Netgate Discussion Forum

    Unbound

    DHCP and DNS
    6 Posts 2 Posters 583 Views
    • Qinn

      Hi guys, am I right on the following?

      Using unbound in pfSense, so not any providers/servers for DNS like Cloudflare, Quad9 or Google, the DNS traffic is not/cannot be encrypted, but it is authenticated with DNSSEC, so the reply I get/receive is validated as being the answer that was sent, and thus my ISP can see my DNS requests.

      So using unbound, I cannot use encrypted DNS/TLS, and if I want to, I will have to set it up in, let's say, my browser like FF (about which there is much discussion).

      Cheers Qinn

      • Gertjan @Qinn

        Hi,

        @Qinn said in Unbound:

        Using unbound in pfSense, so not any providers/servers for DNS like Cloudflare, Quad9 or Google, the DNS traffic is not/cannot be encrypted, but it is authenticated with DNSSEC, so the reply I get/receive is validated as being the answer that was sent, and thus my ISP can see my DNS requests.

        Requests over port 53 (UDP and TCP) are 'in clear', that is, visible on 'the wire'.
        When you visit a site that supports DNSSEC, the answers to your DNS requests will be validated by unbound.
        That is, if DNSSEC is available, it should match. If not, no answers.
        Sites (nameservers) that do not support DNSSEC will be handled as normal.

        @Qinn said in Unbound:

        So using unbound, I cannot use encrypted DNS/TLS

        Oh, yes you can.
        In that case your DNS requests will be encrypted up to the DNS server you are forwarding to. They will know about your request - and if they have to resolve, that will go 'non encrypted' up from there - but no one will know it was "you" that was asking ....
        DNSSEC makes no sense when you forward; you will have to trust the forwarder.

        @Qinn said in Unbound:

        I will have to set it up in let's say my browser like FF

        That's another issue. This browser option bypasses your local DNS caches and resolvers altogether.
        It will be using TLS, true.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

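To make two points of the reply above concrete (a port-53 query is readable by anyone on the path, and the validator's verdict reaches the client only as the AD flag or as a SERVFAIL), here is an added example that is not code from the thread, from pfSense or from Unbound: a minimal DNS wire-format encoder and parser in Python. All packets are constructed in memory; the only value taken from the thread is the facebook.com address shown in the drill output further down. The transaction ID and the helper names are arbitrary choices.

```python
"""Added example: what a plain DNS/53 query looks like on the wire and how a
client reads a validating resolver's verdict (the AD flag) from the reply.
Packets here are constructed in memory; nothing is sent."""
from __future__ import annotations
import struct

# Header flag bits (RFC 1035; AD/CD from RFC 4035). DO lives in the OPT RR (RFC 6891).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000          # high bit of the low 16 bits of the OPT "TTL" field
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(pkt: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                       # bound against compression-pointer loops
        ln = pkt[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    else:
        raise ValueError("malformed name: too long or pointer loop")
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(qname: str, qtype: int = TYPE_A, txid: int = 0x1234, want_dnssec: bool = True) -> bytes:
    """RD=1 query. With want_dnssec an OPT RR carrying DO=1 is appended, which is
    what a validating resolver sends upstream so that RRSIGs come back with the data."""
    hdr = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1 if want_dnssec else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if want_dnssec:   # root name, type OPT, class = UDP payload size, TTL = flags (DO), rdlen 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0)
    return hdr + question + opt


def parse_header(pkt: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def observed_qname(pkt: bytes) -> str:
    """What a passive observer on the path recovers from a port-53 packet: the question name."""
    return decode_name(pkt, 12)[0]


def build_reply(query: bytes, ip: str, validated: bool, rcode: int = 0) -> bytes:
    """Constructed reply (sample data, not a capture): echoes the question and either
    returns one A record, with AD set when the resolver validated it, or an rcode-only reply."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (AD if validated else 0) | rcode
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                   # name + qtype + qclass
    if rcode:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr


def verdict(reply: bytes) -> str:
    """Client-side reading of the validator's result, as a stub behind unbound sees it."""
    h = parse_header(reply)
    if h["rcode"] == 2:
        return "SERVFAIL: validator refused the answer (bogus signatures or no usable data)"
    if h["rcode"]:
        return f"rcode {h['rcode']}"
    if h["ad"]:
        return "validated: AD=1, chain of trust from the root checked by the resolver"
    return "unvalidated: AD=0 (unsigned zone, CD set, or resolver not validating)"


if __name__ == "__main__":
    q = build_query("facebook.com")
    print("on the wire, anyone on the path reads:", observed_qname(q))
    r = build_reply(q, "157.240.201.35", validated=True)   # address from the thread's drill output
    print(verdict(r))
    print(verdict(build_reply(q, "0.0.0.0", validated=False, rcode=2)))
```

Note that AD=1 is a statement by the resolver you are talking to, carried in cleartext over port 53 between it and you; it is meaningful only because unbound runs on your own pfSense box. When you forward, the same bit is just the forwarder's word, which is the point made above about having to trust the forwarder.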
        • Qinn

          I am confused, as DNS is a bit out of my wheelhouse, so using the resolver in pfSense, meaning unbound, is effectively using the DNS of your internet service provider?

          • Gertjan @Qinn

            Nope.

            These (DNS of your internet service provider), or 8.8.8.8 or 1.1.1.1 or whatever: by default, unbound doesn't care.

            Open up a console or SSH, and type

            drill -T facebook.com
            

            unbound goes to one of the 13 root servers, asking for a .com server, then it finds .com, and goes to one of the two name servers of facebook.com, and from (one of) them it retrieves an A record (the IPv4).

            unbound, by default, uses the main index of the Internet: the root servers.
            Not some DNS cache.


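The walk Gertjan describes (root hints, referral to the .com servers, referral to facebook.com's name servers, then the A record) is iterative resolution. The following is an added example, not unbound's code or anything posted in the thread: a toy iterative resolver in Python run over an in-memory set of constructed authoritative servers shaped like the drill -T output. Server addresses are RFC 5737 documentation ranges and the example.com / example.org delegation is invented to exercise the glueless, out-of-bailiwick case that the thread's trace does not show; only facebook.com's A record is taken from the thread.

```python
"""Added example: iterative resolution the way a default unbound does it. Start at the
root hints, follow NS referrals (using glue when offered) down to the server that is
authoritative for the name, and return its answer. Everything is an in-memory model."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Response:
    answer: list = field(default_factory=list)       # (name, type, rdata)
    authority: list = field(default_factory=list)    # (zone, "NS", nsname): a referral
    additional: dict = field(default_factory=dict)   # glue: nsname -> ip
    rcode: str = "NOERROR"


class AuthServer:
    """Constructed authoritative server: the records it holds and the zones it delegates."""

    def __init__(self, records: dict, delegations: dict, glue: dict):
        self.records, self.delegations, self.glue = records, delegations, glue

    def query(self, qname: str, qtype: str) -> Response:
        if (qname, qtype) in self.records:
            return Response(answer=[(qname, qtype, r) for r in self.records[(qname, qtype)]])
        # Closest enclosing delegation -> referral, with glue only for NS names we have glue for.
        zones = [z for z in self.delegations if qname == z or qname.endswith("." + z)]
        if not zones:
            return Response(rcode="NXDOMAIN")
        zone = max(zones, key=len)
        nsnames = self.delegations[zone]
        return Response(authority=[(zone, "NS", ns) for ns in nsnames],
                        additional={ns: self.glue[ns] for ns in nsnames if ns in self.glue})


def resolve(qname: str, qtype: str, servers: dict, root_hints: list,
            depth: int = 0, trace: list | None = None) -> tuple[list, list]:
    """Iterative lookup. servers maps ip -> AuthServer. Returns (rdata list, trace of hops)."""
    if depth > 4:
        raise RuntimeError("nested NS lookups too deep (delegation loop?)")
    trace = [] if trace is None else trace
    targets = list(root_hints)                     # the resolver starts here, not at the ISP
    for _ in range(16):                            # referral budget
        ip = targets[0]
        if ip not in servers:
            raise RuntimeError(f"no server at {ip}")
        resp = servers[ip].query(qname, qtype)
        if resp.rcode != "NOERROR":
            trace.append((ip, qname, resp.rcode))
            return [], trace
        if resp.answer:
            trace.append((ip, qname, "ANSWER"))
            return [rdata for _, _, rdata in resp.answer], trace
        if not resp.authority:
            raise RuntimeError(f"lame server {ip}: neither answer nor referral")
        zone = resp.authority[0][0]
        trace.append((ip, qname, f"referral to {zone}"))
        nsnames = [ns for _, _, ns in resp.authority]
        targets = [resp.additional[ns] for ns in nsnames if ns in resp.additional]
        if not targets:
            # Out-of-bailiwick NS without glue: resolve the NS names themselves, from the root.
            for ns in nsnames:
                ips, _ = resolve(ns, "A", servers, root_hints, depth + 1, trace)
                targets.extend(ips)
            if not targets:
                raise RuntimeError(f"cannot find addresses for the name servers of {zone}")
    raise RuntimeError("too many referrals")


# Constructed delegation tree shaped like the thread's drill -T output. Server addresses are
# RFC 5737 documentation ranges; only facebook.com's A record comes from the thread.
ROOT = "192.0.2.1"
GTLD = {"a.gtld-servers.net": "192.0.2.10", "b.gtld-servers.net": "192.0.2.11"}   # .com servers
ORG = {"a0.org-servers.net": "192.0.2.20"}
FB_NS = {"a.ns.facebook.com": "198.51.100.1", "b.ns.facebook.com": "198.51.100.2"}
EX_NS = {"ns1.example.org": "198.51.100.50"}      # also hosts example.com: out-of-bailiwick NS

SERVERS = {
    ROOT: AuthServer({}, {"com": list(GTLD), "org": list(ORG)}, {**GTLD, **ORG}),
    **{ip: AuthServer({}, {"facebook.com": list(FB_NS), "example.com": list(EX_NS)}, FB_NS)
       for ip in GTLD.values()},                  # .com servers hold glue for facebook.com only
    **{ip: AuthServer({}, {"example.org": list(EX_NS)}, EX_NS) for ip in ORG.values()},
    **{ip: AuthServer({("facebook.com", "A"): ["157.240.201.35"]}, {}, {}) for ip in FB_NS.values()},
    **{ip: AuthServer({("ns1.example.org", "A"): ["198.51.100.50"],
                       ("example.com", "A"): ["203.0.113.7"]}, {}, {}) for ip in EX_NS.values()},
}

if __name__ == "__main__":
    for name in ("facebook.com", "example.com", "nope.test"):
        ips, trace = resolve(name, "A", SERVERS, [ROOT])
        print(name, "->", ips or "(no answer)")
        for hop in trace:
            print("   ", *hop)
```

The facebook.com trace is the three hops drill -T prints: root, a .com server, a facebook.com server. The example.com lookup shows why a resolver needs the detour a trace does not display: the .com server refers to ns1.example.org without an address, so the resolver has to walk root, .org, example.org first, then come back and ask that server for example.com.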
            • Qinn @Gertjan

              Thanks @Gertjan, and I tested it in pfS....

              drill -T facebook.com
              com.    172800  IN      NS      f.gtld-servers.net.
              com.    172800  IN      NS      h.gtld-servers.net.
              com.    172800  IN      NS      k.gtld-servers.net.
              com.    172800  IN      NS      a.gtld-servers.net.
              com.    172800  IN      NS      c.gtld-servers.net.
              com.    172800  IN      NS      b.gtld-servers.net.
              com.    172800  IN      NS      e.gtld-servers.net.
              com.    172800  IN      NS      d.gtld-servers.net.
              com.    172800  IN      NS      g.gtld-servers.net.
              com.    172800  IN      NS      l.gtld-servers.net.
              com.    172800  IN      NS      i.gtld-servers.net.
              com.    172800  IN      NS      j.gtld-servers.net.
              com.    172800  IN      NS      m.gtld-servers.net.
              facebook.com.   172800  IN      NS      a.ns.facebook.com.
              facebook.com.   172800  IN      NS      b.ns.facebook.com.
              facebook.com.   300     IN      A       157.240.201.35


              .....and the above is what I expected, connecting to a root server, in this case "f.gtld-servers.net", but any idea why this test site reports that DNS is from my ISP?

              http://www.whatsmydnsserver.com/

              Stupid, stupid 😊 I think I found out why I got mixed up: this site returns my pfSense WAN IP as DNS and relates that to my ISP.

              BTW, is there any similar Linux command that I can use, as dig +trace doesn't work the same on FreeBSD as on Linux and drill doesn't work on my Linux distro?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.