Unbound as recursive DNS
Last updated
DNS spoofing is one of the most popular cyber attacks. Although the reputable public DNS providers are well secured and well maintained, they are also worthy targets for attackers: once one of them is compromised, millions of users would be affected.
In addition, privacy is another thing I am concerned about. There are more and more upstream DNS servers out there, and even though they are advertised as free and private, I cannot be sure that my family's privacy is left untouched.
Running a small DNS server on my OPNsense mini PC is quite convenient and greatly reduces the concerns mentioned above.
DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) both encrypt DNS messages to provide more privacy and security.
The difference between them is the port number: DoH uses port 443 while DoT uses port 853. In my opinion, I prefer DoT over DoH because DNS traffic on its own dedicated port is easier to monitor than DoH traffic mixed in with ordinary HTTPS.
Prefetch Support: This helps improve performance by refreshing popular cache entries before they expire.
Hardening DNSSEC: This option validates DNS responses with DNSSEC.
Qname Minimisation: This minimises the amount of information sent to upstream servers.
DNS-over-TLS: (optional) This improves privacy by hiding queries from the ISP and attackers. However, there is a trade-off: enabling it changes Unbound from a pure recursive resolver into a DNS forwarder. For me, I do not enable DoT and keep Unbound as a recursive DNS.
Lastly, I set up Unbound as my recursive DNS and as the upstream DNS for my Pi-hole sinkhole.
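For readers who run Unbound outside the OPNsense GUI, here is an unbound.conf fragment that mirrors the options discussed above. It is an added example, not configuration taken from OPNsense, the Unbound project or this post; the LAN subnet, the root.key path, the cert bundle path and the commented-out DoT upstream address are assumptions.

```conf
# Added example: minimal unbound.conf equivalent of the settings discussed
# on this page. The subnet, file paths and upstream address are assumptions.
server:
    interface: 0.0.0.0
    interface: ::0
    port: 53

    # Only answer clients on the LAN (the Pi-hole lives there); refuse the rest.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.168.1.0/24 allow      # assumed LAN subnet
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # "Prefetch Support": refresh popular cache entries before they expire.
    prefetch: yes

    # "Hardening DNSSEC": validate answers against the root trust anchor and
    # treat responses that strip required DNSSEC records as bogus.
    auto-trust-anchor-file: "/var/unbound/root.key"   # path is an assumption
    harden-dnssec-stripped: yes

    # "Qname Minimisation": send each server only the labels it needs to see.
    qname-minimisation: yes

    # Recursive mode: with no forward-zone configured, Unbound resolves from
    # the root servers itself, which is the setup kept on this page.
    # tls-cert-bundle: "/etc/ssl/cert.pem"   # only needed if the DoT block below is enabled

# DNS-over-TLS (optional): uncommenting this block turns Unbound into a
# forwarder; every query is then sent to the listed upstream over port 853.
# forward-zone:
#     name: "."
#     forward-tls-upstream: yes
#     forward-addr: 203.0.113.10@853#dot.example.invalid   # placeholder, not a real upstream
```

Run `unbound-checkconf` on the file before restarting the service, and point Pi-hole's custom upstream DNS at the address Unbound listens on. To confirm validation is active, a query with `drill -D example.com @192.168.1.1` (address assumed) should return the ad flag for a signed zone.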