I decided to use Unbound exclusively and set up DNS over TLS towards NextDNS. No hostnames, but it works flawlessly with all the benefits that won't work with the other setups.
Quote from: securid on December 23, 2023, 08:37:45 am
> I decided to use Unbound exclusively and set up DNS over TLS towards NextDNS. No hostnames, but it works flawlessly with all the benefits that won't work with the other setups.

Could you please check with dnscheck.tools if you experience any DNS leaks? Maybe also try it several times; sometimes I see only the NextDNS server, but most of the time I can also see Cloudflare as well as OpenDNS servers… I am not sure if I have something misconfigured. I have created a post here in the forum, but so far no one has responded. Since you are using NextDNS exactly as I do, I would be interested to see if you get this behaviour like me. Thanks!!
If you use the above-linked software, you don't have to worry about any of the above concerns. It will also automatically take care of local PTR/A resolution for all your LAN hostnames (through discovery via ARP, mDNS, PTR probes and DHCP leases file parsing), and you can delegate queries from subnets, MAC addresses or for custom TLDs to your local Unbound instance if you want this. Or do it the other way around and keep running Unbound on UDP 53, and use ctrld as the upstream, although you will lose the device identification data in this mode.
Quote from: tabsats on December 25, 2023, 11:58:52 am
> Quote from: securid on December 23, 2023, 08:37:45 am
> > I decided to use Unbound exclusively and set up DNS over TLS towards NextDNS. No hostnames, but it works flawlessly with all the benefits that won't work with the other setups.
>
> Could you please check with dnscheck.tools if you experience any DNS leaks? Maybe also try it several times; sometimes I see only the NextDNS server, but most of the time I can also see Cloudflare as well as OpenDNS servers… I am not sure if I have something misconfigured. I have created a post here in the forum, but so far no one has responded. Since you are using NextDNS exactly as I do, I would be interested to see if you get this behaviour like me. Thanks!!

Impossible, because I "catch & redirect" DNS through a NAT rule back to OPNsense. Unless some client (like mobile devices) connects through "secure DNS", basically DNS over TLS or HTTPS. I'm not sure if I could catch those, but my own devices don't do that, so it's only guest devices and I don't care enough.
Yes, it's the same on my setup: catch and redirect DNS through a NAT rule. I didn't understand what's impossible? To check if you have any leaks, or that leaks should be impossible?
These days, redirecting 53 is definitely not enough to force your DNS server. You need to block 853 out, and block DoH via (of course incomplete and ever-growing) DNS blocklists. And then people use other non-standard ports for DNS.
I block all destination ports except what I deem necessary. If a client requires a non-standard port, I open that through a separate rule for that client.
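To illustrate the two posts above (port 53 redirection alone not being enough, and a default-deny egress policy with per-client exceptions), here is an added Python checker. It is not code from any poster, nor from OPNsense, Unbound, NextDNS or ctrld. It classifies LAN egress flow records into "went to the local resolver", "plain DNS to an external server (what the NAT redirect must catch)", "DoT on 853", "DoH to a listed endpoint", or "explicitly excepted client", and summarises bypass attempts per client. The resolver address, LAN range, DoH endpoint list, client exceptions and the `key=value` flow-line format are all constructed assumptions for the demonstration; a real deployment would feed it parsed firewall logs and a maintained DoH list.

```python
"""Classify LAN egress flows for DNS that bypasses the local resolver.

Added example for this thread; not code from any poster, nor from
OPNsense, Unbound, NextDNS or ctrld. The resolver address, LAN range,
DoH endpoint list, per-client exceptions and the flow-line format are
all constructed assumptions for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

# Assumed: Unbound listens on the OPNsense LAN address and port 53 is
# NAT-redirected there, so port-53 traffic to anything else is a leak.
RESOLVER = ip_address("192.168.1.1")
LAN = IPv4Network("192.168.1.0/24")

# Stand-in for a maintained DoH blocklist (constructed RFC 5737 addresses).
DOH_ENDPOINTS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}

# Per-client exceptions, mirroring "open that through a separate rule for
# that client": client address -> destination ports explicitly allowed.
CLIENT_EXCEPTIONS = {ip_address("192.168.1.50"): {853}}

BYPASS_CATEGORIES = {"dns53-external", "dot-853", "doh-443-listed"}


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'key=value' flow line into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        src=ip_address(fields["src"]),
        dst=ip_address(fields["dst"]),
        proto=fields["proto"].lower(),
        dport=int(fields["dport"]),
    )


def classify(flow: Flow) -> str:
    """Return a category label for one flow."""
    if flow.src not in LAN:
        return "not-lan"
    if flow.dport in CLIENT_EXCEPTIONS.get(flow.src, set()):
        return "client-exception"
    if flow.dport == 53:
        return "dns53-to-resolver" if flow.dst == RESOLVER else "dns53-external"
    if flow.dport == 853 and flow.proto == "tcp":
        return "dot-853"
    if flow.dport == 443 and flow.dst in DOH_ENDPOINTS:
        return "doh-443-listed"
    return "other"


def report(lines):
    """Count categories and list bypass categories per LAN client."""
    counts = Counter()
    bypass_by_client = {}
    for line in lines:
        flow = parse_flow(line)
        category = classify(flow)
        counts[category] += 1
        if category in BYPASS_CATEGORIES:
            bypass_by_client.setdefault(str(flow.src), []).append(category)
    return {"counts": dict(counts), "bypass_by_client": bypass_by_client}


# Constructed sample flows, not captured from any real network.
SAMPLE_FLOWS = [
    "src=192.168.1.20 dst=192.168.1.1 proto=udp dport=53",     # to local Unbound
    "src=192.168.1.20 dst=198.51.100.53 proto=udp dport=53",   # plain DNS past the redirect
    "src=192.168.1.21 dst=198.51.100.53 proto=tcp dport=853",  # DoT, 853 not blocked
    "src=192.168.1.50 dst=198.51.100.53 proto=tcp dport=853",  # DoT, but this client is excepted
    "src=192.168.1.22 dst=203.0.113.10 proto=tcp dport=443",   # DoH to a listed endpoint
    "src=192.168.1.22 dst=203.0.113.99 proto=tcp dport=443",   # ordinary HTTPS
    "src=10.0.0.5 dst=198.51.100.53 proto=udp dport=53",       # not from the LAN
]

if __name__ == "__main__":
    result = report(SAMPLE_FLOWS)
    for category, n in sorted(result["counts"].items()):
        print(f"{category:18} {n}")
    for client, cats in result["bypass_by_client"].items():
        print(f"bypass from {client}: {', '.join(cats)}")
```

Note what the port-based view cannot see: DNS carried on a non-standard port looks like any other flow to this checker, and DoH to an endpoint missing from the list is indistinguishable from ordinary HTTPS. That gap is exactly why the default-deny egress policy with a separate allow rule per client (the `CLIENT_EXCEPTIONS` idea) is the complement to redirecting 53 and blocking 853.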
Quote from: yegor on December 25, 2023, 08:01:01 pm
> If you use the above-linked software, you don't have to worry about any of the above concerns. It will also automatically take care of local PTR/A resolution for all your LAN hostnames (through discovery via ARP, mDNS, PTR probes and DHCP leases file parsing), and you can delegate queries from subnets, MAC addresses or for custom TLDs to your local Unbound instance if you want this. Or do it the other way around and keep running Unbound on UDP 53, and use ctrld as the upstream, although you will lose the device identification data in this mode.

It does all the automatic DHCP registering with PTR as well? I didn't read that in the documentation; that is neat! But it still requires manual CLI configuration for host overrides, aliases and other manual config, right?