Question about Unbound + Pi-Hole via Optimized Software

dwr
Posts: 77
Joined: Thu Feb 18, 2021 3:46 am


Post by dwr »

Greetings,

A few weeks back I decided to switch from Ad-Guard Home to Pi-Hole, but this time I decided to give Unbound a shot as well.

After figuring out that Unbound wasn't actually working, I was able to troubleshoot the issue and find that I needed to add

Code:

127.0.0.1#5335
in Pi-Hole's Custom Upstream DNS Server.

Once I got that running, I decided to do a little exploring on multiple forums to see if there was a way to test if Unbound was working, because I was not able to figure out how to pull up any Unbound info or interface to show me statistics. I found some CLI commands such as

Code:

dig
which, based on Pi-Hole's documentation on testing, showed that everything looked OK. I also found the following websites to validate Unbound:

- UnboundTest.com
- Root Canary - Test
- Internet.nl - Connection Test

...with the following results:

Code:

UnboundTest.com

Query results for CAA pi-hole.net

Response:
;; opcode: QUERY, status: NOERROR, id: 36865
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pi-hole.net.	IN	 CAA

;; ANSWER SECTION:
pi-hole.net.	0	IN	CAA	0 iodef "mailto:thebridge@pi-hole.net"
pi-hole.net.	0	IN	CAA	0 issue "comodoca.com"
pi-hole.net.	0	IN	CAA	0 issue "godaddy.com"
pi-hole.net.	0	IN	CAA	0 issuewild "letsencrypt.org"
pi-hole.net.	0	IN	CAA	0 issue "letsencrypt.org"

----- Unbound logs -----
Apr 10 17:30:44 unbound[1251242:0] notice: init module 0: validator
Apr 10 17:30:44 unbound[1251242:0] notice: init module 1: iterator
Apr 10 17:30:44 unbound[1251242:0] info: start of service (unbound 1.12.0).
Apr 10 17:30:45 unbound[1251242:0] info: 127.0.0.1 pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: resolving pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: priming . IN NS
Apr 10 17:30:45 unbound[1251242:0] info: response for . NS IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <.> 192.33.4.12#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was ANSWER
Apr 10 17:30:45 unbound[1251242:0] info: priming successful for . NS IN
Apr 10 17:30:45 unbound[1251242:0] info: response for pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <.> 192.33.4.12#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was REFERRAL
Apr 10 17:30:45 unbound[1251242:0] info: response for pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <net.> 192.42.93.30#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was REFERRAL
Apr 10 17:30:45 unbound[1251242:0] info: response for pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <pi-hole.net.> 2a06:fb00:1::2:96#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was ANSWER
Apr 10 17:30:45 unbound[1251242:0] info: prime trust anchor
Apr 10 17:30:45 unbound[1251242:0] info: generate keytag query _ta-4f66. NULL IN
Apr 10 17:30:45 unbound[1251242:0] info: resolving . DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: resolving _ta-4f66. NULL IN
Apr 10 17:30:45 unbound[1251242:0] info: response for . DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <.> 2001:7fd::1#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was ANSWER
Apr 10 17:30:45 unbound[1251242:0] info: validate keys with anchor(DS): sec_status_secure
Apr 10 17:30:45 unbound[1251242:0] info: Successfully primed trust anchor . DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: validated DS net. DS IN
Apr 10 17:30:45 unbound[1251242:0] info: resolving net. DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: response for net. DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <net.> 192.31.80.30#53
Apr 10 17:30:45 unbound[1251242:0] info: query response was ANSWER
Apr 10 17:30:45 unbound[1251242:0] info: validated DNSKEY net. DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: NSEC3s for the referral proved no DS.
Apr 10 17:30:45 unbound[1251242:0] info: Verified that unsigned response is INSECURE
Root Canary - Test: [screenshot of the test result]

Internet.nl - Connection Test: [three screenshots of the test results]

So, with that information, I have a few questions:
  • Based on the above info, does it look like Unbound is working properly? (Note: I have IPv6 turned off at the Router & Pi-Hole Level)
  • Does anyone know if there is some type of GUI or CLI where I can check Unbound Stats? I attempted to run PADD on a different Pi that has a touchscreen attached to it, but I was unable to successfully get it running - I assume it has to be installed and used on the same Pi that Pi-Hole and Unbound are running on, but I do not want to use this touchscreen solely for PADD viewing.
  • I am not very well versed on encryption protocols, but I assume running Unbound is better than not. Is there any other software that the community recommends to increase the security of my network other than Unbound? DNS-over-TLS, No-IP, Let's Encrypt, Fail2Ban, HAProxy, HTTPS, TLS, SSL, etc...
  • I am also finding myself having to SSH into my Pi to restart Unbound every once in a while... not sure why, but does anyone know of issues with Unbound that would cause the service to "corrupt" itself and stop working?
Thanks in advance!
Joulinar
Posts: 5688
Joined: Sat Nov 16, 2019 12:49 am

Re: Question about Unbound + Pi-Hole via Optimized Software

Post by Joulinar »

Let me try to answer your questions one by one.
Based on the above info, does it look like Unbound is working properly?
Basically, if Unbound were not working, your DNS resolution would fail and you would have issues reaching the internet ;)

Another test could be to install tcpdump. This way you could watch the DNS traffic from clients to Pihole, Pihole to unbound and unbound to upstream DNS server

Code:

tcpdump -i any -c500 -nn port 53
This could be a larger output, depending on the number of devices in your network. It will stop after 500 lines are captured.
Does anyone know if there is some type of GUI or CLI where I can check Unbound Stats?
To view some Unbound statistics, you would need to install some additional tool. There are 2 options described in the Unbound documentation https://nlnetlabs.nl/documentation/unbo ... tatistics/
I am not very well versed on encryption protocols, but I assume running Unbound is better than not.
You can activate DoT quite easily on Unbound. Just follow the instructions in our online docs https://dietpi.com/docs/software/dns_servers/#unbound
I am also finding myself having to SSH into my Pi to restart Unbound every once in a while
Usually this should not happen. In this case it would be necessary to investigate what causes Unbound to fail.
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
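One offline way to read the Unbound log dwr pasted above and answer "is it recursing directly to the root servers, and is DNSSEC validation active?" is to parse the log lines themselves. This is an added example, not code from the thread or from DietPi; the sample log is a constructed subset of the lines quoted in the first post, and the parser only looks at the `reply from <zone> addr#port` lines and the validator messages that Unbound prints at the default verbosity.

```python
import re

# Constructed sample: a subset of the Unbound log lines quoted in the thread.
SAMPLE_LOG = """\
Apr 10 17:30:45 unbound[1251242:0] info: resolving pi-hole.net. CAA IN
Apr 10 17:30:45 unbound[1251242:0] info: priming . IN NS
Apr 10 17:30:45 unbound[1251242:0] info: reply from <.> 192.33.4.12#53
Apr 10 17:30:45 unbound[1251242:0] info: priming successful for . NS IN
Apr 10 17:30:45 unbound[1251242:0] info: reply from <net.> 192.42.93.30#53
Apr 10 17:30:45 unbound[1251242:0] info: reply from <pi-hole.net.> 2a06:fb00:1::2:96#53
Apr 10 17:30:45 unbound[1251242:0] info: prime trust anchor
Apr 10 17:30:45 unbound[1251242:0] info: validate keys with anchor(DS): sec_status_secure
Apr 10 17:30:45 unbound[1251242:0] info: Successfully primed trust anchor . DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: validated DNSKEY net. DNSKEY IN
Apr 10 17:30:45 unbound[1251242:0] info: NSEC3s for the referral proved no DS.
Apr 10 17:30:45 unbound[1251242:0] info: Verified that unsigned response is INSECURE
"""

# Matches the zone a reply came from, the server address and the port used.
REPLY_RE = re.compile(r"reply from <(?P<zone>[^>]*)> (?P<addr>\S+)#(?P<port>\d+)")


def analyse(log_text):
    """Summarise what a chunk of Unbound log proves about the resolver."""
    zones, ports, status = [], set(), None
    root_primed = anchor_primed = False
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            zones.append(m.group("zone"))
            ports.add(int(m.group("port")))
        if "priming successful for . NS IN" in line:
            root_primed = True          # root NS set was fetched directly
        if "Successfully primed trust anchor" in line:
            anchor_primed = True        # DNSSEC root key validated
        if "sec_status_secure" in line:
            status = "secure"
        if "unsigned response is INSECURE" in line:
            status = "insecure"         # zone is provably unsigned, not bogus
    return {
        "recursive": root_primed and "." in zones,   # talked to the root itself
        "dnssec_anchor_ok": anchor_primed,
        "final_status": status,
        "plaintext_only": ports == {53},             # no 853 (DoT) forwarder seen
        "zones_walked": zones,
    }
```

A forwarding setup would instead show a single upstream address (port 853 for DoT) on every `reply from` line and no root priming, which is exactly the difference between the two schemes discussed later in the thread.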
WarHawk
Posts: 774
Joined: Thu Jul 20, 2017 8:55 am

Re: Question about Unbound + Pi-Hole via Optimized Software

Post by WarHawk »

This guy has a pretty good walkthrough explanation

https://www.youtube.com/watch?v=FnFtWsZ8IP0

Down in the information, it provides links and a few config files that work
Joulinar
Posts: 5688
Joined: Sat Nov 16, 2019 12:49 am

Re: Question about Unbound + Pi-Hole via Optimized Software

Post by Joulinar »

Well you can have a look to our blog as well. https://dietpi.com/blog/?p=564
WarHawk
Posts: 774
Joined: Thu Jul 20, 2017 8:55 am

Re: Question about Unbound + Pi-Hole via Optimized Software

Post by WarHawk »

Joulinar wrote: Sun Apr 11, 2021 5:03 am Well you can have a look to our blog as well. https://dietpi.com/blog/?p=564
Very nice!
MichaIng
Site Admin
Posts: 3266
Joined: Sat Nov 18, 2017 6:21 pm

Re: Question about Unbound + Pi-Hole via Optimized Software

Post by MichaIng »

Note that DoT, DoH, DNSCrypt etc., while encrypting your DNS requests, break the initial intention of Unbound to skip a public DNS provider, as discussed in our docs as well.

No-IP is a dynamic DNS provider, which you can use to get a static hostname/domain for your dynamic public IP, but it has nothing to do with security. Once you have a static domain, Let's Encrypt can be used to get TLS (successor of deprecated SSL) certificates to access your website via HTTPS, if you have one.

Fail2ban is especially highly recommended when you open/forward the SSH port publicly, to protect it from brute-force attacks. It can be configured to protect any other application with a login interface, if that application has no internal protection/login limits already.

HAProxy is a load balancer, which has nothing to do with security, but it can split website requests across multiple webservers/machines if a single one could not handle the traffic online. In the case of home networks it's instead mostly used as a regular proxy to e.g. forward HTTP traffic from port 80/443 to internal applications that listen on other ports. AFAIK, if no real webserver is required, HAProxy is the more lightweight option.
dwr
Posts: 77
Joined: Thu Feb 18, 2021 3:46 am

Re: Question about Unbound + Pi-Hole via Optimized Software

Post by dwr »

MichaIng wrote: Wed Apr 14, 2021 12:28 am Note that DoT, DoH, DNSCrypt etc., while encrypting your DNS requests, break the initial intention of Unbound to skip a public DNS provider, as discussed in our docs as well.
Can you expand on this? I do not understand what you mean by "[it will] break the initial intention of Unbound to skip a public dns provider..."

And thanks to everyone for their responses - I have been traveling recently and haven't had a free moment to really do anything. I'll be checking out those docs once I get back to the home base.
Joulinar
Posts: 5688
Joined: Sat Nov 16, 2019 12:49 am

Re: Question about Unbound + Pi-Hole via Optimized Software

Post by Joulinar »

By default Unbound is not using any public DNS provider, as it is using the global DNS root servers. This will increase your privacy, as you will not be tracked by a DNS provider or your ISP. However, your DNS traffic will be unencrypted, which is the standard in most cases if you use standard configurations on your router etc.

However, you could encrypt DNS as well, similar to HTTP, where the encryption is HTTPS. In the DNS world you have 2 possibilities: DoT or DoH. At the moment Unbound supports DoT. The benefit is that your DNS traffic will be encrypted and cannot be read by someone like your ISP. The downside is that you would need a public DNS provider who supports encryption. This works against the idea of using the root DNS servers.

Hope this explains it a little bit.
MichaIng
Site Admin
Posts: 3266
Joined: Sat Nov 18, 2017 6:21 pm

Re: Question about Unbound + Pi-Hole via Optimized Software

Post by MichaIng »

Or in a scheme:

Unbound as recursive DNS resolver (default):

Code:

       53         53
client => Unbound => DNS root servers
  • Both unencrypted traffic on port 53, hence a man-in-the-middle or ISP could theoretically read it.

Unbound with DoT:

Code:

       53         853                    53
client => Unbound => public DNS provider => DNS root servers
  • Encrypted traffic between Unbound and the public DNS provider, so your ISP cannot read it.
  • But one more party is involved that doesn't even need to be sneaky to read your traffic, and there are still two unencrypted requests, between the client and Unbound and from the public DNS provider to the DNS root servers, as DNS natively is unencrypted on port 53.
Joulinar
Posts: 5688
Joined: Sat Nov 16, 2019 12:49 am

Re: Question about Unbound + Pi-Hole via Optimized Software

Post by Joulinar »

It depends on personal requirements. In all cases, there will be someone who could read the DNS request. :)