Unbound, ISP inserting, DoH

I am running Pi-hole (updated) with Unbound, so on that part all is OK.

The ISP, on the other hand, inserts because it can.

If I enable DoH in Firefox, all the ISP inserting is gone.

What are my options? Do I need to remove Unbound and just go with DoH?

Unbound supports DoT, and the newest version also DoH. That way you can keep using Pi-hole and have DNS requests from all clients encrypted.

Any documentation on that?

I couldn't find it in the Pi-hole docs but the drop-in config from the DietPi docs for DoT works (Activating DNS over TLS (DoT) tab): https://dietpi.com/docs/software/dns_servers/#unbound

DoT uses a special port as well, so while the ISP is not able to see the content (due to encryption), it is able to see that you are doing DNS requests. DoH uses HTTPS port 443, so requests are then hidden among common HTTPS requests, while of course they can be identified as going to the IP of a public DNS provider. So I'm not sure what you need. For DoH I'd also need to check the Unbound documentation.

Another alternative for DoH is Cloudflare's cloudflared: https://docs.pi-hole.net/guides/dns/cloudflared/

For anyone reading, this is better tested with nextdns.io since they give you an ID and you know whether you use them or not.

Simply inserting that in the config file doesn't stop the ISP insert; I need to do more reading.

You mean you use NextDNS as upstream in Unbound and requests weren't recorded there? DNS insertion is not possible with DoT as the requested hostname is encrypted, so your ISP wouldn't be able to give any reasonable answer :?. And the appended hostname in the forward-addr should prevent the ISP from faking itself as upstream DNS (same as with HTTPS).

As configuration files are parsed in alphabetical order, please ensure that the one for DoT is sorted behind the base config, or, as an alternative, add the config block at the end of the same config. Also don't forget to restart Unbound:

systemctl restart unbound

And to check logs:

journalctl -u unbound

And test the DNS via:

dig pi-hole.net @127.0.0.1 -p 5335

or specifically the hostname you believe your ISP is interfering.
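The steps in this reply, as an added shell example that is not from the thread, from Pi-hole or from DietPi: it writes the DoT forward-zone block into a drop-in whose name sorts after the base config, checks that the upstream on port 853 is reachable and presents a valid certificate, validates the config, restarts Unbound, shows the recent log lines and runs the dig test. The drop-in directory, the base config file name, the listening port 5335 and Cloudflare's public resolvers as DoT upstream are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread, Pi-hole or DietPi): creates an Unbound
# DoT forward-zone drop-in named so that it parses after the Pi-hole base
# config, validates it, and exercises the resolver the way the reply above
# describes. Assumptions: the drop-in directory and the base config file name,
# the listening port 5335, and Cloudflare's public resolvers as DoT upstream.

UNBOUND_DIR="${UNBOUND_DIR:-/etc/unbound/unbound.conf.d}"
BASE_CONF="pi-hole.conf"        # assumed name of the existing Pi-hole config
DOT_CONF="zz-dot-forward.conf"  # 'zz-' so it sorts after the base config
CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"

# Success when file name $2 sorts after $1 in the C locale; the drop-ins are
# read in that order, so the DoT block must come after the base config.
sorts_after() {
    first=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)
    if [ "$1" != "$2" ] && [ "$first" = "$1" ]; then
        return 0
    fi
    return 1
}

# Print the DoT forward-zone. The '#hostname' suffix on each forward-addr
# makes Unbound verify the upstream's certificate against that name, so a
# middlebox on port 853 cannot pose as the upstream resolver.
dot_forward_zone() {
    cat <<EOF
server:
    tls-cert-bundle: "$CA_BUNDLE"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
EOF
}

# Write the drop-in into directory $1 (default: the live Unbound directory)
# and print its path; refuses a name that would be read before the base config.
write_dot_conf() {
    dir="${1:-$UNBOUND_DIR}"
    if ! sorts_after "$BASE_CONF" "$DOT_CONF"; then
        echo "refusing: $DOT_CONF would be read before $BASE_CONF" >&2
        return 1
    fi
    dot_forward_zone > "$dir/$DOT_CONF"
    echo "$dir/$DOT_CONF"
}

# Success when a dig answer (passed as $1) names the expected local resolver
# in its SERVER line ($2, as ip#port) rather than some other responder.
answered_by() {
    printf '%s\n' "$1" | grep -q "^;; SERVER: $2"
}

# Confirm port 853 is reachable and the upstream presents a certificate valid
# for the name Unbound will check; a failure here means DoT cannot work yet.
dot_upstream_ok() {
    openssl s_client -connect 1.1.1.1:853 -servername cloudflare-dns.com \
        -verify_return_error </dev/null >/dev/null 2>&1
}

apply_and_test() {
    dot_upstream_ok || { echo "DoT upstream unreachable or certificate invalid" >&2; return 1; }
    write_dot_conf >/dev/null || return 1
    unbound-checkconf || return 1             # syntax check before restarting
    systemctl restart unbound
    journalctl -u unbound -n 20 --no-pager    # recent log lines, as in the reply
    out=$(dig pi-hole.net @127.0.0.1 -p 5335)
    printf '%s\n' "$out"
    answered_by "$out" "127.0.0.1#5335"
}

# Only touch the live system when invoked as: sh setup-unbound-dot.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_and_test
fi
```

Invoked with the word apply it changes the live system; without it the functions can be sourced and tried against a scratch directory first. The openssl check is worth keeping separate from the restart: if port 853 is filtered, the symptom after a restart is a resolver that answers nothing, and the journal lines then only tell you that the upstream timed out.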

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37429
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;lelibros.online. IN A

;; ANSWER SECTION:
lelibros.online. 300 IN A 104.21.90.212
lelibros.online. 300 IN A 172.67.161.106

;; Query time: 870 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Mon Sep 27 22:18:21 BST 2021
;; MSG SIZE rcvd: 76

Yet somehow the ISP still injects.

curl -v -k https://thepiratebay.org/
*   Trying 162.159.136.6:443...
* Connected to thepiratebay.org (162.159.136.6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=thepiratebay.org
*  start date: Dec 16 13:07:49 2016 GMT
*  expire date: Dec 16 13:07:49 2026 GMT
*  issuer: C=ES; ST=Madrid; L=Madrid; O=Allot; OU=Allot; CN=allot.com/emailAddress=info@allot.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> Host: thepiratebay.org
> User-Agent: curl/7.78.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 502 Bad Gateway
< Content-Type: text/html
< Content-Length: 122
< 
* Connection #0 to host thepiratebay.org left intact
<html><body><p>Contenido bloqueado por requerimiento de la Autoridad Competente, comunicado a esta Operadora</body></html>%
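Reading the two outputs above together, as an added shell example that is not part of the thread: the dig answer is genuine (Cloudflare addresses, served by 127.0.0.1#5335, the local Unbound), while the curl trace shows a certificate chain issued by "Allot" that does not verify, a 502 and a block page. That places the interception on the TLS/HTTP path, which no change to DNS encryption affects. The script below classifies such a curl -v trace; the sample traces are constructed from the posted lines plus a clean one for comparison, and the script name in the usage comments is an assumption.

```shell
#!/bin/sh
# Added example (not from this thread): classifies a 'curl -v' trace such as
# the one above. The dig output shows a genuine answer from the local Unbound
# (Cloudflare addresses, SERVER 127.0.0.1#5335), while the curl trace shows a
# chain issued by "Allot" that does not verify and a 502 carrying a block page:
# the interception sits on the TLS/HTTP path, so DNS encryption cannot change it.
# The sample traces below are constructed from the posted lines.

sample_trace() {
    cat <<'EOF'
* Connected to thepiratebay.org (162.159.136.6) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* Server certificate:
*  subject: CN=thepiratebay.org
*  start date: Dec 16 13:07:49 2016 GMT
*  expire date: Dec 16 13:07:49 2026 GMT
*  issuer: C=ES; ST=Madrid; L=Madrid; O=Allot; OU=Allot; CN=allot.com/emailAddress=info@allot.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
< HTTP/1.1 502 Bad Gateway
< Content-Type: text/html
<html><body><p>Contenido bloqueado por requerimiento de la Autoridad Competente, comunicado a esta Operadora</body></html>
EOF
}

# A trace from an uninterfered connection, for comparison (constructed).
sample_clean_trace() {
    cat <<'EOF'
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=example.com
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
< HTTP/1.1 200 OK
EOF
}

# Organisation (O=) of the issuer of the presented certificate, from stdin.
trace_issuer_org() {
    sed -n 's/^\*  issuer: .*O=\([^;]*\);.*/\1/p' | head -n 1
}

# Three-digit status of the first HTTP response line, from stdin.
trace_http_status() {
    sed -n 's/^< HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p' | head -n 1
}

# Success when curl reported a verification failure. That line only appears
# because -k was used; without -k the connection is refused, and the refusal
# is the signal to act on, not something to suppress.
trace_verify_failed() {
    grep -q 'SSL certificate verify result:'
}

# Read a trace on stdin and print one verdict line.
classify_trace() {
    trace=$(cat)
    issuer=$(printf '%s\n' "$trace" | trace_issuer_org)
    status=$(printf '%s\n' "$trace" | trace_http_status)
    if printf '%s\n' "$trace" | trace_verify_failed; then
        printf 'INTERCEPTED issuer=%s http=%s\n' "${issuer:-unknown}" "${status:-none}"
    else
        printf 'CLEAN issuer=%s http=%s\n' "${issuer:-unknown}" "${status:-none}"
    fi
}

# Live check with verification left on: prints the issuer actually presented
# for host $1, so an unexpected organisation stands out immediately.
probe_issuer() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

case "${1:-}" in
    classify) classify_trace ;;      # curl -v https://host 2>&1 | sh check-tls.sh classify
    probe)    probe_issuer "$2" ;;   # sh check-tls.sh probe host
esac
```

The verdict on the posted trace is driven by the verify line, not by the block page text: a middlebox that served a neutral-looking page would still be caught, because it cannot present a chain that validates for the requested name.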

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.