DOT/DOH on Pi-Hole, useful?

Hello,

Question already asked I guess, but I have a Pi-Hole/Unbound instance and I would like to know if DNS-over-TLS or DNS-over-HTTPS is necessary for Unbound?

I only want to use my Unbound DNS server so is encrypting the requests necessary?

Thanks for your help

It's either one or the other.

  • If you are currently using Unbound as a recursive resolver, talking to the DNS root servers, being independent from providers like Cloudflare, Google, etc. for your privacy… then you cannot combine that with DoT/DoH. The root servers don't support it.

  • If you want to give up that independence and privacy, then you can set Unbound to use DoT/DoH with a provider like Cloudflare.

Which of those options is more useful or “better” is entirely up to you. There is no one-fits-all. As so often, privacy, security and comfort are a compromise.

Keep in mind that even with Unbound as a recursive resolver and taking out the middleman (Cloudflare, Google, etc)… your ISP can still see exactly where you are browsing.

The same for the encrypted option. The ISP doesn't see the cleartext DNS queries, but if you follow them up with a direct access to an IP, they can very easily figure it out. If they want to.

By having default Unbound, you won’t need to trust DNS servers, but the downside is that even if you use a VPN for your browser, websites can find out your real IP, via “DNS leak”.

https://ipleak.net/ can detect the leak.
Basically, they use a random subdomain like qmzcdk132ojcfcfh64htrowegios.ipleak.net, monitor it and ask your browser to connect to it. Then they know the IP of the incoming DNS query, and since you’re the only one who passed a query to it, they know it’s you.
Check your Pihole logs and you’ll see what I mean.

If you want privacy from DNS servers + your ISP + websites, then you need to put your browser/PC AND Unbound behind a VPN.

Neither is particularly useful from a privacy standpoint. The best option is in fact to run Unbound alongside Pi-hole, which it appears you are already doing.

DOT and DOH prevent MitM attacks but do nothing for privacy, so depending on your use case my above statement may not be true.

A big thank you for all these comments. I am good at virtualization and Docker but not enough at networking and security.
I have created a virtual machine (wirehole) at home (on Proxmox VE) with:
- Unbound as recursive DNS,
- Pi-Hole with Unbound DNS (127.0.0.1#5335) and the default config of the Pi-Hole site,
- Wireguard as VPN server
All are installed manually without Docker.
Wireguard: in “AllowedIPs”, I put “0.0.0.0/0, ::/0” and I put as DNS the one from Pi-Hole (10.0.0.3). I made sure that Pi-Hole only listens on wg0 and not eth0, but I can still access it with its IP address 192.168.0.58 (the one of the VM).
So when I connect in VPN, everything is filtered by Pi-Hole and the requests are resolved by Unbound, but I have the impression that my configuration is far from being sufficient while all my traffic goes through the VPN.
Do you have any suggestions?

Aside, does anyone get legit SERVFAILs from Unbound daily?

I would like to know if DNS-over-TLS or DNS-over-HTTPS is necessary for Unbound?

It is not. You have the choice of running unbound as a recursive resolver (the way our guide sets it up) or as a forwarding resolver with or without encryption.
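As an added illustration of the two modes this answer names (this is not configuration from the thread, the Pi-hole guide, or Unbound's own documentation), here are the two Unbound configuration shapes side by side. The listening port 5335 matches the Pi-hole setup mentioned in the thread; the root-hints path, the CA bundle path and the Cloudflare resolver addresses are assumed values for the example.

```conf
# Option A: recursive resolver (the mode the Pi-hole guide sets up).
# Unbound walks the tree from the root servers itself: no upstream
# provider and no DoT/DoH, because authoritative servers speak plain DNS.
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    root-hints: "/var/lib/unbound/root.hints"   # path assumed for the example
    harden-dnssec-stripped: yes
    qname-minimisation: yes

# Option B: forwarding resolver with DNS-over-TLS. Unbound still caches and
# validates, but sends every query to the provider below over port 853 and
# checks the certificate against the system CA bundle. Delete this
# forward-zone to go back to option A; the two cannot be mixed for ".".
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # Debian-style path, assumed

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # example provider addresses (Cloudflare's public resolver, named in the thread)
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Run `unbound-checkconf` after editing and test with `dig @127.0.0.1 -p 5335 example.com` as usual. In option B the ISP no longer reads the queries, but the forwarding provider does; that is the trade the thread is discussing. Note that Unbound's forward-zone speaks DoT only, so a DoH upstream would need a separate client in front of it.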

This content has been deleted due to an unfair Reddit suspension.

If you want to give up that independence and privacy, then you can set Unbound to use DoT/DoH with a provider like Cloudflare.

That’s a false dichotomy. You can use a caching/forwarding resolver, with encryption, and choose a privacy-respecting recursive resolver, instead of Cloudflare or Google.

Thanks for the information, what would be the solution in this case?
I use the following tools:
- Pi-Hole to block ads and telemetry,
- Unbound to have my own recursive DNS server,
- Wireguard as VPN server.
Even with these tools, can ISPs still track me? Is there a tool that can go further?

I understood that it was one or the other of course :wink:
Thanks for your answer, so if I want to use an external DNS, it's DOH or DOT, but if I only want to use mine, no need.
I understood everything :wink:

How do I verify that in Pi-hole?

They help prevent some websites from finding your IP, if you’re behind a VPN and using Unbound for DNS resolving.

cf: my other comment

and choose a privacy-respecting recursive resolver

Sure there are providers that are more privacy friendly than Google or Cloudflare. But none are the same as running your own recursive resolver. That was the point of the comparison.

choose a privacy-respecting recursive resolver

Who respects your privacy more than you do?

Yes they can.

The only two options to keep your ISP from easily knowing what you are doing are:

  • VPN tunnel for all your traffic. Typically a commercial VPN provider like NordVPN etc… Then your ISP only sees that you are connecting to them, but no unencrypted traffic. The downside is of course that you are shifting trust from one provider to another. Whether that is better or worse depends on yourself. Maybe your ISP is not trustworthy, or they alter/block some traffic. Or the VPN provider cannot be trusted and you give them your entire traffic, and you even pay for it. Or you host your own VPN server in the cloud and connect there from your home through the tunnel, but then of course you trust whoever is hosting this.

  • TOR network. But that has a whole lot of other downsides.

It depends what you’re trying to solve.

If you’re trying to prevent your ISP and your government from tracking your illegal activities, you’re going to have a very hard time. TOR for the longest time was the best way, but the feds have shown they can still track you through it, it’s just more work. There really isn’t a sure-fire way to prevent them from tracking or pinpointing you. There’s always a trace back to you.

If you’re just trying to prevent your ISP from tracking you so they don’t sell your data to ad companies, then you’re probably doing it as good as possible. Just note, as other commenters said, you’re shifting the liability from your ISP to your VPN. I doubt either are trustworthy.

Or if you’re just trying to get around censorship in your country, your VPN is usually good enough too.

This is why we say it’s no one-size-fits-all.

Alternatively:
VM somewhere in the cloud to act as your DoH/DoT resolver, and acting as a recursive DNS client to obtain the responses for your DoH/DoT clients.
Your pihole will talk DoT/DoH to your resolver, hiding your DNS details from your ISP.
The cloud VM will of course be doing plain recursive DNS requests, so the question moves to whether you trust (or care about) the cloud VM provider respecting your privacy.

Or just drop the desire to do recursive DNS. There’s no practical day-to-day benefit in it for you, let’s be honest.

Run the DNS leak test, then search the Pi-hole logs for ipleak.net.
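An added example of that log check, tying together the random-subdomain mechanism described earlier in the thread and this suggestion to search the logs (not a script from the thread or from the Pi-hole project): a small POSIX shell script that scans a Pi-hole log in dnsmasq format for the random ipleak.net labels, showing which client ran the test and where Pi-hole forwarded the query. The log lines are constructed for the example (labels, client addresses and timestamps are made up); on a real installation point the functions at /var/log/pihole.log.

```shell
#!/bin/sh
# Added example: scan a Pi-hole (dnsmasq-format) log for the random ipleak.net
# test labels and report which client asked and where the query was forwarded.

# Constructed sample log standing in for /var/log/pihole.log. Every label,
# address and timestamp below is made up for this example.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Apr 10 10:00:01 dnsmasq[812]: query[A] qmzcdk132ojcfcfh64htrowegios.ipleak.net from 10.0.0.2
Apr 10 10:00:01 dnsmasq[812]: forwarded qmzcdk132ojcfcfh64htrowegios.ipleak.net to 127.0.0.1#5335
Apr 10 10:00:01 dnsmasq[812]: reply qmzcdk132ojcfcfh64htrowegios.ipleak.net is 203.0.113.10
Apr 10 10:00:03 dnsmasq[812]: query[A] pi-hole.net from 10.0.0.2
Apr 10 10:00:03 dnsmasq[812]: cached pi-hole.net is 203.0.113.20
Apr 10 10:05:42 dnsmasq[812]: query[A] 8f2k0d9s1lqpzxv7ytn3bme4hcw6.ipleak.net from 192.168.0.20
Apr 10 10:05:42 dnsmasq[812]: forwarded 8f2k0d9s1lqpzxv7ytn3bme4hcw6.ipleak.net to 127.0.0.1#5335
EOF

# Each distinct ipleak.net test label that was queried, with the client that
# asked. Output: "<label>.ipleak.net <client-ip>", one line per pair.
leak_queries() {
    grep -E 'query\[[A-Z]+\] [a-z0-9]+\.ipleak\.net from ' "$1" \
        | awk '{ print $(NF-2), $NF }' | sort -u
}

# Where Pi-hole sent those test queries. With the Unbound setup from the
# thread this is 127.0.0.1#5335, the local recursive resolver, which then
# contacts ipleak.net's authoritative servers from the home connection's
# public IP; that is the address the test site reports back.
leak_upstreams() {
    grep -E 'forwarded [a-z0-9]+\.ipleak\.net to ' "$1" \
        | awk '{ print $NF }' | sort -u
}

# Number of distinct test labels seen: a quick "did the test reach me?" check.
leak_count() {
    leak_queries "$1" | wc -l | tr -d ' '
}

echo "ipleak.net test queries and the clients that made them:"
leak_queries "$SAMPLE_LOG"
echo "forwarded to:"
leak_upstreams "$SAMPLE_LOG"
echo "distinct test labels: $(leak_count "$SAMPLE_LOG")"
```

On a live system run `leak_queries /var/log/pihole.log` right after loading the test page: the client address identifies the device that ran the test, and a `forwarded … to 127.0.0.1#5335` line confirms the lookup went out through Unbound rather than through the VPN provider's resolver.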

The only way to prevent a website from getting your home IP is to route everything through a VPN. Unless you're doing that, your browser will still access the site using your IP.