r/pihole Jan 25 '20

How do I verify if Unbound is working?

I have been using Cloudflare DOH on my pihole for a while, but decided to try Unbound today. While on Cloudflare, I visit one of these sites:

  • ipleak.net
  • dnsleaktest.com
  • 1.1.1.1/help

These will show that I am using Cloudflare DOH.

However, I am unsure how to verify Unbound. When I visit these sites, they show my ISP's IP address as DNS resolver. Is that expected?

I also tried the Unbound DNSSEC test validation mentioned here and these tests pass:

```
root@raspberrypi:/home/pi# dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20657
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigfail.verteiltesysteme.net.	IN	A

;; Query time: 1039 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Sat Jan 25 10:29:11 GMT 2020
;; MSG SIZE  rcvd: 57

root@raspberrypi:/home/pi# dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> sigok.verteiltesysteme.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46527
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.	IN	A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 7	IN	A	134.91.78.139

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Sat Jan 25 10:29:21 GMT 2020
;; MSG SIZE  rcvd: 71
```

I am primarily trying to understand if I should be seeing ISP's IP as DNS resolvers.

4 Upvotes

6
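The two dig checks in the post can be turned into a repeatable script: a validating Unbound must answer SERVFAIL for the deliberately broken sigfail record and NOERROR with the `ad` (authenticated data) flag for sigok. This is an added example, not code from the thread or from the Pi-hole or Unbound projects; the sample dig output below is constructed from the post above so the checks run offline, and `live_check` assumes `dig` is installed and the resolver listens on the address and port you pass it.

```shell
#!/bin/sh
# Added example: decide from dig output whether a resolver validates DNSSEC.
# sigfail.verteiltesysteme.net carries a bogus signature and must be refused
# (SERVFAIL); sigok.verteiltesysteme.net must resolve with the "ad" flag set.

# Print the "status:" value from a dig answer read on stdin (e.g. SERVFAIL).
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print "yes" when the flags line of a dig answer on stdin carries the ad bit.
dig_has_ad() {
    if grep -Eq '^;; flags:( [a-z]+)* ad[ ;]'; then echo yes; else echo no; fi
}

# Combine both answers into a verdict: "validating" or "not-validating".
dnssec_verdict() {
    fail_status=$(printf '%s\n' "$1" | dig_status)
    ok_status=$(printf '%s\n' "$2" | dig_status)
    ok_ad=$(printf '%s\n' "$2" | dig_has_ad)
    if [ "$fail_status" = SERVFAIL ] && [ "$ok_status" = NOERROR ] && [ "$ok_ad" = yes ]; then
        echo validating
    else
        echo not-validating
    fi
}

# Live run against a resolver, e.g. live_check 127.0.0.1 5353 (needs dig + network).
live_check() {
    dnssec_verdict "$(dig sigfail.verteiltesysteme.net "@$1" -p "$2")" \
                   "$(dig sigok.verteiltesysteme.net "@$1" -p "$2")"
}

# Constructed samples, trimmed from the dig output shown in the post above.
SAMPLE_SIGFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20657
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SIGOK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46527
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
sigok.verteiltesysteme.net. 7 IN A 134.91.78.139'
# Constructed: what a non-validating resolver would return for sigfail.
SAMPLE_NOVALIDATE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

dnssec_verdict "$SAMPLE_SIGFAIL" "$SAMPLE_SIGOK"        # validating
dnssec_verdict "$SAMPLE_NOVALIDATE" "$SAMPLE_SIGOK"     # not-validating
```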

u/jfb-pihole Team Jan 25 '20

When I visit these sites, they show my ISP's IP address as DNS resolver. Is that expected?

They should show your public IP, because that's where the resolver is running.

Those tests both passed. Unbound is working.

1

u/[deleted] Jan 25 '20

This is good to know, thank you!

Related question: will my ISP be receiving these queries? One of my goals was to prevent my ISP from logging more DNS queries that I make, so I was using Cloudflare DOH.

Plus, my understanding of Unbound earlier was that the requests would be resolved locally using the response from the authoritative server, thus eliminating my ISP as the middle man.

5

u/jfb-pihole Team Jan 25 '20

will my ISP be receiving these queries?

They will not be receiving the queries for resolution, but they will see the DNS traffic to/from the nameservers.

One of my goals was to prevent my ISP from logging more DNS queries that I make

Your DNS queries from unbound go in bits and pieces to the various nameservers. Your ISP can log it all, or none of it. But, regardless of whether you hide your DNS traffic from your ISP, once you have the IP of the domain you want to visit, you ask the ISP in clear text for that IP. With this information, the ISP can quickly figure out where you are browsing. The only way to hide your browsing from your ISP is to use a VPN service, but then you need to trust them instead of your ISP.

my understanding of Unbound earlier was that the requests would be resolved locally using the response from the authoritative server, thus eliminating my ISP as the middle man.

Your ISP was never the middle man, unless you were using their DNS server or if they were intercepting and interfering with your DNS requests.

Unbound asks the various levels of nameservers directly to get the IP of the domain you want to visit. What has been cut out here is the third party DNS service you were using in the past; in your case Cloudflare. Now, instead of Cloudflare finding the IP for you, your unbound instance is doing this for you. Cloudflare will no longer have your DNS history - that's who you have cut out of the process.

1

u/[deleted] Jan 25 '20

Amazing, thank you for the detailed explanation! I understand much better now.

1

u/CrzyOilman Apr 16 '20

Hello, why then is Cloudflare kind of insisting on both secure DNS over SSL and DNSSEC? What's the point of that?

1

u/jfb-pihole Team Apr 16 '20

why then is Cloudflare kind of insisting on both secure DNS over SSL and DNSSEC?

Where is Cloudflare insisting on DNSSEC?

1

u/AwardRevolutionary28 Oct 10 '22

One question, sorry for reopening this thread, but I've been fixing around with unbound. Everything is set up, but in dnsleak I see my public IP address. Is that safe for me? Is there a way to mask it?

1

u/jfb-pihole Team Oct 10 '22

Is that safe for me,

That is the IP of your DNS server. Pretty much any site you visit knows your IP address.

1

u/AwardRevolutionary28 Oct 10 '22

Oh, so for instance if I have Cloudflare DNS, they will still know my public IP, or what's it called?

1

u/jfb-pihole Team Oct 10 '22

they will still know my public ip

Who is they? Cloudflare or a website you visit? The answer is yes in both cases.

1

u/AwardRevolutionary28 Oct 10 '22

Oh okay, so in terms of safety, it doesn't differ if I use my own DNS shown in dns leak or the Cloudflare one?

1

u/jfb-pihole Team Oct 11 '22

in terms of safety, it doesn't differ if I use my own DNS shown in dns leak or the Cloudflare one?

Correct.

1

u/eclectic-bar Nov 29 '22

If you need separation between your personal IP address and both the DNS servers queried and the web sites you go to, it is possible, but a little trickier than just having a pi-hole locally. You may find it's not necessary... after all, your IP address is probably assigned from a bank of IPv4 addresses, and may change if you restart the router or lose connectivity for a while. So it's loosely tied to you, but not strongly coupled. Your browser probably gives away a lot more information. And if you're just dodging ads, a browser plugin or two and a DNS sink are probably all you need.

Some ways to add layers of privacy though, if you require them:

  • a cloud VPN (who you also have to trust). Your traffic would be encrypted en route to their network, and would exit from one of their IP addresses. You'll find there are more challenges like "click all the bicycles."
  • encrypted DNS between you (or your unbound server) and a DNS service you trust more than your ISP, or google's public DNS, etc.
  • Set up your own VPN, or proxy server, or a virtual machine used for web surfing, on a cloud service (a local proxy would not mask your IP and approximate location, hence the cloud service such as Digital Ocean, Linode, AWS, Google Cloud, Azure, etc.). You have to place a certain amount of trust in the cloud service of course, but they're more geared toward protecting data than free consumer services.
  • Same as above, but using another location, such as a business, colocation facility, or a data center that rents out servers. That location's IP address would appear in logs in place of yours. Of course, your IP address might be in the location's logs, depending on what is logged.
  • Route traffic through Tor, if you trust the Tor network, which you shouldn't. Also, it's slow and you'll be challenged a lot with "find the bicycle," if not dropped until you find a new exit node. Nonetheless it's a tool to know about.

Several of these are not practical for everyday shopping for t-shirts or whatever, clearly. Also somewhat tangential to pi-hole, but related in that they're concerned with privacy generally. And related in that they demonstrate what pi-hole isn't for. Maybe it will help you decide which use cases to look to pi-hole for, and which to explore other security and privacy tools.

If you become engaged in research or security work that requires complete separation of your normal traffic from your work, the above list is a good start. Or if you're trying to test your own security from an external address, or tighten up information security while traveling in insecure locations, etc. For sinkholing ads and maintaining an easy blacklist/whitelist, pi-hole is a good choice.

2

u/saint-lascivious Jan 25 '20

Is that expected?

Yes.

1

u/lockh33d Apr 13 '23

I have an exact same question, except my result is slightly different. I have PiHole with Unbound setup, but when I go to https://www.dnsleaktest.com the result shows me two DNS servers:

  1. IP of my ISP's DNS server (which I did not define anywhere in PiHole or Unbound, but is probably sent to my router when it gets its public IP through DHCP)
  2. my public IP

Does that mean Unbound is working, or is still my ISP's DNS server being used?

1

u/jfb-pihole Team Apr 13 '23

Does that mean Unbound is working

Yes. Unbound is running at your public IP address when checked by this tool.

1

u/lockh33d Apr 13 '23

But if it is set as my sole DNS, then why does my ISP's DNS IP show up?

1

u/jfb-pihole Team Apr 13 '23

The test site may also associate your public IP with the ISP DNS address.

Do you have IPv6 enabled on your router? This can provide a bypass path around Pi-hole.

1

u/lockh33d Apr 13 '23

As far as I can tell, it doesn't. It is running OpenWRT v22.
WAN interface is getting IP by DHCP, and that likely includes DNS address, but the LAN interface has DNS set up to PiHole and nothing else.

1

u/jfb-pihole Team Apr 13 '23

I don't believe it is unusual for your ISP's IP to show up when you run unbound on a device at your IP.

2

u/lockh33d Apr 28 '23

It is unusual. It is called DNS leak and I fixed it by forcing DNSmasq to use only my PiHole as DNS. Testing now shows only my IP as the DNS.

1

u/SonThanh2005 Sep 16 '23

I have seen everyone say that when visiting these sites it will show the public IP as DNS resolver,
but these sites still tell me that I'm using Cloudflare DNS.
Is it normal?