unbound - desktop computer

Hi!

I have been using Unbound from ports for a very long time as DNS over TLS, recursive caching DNS, TCP port 853.
Is it important, or is it too much, to have it on a desktop/laptop, or can I just put a preferred name server in resolv.conf?

Thank you.
 
so your resolv.conf is pointing at the local unbound server to do DNS? Nothing wrong with that, your system is doing all the DNS lookups directly. I'm assuming you are only using unbound for DNS resolution, not answering DNS queries. It means a little more load locally, but maybe a little more security because you depend only on yourself. Local unbound means no one upstream is caching your lookups.

Having an external server in resolv.conf means you need to have enough internet to get there, do the lookup, and come back.

All of that said, I really don't know what is preferable: do all your own DNS lookups or let someone like OpenDNS/Google do it. I tend to do a bit of both.
 
This is my resolv.conf:
nameserver 127.0.0.1
options edns0
and in unbound.conf I have:
 forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-first: no
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
Not just this, but this is at the end.
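The forward-zone above is the part that decides whether upstream queries are encrypted and whether the upstream's certificate is actually checked. As an added example (not from this thread or from the unbound project), here is a small Python checker that reads forward-zone blocks in that syntax and warns when a zone has forward-tls-upstream off, when a forward-addr is not on port 853, or when it lacks the #authname that unbound needs to verify the certificate. SAMPLE_CONF is constructed for the example (192.0.2.53 is a documentation address); the checker does not look at the server: section, so it cannot tell whether tls-cert-bundle or tls-system-cert is set.

```python
import re
# Constructed sample: the post's forward-zone plus a zone written without TLS to flag
# (192.0.2.53 is a documentation address, not a real resolver).
SAMPLE_CONF = """\
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
forward-zone:
  name: "example.internal."
  forward-addr: 192.0.2.53
"""

# unbound's forward-addr syntax: IP, optional @port, optional #authname.
ADDR_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")

def parse_forward_zones(text):
    # Collect name, forward-tls-upstream and forward-addr values per forward-zone block.
    zones = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        if line == "forward-zone:":
            zones.append({"name": "", "tls": False, "addrs": []})
        elif zones:  # options before the first block (server: etc.) are out of scope here
            key, _, value = (part.strip() for part in line.partition(":"))
            if key == "name":
                zones[-1]["name"] = value.strip('"')
            elif key == "forward-tls-upstream":
                zones[-1]["tls"] = value.lower() == "yes"
            elif key == "forward-addr":
                zones[-1]["addrs"].append(value)
    return zones

def check_zone(zone):
    # Warn when a zone forwards in plaintext, or over TLS without verifying the upstream.
    if not zone["tls"]:
        return [f"{zone['name']}: forward-tls-upstream is off, upstream queries are plaintext"]
    warnings = []
    for addr in zone["addrs"]:
        m = ADDR_RE.match(addr)
        if not m or m.group("port") != "853":
            warnings.append(f"{zone['name']}: {addr} is malformed or not on the DoT port 853")
        elif not m.group("auth"):
            # Encrypted but unauthenticated: unbound verifies the certificate only against a
            # #authname, and only when tls-cert-bundle or tls-system-cert is set in server:.
            warnings.append(f"{zone['name']}: {addr} has no #authname, certificate is not verified")
    return warnings

def check_config(text):
    return [w for zone in parse_forward_zones(text) for w in check_zone(zone)]
```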
 
Local unbound means noone upstream is caching your lookups.
Upstream there are fishermen from the special services with their protocols. :)

I haven't noticed any benefit on my home PC.
I don't see any speed increase visually. Maybe something arrives milliseconds faster.
I used a caching DNS on the gateway, at the enterprise, on 100 PCs.
The gateway was assembled on a regular PC based on OPNSense.
I guess that security is important to you. Then tell me, what kind of gateway is between you and your provider?

If the twisted pair just goes straight to your PC, then this is one scheme.
If between your provider and the household there is a gateway based on OpenBSD, IPFire, etc.,
then this is a different scheme. I think it is more expedient to install a caching DNS on the gateway.
If your gateway is a regular TP-Link or D-Link router (they are broken by the hundreds of thousands all over the world),
then it is better to replace it.
I do not use home and budget routers. It's better to assemble it yourself on the basis of Alpine or FreeBSD.
The hardware is a regular used PC.
I go through 9.9.9.9
They still see me. I don't really worry about it.
Read about SORM systems on free. There are analogues in all countries. They know everything about us: who, where, when, why.
There are a lot of myths about "individual security".
If people are caught on the Tor network output nodes (this is the 3rd output level), then I will simply keep quiet about the open network.
 
Ahh, so I think technically "caching forwarding DNS server". Lookups hit local unbound; if it has it, it responds, else it forwards to external servers. Responses from external servers stay cached in local unbound so "the next one" gets served from local.
That's a pretty standard configuration for a lot of people, makes the second lookup a little quicker. I've seen that on a lot of "firewall" type devices: all things behind it query the firewall, the firewall sends them out as needed. Advantage of scale: the firewall caches everything for the systems behind it, so they all benefit from the cache.

So going back to the original question, I think "sixes and threes" or "six of one and half a dozen of the other". On a workstation, single user, very little real difference between the two configurations (my opinion). If IP addresses are being served via DHCP, you can have a lot of control over which DNS servers each client talks to.

To me DNS is always:
Do I just use external servers?
Do I use a local resolver that forwards to external servers?
Do I use a local resolver that always does complete resolution?

Arguments can be made for/against each point, what may be best for me may not be best for you.

What USerID says is similar, maybe a bit more than what I'm saying here.
 
Yes, and also - people who set up a "safe" DNS often encountered instability in its operation. Therefore, when analyzing the operation of the gateway, the first thing they did was disable the DNS over TLS.
All this is available in huge quantities on the OPNSense gateway forum.
 