Unbound
-
Hi guys am I right on the following
Using unbound in pfSense, so not any providers/servers for DNS like Cloudflare, Quad9 or Google, the DNS traffic is/cannot be encrypted, but it is authenticated with DNSSEC, so the reply I get/receive is validated as being the answer that was sent, and thus my ISP can see my DNS requests.
So using unbound, I cannot use encrypted DNS/TLS, and if I want to, I will have to set it up in, let's say, my browser like FF (which there is much discussion about).
Cheers Qinn
-
Hi,
"Using unbound in pfSense, so not any providers/servers for DNS like Cloudflare, Quad9 or Google, the DNS traffic is/cannot be encrypted, but it is authenticated with DNSSEC, so the reply I get/receive is validated as being the answer that was sent, and thus my ISP can see my DNS requests."
Requests over port 53 (UDP and TCP) are 'in clear', that is, visible on 'the wire'.
When you visit a site that supports DNSSEC, the answers to your DNS requests will be validated by unbound.
That is, if DNSSEC is available, it should match. If not, no answers.
Sites (nameservers) that do not support DNSSEC will be handled normally.
"So using unbound, I cannot use encrypted DNS/TLS"
Oh, yes you can.
In that case your DNS requests will be encrypted up until the DNS server you are forwarding to. They will know about your request - and if they have to resolve, that will go 'non encrypted' up from there - but no one will know it was "you" that was asking ....
DNSSEC makes no sense when you forward; you will have to trust the forwarder.
"I will have to set it up in let's say my browser like FF"
That's another issue. This browser option bypasses your local DNS caches and resolvers altogether.
It will be using TLS, true.
-
I am confused, as DNS is a bit out of my wheelhouse, so using the resolver in pfSense, meaning unbound, is effectively using the DNS of your internet service provider?
-
Noop.
Those (the DNS of your internet service provider), or 8.8.8.8 or 1.1.1.1 or whatever: by default, unbound doesn't care.
Open up a console or SSH, and type
drill -T facebook.com
unbound goes to one of the 13 root servers, asking for a .com server, then it finds .com, and goes to one of the two name servers of facebook.com, and from (one of) them it retrieves an A record (the IPv4).
unbound, by default, uses the main index of the Internet: the root servers.
Not some DNS cache.
-
Thanks @Gertjan, and I tested it in pfS....
drill -T facebook.com
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
facebook.com. 172800 IN NS a.ns.facebook.com.
facebook.com. 172800 IN NS b.ns.facebook.com.
facebook.com. 300 IN A 157.240.201.35
.....and the above is what I expected, connecting to a root server, in this case "f.gtld-servers.net", but any idea why this test site reports that DNS is from my ISP?
http://www.whatsmydnsserver.com/
Stupid, stupid. I think I found out why I got mixed up: this site returns my pfSense WAN IP as the DNS server and relates that to my ISP.
BTW, is there any similar Linux command that I can use, as dig +trace doesn't work the same on FreeBSD as on Linux, and drill doesn't work on my Linux distro?
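Added illustration, not part of this thread or of unbound's code: a toy iterative resolver that walks the same chain Gertjan describes and the drill -T trace above shows (root server, then a .com gTLD server, then facebook.com's own name server, then the A record). The server names and the 157.240.201.35 address are taken from the trace and a real root-server name is used; the zone data is constructed and simplified (no glue records, no DNSSEC, servers addressed by name only).

```python
# Toy iterative resolver: constructed model of the root -> TLD -> authoritative walk.
# AUTH maps a server name to the records it is authoritative for or delegates.
# Names come from the drill -T trace above plus one real root-server name; the
# IP is the one in the trace; everything else is a constructed simplification.
AUTH = {
    "a.root-servers.net": {"com.": ("NS", ["f.gtld-servers.net", "a.gtld-servers.net"])},
    "f.gtld-servers.net": {"facebook.com.": ("NS", ["a.ns.facebook.com", "b.ns.facebook.com"])},
    "a.gtld-servers.net": {"facebook.com.": ("NS", ["a.ns.facebook.com", "b.ns.facebook.com"])},
    "a.ns.facebook.com": {"facebook.com.": ("A", "157.240.201.35")},
    "b.ns.facebook.com": {"facebook.com.": ("A", "157.240.201.35")},
}


def suffixes(qname):
    """'facebook.com.' -> ['facebook.com.', 'com.']: the zone cuts a server may know."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def query(server, qname):
    """Ask one server; it answers with the closest-enclosing data it holds.
    A real server would return NXDOMAIN or REFUSED; here an unknown name raises."""
    zone = AUTH[server]
    for owner in suffixes(qname):
        if owner in zone:
            return owner, zone[owner]
    raise LookupError(f"{server} has nothing for {qname}")


def resolve(qname):
    """Walk from the root, following NS referrals, until an A record comes back.
    Returns (ip, trace lines in the style drill -T prints, servers that saw the query)."""
    server, trace, asked = "a.root-servers.net", [], []
    while True:
        asked.append(server)
        owner, (rtype, data) = query(server, qname)
        if rtype == "A":
            trace.append(f"{owner} IN A {data}")
            return data, trace, asked
        for ns in data:                      # referral: record the delegation ...
            trace.append(f"{owner} IN NS {ns}")
        server = data[0]                     # ... and ask the first listed server next


if __name__ == "__main__":
    ip, trace, asked = resolve("facebook.com.")
    print("\n".join(trace))
    # The ISP's resolver was never asked, though the port-53 packets are still visible on the wire.
    print("servers that saw the question:", asked)
```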