Unbound or stubby


#1

I recently saw there are basically three setups people use:

  1. unbound
  2. stubby
  3. unbound and then stubby behind it

I kind of understood that with just unbound you do not need to connect to, for example, Google's server in between, and with stubby you need to, but therefore you could use encryption on it. But what's the advantage of using unbound and stubby behind it? (I am kind of new to the DNS stuff, so I am probably missing something pretty obvious here :wink: )


#2

The basic differences:

  1. Stubby is “an application that acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine (desktop or laptop) to a DNS Privacy resolver increasing end user privacy.” Stubby is basically an encryption stub that encrypts the DNS traffic between you and an upstream resolver.

  2. Unbound is “a caching DNS resolver.” It directly communicates with the authoritative name servers and does the resolving itself, avoiding the need for an upstream resolver. It has very efficient caching and is generally quite fast.

In my opinion, there is no advantage. By itself, unbound has the advantage that you don’t have to trust any upstream DNS service with your entire DNS history. It runs locally, it is secure and fast. It uses DNSSEC to validate that the answer from the authoritative servers is not altered in transit. The setup per the guide here (https://docs.pi-hole.net/guides/unbound/), which also nicely explains how unbound works, takes maybe 15 minutes.

The general argument for using encrypted DNS is to hide the DNS traffic from an ISP. The weakness in this argument is that even if you do mask your DNS queries (the ISP doesn’t know you are looking for domain xyz), after the DNS resolver gives you the answer, you immediately ask the ISP for the IP address of domain xyz, so the ISP knows where your traffic is going anyway. The other argument for encrypted DNS is that the traffic goes in an encrypted tunnel and won’t be tampered with. With DNSSEC, unbound verifies that received IP addresses are as sent by the name servers.

Summary - Stubby encrypts your DNS traffic to an upstream provider. You have to trust both the upstream provider and your ISP. Unbound communicates directly with the authoritative name servers, eliminating the upstream DNS server. You only have to trust yourself and the ISP.

For these reasons, I prefer unbound and run it on each of my Pi-Hole installations.
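As an added example that is not part of the original posts: a way to check the DNSSEC point above by sending a plain DNS query with the DO bit set and reading the AD flag and RCODE in the reply header. The resolver address `127.0.0.1`, port `5335`, and the helper names are assumptions, and the sample reply headers are constructed so the block runs offline.

```python
import socket
import struct

def build_query(name, qtype=1, qid=0x1234):
    """Plain DNS query with RD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)      # QTYPE, QCLASS=IN
    # OPT RR: root owner, TYPE 41, CLASS = UDP size, TTL field holds DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def classify(response):
    """Read the header flags of a reply from a validating resolver."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode, ad = flags & 0x000F, bool(flags & 0x0020)
    if rcode == 2:
        return "servfail"      # validators answer SERVFAIL for bogus data
    if rcode == 0:
        return "validated" if ad else "unvalidated"
    return f"rcode-{rcode}"

def ask(name, server="127.0.0.1", port=5335, timeout=3.0):
    """Send the query to a local resolver; address and port are assumptions."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return classify(s.recvfrom(4096)[0])

# Constructed 12-byte reply headers (not captured traffic), for offline use.
SIGNED_OK = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD
UNSIGNED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)   # QR RD RA
BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)      # rcode 2

if __name__ == "__main__":
    for label, hdr in (("signed", SIGNED_OK), ("unsigned", UNSIGNED), ("bogus", BOGUS)):
        print(label, "->", classify(hdr))
```

The bytes returned by `build_query` contain the queried name unencrypted, which is what anyone on the path sees when the query is not wrapped in TLS. A "servfail" result can also come from an ordinary resolution failure, so compare a known-signed name against a deliberately broken test zone.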


#3

ty for the clarification. Then I will definitely go with unbound.


#4

The benefits are primarily for those using DNS over HTTPS (notwithstanding the tradeoffs in the post above): stubby’s support for pipelining and so on is generally better than using unbound to communicate directly with the DoH servers, while you get the finer-grained local control that unbound provides.