Changing the DNS provider

Started by Inxsible, October 01, 2022, 05:38:37 PM

October 01, 2022, 05:38:37 PM Last Edit: October 07, 2022, 01:49:17 AM by Inxsible
Hi,

I currently use Unbound in Resolver mode. I have DNSSEC enabled in its configuration. I use 19+ host overrides to access my LAN-only services like vaultwarden, nextcloud etc. I also use all the Unbound blocklists (except Blocklist.site Youtube) to block ads etc. and have whitelisted alt*.gstatic.com because without it, my Chromebooks just kept losing the Wifi connection.

I had some time to tinker and I thought I'd try to set up DoH or DoT, and I went down the rabbit hole to learn about AdGuard Home, NextDNS and all their history about AGH being Russian but operating in Cyprus and both having a 300K query limit on the free account etc etc.

I liked that people consistently mentioned that AGH and NextDNS ad-blocking is better than Unbound. It's also easier to maintain the blocklists and the UI is better too. Also Unbound takes a long time to restart if and when I make any changes, say, adding a new host override or changing blocklists or just any other maintenance, so switching might be a good idea for me.

I also read that some ISPs are forwarding the DNS query requests to their own DNS servers irrespective of which server you have set up -- https://www.reddit.com/r/pihole/comments/ue08c9/comment/i6ka8mv/?utm_source=share&utm_medium=web2x&context=3 . So I did a DNS Leak Test and sure enough, I see a Comcast DNS server being used rather than my local OPNsense firewall. Weirdly, running the same test in Chrome tells me I used Comcast DNS, but in Firefox it tells me I am using Cloudflare -- so I am even more confused, but that is for another topic I guess.

My assumption is that using a local resolver is better than a forwarder to keep your latency lower (which is why I opted for Unbound rather than dnsmasq in the first place) and also for privacy.

The rabbit hole that I went through led me to read a lot of things and I have some questions based on what I read:


  • By using NextDNS or AdGuard Home, aren't you giving that privacy up to either of them?
  • I have seen some posts indicating using NextDNS servers in the Unbound configuration as upstream. Doesn't that make Unbound act as a forwarder rather than a resolver?
  • If you are implementing #2 above, what's the point of using Unbound rather than dnsmasq?
  • AGH can use NextDNS as upstream servers and vice versa -- what's the point of doing that? Why not use just one of them?
  • I am a little concerned by the 300K limit on both AGH and NextDNS -- between the kids' tablets, our phones, TV, work laptop, and my servers, I don't know how soon I will cross the 300K limit. Caching seems to be the solution, yes, but again with Unbound or with dnsmasq? How would dnsmasq or Unbound work in conjunction with NextDNS/AdGuard Home?
  • Is using NextDNS/AGH on the OPNsense box better than a separate VM/container (I have a local Proxmox server)? My current OPNsense system (J3355) goes to 100% CPU when loading the Dashboard, but after a couple of seconds hovers at 3% CPU and 60% RAM, but I can add another 4GB stick if RAM is a concern.

Please spread your knowledge of DNS and its workings and enlighten me.

Thank you,

AdGuard Home is a local recursive DNS server with filter lists. No information is given to anyone and there is no limit I am aware of. You are probably confusing AdGuard Home with AdGuard DNS.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on October 01, 2022, 06:01:42 PM
AdGuard Home is a local recursive DNS server with filter lists. No information is given to anyone and there is no limit I was aware of. You are probably confusing AdGuard Home with AdGuard DNS.
Possibly. I read so much over the last 24 hours, that I could have easily confused the two.

So AGH is a self-hosted resolver and AdGuardDNS has a 300K limit? Which upstream DNS does AGH use by default then?

October 01, 2022, 08:09:00 PM #3 Last Edit: October 01, 2022, 08:11:49 PM by pmhausen
Quote from: Inxsible on October 01, 2022, 06:09:57 PM
So AGH is a self-hosted resolver and AdGuardDNS has a 300K limit? Which upstream DNS does AGH use by default then?
I don't know about AdGuard DNS. I do not use upstream servers. AdGuard Home uses whatever you point it to, e.g. a local BIND or Unbound installation. BIND in my case.

You are aware that DNS "just works" without any upstream? And that running your local resolver in exactly this way is the best way to maximize privacy?

Here's a description of the process I wrote some time ago:
https://forum.opnsense.org/index.php?topic=22760.msg108462#msg108462

Quote from: pmhausen on October 01, 2022, 08:09:00 PM
You are aware that DNS "just works" without any upstream? And that running your local resolver in exactly this way is the best way to maximize privacy?

Wrong choice of term on my part I guess. I just meant, does it work as a forwarder with an upstream server. And yes, I am aware that a resolver is not the only thing that is needed. It, of course, needs to contact other root servers until it builds its cache and still continues doing so for all the cache misses.

AdGuard Home does accept recursive queries - of course - but cannot do the recursion on its own starting at the root servers. It needs another server to forward to.

I like to set up both AGH and BIND to listen on localhost only with AGH forwarding to BIND. Then in VLANs with ad blocking I port forward/NAT 53/UDP+TCP to AGH and in VLANs without ad blocking directly to BIND bypassing AGH.

This also solves the problem with AGH and CARP addresses (bug in the FreeBSD Golang port).

Quote from: pmhausen on October 01, 2022, 08:09:00 PM
I don't know about AdGuard DNS. I do not use upstream servers. AdGuard Home uses whatever you point it to, e.g. a local BIND or Unbound installation. BIND in my case.
So if you are using your local BIND, then how does the ad-blocking of AdGuard Home help? I was under the impression that using AdGuard DNS or NextDNS as the service is how the ads are blocked at the DNS level. Or is that an incorrect assumption?

Client queries AdGuard Home, AdGuard Home queries BIND, AdGuard Home applies block lists to result, delivers result or 0.0.0.0 depending on blocklist entry.

Blocklist management, statistics, exceptions, all in a very nice and convenient UI with AGH.
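The flow pmhausen describes (client asks AdGuard Home, AdGuard Home asks BIND, then the lists are applied to the result and a blocked name gets 0.0.0.0), as an added example that is not part of this thread and not AdGuard Home's own code. The blocklist, the allowlist pattern (the alt*.gstatic.com whitelist from the first post) and the stand-in upstream table are constructed; real AdGuard Home rules have their own syntax, this only models the decision.

```python
"""Added example: a model of the filtering step in a client -> AGH -> BIND setup.

Not AdGuard Home's code. The lists and the stand-in upstream are constructed.
"""
import fnmatch

# Constructed blocklist entries: an entry covers the name and everything under it.
BLOCKLIST = {"ads.example", "tracker.example.net"}
# Constructed allowlist (glob patterns), e.g. the thread's alt*.gstatic.com whitelist.
ALLOWLIST = {"alt*.gstatic.com"}
# Constructed stand-in for the recursive resolver (BIND/Unbound) behind the filter.
UPSTREAM = {
    "www.example.org": "192.0.2.10",
    "tracker.example.net": "192.0.2.77",
    "alt1.gstatic.com": "192.0.2.90",
}


def normalize(name):
    return name.rstrip(".").lower()


def is_blocked(name, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Allowlist wins; otherwise the name and each of its parents are checked."""
    name = normalize(name)
    if any(fnmatch.fnmatchcase(name, pat) for pat in allowlist):
        return False
    labels = name.split(".")
    # cdn.ads.example -> ads.example -> example
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(name, upstream=UPSTREAM):
    """Return (answer, blocked) as the filtering front-end hands it to the client.

    Step 1: the client asks us.  Step 2: we ask the recursive resolver.
    Step 3: the lists are applied to the result; a blocked name becomes 0.0.0.0.
    """
    name = normalize(name)
    answer = upstream.get(name)
    if is_blocked(name):
        return "0.0.0.0", True
    return answer, False


def decisions(names):
    """Summarize a batch of queries as {name: (answer, blocked)}."""
    return {n: resolve(n) for n in names}


if __name__ == "__main__":
    batch = ["www.example.org", "cdn.ads.example", "tracker.example.net", "alt1.gstatic.com"]
    for n, (ans, blocked) in decisions(batch).items():
        print(f"{n:24} -> {ans}  {'BLOCKED' if blocked else 'passed'}")
```

The suffix walk is what makes a single entry like ads.example cover cdn.ads.example as well; the allowlist is checked first so that a whitelist entry survives even when a parent domain is on a blocklist, which is the situation the alt*.gstatic.com entry is there for.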

Quote from: pmhausen on October 01, 2022, 08:09:00 PM
You are aware that DNS "just works" without any upstream? And that running your local resolver in exactly this way is the best way to maximum privacy?

Here's a description of the process I wrote some time ago:
https://forum.opnsense.org/index.php?topic=22760.msg108462#msg108462
1. If I understood correctly, by enabling DoT, I enable a bunch of upstream servers whose owner has visibility of which pages I'm requesting/visiting, but my ISP just sees encrypted packets, hence I'm transferring my 'privacy' from my ISP to that third-party company, is that right?

2. If I just use Unbound, then it will query one of the root servers and at the end my client (i.e. laptop) will get the IP address requested: does it mean my ISP can see which pages I'm visiting?

Tia.

1. Correct.
2. No, the ISP cannot see which DNS names you are resolving - at least not at the DNS level, if you are not using your ISP's resolvers.

The ISP can theoretically sniff all your unencrypted traffic including your self managed DNS queries.

I trust any European ISP bound by GDPR far more than any of the global DoT providers. Transport layer encryption of DNS queries is a strawman, IMHO.

And while we are at it: same for "VPN" for privacy. You are handing all your traffic to a single entity. Good luck with that. I can understand the desire to circumvent geoblocking, but VPNs do not enhance privacy.

October 02, 2022, 09:24:51 PM #10 Last Edit: October 02, 2022, 09:26:37 PM by hushcoden
Thanks for the clarification.

Disabling DoT and running a DNS leak test, I get as a result that I'm using my ISP's DNS servers, which I believe is expected, is that right?
I thought Unbound was taking care of querying root DNS servers without going through my ISP's DNS servers, but I guess I misunderstood?

If I don't want to use those DNS servers, is DoT the only possible alternative solution?

Tia.

I am not using Unbound but BIND. That by default implements a full-featured resolver that does not use your ISP's resolvers as forwarders.

I would have a look at the Unbound config as it is written by the UI and if you find any upstream servers, then look for the options in System > Settings > General.

Unfortunately for historical reasons there are options that apply to DNS spread across various parts of the UI. Maybe someone who uses Unbound can assist.

What do you need to set in the UI to have Unbound work on its own without any forwarder?

HTH,
Patrick

Quote from: pmhausen on October 02, 2022, 10:49:05 PM
What do you need to set in the UI to have Unbound work on its own without any forwarder?

1. Services --> Dnsmasq DNS
Enable Dnsmasq = False

2. Services --> Unbound DNS --> General
Enable Unbound = True

3. System --> Settings --> General
DNS Servers --- Do not list any DNS servers (since you don't want to use anything except your local DNS server)
DNS search domain -- Empty
DNS server options --
        Allow DNS server list to be overridden by DHCP/PPP on WAN -- Unchecked
       

Reverting back to my original questions:

  • What's the advantage of using AdGuard Home over Unbound (when both are used as resolvers)?
  • Advantages/disadvantages of the AGH plugin on OPNsense (from the mimugmail repo) vs a separate AGH VM/container?
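After following the UI steps above, Patrick's advice earlier in the thread was to look at the Unbound config the UI actually writes and check whether any upstream servers ended up in it. The following is an added example of such a check, not part of this thread or of OPNsense; it parses the clause/keyword layout of unbound.conf and reports every forward-zone. The sample config text (including the forward-addr and file path in it) is constructed to show what a forwarder entry looks like, not copied from a real system.

```python
"""Added example: report forward-zone entries in an unbound.conf (not OPNsense code)."""
import re

CLAUSE = re.compile(r"^([a-z-]+):$")            # top-level clause, e.g. server: / forward-zone:
FORWARD_KEYS = {"forward-addr", "forward-host"}  # keywords that name a forwarding target

# Constructed sample in the style of a UI-generated config. The forward-zone
# for "." sends every query to the listed target, so Unbound would no longer
# recurse from the root hints; the target address and path are placeholders.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    port: 53
    module-config: "validator iterator"   # DNSSEC validation on
    auto-trust-anchor-file: "/var/unbound/root.key"
    local-zone: "home.arpa." static

forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853    # constructed DoT upstream
    forward-tls-upstream: yes
"""


def find_forwarders(conf_text):
    """Return [(zone_name, [targets], tls)] for every forward-zone clause in the text."""
    zones, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        m = CLAUSE.match(line)
        if m:                                    # a new clause starts here
            if m.group(1) == "forward-zone":
                current = {"name": None, "targets": [], "tls": False}
                zones.append(current)
            else:
                current = None                   # server:, stub-zone:, ... are ignored
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "name":
            current["name"] = value
        elif key in FORWARD_KEYS:
            current["targets"].append(value)
        elif key == "forward-tls-upstream":
            current["tls"] = value.lower() == "yes"
    return [(z["name"], z["targets"], z["tls"]) for z in zones]


def is_pure_resolver(conf_text):
    """True when no forward-zone has a target, i.e. Unbound recurses on its own."""
    return not any(targets for _, targets, _ in find_forwarders(conf_text))


if __name__ == "__main__":
    for zone, targets, tls in find_forwarders(SAMPLE_CONF):
        print(f"forward-zone {zone!r} -> {targets} (TLS: {tls})")
    print("pure resolver:", is_pure_resolver(SAMPLE_CONF))
```

Run it against the file the UI generates (`find_forwarders(open(path).read())`); an empty list together with `module-config` containing `validator` is the state the thread is aiming for: recursion from the root hints with DNSSEC validation and no third party in the path.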

AdGuard Home needs an additional recursive resolver. It does filtering only.

The filter implementation in Unbound is a bit naive^H^H^H^H^Hstraightforward. Filter lists are pulled from their respective sources, translated into configuration statements, and loaded as unbound configuration.

This leads to two undesirable effects:

- the startup/restart time of Unbound can get really long
- if there is just a single syntax error in just one of the lists, Unbound will fail to start

AdGuard Home on the other hand is designed from the start as an ad filter and can easily cope with both issues.

And then: have you ever TRIED AdGuard Home? I mean just look at the UI - isn't that a huge feature by itself?

As for the second question - I don't know. Not needing a separate VM, possibly? Some people might have only one firewall device? What's the disadvantage of running AGH on your OPNsense? I don't see any.
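The two effects described above follow from blocklists being translated into Unbound configuration statements: every entry becomes config that Unbound must parse at startup, and one malformed entry breaks the whole load. As an added example (not the OPNsense plugin's code, and the sample list is constructed), this is the translation done with strict hostname validation, so that a bad line is reported instead of being written into the config; the `local-zone ... redirect` plus `local-data` pair is Unbound's own way to answer a name and all of its subdomains from local data.

```python
"""Added example: hosts-style blocklist -> Unbound local-zone statements, with
malformed lines rejected rather than written into the config.
Not the OPNsense plugin's code; the sample list is constructed."""
import re

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}

# Constructed sample: valid entries, a comment, an invalid label, and the HTML
# error page you get when a list URL starts returning 404 instead of the list.
SAMPLE_LIST = """\
# comment line
0.0.0.0 ads.example
0.0.0.0 tracker.example.net   # trailing comment
127.0.0.1 localhost
0.0.0.0 -invalid-.example
<html><body>404 Not Found</body></html>
just-a-domain.example
"""


def valid_hostname(name):
    """RFC 1123 style: 1..253 chars, labels of [a-z0-9-] not starting or ending with '-'."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def parse_blocklist(text):
    """Return (domains, rejected); rejected is [(lineno, raw_line, reason)]."""
    domains, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in SINK_IPS and len(fields) > 1:
            names = fields[1:]          # hosts format: <ip> <name> [<name> ...]
        elif len(fields) == 1:
            names = fields              # bare domain-per-line format
        else:
            rejected.append((lineno, raw, "unexpected field layout"))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES:     # hosts-file boilerplate, not a block entry
                continue
            if not valid_hostname(name):
                rejected.append((lineno, raw, "invalid hostname"))
                continue
            domains.append(name)
    return domains, rejected


def to_unbound(domains):
    """A 'redirect' zone answers the name and every subdomain from its local-data."""
    out = []
    for d in sorted(set(domains)):
        out.append(f'local-zone: "{d}." redirect')
        out.append(f'local-data: "{d}. A 0.0.0.0"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    domains, rejected = parse_blocklist(SAMPLE_LIST)
    for lineno, raw, reason in rejected:
        print(f"line {lineno}: {reason}: {raw!r}")
    print(to_unbound(domains), end="")
```

The HTML line is the realistic failure: a list source that starts serving an error page instead of the list. Without validation its contents would be turned into config statements and Unbound would refuse to start; with it, the two bad lines are reported and the remaining entries still load. Volume is the other effect the post mentions: one `local-zone` and one `local-data` line per entry is what Unbound has to parse on every restart, which is where the long startup time comes from.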