/etc/unbound/unbound.conf.d $ ls
pi-hole.conf qname-minimisation.conf root-auto-trust-anchor-file.conf
whereas
cat qname-minimisation.conf
server:
# Send minimum amount of information to upstream servers to enhance
# privacy. Only sends minimum required labels of the QNAME and sets
# QTYPE to NS when possible.
# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
# details.
qname-minimisation: yes
and
dig txt qnamemintest.internet.nl +short
a.b.qnamemin-test.internet.nl.
"NO - QNAME minimisation is NOT enabled on your resolver :("
I ran a test on the web addresses listed in the referenced document (page 34 of 42 in the document) with QNAME minimisation enabled - I was able to resolve them all with dig.
I suspect that since the date of that paper (May 2015) the noted problems at the authoritative name servers have been corrected.
I am running two setups of unbound and Pi-Hole; identical but on different Pi's. One has QNAME off, the other has QNAME on. I cannot see any difference in DNS resolution between the two.
Thanks for testing it so thoroughly. It's good to know that we don't have to expect issues from possible system-provided config files that enable qname minimisation without the (explicit) knowledge of the user.
I support the approach the PiHole developers take for installing add-ons (unbound, DNS over HTTPS, etc) - give detailed guides, explain the ramifications of various settings, let the user install as he/she desires. I prefer that to a "click here and it's installed" approach. I'm not that handy around Unix and I've been able to follow your guides nicely.
I've read in the feature requests for DNS over TLS the discussion on that topic. I'm in your camp on this one.
I have simply modified the qname-minimisation.conf to be set to "no". Reading jfb's information that so far he sees no difference between his two configurations (one qname-minimisation on and one off), is the recommendation still to disable this?
I did this based on approx 12% of queries failing on a few of the large CDN hosts. If it is now reliable I would change it to "yes" again to benefit from better privacy.
I'd be interested in others' opinions on this, thanks.
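The two practical questions in this thread are "which file is actually setting qname-minimisation on my box?" (the concern about system-provided config files above) and "did my edit to qname-minimisation.conf take effect?" (the post that set it to "no"). The script below is an added example written for this thread, not code from Pi-hole or unbound. It scans an unbound include directory, ignores commented-out lines, and reports every file that sets the option plus the effective value. It assumes the Debian/Pi-hole layout where the main unbound.conf includes `/etc/unbound/unbound.conf.d/*.conf`; the demo directory and its files are constructed here. Unbound assigns a scalar option each time it parses it, so the last occurrence wins; the script processes files in sorted name order, which is an assumption about include order rather than something unbound guarantees, so treat more than one hit as a conflict to resolve by hand.

```shell
#!/bin/sh
# Added example for this thread (not Pi-hole or unbound code).
# Audit an unbound include directory for qname-minimisation settings.
# Assumption: files are applied in sorted name order; a real audit
# should confirm the include order in the main unbound.conf.

# qname_min_settings DIR
# Print "file value" for every active (uncommented) qname-minimisation
# line under DIR. Accepts any indentation and "key:value" or "key: value".
qname_min_settings() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Drop comments first so "# qname-minimisation: no" is ignored,
        # then match only the exact option (not qname-minimisation-strict).
        sed -e 's/#.*$//' "$f" |
        awk -v file="$f" '
            $1 ~ /^qname-minimisation:/ {
                v = $0
                sub(/^[ \t]*qname-minimisation:[ \t]*/, "", v)
                sub(/[ \t]+$/, "", v)
                print file, v
            }'
    done
    return 0
}

# qname_min_effective DIR
# Print the value that wins ("yes" or "no"), or "unset" if no file sets it.
qname_min_effective() {
    out=$(qname_min_settings "$1" | tail -n 1)
    if [ -z "$out" ]; then
        echo unset
    else
        echo "$out" | awk '{print $NF}'
    fi
}

# qname_min_conflicts DIR
# Number of files that set the option. More than one means something
# other than the admin's own file is also setting it.
qname_min_conflicts() {
    qname_min_settings "$1" | wc -l | tr -d ' '
}

# Constructed demo directory mirroring the listing in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/pi-hole.conf" <<'EOF'
server:
    interface: 127.0.0.1
    port: 5335
EOF
cat > "$demo_dir/qname-minimisation.conf" <<'EOF'
server:
    # qname-minimisation: no   <- commented out, must be ignored
    qname-minimisation: yes
EOF

echo "settings found:"
qname_min_settings "$demo_dir"
echo "effective: $(qname_min_effective "$demo_dir")"
echo "files setting it: $(qname_min_conflicts "$demo_dir")"
rm -rf "$demo_dir"
```

Run it against the real directory with `qname_min_settings /etc/unbound/unbound.conf.d`; after changing the value, `unbound-checkconf` followed by a service restart and the `dig txt qnamemintest.internet.nl +short` check from the first post confirms that the running resolver agrees with the file on disk.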