OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: Inxsible on October 01, 2022, 05:38:37 pm

Title: Changing the DNS provider
Post by: Inxsible on October 01, 2022, 05:38:37 pm
Hi,

I currently use Unbound in Resolver mode. I have DNSSEC enabled in its configuration. I use 19+ host overrides to access my LAN-only services like vaultwarden, nextcloud etc. I also use all the Unbound blocklists (except Blocklist.site Youtube) to block ads etc. and have whitelisted alt*.gstatic.com because without it, my chromebooks just kept losing the Wifi connection.

I had some time to tinker and I thought I'd try and setup up DOH or DOT and I went down the rabbit hole to learn about AdGuard Home, NextDNS and all their history about AGH being Russian but operating in Cyprus and both having a 300K query limit on the free account etc etc.

I liked that people consistently mentioned that AGH and NextDNS ad-blocking is better than Unbound. It's also easier to maintain the blocklists and UI is better too. Also Unbound takes a long time to restart if and when I make any changes say adding a new host override or changing blocklists or just any other maintenance, so switching might be a good idea for me.

I also read that some ISPs are forwarding the DNS query requests to their own DNS servers irrespective of which server you have set up (https://www.reddit.com/r/pihole/comments/ue08c9/comment/i6ka8mv/?utm_source=share&utm_medium=web2x&context=3). So I did a DNS Leak Test and sure enough, I see a Comcast DNS server being used rather than my local Opnsense firewall. Weirdly, running the same test in Chrome tells me I used Comcast DNS, but in Firefox it tells me I am using Cloudflare -- so I am even more confused, but that is for another topic I guess.

My assumption is that using a local resolver is better than a forwarder to keep your latency lower (which is why I opted for Unbound rather than dnsmasq in the first place) and also for privacy.

The rabbit hole that I went through led me to read a lot of things and I have some questions based on what I read:


Please spread your knowledge of DNS and its workings and enlighten me.

Thank you,
Title: Re: Changing the DNS provider
Post by: Patrick M. Hausen on October 01, 2022, 06:01:42 pm
AdGuard Home is a local recursive DNS server with filter lists. No information is given to anyone and there is no limit I was aware of. You are probably confusing AdGuard Home with AdGuard DNS.
Title: Re: Changing the DNS provider
Post by: Inxsible on October 01, 2022, 06:09:57 pm
AdGuard Home is a local recursive DNS server with filter lists. No information is given to anyone and there is no limit I was aware of. You are probably confusing AdGuard Home with AdGuard DNS.
Possibly. I read so much over the last 24 hours, that I could have easily confused the two.

So AGH is a self-hosted resolver and AdGuardDNS has a 300K limit? Which upstream DNS does AGH use by default then?
Title: Re: Changing the DNS provider
Post by: Patrick M. Hausen on October 01, 2022, 08:09:00 pm
So AGH is a self-hosted resolver and AdGuardDNS has a 300K limit? Which upstream DNS does AGH use by default then?
I don't know about AdGuard DNS. I do not use upstream servers. AdGuard Home uses whatever you point it to, e.g. a local BIND or Unbound installation. BIND in my case.

You are aware that DNS "just works" without any upstream? And that running your local resolver in exactly this way is the best way to maximize privacy?

Here's a description of the process I wrote some time ago:
https://forum.opnsense.org/index.php?topic=22760.msg108462#msg108462
Title: Re: Changing the DNS provider
Post by: Inxsible on October 01, 2022, 09:41:54 pm
You are aware that DNS "just works" without any upstream? And that running your local resolver in exactly this way is the best way to maximize privacy?

Wrong choice of term on my part I guess. I just meant, does it work as a forwarder with an upstream server. And yes, I am aware that a resolver is not the only thing that is needed. It, of course, needs to contact other root servers until it builds its cache and still continues doing so for all the cache-misses.
Title: Re: Changing the DNS provider
Post by: Patrick M. Hausen on October 01, 2022, 11:08:41 pm
AdGuard Home does accept recursive queries - of course - but cannot do the recursion on its own starting at the root servers. It needs another server to forward to.

I like to set up both AGH and BIND to listen on localhost only with AGH forwarding to BIND. Then in VLANs with ad blocking I port forward/NAT 53/UDP+TCP to AGH and in VLANs without ad blocking directly to BIND, bypassing AGH.

This also solves the problem with AGH and CARP addresses (bug in the FreeBSD Golang port).
Title: Re: Changing the DNS provider
Post by: Inxsible on October 02, 2022, 05:22:02 am

I don't know about AdGuard DNS. I do not use upstream servers. AdGuard Home uses whatever you point it to, e.g. a local BIND or Unbound installation. BIND in my case.
So if you are using your local BIND, then how does the ad-blocking of AdGuard Home help? I was under the impression that using AdGuardDNS or NextDNS as the service is how the ads are blocked at the DNS level. Or is that an incorrect assumption?
Title: Re: Changing the DNS provider
Post by: Patrick M. Hausen on October 02, 2022, 08:43:47 am
Client queries AdGuard Home, AdGuard Home queries BIND, AdGuard Home applies block lists to result, delivers result or 0.0.0.0 depending on blocklist entry.

Blocklist management, statistics, exceptions, all in a very nice and convenient UI with AGH.
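The query path Patrick describes, as an added example that is not part of the thread or of AdGuard Home's own code: a small Python model that parses a hosts-format list (the StevenBlack layout mentioned later in the thread) and AdGuard-syntax rules, applies them the way AGH does, and otherwise returns whatever a constructed stand-in for the local BIND answers. The list contents, the UPSTREAM table and all domain names are constructed; blocked names are answered with 0.0.0.0 before any upstream lookup.

```python
"""Model of the query path described above: client -> AdGuard Home -> BIND,
with the block lists applied by AGH (added example, not AGH code)."""
import fnmatch
from typing import Optional

class BlockFilter:
    """Parsed lists. Hosts-format entries block one exact name; ||name^
    rules block the name and every subdomain; @@ rules are exceptions."""

    def __init__(self) -> None:
        self.exact: set = set()
        self.suffix: set = set()
        self.allow_globs: list = []

    def load(self, text: str) -> None:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line or line.startswith("!"):          # '!' comments (AdGuard)
                continue
            if line.startswith("@@||") and line.endswith("^"):
                self.allow_globs.append(line[4:-1].lower())
            elif line.startswith("||") and line.endswith("^"):
                self.suffix.add(line[2:-1].lower())
            else:                                          # hosts format: "0.0.0.0 name"
                parts = line.split()
                if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
                    self.exact.update(h.lower() for h in parts[1:])

    def is_blocked(self, name: str) -> bool:
        name = name.lower().rstrip(".")
        if any(fnmatch.fnmatchcase(name, g) for g in self.allow_globs):
            return False                                   # exception wins
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        return name in self.exact or bool(parents & self.suffix)

# Constructed stand-in for the local BIND/Unbound that AGH forwards to.
UPSTREAM = {
    "nextcloud.lan": "192.168.1.50",          # LAN-only host override
    "ads.example.net": "198.51.100.7",
    "alt1.gstatic.example": "203.0.113.10",
}

def bind_lookup(name: str) -> Optional[str]:
    return UPSTREAM.get(name.lower().rstrip("."))   # None == NXDOMAIN

def answer(name: str, flt: BlockFilter, upstream=bind_lookup) -> Optional[str]:
    """AGH's decision: a listed name gets 0.0.0.0 and never reaches the
    upstream; anything else is whatever the resolver returned."""
    if flt.is_blocked(name):
        return "0.0.0.0"
    return upstream(name)

# Constructed excerpts in the two list formats AGH accepts.
HOSTS_LIST = """\
# hosts-format lines, the layout used by the StevenBlack list
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
"""
ADGUARD_LIST = """\
! AdGuard syntax: block a whole domain tree, then carve out an exception
||doubleclick.example^
||gstatic.example^
@@||alt*.gstatic.example^
"""

def build_filter() -> BlockFilter:
    flt = BlockFilter()
    flt.load(HOSTS_LIST)
    flt.load(ADGUARD_LIST)
    return flt
```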
Title: Re: Changing the DNS provider
Post by: hushcoden on October 02, 2022, 12:55:34 pm
You are aware that DNS "just works" without any upstream? And that running your local resolver in exactly this way is the best way to maximize privacy?

Here's a description of the process I wrote some time ago:
https://forum.opnsense.org/index.php?topic=22760.msg108462#msg108462
1. If I understood correctly, by enabling DoT, I enable a bunch of upstream servers whose owner has visibility of which pages I'm requesting/visiting, but my ISP just sees encrypted packets, hence I'm transferring my 'privacy' from my ISP to that third-party company, is that right?

2. If I just use Unbound, then it will query one of the root servers and at the end my client (i.e. laptop) will get the IP address requested: does it mean my ISP can see which pages I'm visiting?

Tia.
Title: Re: Changing the DNS provider
Post by: Patrick M. Hausen on October 02, 2022, 02:40:09 pm
1. Correct.
2. No, the ISP cannot see which DNS names you are resolving - at least not at the DNS level, if you are not using your ISP's resolvers.

The ISP can theoretically sniff all your unencrypted traffic including your self managed DNS queries.

I trust any European ISP bound by GDPR far more than any of the global DoT providers. Transport layer encryption of DNS queries is a strawman, IMHO.

And while we are at it: same for "VPN" for privacy. You are handing all your traffic to a single entity. Good luck with that. I can understand the desire to circumvent geoblocking, but VPNs do not enhance privacy.
Title: Re: Changing the DNS provider
Post by: hushcoden on October 02, 2022, 09:24:51 pm
Thanks for the clarification.

Disabling DoT and running DNS leak test I get as result I'm using my ISP DNS servers which I believe is expected, is that right?
I thought Unbound was taking care of querying root DNS servers without going through my ISP DNS servers, but I guess I misunderstood?

If I don't want to use those DNS servers, is DoT the only possible alternative solution?

Tia.
Title: Re: Changing the DNS provider
Post by: Patrick M. Hausen on October 02, 2022, 10:49:05 pm
I am not using Unbound but BIND. That by default implements a full-featured resolver that does not use your ISP's resolvers as forwarders.

I would have a look at the Unbound config as it is written by the UI and if you find any upstream servers, then look for the options in System > Settings > General.

Unfortunately for historical reasons there are options that apply to DNS spread across various parts of the UI. Maybe someone who uses Unbound can assist.

What do you need to set in the UI to have Unbound work on its own without any forwarder?

HTH,
Patrick
Title: Re: Changing the DNS provider
Post by: Inxsible on October 03, 2022, 01:59:16 am
What do you need to set in the UI to have Unbound work on its own without any forwarder?

1. Services --> Dnsmasq DNS
Enable Dnsmasq = False

2. Services --> Unbound DNS --> General
Enable Unbound = True

3. System --> Settings --> General
DNS Servers --- Do not list any DNS servers (since you don't want to use anything except your local DNS server)
DNS search domain -- Empty
DNS server options --
        Allow DNS server list to be overridden by DHCP/PPP on WAN -- Unchecked
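One way to check the result of these steps against what the UI actually wrote, as Patrick suggests above; this is an added example, not OPNsense code. It parses unbound.conf text for forward-zone entries and reports whether Unbound is a pure resolver or a forwarder (plain or DoT). Both config excerpts are constructed; the trust-anchor path and the 1.1.1.1 forwarder are illustrative.

```python
"""Inspect the Unbound config OPNsense writes for forwarders (added example)."""
import re
from dataclasses import dataclass, field

@dataclass
class UnboundSummary:
    forwarders: list = field(default_factory=list)   # (zone, upstream) pairs
    tls_upstream: bool = False                       # DoT to the forwarders
    dnssec: bool = False                             # trust anchor configured
    local_overrides: list = field(default_factory=list)

def parse_unbound_conf(text: str) -> UnboundSummary:
    """Walk the config line by line, tracking the current clause
    (server:, forward-zone:, ...) much as unbound's own parser does."""
    summary = UnboundSummary()
    clause = zone = None
    for raw in text.splitlines():
        # '#' starts a comment only at line start or after whitespace;
        # inside a token it is the auth-name separator of forward-addr.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:     # clause header
            clause, zone = line[:-1], None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if clause == "forward-zone":
            if key == "name":
                zone = value
            elif key == "forward-addr":
                summary.forwarders.append((zone, value))
            elif key == "forward-tls-upstream" and value == "yes":
                summary.tls_upstream = True
        elif clause == "server":
            if key == "auto-trust-anchor-file":
                summary.dnssec = True
            elif key == "tls-upstream" and value == "yes":
                summary.tls_upstream = True
            elif key == "local-data":
                summary.local_overrides.append(value)
    return summary

def resolver_mode(summary: UnboundSummary) -> str:
    """Classify what a leak test will show: a true resolver talks to the
    root servers itself; a forwarder hands every query to its upstream."""
    if not summary.forwarders:
        return "recursive"
    return "forwarder-dot" if summary.tls_upstream else "forwarder"

# Constructed sample: a resolver with DNSSEC and one host override, no forwarder.
RECURSIVE_CONF = """\
server:
    interface: 192.168.1.1
    auto-trust-anchor-file: "/var/unbound/root.key"
    local-data: "adguard.mydomain.com A 192.168.1.1"   # host override
remote-control:
    control-enable: yes
"""

# Constructed sample: the same box after enabling DNS-over-TLS forwarding.
DOT_CONF = RECURSIVE_CONF + """\
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-tls-upstream: yes
"""
```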
       
Title: Re: Changing the DNS provider
Post by: Inxsible on October 03, 2022, 02:54:50 am
Reverting back to my original questions:
Title: Re: Changing the DNS provider
Post by: Patrick M. Hausen on October 03, 2022, 07:28:43 am
AdGuard Home needs an additional recursive resolver. It does filtering only.

The filter implementation in Unbound is a bit naive^H^H^H^H^Hstraightforward. Filter lists are pulled from their respective sources, translated into configuration statements, and loaded as unbound configuration.

This leads to two undesirable effects:

- the startup/restart time of Unbound can get really long
- if there is just a single syntax error in just one of the lists, Unbound will fail to start

AdGuard Home on the other hand is designed from the start as an ad filter and can easily cope with both issues.

And then: have you ever TRIED AdGuard Home? I mean just look at the UI - isn't that a huge feature by itself?

As for the second question - I don't know. Not needing a separate VM, possibly? Some people might have only one firewall device? What's the disadvantage of running AGH on your OPNsense? I don't see any.
Title: Re: Changing the DNS provider
Post by: cookiemonster on October 03, 2022, 11:23:20 am
I second that view. I moved from pihole on a vm to AdguardHome on OPN. Both point to Unbound on OPN.
The filtering is done and the stats page is useful on ADG, as it is its main purpose.
The load on OPN has been acceptable and I was able to take a VM out of commission.
Title: Re: Changing the DNS provider
Post by: lilsense on October 03, 2022, 11:33:57 am
I prefer PiHole which goes deeper than just IP of unbound and allows you to add regular expressions from the URL to block these from showing ads. I use this at home so that all the not so "Smart TVs" show no advertisements.
Title: Re: Changing the DNS provider
Post by: hushcoden on October 03, 2022, 01:06:58 pm
1. Services --> Dnsmasq DNS
Enable Dnsmasq = False

2. Services --> Unbound DNS --> General
Enable Unbound = True

3. System --> Settings --> General
DNS Servers --- Do not list any DNS servers (since you don't want to use anything except your local DNS server)
DNS search domain -- Empty
DNS server options --
        Allow DNS server list to be overridden by DHCP/PPP on WAN -- Unchecked
       
I believe it now works, as if I do a DNS leak test I get as result my IP address and not the ISP DNS servers' IP addresses, is that right?

tia.
Title: Re: Changing the DNS provider
Post by: cookiemonster on October 03, 2022, 01:26:07 pm
I prefer PiHole which goes deeper than just IP of unbound and allows you to add regular expressions from the URL to block these from showing ads. I use this at home so that all the not so "Smart TVs" show no advertisements.
Unless I misunderstand what you do, AGH does the same or similar. I use that too.
Title: Re: Changing the DNS provider
Post by: lilsense on October 03, 2022, 02:59:12 pm
Last I tried it the Regex scripts were not supported by AGH.
Title: Re: Changing the DNS provider
Post by: Inxsible on October 03, 2022, 04:30:07 pm
AdGuard Home needs an additional recursive resolver. It does filtering only.
Ok thanks. Then it would need some other DNS service (local or otherwise) to be able to serve the domain names.

The filter implementation in Unbound is a bit naive^H^H^H^H^Hstraightforward. Filter lists are pulled from their respective sources, translated into configuration statements, and loaded as unbound configuration.

This leads to two undesirable effects:

- the startup/restart time of Unbound can get really long
- if there is just a single syntax error in just one of the lists, Unbound will fail to start

AdGuard Home on the other hand is designed from the start as an ad filter and can easily cope with both issues.

And then: have you ever TRIED AdGuard Home? I mean just look at the UI - isn't that a huge feature by itself?
Ok that helps a lot. I might have to look into installing AGH and tinker around a bit.

As for the second question - I don't know. Not needing a separate VM, possibly? Some people might have only one firewall device? What's the disadvantage of running AGH on your OPNsense? I don't see any.
I know that usually people don't have a lot of machines to separate devices, but as I said, I already have a Proxmox server, so firing up a new container is not difficult. Plus I am more comfortable in a linux environment compared to the FreeBSD cli. Also, I wouldn't have to add a 3rd party repo in my firewall.
But on the other hand, I do see the advantage of putting the DNS server on the firewall itself for the least amount of latency possible.
Title: Re: Changing the DNS provider
Post by: cookiemonster on October 03, 2022, 10:45:52 pm
Last I tried it the Regex scripts were not supported by AGH.
I was referring to these capabilities https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists but you might have more complex requirements of regex or additional scripting.
Title: Re: Changing the DNS provider
Post by: Inxsible on October 05, 2022, 06:54:57 pm
I installed Adguard Home as a plugin on Opnsense and everything seems to be working.

I also disabled the Blocklists under Unbound DNS and found that my memory consumption dropped from around 60% to 20% without any effect on the CPU usage, so that's a plus.

I do notice a few differences -- like the Ad links Google searches produce used to give me an ERR_REFUSED, but now they work -- but I guess that's fine as my wife kept complaining that she can't get to any links from her searches etc.

I am also trying to set up HAProxy configuration, so that I can access AdGuard Home using a host.domain instead of the IP, but I can't seem to get this to work. My real server is pointing to the OpnSense IP with port = 81 (the one I chose when setting up AdGuard Home). Any pointers on this would be really helpful.

Finally, I have some questions on the whole DOH/DOT. Unbound allows DOT setup and it works when I set it up... but I wanted to understand it a bit better.
When not using DOH/DOT, your ISP can (if they wanted to) see and log the websites that you request DNS for. When using DOT under Unbound, it would still be the same thing, except instead of the ISP, your DOT provider (Google, or Cloudflare etc) would be able to see & log the websites that you request --- Is that a correct statement?

So DOH/DOT is simply transferring trust from ISP to the DOT provider that you choose -- correct?
Title: Re: Changing the DNS provider
Post by: Patrick M. Hausen on October 05, 2022, 07:56:24 pm
When not using DOH/DOT, your ISP can (if they wanted to) see and log the websites that you request DNS for.
This depends on how you define "see and log".

If you use your own recursive DNS, e.g. Unbound, and do not use your ISP's recursive DNS as a forwarder, then your ISP does not see your requests. Period.

Unless ... they actively sniff all of your network traffic and look for DNS requests. Which at least here in Europe would violate several laws.

So in a civilized country with e.g. GDPR in place, I argue that running your own recursive DNS is the best protection of your privacy you can get.

When using DOT under Unbound, it would still be the same thing, except instead of the ISP, your DOT provider (Google, or Cloudflare etc) would be able to see & log the websites that you request --- Is that a correct statement?

So DOH/DOT is simply transferring trust from ISP to the DOT provider that you choose -- correct?
Exactly. You are freely giving all your DNS requests to a single centralized third party - which in case of 1.1.1.1 or 8.8.8.8 is a US American company probably not bound by GDPR in any way.

So as an EU citizen I do not trust my ISP not to log DNS requests should I use their recursive DNS. But I do trust that the deterrent of local legislation is high enough for them not to actively sniff traffic.

That's why I recommend using a local recursive DNS server.

The Internet's infrastructure is supposed to be decentralized, remember? ;)

As always your mileage may vary. Specifically if you are a US citizen or if you are in a really repressive country. In the latter case using 1.1.1.1 or 8.8.8.8 might be the lesser evil.

Kind regards,
Patrick

Title: Re: Changing the DNS provider
Post by: Inxsible on October 05, 2022, 09:43:00 pm
This depends on how you define "see and log".

If you use your own recursive DNS, e.g. Unbound, and do not use your ISP's recursive DNS as a forwarder, then your ISP does not see your requests. Period.
Ok, that makes sense. I am not using Query forwarding anywhere in Unbound configuration.
Unless ... they actively sniff all of your network traffic and look for DNS requests. Which at least here in Europe would violate several laws.
At this point either the government or Comcast has something on me, and no amount of hiding is gonna save me. So I am not really bothered if they are sniffing all my traffic.

So in a civilized country with e.g. GDPR in place, I argue that running your own recursive DNS is the best protection of your privacy you can get.

When using DOT under Unbound, it would still be the same thing, except instead of the ISP, your DOT provider (Google, or Cloudflare etc) would be able to see & log the websites that you request --- Is that a correct statement?

So DOH/DOT is simply transferring trust from ISP to the DOT provider that you choose -- correct?
Exactly. You are freely giving all your DNS requests to a single centralized third party - which in case of 1.1.1.1 or 8.8.8.8 is a US American company probably not bound by GDPR in any way.

So as an EU citizen I do not trust my ISP not to log DNS requests should I use their recursive DNS. But I do trust that the deterrent of local legislation is high enough for them not to actively sniff traffic.

That's why I recommend using a local recursive DNS server.

The Internet's infrastructure is supposed to be decentralized, remember? ;)

As always your mileage may vary. Specifically if you are a US citizen or if you are in a really repressive country. In the latter case using 1.1.1.1 or 8.8.8.8 might be the lesser evil.

Kind regards,
Patrick
Ok thanks for confirming my understanding. I am in the US and so no GDPR type law that I know of, but as I mentioned, I am not trying to hide from the government.

For me -- no point of adding additional latency for DOT under Unbound then, I have it disabled already as I was only testing.

Now the only thing remaining is HAProxy configuration for AdGuard Home !!
Title: Re: Changing the DNS provider
Post by: cookiemonster on October 06, 2022, 12:05:14 am
For blocking google ad services if you want to have it again, try the steven black blocklist https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
For reaching your AGH from outside, it is a bit more involved. I did it with nginx as reverse proxy on opnsense with a real server on the LAN that was doing the required translations, i.e. UDP and DoT (for Android), but I changed my infrastructure and haven't re-done it. I needed a quick workaround for traveling and set up a WireGuard VPN. Now when I'm out, I enable wg on the phone and all flows through my home network including DNS queries through ADG. Just a thought.
Title: Re: Changing the DNS provider
Post by: Inxsible on October 06, 2022, 12:30:06 am
For blocking google ad services if you want to have it again, try the steven black blocklist https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
Ok thanks, I will try that. I did have that in my Unbound Blocklist. I was going to enable 1 at a time and see if it was worthwhile to add it to AdGuard Home.
For reaching your AGH from outside, it is a bit more involved. I did it with nginx as reverse proxy on opnsense with a real server on the LAN that was doing the required translations, i.e. UDP and DoT (for Android), but I changed my infrastructure and haven't re-done it. I needed a quick workaround for traveling and set up a WireGuard VPN. Now when I'm out, I enable wg on the phone and all flows through my home network including DNS queries through ADG. Just a thought.
I do NOT want to access AGH from outside the network. I actually have an OpenVPN Road Warrior setup and that works great for me to connect to the home network. I might think about setting up a WireGuard VPN if there are speed benefits as everyone claims.

What I am currently trying to do is just use https://adguard.mydomain.com to access AGH instead of 192.168.1.1:81 from within my local network. I use such a setup for all my services and I own a domain and issue a wildcard Let's Encrypt certificate for all of them.
Title: Re: Changing the DNS provider
Post by: cookiemonster on October 06, 2022, 11:19:58 am
Right, clear now. Internally.
You'd want to see where your clients are looking for their internal DNS resolution and put an override there. Presumably it's Unbound. So try a host override.
Title: Re: Changing the DNS provider
Post by: hushcoden on October 06, 2022, 12:49:43 pm
1. Services --> Dnsmasq DNS
Enable Dnsmasq = False

2. Services --> Unbound DNS --> General
Enable Unbound = True

3. System --> Settings --> General
DNS Servers --- Do not list any DNS servers (since you don't want to use anything except your local DNS server)
DNS search domain -- Empty
DNS server options --
        Allow DNS server list to be overridden by DHCP/PPP on WAN -- Unchecked
       
I believe it now works, as if I do a DNS leak test I get as result my IP address and not the ISP DNS servers' IP addresses, is that right?

tia.
Could someone confirm if my assumption is correct?

Ta.
Title: Re: Changing the DNS provider
Post by: Inxsible on October 06, 2022, 06:18:41 pm
If you are getting just your IP then your unbound is working as a resolver, yes.
Title: Re: Changing the DNS provider
Post by: Inxsible on October 06, 2022, 11:50:05 pm
Right, clear now. Internally.
You'd want to see where your clients are looking for their internal DNS resolution and put an override there. Presumably it's Unbound. So try a host override.
Yeah, unbound is running in resolver mode and I already have a host override setup for adguard pointing to the IP of opnsense.

EDIT: Turned out that the SSL check was on in the Real Server configuration of HAProxy. Not sure how I missed that !!!! :angry:
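For the HAProxy piece, the equivalent in plain haproxy.cfg terms, as an added example (hand-written, not what the OPNsense HAProxy plugin generates; the certificate path and the frontend/backend names are assumptions): the real server line with the SSL option enabled beside the one that works for the plain-HTTP AGH UI on port 81.

```haproxy
# Constructed fragment: TLS terminates at the frontend with the wildcard cert,
# and the Host header picks the AdGuard Home backend.
frontend https_in
    bind :443 ssl crt /usr/local/etc/ssl/wildcard-mydomain.pem   # path assumed
    acl host_adguard hdr(host) -i adguard.mydomain.com
    use_backend adguard_home if host_adguard

backend adguard_home
    # Wrong: "ssl" makes HAProxy speak TLS to the server (and run its health
    # check over TLS) against a listener that only serves plain HTTP on 81,
    # so the check fails and the server is marked down.
    # server agh 192.168.1.1:81 check ssl verify none
    # Right: plain HTTP to the AGH UI port; the client side is still HTTPS.
    server agh 192.168.1.1:81 check
```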