
FRESH NEW AND IMPROVED GETDNS STUBBY AND UNBOUND AKA DNS PRIVACY


Nekromantik:
Yes, may need to play around with servers.

simops:
Thanks for posting guys, both the original tutorial and the followup posts were extremely helpful.

At first I was just running a pi-hole as a DNS server behind my opnsense home firewall. I then used the method in the first post to set up Stubby and Unbound. Once I understood how it worked, the only issue I had was that I had to change the tls_ca_file: "/etc/ssl/cert.pem" entry as per Koldnitz's post, and everything worked perfectly.

I can now send queries either via pihole -> Unbound -> Stubby -> Cloudflare over TLS, or just go directly Unbound -> Stubby -> Cloudflare. Since the latest version of opnsense has blacklists built into Unbound the pihole is redundant except for the nice dashboards, but I can live without those.

On the forward-facing side, Unbound can now support DNS over TLS, and since you can enter multiple forward TLS resolvers in the Custom Options box, I don't think I understand what extra value there is in introducing Stubby to the resolver chain.

Does Stubby bring anything vitally important to the mix or is it just easier to leave it right out and run Unbound by itself?

Koldnitz:
I personally could not get unbound to do both encryption and validation of the DoT servers.

Encryption was no problem:
https://sahlitech.com/opnsense-setup-unbound-dns/

forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853   #CloudFlare

but ...

When I put this:

forward-tls-upstream: yes
forward-addr: 1.0.0.1@853#one.one.one.one (as an example)

from https://calomel.org/unbound_dns.html (unbound tutorial on calomel.org), I could not get anything to work. I never even saw the error in my logs (I am sure this was due to me not understanding where to look), and I could not find any information on why this does not work.

TLDR: As soon as I added the bit following the # symbol, all DNS stopped.

After doing a lot of googling / lurking on these forums, you find a few posts where people say this functionality does not work yet with the unbound in Opnsense, but other people claim it does, both on this forum in tutorials and all over the web, so your mileage may vary.

Stubby works for me; it is supposedly more efficient (reuses TLS connections) than unbound, and it incorporates TLS 1.3.

The main thing for me again is the fact that it fully works.

If you can get unbound to work fully (i.e. it will verify the DNS server is who it says it is, i.e. it works with the bit after the # above), I do not see the point in adding stubby.

Cheers,
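The two Unbound snippets in the post above differ in more than the option name, and the difference is worth making checkable. In unbound.conf a `#` that begins a whitespace-separated token starts a comment, so `1.1.1.1@853   #CloudFlare` is an address with a comment after it (TLS encryption only, no check on who answers), while `1.0.0.1@853#one.one.one.one` attaches an authentication name that Unbound verifies against the upstream's certificate. That verification needs a CA store to be configured in the `server:` section (`tls-cert-bundle:` pointing at a bundle, or `tls-system-cert: yes`); with a name but no CA store, validation cannot succeed and forwarded queries fail. The following audit script is an added example and is not code from the thread, OPNsense or the Unbound project. The three configurations in it are constructed samples; `cloudflare-dns.com` is Cloudflare's published DoT authentication name, and `/etc/ssl/cert.pem` is the FreeBSD bundle path the thread already uses for Stubby.

```python
"""Audit Unbound forward-zone settings for DNS-over-TLS.

Added example, not from the OPNsense thread. It separates the three states a
forwarder can be in: cleartext, encrypted but unauthenticated, and encrypted
and authenticated. All sample configurations below are constructed.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: the "encryption only" shape. The whitespace before '#'
# makes "#CloudFlare" a comment rather than an authentication name.
WEAK_CONFIG = """\
server:
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853   #CloudFlare
"""

# Constructed sample: an authentication name is attached with '#', but no CA
# store is configured, so Unbound has nothing to validate the chain against.
NO_BUNDLE_CONFIG = """\
server:
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""

# Constructed sample: authenticated DoT. The bundle path is the FreeBSD one the
# thread uses for Stubby; adjust it to the platform's CA store.
HARDENED_CONFIG = """\
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
"""

Finding = Tuple[str, str]  # (issue code, offending directive or value)


def split_directive(line: str) -> Optional[Tuple[str, str]]:
    """Return (key, value) for one unbound.conf line, or None for blank/comment lines.

    A '#' that starts a whitespace-separated token begins a comment; a '#' glued to
    a value (1.1.1.1@853#name) stays part of the value, which is how Unbound reads it.
    """
    tokens = []
    for tok in line.split():
        if tok.startswith("#"):
            break
        tokens.append(tok)
    if not tokens:
        return None
    key, _, value = " ".join(tokens).partition(":")
    return key.strip(), value.strip().strip('"')


def parse_forward_addr(value: str) -> Tuple[str, int, Optional[str]]:
    """Split 'host[@port][#authname]' the way Unbound does; the default port is 53."""
    m = re.fullmatch(r"([^@#\s]+)(?:@(\d+))?(?:#(\S+))?", value)
    if m is None:
        raise ValueError(f"unparseable forward-addr: {value!r}")
    return m.group(1), int(m.group(2) or 53), m.group(3)


def audit_forwarding(config_text: str) -> List[Finding]:
    """Collect the TLS-relevant directives, then judge each upstream."""
    tls_enabled = False
    have_ca_store = False
    upstreams: List[str] = []
    for line in config_text.splitlines():
        directive = split_directive(line)
        if directive is None:
            continue
        key, value = directive
        if key in ("forward-tls-upstream", "forward-ssl-upstream"):
            tls_enabled = value.lower() == "yes"
        elif key == "tls-cert-bundle" and value:
            have_ca_store = True
        elif key == "tls-system-cert" and value.lower() == "yes":
            have_ca_store = True
        elif key == "forward-addr":
            upstreams.append(value)

    findings: List[Finding] = []
    if not tls_enabled:
        findings.append(("CLEARTEXT_FORWARDING", "forward-tls-upstream"))
        return findings  # the remaining checks only make sense under TLS
    for raw in upstreams:
        _host, port, auth_name = parse_forward_addr(raw)
        if port != 853:
            findings.append(("NON_DOT_PORT", raw))
        if auth_name is None:
            # Encrypted channel, but whoever answers at host:port is trusted.
            findings.append(("UNAUTHENTICATED_UPSTREAM", raw))
        elif not have_ca_store:
            # Name given, no trust anchors: validation cannot succeed, queries fail.
            findings.append(("AUTH_NAME_WITHOUT_CA_BUNDLE", raw))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("no-bundle", NO_BUNDLE_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print(label, audit_forwarding(cfg) or "OK")
```

Run against a real unbound.conf (or the Custom Options text pasted into a file), an `UNAUTHENTICATED_UPSTREAM` finding is the state the first snippet in the post leaves you in, and `AUTH_NAME_WITHOUT_CA_BUNDLE` is the first thing to rule out when adding the `#name` part breaks resolution.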
