127.0.0.1 -p 5335
; <<>> DiG 9.16.44-Debian <<>> fail02.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached
however in your case it states that there was a communications error to Unbound itself (127.0.0.1#5335). But then the CNN one worked okay, suggesting it's okay.
What does this query give?
dig @127.0.0.1 -p 5335 www.isc.org. A +dnssec +multiline
That checks out perfectly. In Pi-hole go into Settings > DNS and clear all the Upstream Servers checkboxes and then put 127.0.0.1#5335 into Custom 1 and tick that box, so it is the only one ticked, and scroll down and hit Save.
Then in your terminal try
dig @127.0.0.1 foxnews.com
Note, there is no -p 5335 in that one. That will request that domain from Pi-hole instead, and then Pi-hole will request it from Unbound (the Custom upstream you just configured), and you should get a response.
Then take a look at Pi-hole's Query Log and refresh it and you will see the query in there. If so, then Unbound is working as a recursive resolver (from the previous tests) and Pi-hole is using it for DNS.
Oh you know what.. I just remembered that this Linux machine, I had to set it to NOT use Pihole because it was interfering and blocking Pihole updates, so they recommended to set this machine on a different dns server.
