DNS (root name server) question

Started by RamSense, October 12, 2022, 03:21:36 PM

Dear community,

I got interested in the DNS subject after reading a post and answer from @pmhausen
https://forum.opnsense.org/index.php?topic=30514.0

I am running opnsense -> adguard home port 53 - upstream opnsense unbound port 5353 -> DNS TLS servers like 1.1.1.1 853 (cloudflare DoT)

Do I understand it correctly that with Bind added (opnsense unbound -> opnsense bind), you can have your own dns without having to use upstream 1.1.1.1 853? And that Bind will check with the root name servers or functions as a root name server on its own?

So if that is correct, you as a user will have more privacy with dns this way because you will no longer use cloudflare, e.g. 1.1.1.1?
And with bind, can you still use DoT from adguard home / unbound to bind or with bind?

I am trying to learn more about Bind/unbound and DNS and how to run it with the least outside dns queries. I think it sounds more secure having your own root name server and adds more privacy?

Thank you in advance for your help
Deciso DEC850v2

Unbound can go directly to the root servers and recurse from there if you do not specify any upstream server. No need to use BIND. I use BIND simply because I do not like Unbound. 25 years with BIND ... plus I need secondary zones.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you for your fast answer and info!

Are there any negative effects/aspects of not using any upstream servers and using the root servers directly?
Why otherwise use upstream servers? Using only root sounds like the most secure and privacy option?

Are there more benefits for using Bind over Unbound except being able to add secondary zones?
Deciso DEC850v2

Because people go bonkers over "but it's uNeNcRyPteD!!!" these days. So yes, DoT is encrypted. But who's more likely to spy on you? That billion dollar US company running 1.1.1.1 or your local ISP? But I wrote all that in the other DNS thread, already.

Other benefits: primary zones? Only BIND has proper zone management at all. I think Unbound "overrides" are pretty clumsy. OTOH BIND is not integrated with DHCP in OPNsense, currently. Your choice/preference, really.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

yes that makes perfect sense indeed. Although Cloudflare states that they don't log...
So over to not using any upstream servers :-)
Curious if it differs speed wise...

So the only step left is the Root Servers. Should it be possible for opnsense to act as a Root Server on its own?
That way you keep the complete link self-hosted?
Deciso DEC850v2

The root servers serve the addresses of all the nameservers for all the TLDs. You cannot self-host that. They are literally the root of the world wide distributed DNS tree.

I explained the entire process here a while ago:
https://forum.opnsense.org/index.php?topic=24783.msg118859#msg118859
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

If you allow me, I agree with the logic. Skip one or another company and go straight to the root servers. No need to trust anyone in the middle.
But I do prefer to go encrypted while accepting the limitation of not going to them. So I went to what for me is a suitable compromise: spread the queries to a few resolvers (yes, the ones going direct skips) and keep encryption.
I run stubby on OPN and there I chose my DoT-enabled public servers. Yes, I am choosing to trust those as middle ones but multiple ones. What's the point? There is no single entity that profiles my dns traffic.
Can it be done as well in Unbound? I don't know. I like command line, so I stuck with a command line recursor.
So in short, not a counter to the argument, only an additional option.

Thanks to you both for the added info.
@pmhausen, good post and I'm getting to understand the dns process more now. But still got a learning curve left :-)
I follow the quote:
> If you run your own resolver, the root nameservers see your requests for the .com, .net, .de, ... nameservers.
> The .org nameservers see your requests for opnsense.org.
> The opnsense.org nameservers see your request for forum.opnsense.org.
but all requests will be made plain through the used ISP, when not using any upstreams? Like when I check dnsleaktest.com, I only see my ISP now. I am trying to understand how that is related to "root nameservers see your requests for the .com, .net, .de, ... nameservers.", as your ISP sees it all (unencrypted) also?


@cookiemonster, I do not know stubby yet. But as I read your post it looks like it does something like "root nameservers see your requests for the .com, .net, .de, ... nameservers." with a twist by just using a different upstream server for each lookup? So if you add like 10 upstreams, one upstream only gets 1 in 10 requests to handle(?) and you can use DoT?
Deciso DEC850v2

@RamSense you started this thread after you read (and cited in your initial post) that other one where I explained privacy concerns in DNS.

And there I already clearly stated that without an upstream server your ISP does not see your DNS requests as requests going to their recursive DNS. But of course your ISP is theoretically able to sniff all your network traffic and read anything unencrypted. Only that this action would violate several laws.

OTOH when using 1.1.1.1 or 8.8.8.8 you are specifically handing all your DNS request to a single entity.

I am far more concerned about the latter than about German Telekom blatantly violating German and European law. I pretty much trust they do not.

Since when have ISPs become the major threat? Many are small/medium independent companies. The threat are Google, Facebook, Cloudflare and the like. Re-centralising a distributed system like DNS is a road to hell.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I am completely on the same page with Patrick. I am lucky I live in the UK and although unfortunately now outside the EU, I also trust less the big mega companies where their model is to monetise the data, than other parties but I don't like the idea of plain dns. That's just me. If anyone was to profile my traffic, it'd be the most boring profile ever. I just don't like the premise. Having said that, in the UK the GDPR is still in play, so a big disincentive for ISPs to sniff traffic.
To your question, in stubby you put in your config which DoT resolvers to send your encrypted dns queries to and configure as round robin or ordered by preference and if first one fails, try the second, etc. They are not root servers, just that the root servers don't support TLS so stubby is on my end, the DoT resolvers at the other end and they do the query for me before returning it encrypted.
Have a look here: https://dnsprivacy.org/dns_privacy_daemon_-_stubby/about_stubby/

ps. If you add these to Unbound, it'll do the same thing that stubby does, but stubby has more options that Unbound lacks at present.
Admittedly overcomplicated but I'm happy with this setup. No UI for stubby by the way.

@pmhausen, "your ISP does not see your DNS requests as requests going to their recursive DNS." That's the part I did not understand completely. That's why I did the dnsleaktest.com and was surprised to see my ISP as the only dns, where my thinking was to see several root servers mentioned there instead. So is it that the unbound looking for root servers is going through the ISP recursive dns, and they can read it all if they sniff this request, but are not allowed to by law?

@cookiemonster thank you for the link about stubby and info about unbound. And with unbound, when you add several DoT servers, unbound automatically uses them all in a round robin way? I did not know that.
Deciso DEC850v2

October 13, 2022, 07:56:48 AM #11 Last Edit: October 13, 2022, 07:59:41 AM by pmhausen
Quote from: RamSense on October 13, 2022, 07:37:50 AM
> That's why I did the dnsleaktest.com and was surprised to see my isp as only dns, where my thinking was to see several root servers mentioned there instead. So it is that the unbound looking for root servers is going through the isp recursive dns
No, it does not. If there is no upstream DNS configured, Unbound does not use it. Possibly you get your ISP's DNS server via PPPoE or DHCP? You need to disable that feature in the OPNsense config:

System > Settings > General > Allow DNS server list to be overridden by DHCP/PPP on WAN

The dnsleaktest output should look like this:


This means I'm using only my OPNsense firewall here at the office. The IP address is the IP address my ISP gives me. And of course the ISP is listed as Deutsche Telekom AG - that's their IP address. But nowhere does it say I was using their recursive DNS server.

dnsleaktest would never list the root nameservers, because they do not perform recursive queries on your behalf. They only return information they are authoritative for. Like the IP addresses of the .org or .com or .de nameservers.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

October 13, 2022, 08:06:34 AM #12 Last Edit: October 13, 2022, 08:08:29 AM by RamSense
Ah, now I see it. The IP mentioned in the dnsleaktest.com is my own IP, and after that the ISP is added in the hostname, and my too-fast conclusion was that I was using ISP dns... I read that line too fast.

And with unbound using cache, the root server requests will drop much lower, so that lowers the potential sniffing also a bit (I think)
Deciso DEC850v2
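To make the chain pmhausen describes (root sees the .org request, .org sees opnsense.org, opnsense.org sees forum.opnsense.org) and the cache effect above concrete, here is an added toy model that is not from this thread or from Unbound: a resolver walking a constructed delegation tree offline, logging which server saw which question. Server names, addresses and zone data are all made up, and each server is asked only about the next label, which is the form of the chain quoted above.

```python
from typing import Dict, List, Optional, Tuple

# Constructed delegation data (hypothetical, not real DNS): each server maps an
# owner name either to the next server to ask (a referral) or to an address.
SERVERS: Dict[str, Dict[str, str]] = {
    "root-ns": {"org.": "org-ns", "com.": "com-ns"},
    "org-ns": {"opnsense.org.": "ns1.opnsense.org."},
    "ns1.opnsense.org.": {
        "forum.opnsense.org.": "203.0.113.10",
        "docs.opnsense.org.": "203.0.113.11",
    },
}

def labels_from_root(qname: str) -> List[str]:
    """'forum.opnsense.org.' -> ['org.', 'opnsense.org.', 'forum.opnsense.org.']"""
    parts = qname.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]

class Resolver:
    """Resolver with no upstream: it walks the tree from the root itself and
    caches every referral, so later lookups under a cached zone skip the root."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}
        self.log: List[Tuple[str, str]] = []   # (server asked, name it saw)

    def resolve(self, qname: str) -> str:
        server = "root-ns"
        for name in labels_from_root(qname):
            if name not in self.cache:
                self.log.append((server, name))    # this server sees this name
                answer = SERVERS[server].get(name)
                if answer is None:
                    raise LookupError(f"{server} is not authoritative for {name}")
                self.cache[name] = answer
            server = self.cache[name]
        return server          # the last referral target is the address

def queries_seen(qname: str, upstream: Optional[str] = None) -> List[Tuple[str, str]]:
    """Who sees what for one lookup from a cold cache. upstream=None means
    'recurse from the root ourselves'; a forwarder sees every full name."""
    if upstream is not None:
        return [(upstream, qname)]
    r = Resolver()
    r.resolve(qname)
    return r.log
```

Resolving docs.opnsense.org after forum.opnsense.org with the same Resolver only contacts ns1.opnsense.org, which is the cache effect on root-server traffic mentioned above.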

October 13, 2022, 12:13:30 PM #13 Last Edit: October 15, 2022, 08:28:14 AM by RamSense
I just discovered that my ISP has a DoT server. What is your advice if your ISP has a DNS DoT service?
Use unbound with no upstream and unencrypted to root servers as you stated before,
or use the encrypted ISP DoT?

N.B. I think I got it now... DoT ISP -> handing over all DNS to your ISP (privacy?) vs unbound with no upstreams, directly to root servers, where you have ISP privacy (only when your ISP sniffs DNS is your privacy lost, but that is not allowed by law).
There is only 1 way better, that is when you are able to use DoT to root servers... but that is not there (yet?)
Deciso DEC850v2