Unbound doesn't work

I think I may have found a hint below:

The above looks awkward and, to my knowledge, should resemble the below or similar for unbound v1.9:

pi@ph5a:~ $ sudo unbound-control lookup .
The following name servers are used for lookup of .
[..]
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:503:ba3e::2:30     not in infra cache.
198.41.0.4              expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:200::b         not in infra cache.
199.9.14.201            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:2::c           not in infra cache.
192.33.4.12             expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:2d::d          not in infra cache.
199.7.91.13             expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:a8::e          not in infra cache.
192.203.230.10          expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:2f::f          not in infra cache.
192.5.5.241             expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:12::d0d        not in infra cache.
192.112.36.4            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:1::53          not in infra cache.
198.97.190.53           expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:7fe::53            not in infra cache.
192.36.148.17           expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:c27::2:30      not in infra cache.
192.58.128.30           expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:7fd::1             not in infra cache.
193.0.14.129            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:9f::42         not in infra cache.
199.7.83.42             expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:dc3::35            not in infra cache.
202.12.27.33            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.

And the NoAuthButRecursive bit looked familiar to me:

Check out the solution for that one.
There might be some DNS filtering/redirecting going on upstream that bugs the system.

2 Likes

The issue I have is ISP-level DNS hijacking, like the topic you mentioned. Sadly, I cannot turn it off.

Iran is using both DNS hijacking and DPI to block internet access to many services. I thought Unbound could fix that issue for me. Apparently not.

1 Like

Well, if they sniff properly, there is no way to fix this with DNS only.
Everything SSL/TLS related will get sniffed for the unencrypted SNI that's communicated:

So even if you get the DNS right, they are still able to block/filter:

pi@ph5b:~ $ curl -I https://pi-hole.net
HTTP/1.1 200 OK
[..]
pi@ph5b:~ $ sudo tcpdump -nqtX tcp port 443
[..]
IP 10.0.0.4.49146 > 3.18.136.52.443: tcp 517
[..]
        0x00c0:  0100 0175 0000 0010 000e 0000 0b70 692d  ...u.........pi-
        0x00d0:  686f 6c65 2e6e 6574 000b 0004 0300 0102  hole.net........

Sounds like you have to go the VPN way to get through.

No indeed, and it doesn't make any promises matching that purpose.
unbound is querying the authoritative DNS servers instead of your ISP's or some other public DNS resolvers. That may add to your privacy, as no public DNS resolver would have your DNS history to analyse - but if DNS traffic is forcefully redirected, that would not work, obviously.

Is there any way of getting around DNS poisoning? If Unbound isn't the solution, what is?

I want to have Pi-hole locally for speed reasons.

Difficult.
Traditional Do53 (DNS over port 53) is easy to block because it doesn't have encryption.
DoT can be blocked by blocking the DoT servers, like those of Cloudflare:

And even DoH depends on TLS for which we know they can sniff the SNI:

And known VPN providers can be blocked also.
