Mini PC Part 8: Unbound – More DNS Privacy for Your Pi-Hole Setup

📅 January 17, 2024
“Pi-Hole is blocking ads, but how do I know the given DNS request is for an authentic site? I want more protection and privacy!”

You cannot know for certain from Pi-Hole alone. Unless the zone you are asking about is signed with DNSSEC and your resolver validates the signatures, all you can do is trust your upstream DNS provider not to hand you a poisoned answer that redirects you to a phishing or malware site.

Most of the time, things are fine, and this is not an issue for most internet surfers. If you want to check a banking site, then that is where you end up. If you want to watch online videos, you usually arrive at the sites you expect…or do you?

Some of us want to be certain, and that is where Unbound enters the picture.

This was surprisingly easy to setup on a local Pi-Hole mini PC — in fact, easier than setting up Pi-Hole itself, and given the added benefits, it is hard to argue against using Unbound. Here are my results.

What is Unbound?

Unbound is a recursive DNS resolver that you host locally on the same system as Pi-Hole. Each time Pi-Hole asks it about a domain that is not in its cache, Unbound walks the DNS hierarchy itself: it asks a root server, then the TLD servers, then the domain's own authoritative servers, instead of relying upon the cached answers of an ISP or a public resolver such as Cloudflare or Google. On Ubuntu the package also enables DNSSEC validation, so answers from signed zones are checked cryptographically before they are handed back.

Pi-Hole and Unbound Interaction.

How can you be certain that your ISP, Cloudflare, or Google (to name a few) have not been compromised via DNS poisoning or targeted attacks by hackers or governments to redirect you to sites that you think are genuine but actually are not? Unbound helps protect against this vulnerability.

“Is DNS traffic encrypted?”

No, not with the default Unbound installation. Unbound can be configured to accept DoT (DNS over TLS) or DoH (DNS over HTTPS) from clients, or to forward over TLS to an upstream resolver, but the recursive queries it sends to root, TLD and authoritative servers are plain DNS on port 53, because the authoritative side of the Internet largely does not offer encrypted transport. We will cover only the basic Unbound setup without DoT or DoH in this article. Those technologies are topics of their own.

“Will it make my DNS request private and impossible for others, like my ISP, to see what sites I am visiting?”

The honest answer is: partly. Sources disagree because they measure different things. Unbound does make it harder for any one party to collect your whole browsing history, but it does not hide your lookups: the queries it sends to root, TLD and authoritative servers travel as plain DNS on port 53, and anyone on the path, your ISP first of all, can read them.

What Unbound removes is the choke point. A normal setup hands the complete name of every site you visit to a single upstream resolver, such as Cloudflare, your ISP, or Google, because that resolver needs the full name to answer. That one operator can log every site you visit for years and can know more about your browsing interests and habits than you do yourself.

With Unbound the work is spread out. It asks a root server which servers handle the TLD, asks those which servers handle the domain, and asks the domain's own servers for the final record. Current Unbound releases enable QNAME minimisation by default, so each tier is only sent the labels it needs: the root servers see only the TLD, the TLD servers see only the registered domain, and only the domain's authoritative servers see the full name. No single operator sees the full picture. Two caveats remain: the authoritative server (often a large hosting provider) still sees every name under its zone, and your ISP can still see everything on the wire.
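To make the "resolution in parts" idea concrete, here is a small shell model of QNAME minimisation. It is an added example, not code from the original post or from the Unbound project, and it simplifies: it assumes one label per step, whereas a real resolver steps per zone cut, so a zone spanning several labels receives them all at once. The domain name used is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: a simplified model of
# QNAME minimisation (RFC 9156), which Unbound enables by default, so that
# each server in the delegation chain sees only the labels it needs.
# Simplification: one label per step. Real resolvers step per zone cut.
# The domain names used below are constructed for illustration.

# Usage: qname_min_steps <name>
# Prints one line per step: "<zone asked>\t<name it is asked about>"
qname_min_steps() {
    rest=$(printf '%s' "$1" | sed 's/\.$//')   # drop any trailing dot
    zone="."                                    # start at the root servers
    while [ -n "$rest" ]; do
        label=${rest##*.}                       # rightmost remaining label
        if [ "$rest" = "$label" ]; then rest=""; else rest=${rest%.*}; fi
        if [ "$zone" = "." ]; then query="$label."; else query="$label.$zone"; fi
        printf '%s\t%s\n' "$zone" "$query"
        zone=$query                             # the referral sends us one level down
    done
}

# Usage: classic_steps <name>
# The pre-minimisation behaviour: every server in the chain receives the
# full name, so each of them learns exactly which site you are visiting.
classic_steps() {
    full=$(printf '%s' "$1" | sed 's/\.$//').
    qname_min_steps "$1" | while IFS="$(printf '\t')" read -r zone _; do
        printf '%s\t%s\n' "$zone" "$full"
    done
}

# Usage: step_count <name>  -> number of servers consulted in the model
step_count() { qname_min_steps "$1" | wc -l | tr -d ' '; }

if [ -n "${1:-}" ]; then
    echo "With QNAME minimisation (what each tier is asked):"
    qname_min_steps "$1"
    echo "Without (what each tier would be asked):"
    classic_steps "$1"
fi
```

Run it as `sh qname_min.sh www.bank.example.com`: the root servers are asked only about `com.`, the com servers only about `example.com.`, and the full host name reaches only the zone's own servers.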

One thing Unbound does do well is resist DNS poisoning. It asks the authoritative servers itself rather than trusting somebody else's cache, and because the Ubuntu package turns on DNSSEC validation, a forged or tampered answer for a signed zone fails signature checking and Unbound returns SERVFAIL instead of a bad address. For zones that are not signed (still many of them), you rely on the same defences every resolver has, such as random source ports and the harden-glue setting in the configuration below. Nothing is guaranteed: if the authoritative servers themselves are compromised, Unbound faithfully relays what they say. Then again, if a root or top-level DNS server were compromised, chances are good that the entire Internet would realize it when people scream in horror because they cannot reach their favorite cat videos and food pictures.

“Will my DNS lookups be faster?”

Usually, no, but it depends upon caching.

Since Unbound walks the hierarchy itself to get an IP address, this adds some delay when visiting a domain for the first time after installing Unbound. I definitely noticed a very short delay when visiting new domains, but it is not much. The most I have had to wait is one or two seconds.

However, DNS records are cached in both Pi-Hole and Unbound, so once a domain has been cached, it is served from the local cache instead of going through the entire lookup again (the prefetch setting below also refreshes popular entries before they expire). For repeated visits to the same domains, I saw a slight speedup due to the caching. Nothing major, and most of the time I could not tell a difference in web access speed when using Unbound.

“So, why bother with Unbound if everyday usage seems pretty much the same as without it?”

Reason 1 – Added privacy

Unbound by itself does not fully hide your DNS requests from prying eyes "out there," since they still cross the wire unencrypted, but it does make them harder to track and collate: no single upstream resolver gets to see the full name of every site you visit in exchange for a cached reply. Of course, if you do not care about privacy, then this is meaningless to you.

Reason 2 – Protection against DNS poisoning

Unbound's strength is that it queries the authoritative DNS servers instead of relying upon a cache provided by an ISP, Cloudflare, Google, or any of the other big-name resolvers that cache huge volumes of DNS answers and hand them back. With those, you are at their mercy, trusting that their cached records have not been poisoned.

With Unbound you become your own resolver: there is no third-party cache between you and the authoritative servers to be corrupted or to lie to you. What remains is the network path itself, since the queries are unencrypted, and that is exactly the gap DNSSEC validation closes for signed zones. A DNS record that Unbound has validated cannot be altered in transit without the signature check failing.

Reason 3 – DNS Caching

Yes, Pi-Hole caches DNS requests, and when combined with Unbound’s caching, this can help speed up web site access a little. Personally, I would not install Unbound solely for DNS caching since Pi-Hole does it anyway, but caching is always good. DNS caching is stored locally.

Unbound Installation

Unbound works transparently in the background. Just set it up and go.

Step 1: Install Unbound

I installed Unbound on the same Quieter2Q mini PC as Pi-Hole running Ubuntu Server 22.04, and it worked perfectly. Installation was a breeze.

sudo apt install unbound

In my case, that also installed the root hints file (information about how to find the DNS root servers) automatically.

Step 2: Configure Unbound

Unbound reads every file in /etc/unbound/unbound.conf.d/. The one below will not exist yet on a fresh install. Create it as root with whatever editor you prefer (I use xed):

sudo xed /etc/unbound/unbound.conf.d/pi-hole.conf

Paste the following text into it:

server:
    # Log only errors; raise to 1 or higher when troubleshooting
    verbosity: 0

    # Listen only on loopback, on a port that does not clash with
    # Pi-Hole's own DNS server on port 53
    interface: 127.0.0.1
    port: 5335

    # IPv4 over UDP and TCP; IPv6 disabled (enable it only if your network has working IPv6)
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no

    # Trust glue records only if they are within the answering server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; if it is missing, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # 0x20 case randomisation; left off because some authoritative servers mishandle it
    use-caps-for-id: no

    # Keep UDP answers below the fragmentation threshold (DNS Flag Day 2020 value)
    edns-buffer-size: 1232

    # Refresh popular cache entries before they expire
    prefetch: yes

    # One thread is plenty for a home network
    num-threads: 1

    # Larger socket receive buffer to absorb query bursts
    so-rcvbuf: 1m

    # Never accept these private ranges in answers from the public Internet
    # (protects against DNS rebinding)
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

This is the standard configuration found in the Pi-Hole and Unbound guides, and the explanatory comments in those guides are worth reading in detail. One thing not to touch: the Ubuntu package ships a separate file in the same directory with an auto-trust-anchor-file setting. That is what turns on DNSSEC validation, so leave it in place.

Step 3 : Test

Restart the Unbound service

sudo service unbound restart

systemctl status unbound

Use dig to test whether Unbound is answering. Open a terminal on the Linux machine where Unbound and Pi-Hole are installed:

dig pi-hole.net @127.0.0.1 -p 5335

A successful answer has status: NOERROR in the header line, an ANSWER SECTION containing the A record, and a query time at the bottom. If you see that, great! Unbound is working.

The first time you run this command there is a short delay while Unbound walks the hierarchy, but subsequent runs should come back in a millisecond or two because the result is served from the local cache. In my case, it worked perfectly the first time, and I never encountered any errors.

The configuration above tells Unbound to listen on port 5335 (Unbound's own default is 53, which Pi-Hole's DNS server already occupies), which is why the -p 5335 option is needed. 127.0.0.1 is the local machine running both Pi-Hole and Unbound. This means we now have a working local recursive resolver.

Step 4: Configure Pi-Hole

With Unbound working, set up Pi-Hole to pass upstream DNS queries to Unbound instead of whatever DNS server was configured before. In Pi-Hole, go to the Settings > DNS page. Set Custom 1 (IPv4) to:

127.0.0.1#5335

On the same page, uncheck every preset upstream provider in the IPv4 and IPv6 lists, since they are no longer needed; Unbound should be the only upstream left.

Click Save at the bottom of the page to save the new settings in Pi-Hole. Unbound will now be used as Pi-Hole’s upstream DNS server.

Whenever you configure devices, point them to Pi-Hole as before, not Unbound.

When Pi-Hole resolves a DNS request, the query log will show answered by localhost#5335. This means Pi-Hole is consulting Unbound to resolve a DNS request.
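Here is a small checker for the test step above; it is an added example, not code from the original post or from the Unbound or Pi-Hole projects. It parses dig's header lines to distinguish a DNSSEC-validated answer (the ad flag is set) from an unvalidated one and from a SERVFAIL, which is what a validating resolver returns when a zone's signatures are bad. The sample dig outputs embedded below are constructed. The --live mode assumes Unbound on 127.0.0.1:5335 as configured above and uses the dnssec.works and fail01.dnssec.works test names from the Pi-Hole documentation, plus unbound-checkconf to catch configuration typos first.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses dig's header lines
# to tell validated, unvalidated and failed answers apart.
# Sample outputs below are constructed; --live assumes Unbound on
# 127.0.0.1:5335 and the dnssec.works test names from the Pi-Hole docs.

SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# dig_status <dig output>  -> NOERROR, SERVFAIL, NXDOMAIN, ... (empty if unparsable)
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_has_flag <dig output> <flag>  -> success if the flag (e.g. ad) is set
dig_has_flag() {
    printf '%s\n' "$1" | grep -Eq "^;; flags:( [a-z]+)* $2[ ;]"
}

# dig_answer_count <dig output>  -> number of records in the ANSWER section
dig_answer_count() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# classify <dig output>  -> validated | unvalidated | servfail | failed
classify() {
    st=$(dig_status "$1")
    n=$(dig_answer_count "$1")
    case "$st" in
        NOERROR)
            # "ad" (authenticated data) means Unbound verified the DNSSEC chain
            if [ "${n:-0}" -gt 0 ] && dig_has_flag "$1" ad; then
                echo validated
            else
                echo unvalidated
            fi ;;
        SERVFAIL) echo servfail ;;
        *)        echo failed ;;
    esac
}

# Live check against the local Unbound (network access required)
live_check() {
    sudo unbound-checkconf || return 1     # syntax errors first, then DNS
    ok=$(dig @127.0.0.1 -p 5335 dnssec.works A || true)
    bad=$(dig @127.0.0.1 -p 5335 fail01.dnssec.works A || true)
    printf 'dnssec.works:        %s (expected: validated)\n' "$(classify "$ok")"
    printf 'fail01.dnssec.works: %s (expected: servfail)\n'  "$(classify "$bad")"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

If the live run reports the signed test name as unvalidated, DNSSEC validation is not active (check the trust-anchor file mentioned under the configuration step); if the deliberately broken name comes back as validated or unvalidated instead of servfail, Unbound is not validating or something else is answering on that port.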

“Where do I configure my local ISP DNS in Unbound?”

You don't. Unbound starts at the root servers and works its way down; bypassing the ISP cache, Cloudflare, Google, or whatever resolver you used before is the whole point, which is why the configuration above contains no upstream address. The one thing to check is that nothing else has added one. On Ubuntu, the resolvconf integration can write a file named resolvconf_resolvers.conf into /etc/unbound/unbound.conf.d/ containing a forward-zone that points Unbound at the system's nameservers. If that file exists, Unbound is forwarding instead of recursing: disable the unbound-resolvconf service, delete the file, and restart Unbound.

“How does Unbound know where to find the root DNS servers?”

This is handled by the root hints file that was installed with Unbound. This file is automatically updated when you update your Linux system when Unbound is installed.

Controlling/Viewing Unbound

Running unbound-control with no arguments prints the list of commands you can use to monitor and manage your Unbound installation.

unbound-control

unbound-control default listing.

To view statistics without resetting them, run this:

sudo unbound-control stats_noreset

(The plain stats command prints the same counters but resets them to zero afterwards, so use stats_noreset unless you deliberately want to start a fresh measurement. sudo is needed because only root can talk to the control socket on Ubuntu.)

During everyday usage, I never need unbound-control other than to view statistics with stats_noreset.
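The counters that stats_noreset prints answer the "will it be faster?" question above more precisely than a stopwatch. This added example (not from the original post, and not an Unbound tool) turns them into a cache hit rate and an average recursion time. The counter names are the ones Unbound prints; the sample values are constructed, and the --live mode assumes unbound-control works with sudo as described above.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the output of
# `unbound-control stats_noreset`. Sample counters below are constructed.

STATS_SAMPLE='total.num.queries=1500
total.num.cachehits=1100
total.num.cachemiss=400
total.num.prefetch=50
total.recursion.time.avg=0.085123'

# stat_value <stats text> <key>  -> the value after '=' (empty if absent)
stat_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# cache_hit_pct <stats text>  -> integer percentage of queries answered from cache
cache_hit_pct() {
    q=$(stat_value "$1" total.num.queries)
    h=$(stat_value "$1" total.num.cachehits)
    [ "${q:-0}" -gt 0 ] || { echo 0; return; }   # no queries yet: avoid dividing by zero
    echo $(( ${h:-0} * 100 / q ))
}

# recursion_avg_ms <stats text>  -> average time a full recursion took, in milliseconds
recursion_avg_ms() {
    stat_value "$1" total.recursion.time.avg | awk '{ printf "%.0f\n", $1 * 1000 }'
}

# report <stats text>  -> human-readable summary
report() {
    printf 'cache hit rate:       %s%%\n' "$(cache_hit_pct "$1")"
    printf 'avg recursion time:   %s ms\n' "$(recursion_avg_ms "$1")"
    printf 'prefetched entries:   %s\n'    "$(stat_value "$1" total.num.prefetch)"
}

if [ "${1:-}" = "--live" ]; then
    report "$(sudo unbound-control stats_noreset)"
fi
```

A hit rate that climbs over the first day or two, and a recursion average well under the one-to-two-second worst case mentioned earlier, is what a healthy home installation looks like.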

Unbound Performance

Unbound works great. I have been running it on a Quieter2Q with Pi-Hole, and it works like a charm. There is no system overheating or slowdown. Unbound is lightweight, requires minimal resources, and incurs no performance hit from what I have measured.

If Unbound is not to your liking, it can always be uninstalled, and DNS resolution can be returned to whatever you were using before in Pi-Hole.

Additional Information

And if you want a terse, technical description of Unbound, the man page is available:

man unbound

Conclusion

Unbound has proven so useful that it is now part of every Pi-Hole installation I set up, because of its simplicity and the benefits it offers at no performance cost.

Have fun!

 
