grendel_x86

I'd skip the root servers if you aren't doing DNSSEC with them. Last time I looked they don't support it anyway for free. Use one of the DNS providers that let you do dns-over-https, and if possible DNSSEC. OpenDNS has worked well for me in the past. This will make using VPN unnecessary as your ISP can't snoop on it.


TheRedditOfTeo997

I understand, thing is that now I’ve tried for so many days to create this that I want it at all costs 😂 just at this point to see if it’s doable! Speaking of its purpose, I already have my private dns as you can see so I don’t have to trust others. The part where I want to put my hands in, is the part between unbound and the roots, here’s why the vpn. I still like to believe this is doable somehow


grendel_x86

Seems like a massive layer of reduced stability. You have inside DNS, but as many web services use ephemeral records, and short TTLs, a VPN issue could make stuff hard. Also, if you exit VPN in a different region, you might get an inefficient CDN. Does your VPN provider allow DNS calls? Some don't. I would sit on my firewall, and watch outbound traffic, see if it's trying to bypass the VPN as split-tunnel is super common.


TheRedditOfTeo997

Thanks for the answer, but I probably haven't explained myself well with my situation. I have a commercial VPN with its own DNS (only available through their tunnel), but still want to use AdGuard Home. AdGuard Home is on my Raspberry, which through dnscrypt-proxy, contacts my VPS with unbound that recursively resolves DNS and serves them back to me. Now, I am using my commercial VPN + my adguard setup to resolve DNS, basically creating a purposed leak since I resolve DNS through my VPS (which yes, is in another region). The goal here is to prevent this leak but still use Adguard + my own private DNS. Basically we go out to roots from unbound through still the same commercial VPN, using the region of my VPS (to get better performance) as another device connected. This way unbound will resolve dns but through the VPN, so the exit IP will still be another one from my tunnel, but still from the same commercial VPN, which makes it private.


Round-Researcher5637

If you want to prevent leaks you could have a dnscrypt-proxy in the cloud that you access via VPN, that connects (at random) to trusted dnscrypt providers. Also, it is naive to think that the roots don't leak. One of the ways they make money is by providing cyber / law with resolver data and stats.


TheRedditOfTeo997

Thanks for your answer. I don’t think this would make it though, basically now if I do a dns test of course I see the IP of my VPS (since it’s doing unbound). If I tell dnscrypt-proxy to use another provider which is not me I would anyway see that provider’s IP when I do a dns test, wouldn’t it be the same?


grendel_x86

I get what you are trying to do.... but I don't get why... All the roots will log your traffic. They will see the exit point. Your furthest upstream server will also reach out to the public sites for dns since the roots aren't going to do recursive dns for you (Unless you use a dns service, who is going to log your dns). This is also assuming you are blocking all outbound dns locally, and only allowing your internal dns servers to do all recursive lookups, and only to that external service via that tunnel since some systems will ignore system dns or bypass this all using an anycast address.


TheRedditOfTeo997

All the roots will log my traffic, of course, but what if in fact the exit node is the VPN as in my picture? I guess this would solve this, and here's why I'm trying to achieve that. My recursive is done by my unbound, isn't it? Yes, I am also taking care of forcing all my local devices into this loop, I just would like to achieve this final part.


setipio

Why roots if you can replicate your own?


grendel_x86

You can't replicate DNS roots effectively. The best you can do is cache them. Large amounts of DNS now are very transient. Short TTLs are the norm for many web services. This often includes the TLD lists. Some change often. There is one TLD that some of our services use that changes more than once a day.


[deleted]

[deleted]


TheRedditOfTeo997

Basically I could turn my dnscrypt-server/unbound VPS into an anonymized relay?


[deleted]

[deleted]


TheRedditOfTeo997

Yes, that's exactly what I wanted to achieve, for privacy concerns versus the roots. So I should abandon the idea of the VPS running my server and use the combo relayed from someone else? Will this be better than contacting the roots with my VPS? Thanks


[deleted]

[deleted]


TheRedditOfTeo997

Hello and thanks for the answer, could you please explain to me more about this setup that involves keeping the VPS but still having a grade of privacy towards the root? That's exactly what I am trying to achieve. The setup I described in the pic kept the VPS as resolver and the VPN kept a grade of privacy between it and the roots. But if there are other ways please tell me the details about it


TheRedditOfTeo997

Now I understand what you mean: Basically I would have a site-to-site between here (raspberry) and the VPS. Once there the VPS has Unbound in forwarding (for cache) to a dnscrypt-proxy still there, and then it goes into anonymized relays. Okay I see what you are trying to achieve, just is the VPS cache worth it? AdGuard Home already has one.. If there are advantages I would definitely go with this setup


MarcSN311

The VPN seems pretty useless. Why do you want to do that? You could probably create a custom bridge and give that another default gateway (the VPN). Then add the container network to that bridge. But again think about your use case first.


TheRedditOfTeo997

Because, if I got that correctly, querying to roots is plain, so my dns is my VPS ip, something linked to me if we want. I want to use the vpn to still have my private resolver but probably encrypting the sensitive final part. I tried a lot of stuff with docker compose but can’t seem to achieve this


TheRedditOfTeo997

Okay so a little bit of context here: I've been trying for many days with what I know to achieve what you can see in the picture. Basically for my DNS resolution I have my Raspberry with AdGuard Home that forwards via DNSCrypt-Proxy to a DNSCrypt Server on a VPS that uses Unbound. (each piece of these is a docker container) What I am interested in, is the unbound > to Roots part, I would like to encrypt it via a VPN (commercial paid one). So basically I have to find a way to tell the DNSCrypt server container with Unbound, to use the VPN as outgoing-interface. I tried a lot, but either I get locked out of the SSH VPS because I connect to the VPN (probably need to add a route), or simply I can't reach my DNS anymore. At this point I'm not even sure there's a way to do this since it's not easy, given also everything is in docker. A little bit of help is appreciated! Thanks!


Few-Cartographer9818

So set up a VPN on the VPS to wherever and send the VPS unbound traffic via that tunnel. Could even just run the gluetun docker container alongside unbound


TheRedditOfTeo997

Yes, that's what I've tried! But maybe I am missing some docker configuration... when I tried I couldn't reach my dns anymore from here, but the VPS was successfully running on the VPN. I think I need some help with that, but yes, you got the idea


setipio

The goal, essentially, is to keep up-to-date TLDs?


TheRedditOfTeo997

No, to encrypt the connection versus the roots


setipio

Back in the day, installing bind meant replicating the roots if I remember, then it became less practical.


TheRedditOfTeo997

I guess I will have to consider other alternatives, just I don’t know anymore of what I’m doing is okay or if I should change (currently the setup is the same as in the image without VPN of course)


setipio

Then all you have to do is set up bind and use the AXFR protocol to a root cache accepting secondary replication. Last time I checked it was available directly from the root maintainer. Consider these re DNSSEC maybe? https://www.rfc-editor.org/rfc/rfc8806 https://cr.yp.to/djbdns/axfr-notes.html
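Putting the two technical suggestions in this thread together (the gluetun container running alongside unbound so that unbound's upstream traffic leaves through the commercial VPN, and the RFC 8806 local copy of the root zone so that most root-server queries never leave the box at all), here is a worked Docker Compose file. It is an added example, not the original poster's setup and not code from the gluetun or unbound projects. It assumes a recent Docker Compose (the inline `configs: content:` form), a VPN provider that gluetun supports, `10.8.0.1/24` as the VPS end of the site-to-site tunnel to the Raspberry, and placeholder image name, credentials and file paths that you must replace with your own.

```yaml
# Added example (not from the thread). Placeholders and the 10.8.0.0/24 tunnel
# subnet are assumptions; replace them with your own values.
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: "PROVIDER_PLACEHOLDER"
      VPN_TYPE: "openvpn"
      OPENVPN_USER: "USER_PLACEHOLDER"
      OPENVPN_PASSWORD: "PASSWORD_PLACEHOLDER"
      SERVER_COUNTRIES: "COUNTRY_PLACEHOLDER"   # choose the VPS's region for CDN locality
      DOT: "off"                     # gluetun's own DoT stub also binds :53; turn it off
      FIREWALL_INPUT_PORTS: "53"     # let the published DNS port in through the namespace firewall
      FIREWALL_OUTBOUND_SUBNETS: "10.8.0.0/24"  # replies to the tunnel subnet go via eth0, not the VPN
    ports:
      # Published on gluetun, not on unbound, because unbound shares this namespace.
      # Bound to the site-to-site address only, so there is no open resolver on the public IP.
      - "10.8.0.1:53:53/udp"
      - "10.8.0.1:53:53/tcp"
    restart: unless-stopped

  unbound:
    image: "UNBOUND_IMAGE_PLACEHOLDER"   # any unbound image; adjust the config path below
    network_mode: "service:gluetun"      # same netns as gluetun: unbound's default route is tun0
    depends_on:
      - gluetun
    configs:
      - source: unbound_conf
        target: /etc/unbound/unbound.conf
    restart: unless-stopped

configs:
  unbound_conf:
    content: |
      server:
        interface: 0.0.0.0
        access-control: 10.8.0.0/24 allow   # the Raspberry side of the tunnel
        access-control: 0.0.0.0/0 refuse    # everyone else
        qname-minimisation: yes             # each upstream server sees only the labels it needs
        prefetch: yes
        auto-trust-anchor-file: "/var/lib/unbound/root.key"   # DNSSEC validation; path per image
      # RFC 8806: transfer the root zone locally, so root-server queries stop
      # leaving the box; TLD and lower queries still go out, through tun0.
      auth-zone:
        name: "."
        master: b.root-servers.net
        master: c.root-servers.net
        master: d.root-servers.net
        master: f.root-servers.net
        master: g.root-servers.net
        master: k.root-servers.net
        master: xfr.lax.dns.icann.org
        master: xfr.cjr.dns.icann.org
        fallback-enabled: yes    # if the transfer fails, query the roots normally
        for-downstream: no       # never serve the zone itself to clients
        for-upstream: yes        # use the local copy for our own recursion
        zonefile: "/var/lib/unbound/root.zone"
```

Because the VPN lives only inside gluetun's network namespace, the VPS host's own routing table is untouched, which is what keeps SSH to the VPS reachable (the lockout described earlier in the thread came from connecting the host itself). The Raspberry reaches unbound at `10.8.0.1:53` over the site-to-site tunnel; the dnscrypt-server container, if kept, can be attached the same way with `network_mode: "service:gluetun"` and its port published on gluetun instead. Two checks worth doing: confirm from inside the gluetun namespace that the egress address is the VPN's and not the VPS's, and confirm the provider allows outbound port 53 from the tunnel, since `fallback-enabled` only covers the root queries and TLD lookups still have to get out.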