Setup with Unbound vs Dnscrypt

I set up PiHole recently, and all's working fine. I went to the website of PiHole and followed the tutorial for Unbound setup, and that's working fine too.

I think my ISP is blocking some of the DNS requests, so I want to set up encrypted DNS requests.

Correct me if I'm wrong, but if I'm using unbound as a recursive DNS resolver, there's no way I can do "encrypted DNS", since they "have to be" in plain, as upstream might not support DoH or DoT. So, my solution would be to point PiHole to a DoH or DoT server (such as dnscrypt-proxy2) and point that to an upstream recursive server, or my own hosted recursive server which runs Unbound, correct?


Why do you think this? What replies do you see that support this assertion?

I can visit a few websites through Firefox with DoH enabled, but not with it disabled

What would be the correct approach? Is my reasoning correct?

Did you try the command dig <url here> from the command line?
Additionally, did you try pihole -q <url here>?

Yeah. I tried some domains without pihole, and pihole + unbound. Both give me the same response. Same if I try to load the website with Firefox. But, if I enable DOH on Firefox, I can reach those domains again.

So,

  • pihole + unbound doesn't work
  • pihole + dnscrypt (upstream as cloudflare) works
  • Normal network without pihole etc doesn't work
  • Firefox on normal network + DOH in firefox works

But the main clarification I seek is,

  • Unbound can do DOH or DOT with an upstream recursive dns server, or, itself serve as a recursive DNS resolver, but without encryption, correct?

Correct. The authoritative servers don't do DOH or DOT (learned that myself on these forums a while ago :) )

Substitute domain name for URL.

Pi-hole works with domains, not URLs.

Depending on your version of unbound. All versions that ship with supported distributions can do DoT, but only newer versions (since 1.12) can do DoH.

Debian Buster ships with 1.9.0, for example.

My bad, I meant just that!

Yeah so I guess unless tech catches up, I'll either have to set up my own recursive DNS resolver somewhere in the cloud, and DoT/DoH to that, or just hand it over to [insert providers]

Even when set up as a recursive DNS resolver?

When set up as a recursive resolver, unbound does no encryption. The nameservers don't support it.

Yeah that's what I was looking for haha. Thank you for clearing that up!

So if I set up a cloud server upstream for recursive DNS, how do I secure it? To prevent DNS poisoning and other forms of attacks? Want to learn a bit about it. (I guess this part is off topic, if so, please do let me know : ) )

Enable DNSSEC.
It is the only way to determine whether DNS records are authentic and have not been tampered with by cryptographically signing and verifying the records.

All root servers and >90% of tld servers support DNSSEC, while support in lower level domain servers is still improving.
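Putting the two halves of the thread together, here is an added example (not from the Pi-hole project or any poster) of what the unbound config looks like on each side: the Pi-hole box forwards everything over DoT to a self-hosted recursive resolver, and the cloud box recurses in plain DNS to the authoritative servers but only answers the Pi-hole, over TLS, with DNSSEC validation on both. The addresses, hostname and certificate paths are placeholders.

```conf
# --- Pi-hole side: unbound forwards every query over DoT to the self-hosted resolver ---
server:
    interface: 127.0.0.1
    port: 5335                       # Pi-hole's upstream is set to 127.0.0.1#5335
    do-ip6: no
    # validate DNSSEC signatures locally, even though the upstream also validates
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes      # refuse answers whose signatures were stripped
    qname-minimisation: yes
    # CA bundle used to check the upstream's certificate; path varies by distro
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes        # without this line the forward is plain UDP/TCP on port 53
    # placeholder address and name: the cloud resolver's public IP and the hostname
    # in its TLS certificate (the name is verified, so a bad certificate is rejected)
    forward-addr: 198.51.100.10@853#resolver.example.net

# --- Cloud side: unbound as a full recursive resolver, serving DoT only to the Pi-hole ---
server:
    interface: 0.0.0.0@853           # DoT listener; no plain port 53 exposed to the Internet
    tls-service-key: "/etc/unbound/privkey.pem"     # placeholder paths, e.g. a Let's Encrypt cert
    tls-service-pem: "/etc/unbound/fullchain.pem"
    # only the Pi-hole's public address may query; everything else is refused,
    # which keeps the box from being abused as an open resolver
    access-control: 203.0.113.5/32 allow
    access-control: 0.0.0.0/0 refuse
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes
    use-caps-for-id: yes             # 0x20 case randomisation, one more hurdle for cache poisoning
    # no forward-zone here: queries go to root, TLD and authoritative servers in plain DNS,
    # which is exactly the part the thread says cannot be encrypted
```

unbound-checkconf validates either file before a restart, and dig @127.0.0.1 -p 5335 +dnssec example.com from the Pi-hole shows the ad flag in the header when the chain validated.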

Is there any way I can check if DNS requests were blocked? For example when I set up a recursive server on a cloud?
