Some clarification on using Unbound with Pihole for privacy and security

I'm not a network guru and lots of the things I read, get only about 50% absorbed :slight_smile:

The goal: Getting privacy and security as much as possible using Pihole on RPi with FF or Chrome, even for home use.

TL;DR
I'm a bit confused on the better setup for privacy and security, thinking I could achieve my goals using Pihole+Unbound+DoT, but not really getting anywhere.

I've setup Pihole + Unbound from scratch.

I was trying to understand if it's possible to use Unbound with Cloudflare, but then I realised that if I set upstream resolver settings, then I go against the idea behind Unbound, which is setting up my RPi as a recursive DNS server solution.

Another thing I think I learned is that Unbound as a recursive solution cannot be used with DoT. It's either DoT or recursive DNS.

Given the above learnings/assumption (based on my limited knowledge), I find it hard to decide what is the better approach at this moment in time, in order to get the best possible privacy.

Ideally, I would like my DNS requests to be encrypted and untraceable, as much as possible with current limitations/available technology.

Given what I wrote so far, the following questions came to mind when I was setting and re-setting unbound with Pihole based on the Pihole guide and some other guides I found online:

  1. Is there any solution that can be implemented with Pihole to get the best privacy and security in addition to or alongside ad-blocking?

  2. All unofficial Pihole + Unbound guides describe how to add upstream DNS resolvers, which means getting Unbound with DoT but eliminating the recursive DNS usage. Why is the Pihole guide geared towards a recursive setup over DoT?

  3. Why doesn't the official Pihole + Unbound guide mention making sure DNSSEC is unchecked in the DNS settings?

  4. Unbound 1.12.0 is out (https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-12-0), allowing support for DoH. Can this be installed with Pihole, and is it better than DoT?

  5. Playing around with /unbound.conf.d/pi-hole.conf I left the config file as follows: https://textuploader.com/1pusu
    Given this configuration, when I test Chrome and FireFox, I get different results (see below). Can I get some help understanding why the results differ and how I can get Chrome to match Firefox?

FireFox tested on 1.1.1.1/home
Pihole and the pi-hole.conf are not set to use Cloudflare, so how come it shows that I am using it?

Chrome test on 1.1.1.1/home

FF test security - Using secure DNS

Chrome test security - Not sure if using secure DNS

Thanks!

Debug token in case it's required:
https://tricorder.pi-hole.net/imuf1cph3i

Not sending things to CloudFlare.

Edit: I'll clarify a little. It doesn't matter how well you hide your DNS lookups, you shout the destination you go to every time you visit it. Your ISP knows everything, as does any server on the path between you and the destination. Even TLS has you sending the domain in the clear before you can connect.

So what's the motivation behind DoT/DoH/Unbound and all that shenanigans if nothing really helps?
Why does a page like this: Cloudflare ESNI Checker | Cloudflare UK even exist if the DNS requests are not really encrypted, or it doesn't matter if they are because it's visible to everyone?

I'm so confused right now...

Solutions looking for problems. DoH is a shitpile. DoT is okay if you have the need for it. Unbound works just fine.

So CloudFlare can get you and your data. And then upsell you on buying the bigger packages that cost.

Read the fine print:


Once your client has an IP address in hand, via any means, the client sends the IP in clear text to the ISP. Then it sends the IP the SNI, also in clear text. Your ISP and anybody else privy to your internet traffic can see this.

Once you establish a secure connection to the destination IP, your data traffic becomes an encrypted stream.

As a result, there is no privacy gain from encrypting your DNS traffic.

The advantages of unbound as a local recursive resolver (in my opinion) are:

  • No upstream DNS resolver has your DNS history. Instead of trusting your ISP and a third party DNS service, you trust the ISP and yourself.

  • No filtering of the DNS results. You get your answers directly from the authoritative nameservers - the official internet phone book.


Yeah, well I'm a home user so I won't buy any packages from them :slight_smile:

A few questions:

  1. So bottom line is just have Unbound WITHOUT upstream resolvers and be done with it? (if you can kindly check the link to the .conf file I uploaded)

  2. Using the 1.1.1.1/help page, why does FF show I'm connected to 1.1.1.1 and using DoH and secure DNS, while Chrome doesn't?

  3. Lastly, is there a way using Pihole+Unbound to figure out which DNS servers I am using?
    I guess this answers question 3:

No filtering of the DNS results. You get your answers directly from the authoritative nameservers - the official internet phone book.

EDIT:
4. Should I disable DNSSEC in the DNS settings if I use Unbound?

Yes.

FireFox enabled DoH by default, unless you turn it off or you use Pi-hole as the sole DNS server.

You're not using any DNS server with unbound, at least in the sense of a single upstream. You are your own upstream.

Nope.

Yes. Use the configuration file we provide in our unbound guide.

You might have private browsing enabled in Chrome.

In recursive mode, Pi-hole uses the authoritative nameservers.

Your choice. Unbound is doing DNSSEC. Enabling this in Pi-hole adds a column in the query log to display results.

Isn't enabling DNSSEC in DNS settings doubling up on work?

When you're using unbound you're relying on that for DNSSEC validation and caching, and pi-hole doing those same things is just going to waste time validating DNSSEC twice and confusing unbound's cache by not passing through commonly requested entries.

source: https://www.reddit.com/r/pihole/comments/d9j1z6/unbound_as_recursive_dns_server_slow_performance/

You mentioned that DoH is a shitpile, so your recommendation is to turn it off on FireFox and ignore the test pages in Cloudflare?
If not turning it off, does it mean that using the FF browser I'm no longer using a recursive server? i.e., the DoH is using Cloudflare as an upstream resolver?

Trusting my ISP is also an issue. I have no trust in them. So essentially, the only way to get privacy from them is to use a paid VPN service like nordVPN?
I thought that using Unbound is only about trusting myself.

Nope.

Yep.

How come it doesn't? I'm not implying you are incorrect, but I'm keen to learn if you kindly provide some clarification on the benefit of having DNSSEC enabled while DNSSEC is already running with Unbound.

I'm more than happy to read about it if you can refer me to the right place. Appreciate your answer.


p.s. - from cloudflare's website about their 1.1.1.1 usage policy:

  • Public DNS Resolver Users

  • Limited DNS query data: We will collect limited DNS query data that is sent to our 1.1.1.1 resolver. Our 1.1.1.1 resolver service does not log personal data, and the bulk of the limited non-personally identifiable query data is only stored for 25 hours. You can learn more about our 1.1.1.1 resolver commitment to privacy here.

and more here: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/

The last question I have:
So why do most online guides describe how to set up Unbound with DoT (and lately DoH)? It doesn't have to forward to Cloudflare, it could be to Quad9. People seem to guide on that type of usage.

Believe cloudflare, use them, get rid of Pi-hole. Seems to be the best option here.

I don't know what guides you are reading but setting up Unbound to point to another upstream is just a waste.
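As an added example (not code from the thread or from the Pi-hole project), the difference between the two setups being argued about here is a single stanza in unbound's config: the Pi-hole guide's file has no `forward-zone`, so unbound walks the tree from the root servers itself, while the third-party "Unbound with DoT" recipes add one and turn it into a forwarder. The check below classifies a config file by that stanza; the two sample configs are constructed, and port 5335 and the Quad9 addresses are only there as illustrative values.

```shell
#!/bin/sh
# Added example, not from the thread: tell a recursive unbound config apart
# from the "Unbound with DoT" recipe by looking for an active forward-zone.
# Drop comments and blank lines so a commented-out forward-zone does not count.
unbound_effective_config() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Print "recursive" when no forward-zone stanza is active; otherwise print
# "forwarding" plus the forward-addr upstreams the config hands queries to.
unbound_mode() {
    cfg=$(unbound_effective_config "$1")
    if printf '%s\n' "$cfg" | grep -q '^[[:space:]]*forward-zone:'; then
        upstreams=$(printf '%s\n' "$cfg" \
            | sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p' \
            | tr '\n' ' ' | sed 's/ $//')
        printf 'forwarding %s\n' "$upstreams"
    else
        printf 'recursive\n'
    fi
}

# Constructed sample 1: the shape of the Pi-hole guide's pi-hole.conf, which
# has no forward-zone, so unbound resolves from the root servers itself.
RECURSIVE_CONF=$(mktemp)
cat > "$RECURSIVE_CONF" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
    harden-dnssec-stripped: yes
    # forward-zone:   # commented out, so still recursive
EOF

# Constructed sample 2: a third-party "DoT" recipe that turns unbound into a
# forwarder, so the upstream (Quad9 here) sees every query after all.
FORWARDING_CONF=$(mktemp)
cat > "$FORWARDING_CONF" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
EOF

unbound_mode "$RECURSIVE_CONF"     # recursive
unbound_mode "$FORWARDING_CONF"    # forwarding 9.9.9.9@853 149.112.112.112@853
```

Run it against your own `/etc/unbound/unbound.conf.d/pi-hole.conf` to confirm it reports `recursive`; anything else means a guide has turned unbound into a forwarder.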

With unbound acting as the DNSSEC checker, Pi-hole gets the DNSSEC information from unbound and displays it in the query log. In older versions of dnsmasq (which we embed in pihole-FTL), the information was not processed correctly. This is resolved in the dnsmasq version we ship.

Enable DNSSEC in Pi-hole if you want this information in your query log. Note this will expand the size of your long term database to store these results.


My opinion - because they don't understand there is no real privacy gain with encrypted DNS. They are following the "hey, let's enable this option. It is offered so it must be good" thought process.

You will need to decide which method of DNS resolution best meets your specific needs. If you don't trust your ISP, use a VPN service to hide your traffic from them. If you want to use Pi-hole for DNS while using the VPN service, then encrypted DNS will allow you to avoid a DNS leak.

If you don't use a VPN service, recursive unbound increases your privacy.

The purpose of my questioning is to learn and hopefully to clarify to others who are just learning to "swim" these waters as I do.

Posting the information from Cloudflare's policy page was to figure out from your experience if those claims are enough to go by or there's more to it than what they write, given your experience of course.
I wasn't trying to downplay Pihole and the work you're doing.
As I stated, I'm happy to read if there's a good source you can refer me to. But in any case, my questions were designed to educate myself and that's it. I simply want to make the better choices given what I learn as I go.

example of guides:

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients

Thank you, Dan.


Understood. I'll enable it. I think it's worthwhile mentioning this in your document for setting up Unbound.

This^
But if I learnt well, encrypting DNS negates recursive DNS.

I have NordVPN and I use it mainly when I use torrent/Kodi. I was hoping I could use the privacy of nordVPN, but using Pihole as the DNS in such a way there won't be any DNS leaks.

Thanks heaps.

You don't know if the claims are true, and unless you can verify them you have to plan on the fact that they are not.

I wouldn't say .link domains are all that common. There's one guide you need to follow and that's it.

Yes, there is no need to encrypt queries to your own recursive resolver; unbound on the same device as Pi-hole will talk without even leaving the device's memory.
