Switched back to Unbound, External DNS Servers Still Used?



  • I've recently learned about Unbound actually was and how it compares to other DNS servers, but I haven't been able to find the answer to this question I have.

    I used to use OpenDNS, but I no longer really need to use parental controls, which was main reason for it. Plus, I finally setup pfBlockerNG, so after doing that, I noticed that OpenDNS doesn't block much of anything at all. Plus, I'm trying to better secure and privatize my Internet usage. So I'm canning OpenDNS. I turned off the "DNS Query Forwarding" so Unbound would just handle things instead of sending DNS requests upstream to OpenDNS. It's working fine. OpenDNS stats show no requests.

    My question is.. Should I just remove the external DNS servers (OpenDNS) from the General Settings tab? I'm a bit confused as to how Unbound would be able to continue resolving DNS requests without contacting external servers. I tried new sites I've never been to that wouldn't be in cache and it still seems to not request anything from OpenDNS. Can someone clarify for me if I still need these external servers set up? If so, I want to change them to Cloudflare or Google, so in case requests need to be made, they no longer happen with OpenDNS. Thanks.



  • @iceman24 said in Switched back to Unbound, External DNS Servers Still Used?:

    I'm a bit confused as to how Unbound would be able to continue resolving DNS requests without contacting external servers.

    See the manual (or the official unbound manual)

    These so called root DNS Servers are known (build in or compiled in) into every DNS server/resolver. Unbound uses one of these 13 'root' dns servers to do any DNS lookup.
    This method always works - out of the box.

    You can remove any external DNS IP's. They are not needed anymore.
    The default

    0_1552297850308_845adf3e-6f83-4b77-978b-7b895a725d2d-image.png
    will do just fine.

    edit : here it is : https://en.wikipedia.org/wiki/Domain_Name_System#/media/File:Example_of_an_iterative_DNS_resolver.svg
    From https://en.wikipedia.org/wiki/Domain_Name_System

    @iceman24 said in Switched back to Unbound, External DNS Servers Still Used?:

    Can someone clarify for me if I still need these external servers set up?

    Ah, that question. See it like this : why does someone want to transmit all his personal events to Facebook ?, Twitter ?, Linkedin ?, Instagram ? etc. I don't know.
    I guess those 'big' guys never offered me this contract : "give me all your network search traffic, we will pay you x $ a month for it - and we promise you that we will not reveal all that info to no-one ( and if we do we'll send over our PDG to the Senat to explain why we are not faulty, that the others are nasty, etc etc) ".

    Please do understand me : I love Google. They already have, I guess, all my 'search' requests. I never found a valid reason why they should have all my DNS requests too.



  • @gertjan Thanks for the very informative answer. I now understand what I need to know, so out goes OpenDNS and I'll let Unbound use the root servers as needed.

    That brings me to another question though, as I thought I was going to have to leave some external DNS servers in there, especially before I learned what Unbound actually was. I was going to switch to DNS over TLS or something similar, but if just using Unbound for DNS requests, no external servers would be used, so what is the point then? I feel the answer is that they aren't needed and that only people without Unbound (which may be most considering you need pfSense, a Pi-Hole, or something similar), have a need for securing their DNS traffic.

    With that being said, should I just forget DNS over TLS since I'm using Unbound and don't rely on external DNS servers?



  • When you use unbound to forward, you could as well using the Forwarder (also known with the name dnsmasq, that's the program being used).
    Both have the possibility to use TLS to forward to an upstream resolver. This resolver could be your ISP DSN (resolver) or any public known resolver like 8.8.8.8, Cloudfare, etc.
    Mind you, only the connection between your pfSense and this upstream resolver will be tunneled (encrypted). Resolving afterwards will be done the old fashioned 'clear' way. The thing that will be different : the DNS resolve requests will be send over the Internet, and it's your resolver of choice, say 8.8.8.8, that's asking for it. As soon as the answers comes back, 8.8.8.8 will send it over to you. No one will know what you requested - except you and ... 8.8.8.8.

    @iceman24 said in Switched back to Unbound, External DNS Servers Still Used?:

    I'm using Unbound and don't rely on external DNS servers?

    Well, unbound relies on a boatload of external DNS servers.
    It will always use one of the root servers - one of the TLD servers, one of the name servers of the zone your asking for. It's a good thing these answers are cached ^^



  • Thanks, but I'm still confused about what to do here. From what you said, it seems as if I have the choice of choosing to let pfSense Unbound use either the "root" external DNS servers, that of which it chooses, or I can choose. Is that right?

    In addition, if I choose, I can encrypt the DNS connection. If I let it just use whatever root servers, is that then unencrypted? Is there a way to encrypt the root servers?

    Between choosing my own DNS servers without encryption vs letting it use the root servers (assuming that's unencrypted), is there an advantage to just letting it use the root servers?

    Last question. Even if I choose my own DNS servers, it only actually contacts them if the result is not cached? I ask because even though that seems like the case, OpenDNS handled every query, many of which were cached.


Log in to reply