OPNsense Forum » General Discussion
Topic: Learning about Unbound (Read 2354 times)
hushcoden (March 21, 2021, 01:31:25 pm):
I read an interesting article here, and my current configuration is pretty similar to the one in the article's "example 2", i.e. DoT, recursive caching DNS, TCP port 853 and DNSSEC.
There is an "example 3" (Authoritative, validating, recursive caching DNS) and I've noticed a few differences, i.e. there are no upstream servers, the listening interface/address is only 127.0.0.1, and there is no DoT. I'm trying to understand if there is a real benefit in using this third configuration...
How do you configure Unbound? Keen to hear (and learn) from the experts on this subject, thanks.
Maurice (Reply #1, March 21, 2021, 02:36:53 pm):
When using upstream DoT, unbound forwards all queries to the configured DoT provider. Pros: Your ISP can't see or manipulate your DNS queries. Cons: The DoT provider can see and manipulate all your DNS queries. And the DoT provider is a single point of failure.
When running it as a recursive resolver, all queries are handled by unbound itself. Pros: There is no third party which can see and manipulate all your DNS queries. And there is no single point of failure. Cons: Your ISP can see and manipulate all your DNS queries.
So it comes down to who you trust less: Your ISP or some third party DoT provider.
(I run unbound as a recursive resolver because my ISP doesn't have a history of messing with DNS.)
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
hushcoden (Reply #2, March 21, 2021, 03:02:53 pm):
Thanks Maurice, I'm so intrigued to learn more about this topic...
According to that article you can set up Unbound as a caching DNS, a recursive caching DNS, a validating recursive caching DNS, an authoritative validating recursive caching DNS, etc... I'll get there.
And I believe Unbound acts as a recursive caching DNS server?
Also, I read that to set up Unbound as an authoritative, validating, recursive caching DNS server, the listening interface/address is 127.0.0.1, but I can't find that option: you can only choose between your LAN and WAN interfaces...
And sorry if I'm messing things up, I'm learning...
Maurice (Reply #3, March 21, 2021, 03:26:07 pm):
Disclaimer: I didn't read the linked article.
"Caching" just means unbound caches results so queries don't have to be resolved / forwarded over and over again.
"Recursive" means unbound resolves queries itself and doesn't just forward them. If you use upstream DoT, unbound is NOT a recursive resolver, but a forwarder.
"Validating" means unbound verifies DNSSEC records.
"Authoritative" only applies to zones hosted by unbound itself. In OPNsense, this is typically only your local domain configured in the system settings.
In your config, unbound is a "caching validating forwarder".
The listening interfaces are not relevant for any of these.
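To put the four terms from Reply #3 and the trade-off from Reply #1 side by side, here are two hand-written unbound.conf variants. This is an added example, not the thread's configuration and not what OPNsense generates from the GUI (which manages interface and access-control lines itself). The LAN range 192.168.1.0/24, the local zone home.arpa, the trust-anchor path, and the DoT provider 192.0.2.53 / dot.example.net are placeholders. Use one variant per file, not both.

```conf
# Added example, not the thread's config and not what OPNsense generates:
# two hand-written unbound.conf variants matching the two setups discussed.
# Placeholders: 192.168.1.0/24 (LAN), home.arpa (local zone), 192.0.2.53 and
# dot.example.net (a DoT provider), /var/unbound/root.key (trust anchor path).

# ---- Variant A: "caching validating forwarder" (the DoT setup in the thread) ----
server:
    interface: 0.0.0.0                    # where unbound listens; irrelevant to the terms below
    access-control: 192.168.1.0/24 allow  # only answer your own networks
    prefetch: yes                         # "caching": refresh popular records before they expire
    auto-trust-anchor-file: "/var/unbound/root.key"  # "validating": DNSSEC root trust anchor
    harden-dnssec-stripped: yes           # signed zone with signatures missing -> bogus
    val-permissive-mode: no               # fail closed: SERVFAIL instead of a bogus answer
    tls-cert-bundle: "/etc/ssl/cert.pem"  # CA bundle, used only to authenticate TLS upstreams
    local-zone: "home.arpa." static       # "authoritative": the one zone unbound owns itself
    local-data: "router.home.arpa. A 192.168.1.1"

forward-zone:
    name: "."                             # every name goes upstream: this is a forwarder,
    forward-tls-upstream: yes             # not a recursive resolver. DoT on TCP/853, and the
    forward-addr: 192.0.2.53@853#dot.example.net   # certificate must match the name after '#'
    forward-first: no                     # never silently fall back to plain recursion

# ---- Variant B: "authoritative validating recursive caching" resolver ----
# Same server: block minus the CA bundle, and no forward-zone: at all. Unbound
# walks from the root servers itself, so no single provider sees every query,
# but the ISP sees the plaintext traffic (DNSSEC signs it, it does not encrypt it).
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow
    prefetch: yes
    auto-trust-anchor-file: "/var/unbound/root.key"
    harden-dnssec-stripped: yes
    val-permissive-mode: no
    qname-minimisation: yes               # send each upstream server only the labels it needs
    local-zone: "home.arpa." static
    local-data: "router.home.arpa. A 192.168.1.1"
```

The only line that differs in kind between the two is the forward-zone: block; its presence is what makes variant A a forwarder rather than a recursive resolver, while the interface: line (0.0.0.0 here, 127.0.0.1 in the article's example 3) changes nothing about caching, recursion or validation. In variant B the CA bundle is not referenced by anything, because only outgoing TLS connections use it.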
hushcoden (Reply #4, March 23, 2021, 08:56:18 am):
So, since I pretty much trust my ISP, I can delete the
forward-zone:
section, right?
Also, can I delete the line
tls-cert-bundle: /etc/ssl/cert.pem
from the section
server:
or is it used by something else too?
Maurice (Reply #5, March 23, 2021, 12:39:29 pm):
unbound.conf shouldn't be edited manually at all. It gets recreated whenever you make changes in the Web GUI.
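Since the generated unbound.conf is overwritten on every GUI change, the practical way to keep hand-written Unbound options on OPNsense is a drop-in file rather than an edit. The script below is an added example, not from the thread or from the OPNsense project. It assumes three things worth checking on your release: that every *.conf file in /usr/local/etc/unbound.opnsense.d/ is included into the generated configuration, that the generated file lives at /var/unbound/unbound.conf, and that "configctl unbound restart" restarts the service. The override content itself is an assumed hardening set; if the GUI already emits one of these options, unbound-checkconf is the step that tells you about the conflict before anything restarts.

```shell
#!/bin/sh
# Added example, not from the thread: keep Unbound overrides out of the generated
# unbound.conf by dropping them into OPNsense's include directory instead.
# Assumed paths and commands (verify on your release):
#   include dir   /usr/local/etc/unbound.opnsense.d/   (every *.conf is included)
#   generated     /var/unbound/unbound.conf
#   restart       configctl unbound restart
set -eu

DROPIN_DIR="${DROPIN_DIR:-/usr/local/etc/unbound.opnsense.d}"
GENERATED_CONF="${GENERATED_CONF:-/var/unbound/unbound.conf}"

# The override itself. Deliberately no forward-zone: whether unbound forwards
# (DoT) or recurses stays a GUI decision; these are hardening knobs only.
render_overrides() {
    cat <<'EOF'
server:
    # fail closed on broken DNSSEC instead of serving an unvalidated answer
    val-permissive-mode: no
    harden-dnssec-stripped: yes
    harden-glue: yes
    # leak as little of the queried name as possible to each upstream server
    qname-minimisation: yes
    # use cached NSEC/NSEC3 records to answer non-existent names locally
    aggressive-nsec: yes
EOF
}

# Write the fragment into the include directory given as $1; prints the path.
install_overrides() {
    dir=$1
    mkdir -p "$dir"
    render_overrides > "$dir/50-local-hardening.conf"
    printf '%s\n' "$dir/50-local-hardening.conf"
}

# Validate the combined configuration before restarting, when unbound is present.
# Returns non-zero only when unbound-checkconf ran and rejected the config.
check_config() {
    if command -v unbound-checkconf >/dev/null 2>&1 && [ -f "$GENERATED_CONF" ]; then
        unbound-checkconf "$GENERATED_CONF"
    else
        echo "unbound-checkconf or $GENERATED_CONF not available; skipping syntax check" >&2
    fi
}

# Only "--apply" touches the real system; without it the functions can be
# exercised against a temporary directory.
if [ "${1:-}" = "--apply" ]; then
    f=$(install_overrides "$DROPIN_DIR")
    echo "wrote $f"
    check_config
    configctl unbound restart
fi
```

Run it as root with --apply on the firewall; the file name prefix (50-) only orders it among other drop-ins, and deleting the file and restarting Unbound reverts the change without touching the GUI-managed configuration.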