In my previous post about AdGuard Home, I didn’t fully explain something. When using AdGuard Home as your DNS server, it is true that your ISP cannot see your internet traffic. What I failed to mention was that, by default, AdGuard Home uses quad9 as it’s upstream DNS server. Now hold up, what is an upstream DNS server?
In this example, AdGuard Home is using CloudFlare as an upstream DNS provider. This means that instead of resolving the domain itself, the AdGuard Home server forwards that query to CloudFlare.
There is totally nothing wrong with this approach. In fact, it can lead to lower response times since CloudFlare has many servers positioned throughout the country.
However, this does allow CloudFlare to see our queries. So essentially we are removing Xfinity from the loop but we are adding CloudFlare.
Furthermore, from the point of an attacker, the DNS servers of larger providers are very worthwhile targets, as they only need to poison one DNS server, but millions of users might be affected. Instead of your bank's actual IP address, you could be sent to a phishing site hosted on some island.
https://docs.pi-hole.net/guides/dns/unbound/
So the possibility for vulnerability is apparent, how do we remedy this situation.
*Unbound enters the chat
Unbound is a recursive DNS resolver. This is how it works.
Your client asks the AdGuard Home server Who is google.com?
Your AdGuard Home server will check its cache and reply if the answer is already known.
Your AdGuard Home server will check the blocking lists and reply if the domain is blocked.
If neither 2. nor 3. is true, the AdGuard Home server delegates the request to the (local) recursive DNS resolver.
Your recursive server will send a query to the DNS root servers: "Who is handling .net?"
The root server answers with a referral to the TLD servers for .net.
Your recursive server will send a query to one of the TLD DNS servers for .net: "Who is handling google.com?"
The TLD server answers with a referral to the authoritative name servers for google.com.
Your recursive server will send a query to the authoritative name servers: "What is the IP of google.com?"
The authoritative server will answer with the IP address of the domain google.com.
Your recursive server will send the reply to your AdGuard Home server which will, in turn, reply to your client and tell it the answer to its request.
Lastly, your AdGuard Home server will save the answer in its cache to be able to respond faster if any of your clients queries the same domain again.
This method allows for fast, safe, and not as easily traced browsing. Let’s set up Unbound on AdGuard Home now.
Thanks to Tyler from CipherOps for creating this simple guide. Find his blog post here.
Install unbound with your package manager.
apt install unboundCreate the directory structure:
/etc/unbound/unbound.conf.dCreate the following file:
sudo nano /etc/unbound/unbound.conf.d/config.confPaste the following (only enable IPv6 if it is native to your network):
server:
interface: 127.0.0.1
port: 5335
do-ip6: no
do-ip4: yes
do-udp: yes
do-tcp: yes
# Set number of threads to use
num-threads: 4
# Hide DNS Server info
hide-identity: yes
hide-version: yes
# Limit DNS Fraud and use DNSSEC
harden-glue: yes
harden-dnssec-stripped: yes
harden-referral-path: yes
use-caps-for-id: yes
harden-algo-downgrade: yes
qname-minimisation: yes
aggressive-nsec: yes
rrset-roundrobin: yes
# Minimum lifetime of cache entries in seconds
cache-min-ttl: 300
# Configure TTL of Cache
cache-max-ttl: 14400
# Optimizations
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
serve-expired: yes
serve-expired-ttl: 3600
edns-buffer-size: 1232
prefetch: yes
prefetch-key: yes
unwanted-reply-threshold: 10000000
# Set cache size
rrset-cache-size: 256m
msg-cache-size: 128m
# increase buffer size so that no messages are lost in traffic spikes
so-rcvbuf: 1m
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10Restart unbound:
sudo systemctl restart unboundGo into your AdGuard Home admin panel and go to Settings -> DNS settings
In the Upstream DNS servers box you now put 127.0.0.1:5335 and apply.
And that’s it! You now have Unbound running as recursive DNS.
Thanks all,
Joe
Questions I have 2 Rasp Pi both running Adgaurd. Primary and secondary. Does it matter where I install unbound? Meaning could I create a VM and run it in there and point both adguard instances to it or does it need to be installed on the Rasp pi that has Adguard.
Questions I have 2 Rasp Pi both running Adgaurd. Primary and secondary. Does it matter where I install unbound? Meaning could I create a VM and run it in there and point both adguard instances to it or does it need to be installed on the Rasp pi that has Adguard.