Recursive DNS server (unbound) or DNS over HTTPS?

Hi,

I am fairly new to using a Raspi but managed to get pi-hole up and running and I love it.

I read the guides about "Pi-hole as All-Around DNS Solution" and "Configuring DNS-Over-HTTPS on Pi-hole"
https://docs.pi-hole.net/guides/unbound/

I don't know which one you guys would recommend? Does any of those solutions prevent my ISP from collecting DNS data and generating a profile?

DNS over HTTPS will encrypt your DNS traffic to/from the third party DNS server, so this will hide your DNS data from your ISP.

unbound is a local recursive resolver that (if set up per the guide you reference), will send DNS requests in the clear. They are authenticated, but not encrypted, and will be visible to your ISP. There are certain things you can do (qname minimisation, for example) to improve your privacy a bit.

Note that even if your DNS requests are not visible to your ISP, you will be immediately following the DNS request with the IP you have requested. Your ISP can analyze those requests.

Having tried both options, I prefer unbound. Having a local resolver that I have full control over is preferable to trusting a third party DNS provider (Cloudflare in this case). Upstream providers see all your DNS traffic, and you have no control over what they do or will do with that data.


I was under the impression that unbound would generate its traffic in the LAN, thus the ISP wouldn't see the content of the traffic, only that you were connecting to the DNS root zone. Now that I've been corrected, is there a way to run unbound with cloudflared at the same time effectively?

What would be the goal doing that?

Then would hosting unbound in the cloud and using HTTPS or DNSCrypt be a good solution?

The goal would be to have the advantages of unbound with the privacy of DNS over TLS.

The advantage of using unbound (per the setup guide) is that unbound becomes your recursive resolver, and you aren't using a third party DNS provider.

If you were to use unbound going to an upstream third party provider, this doesn't make use of the recursive ability of unbound - you are still using the upstream provider. It seems simpler to use the cloudflared option and have that software encrypt the connection to the upstream DNS provider.

I had the same dilemma. I don't think you can use both a local recursive resolver AND encryption yet (yet!). A recursive resolver contacts ALL authoritative name servers for the sites that you want to visit, but they don't use encryption yet. If you want encryption, the only option at the moment is to forward all DNS requests to a name server that supports encryption like Cloudflare, but then they get to see all your DNS requests and you're not a local recursive resolver anymore yourself. I chose to use unbound as a recursive resolver and forget about encryption for now.

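As an added example (not from the thread or the Pi-hole guide), a minimal unbound.conf that shows the two modes this discussion contrasts: Option A is the recursive setup with qname minimisation, Option B forwards everything to a DNS-over-TLS upstream, which hides queries from the ISP but hands all of them to that provider. The file paths, listening port, and the choice of Cloudflare as the upstream are assumptions.

```conf
# Added example, not from the thread. Option A: unbound as a full
# recursive resolver (the model the Pi-hole guide uses). Queries to the
# root and authoritative servers leave the LAN unencrypted, so the ISP
# can read them; qname minimisation limits how much of each name any
# single upstream server gets to see.
server:
    interface: 127.0.0.1
    port: 5335                      # assumed: Pi-hole points at 127.0.0.1#5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    root-hints: "/var/lib/unbound/root.hints"       # assumed path
    auto-trust-anchor-file: "/var/lib/unbound/root.key"  # assumed path; enables DNSSEC validation
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes         # send only the labels each server needs
    # Used only by Option B: CA bundle for verifying the upstream's TLS certificate
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # assumed path

# Option B: forward every query over DNS-over-TLS instead of recursing.
# The ISP sees only a TLS session to port 853; the upstream provider
# sees every query. With a forward-zone for "." unbound no longer walks
# the tree itself, which is exactly the trade-off described above.
# Uncomment to switch from Option A to Option B.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 1.1.1.1@853#cloudflare-dns.com
#    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Check the file with `unbound-checkconf` and query it with `dig @127.0.0.1 -p 5335 example.com`; a packet capture on the WAN side then shows plaintext port 53 traffic to root and authoritative servers under Option A, and only TLS to port 853 under Option B.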

this is what convinced me to move away from dnscrypt, and this is the guide i used to deploy unbound + stubby.

the above is for BSD, so it'll need to be adapted to other distros (concept and general steps remain the same). steps performed via opnsense UI can easily be replicated in unbound settings via CLI.

note this is still relying upon upstream dns but my goal was obfuscating traffic flowing through ISP. also, i used the list of weird ass servers specified in the list and resolution has actually sped up since shifting from 4x1 + 4x9...ymmv.

I wasn't aware root servers didn't use encryption. Thanks marcobloom

Public name servers with encryption:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers

Public and private name servers with support for DNS over TLS: DNS Privacy Test Servers - DNS Privacy Project - Global Site

An overview:

It's not a lot.

Do you know of many authoritative name servers that use encryption?

To the best of my knowledge, none of them do.