Unbound
DoH
Our great sponsors
Unbound | DoH | |
---|---|---|
40 | 18 | |
2,777 | 52 | |
3.2% | - | |
9.4 | 1.2 | |
7 days ago | 12 months ago | |
C | PHP | |
BSD 3-clause "New" or "Revised" License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Unbound
-
Just one bad packet can bring down a vulnerable DNS server thanks to DNSSEC
dnsmasq and unbound are impacted to
https://github.com/NLnetLabs/unbound/releases/tag/release-1....
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/20...
As are any other DNSSEC validators that followed the specifications.
Bind9 has its problems but this is not its fault this time.
-
Encrypted Client Hello – the last puzzle piece to privacy
Are you familiar with https://pi-hole.net/ ?
In my house I want DNS resolution to be performed by my own DNS resolver (https://github.com/NLnetLabs/unbound), after I block ad domains.
DoH circumvents that.
-
F5 Forward Proxy DNS resolvers CNAME limit
So yep it's an unbound thing: https://github.com/NLnetLabs/unbound/issues/438 there was a PR to allow a user to change the depth of a chase. I doubt F5 would have that version of unbound in any current software but support may be able to check or look at a lab 17.1 to see what version it is--you could then manually edit the conf file but it wouldn't persist through upgrades..
-
DNS Resolver does not return correct responses for all queries
That's confirms in issue#362 I found.
-
What upstream dns resolvers do you use?
The last time I checked, Unbound does not support upstream DoH. You can configure it to reply to DoH requests from clients, but you can't use it to forward queries to another DoH provider like Cloudflare or Quad9. Has that changed? The pull request has been open for 3 years.
-
Can unbound operate in iterative mode?
And, while the documentation for unbound.conf doesn’t say a whole lot about the iterator module specifically as far as I can tell, the code says:
-
Running PiHole on a second server
Gravity-Sync won't do that. But searching around on GH, I found this : https://github.com/NLnetLabs/unbound/blob/master/contrib/unbound_cache.sh
- DNS Delegation - How to DNSSEC?
-
pfBlockerNG-devel v3.1.0_7 / v3.1.0_14
Version 1.15.0 Configure line: --with-libexpat=/usr/local --with-ssl=/usr --disable-dnscrypt --disable-dnstap --with-libnghttp2 --enable-ecdsa --disable-event-api --enable-gost --with-libevent --with-pythonmodule=yes --with-pyunbound=yes ac_cv_path_SWIG=/usr/local/bin/swig LDFLAGS=-L/usr/local/lib --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd12.3 Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1n-freebsd 15 Mar 2022 Linked modules: dns64 python respip validator iterator BSD licensed, see LICENSE in source package for details. Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues
-
Anyone know of some open-source or community based name-servers?
"Unbound" for example https://github.com/NLnetLabs/unbound
DoH
-
Encrypted DNS, what's the point?
Even those who weren't interested in self-hosting might spend a couple of minutes hosting their own DNS proxy since it's much more flexible and don't require root or dedicated port (at least with DoH).
- I have a feeling 1.1.1.1 + WARP isn't gonna last long
-
AdGuard Home and dealing with DoH
To inject a little paranoia, DoH spec and implementation don't actually require the providers to only use /dns-query, it's possible (and very simple) to create an innocuous-looking website with /supersecretdns serving DoH, or directly on the homepage itself (the request for DoH vs regular webpage has different header), but if your kids are already that proficient, no way to stop them aside from plugging off the router.
-
Preparing for when NextDNS gets blocked
Get a PHP hosting (dime a dozen these days), and proxying on PHP is also seamless, pretty much any website can have a secret URL that serves DoH.
-
Tiny script for DoH proxy
https://github.com/NotMikeDEV/DoH/blob/master/dns.php handles both POST & GET. Yours only work with the POST, used by Chrome & Firefox, but not AdGuard.
-
Is there any issue with playing DoH DNS roulette?
If you are paranoid about a particular DNS server knowing your requests (but not paranoid enough to just use Tor entirely), the alternative will be just running a recursive resolver where you're running that PHP file. This exposes your server IP to the nameserver, but that's it, no extra third parties are involved. Or take it to the next level by running Tor there and forwarding plain DNS requests through it.
-
Anyone know of a free service I can host a custom dns on
DoH can be somewhat protected with a secret path, you can even create one for free on Cloudflare Worker or any PHP hosting, but only Windows 11, iOS, macOS, and browsers support it natively. DoT is supported by Android natively but hiding the custom domain is more complex (you'll need wildcard cert, which requires manual record update with LetsEncrypt every 90 days), and if someone snoops on your traffic since they can see the domain for the DoT.
- Dirt simple PHP script to run DNS over HTTPS (DoH) on almost any hosting
- Is there any DoH add-on for WordPress?
-
My ISP starts hijacking dns servers so unbound stopped working
That relies on a list of known DoH providers. Private DoH server won't be in the list, which can be very easily made on any PHP hosting or even just a Cloudflare Worker.
What are some alternatives?
Bind - Mirror of https://gitlab.isc.org/isc-projects/bind9, please submit issues and PR/MRs in the GitLab. Any issues and PRs opened here will be closed without a comment.
docker-cloudflared - Cloudflared proxy-dns Docker image
PowerDNS - PowerDNS Authoritative, PowerDNS Recursor, dnsdist
encrypted-dns - DNS over HTTPS config profiles for iOS & macOS
Knot Resolver - Knot Resolver - resolve DNS names like it's 2024
bebasdns - Membantumu berselancar dengan aman dan tidak terbatas!.
Knot DNS - A mirrored repository
dnsproxy - Simple DNS proxy with DoH, DoT, DoQ and DNSCrypt support
dnsmasq - mirror of dnsmasq (git://thekelleys.org.uk/dnsmasq.git ). This account is NOT maintained by dnsmasq developers. I am happy to give account to them. Please feel free to contact me. 1584171677[at]qq[dot]com
doh-cf-workers - DNS-over-HTTPS proxy on Cloudflare Workers
nextdns - NextDNS CLI client (DoH Proxy)
docker-bind - Bind (bind9) caching DNS server on Alpine or Debian with wild-card domain support [multi-arch]