This was an excellent video, really clearly and efficiently explained, great job. It is a fantastic idea showing all four windows at once and zooming between them, this is something a lot of tutorial/explanation videos could learn a lot from, it's a lot less jarring to watch than someone constantly alt-tabbing between windows and gives you a good overview for if you need to pause and think about it all. Anyway, making a dry topic like this really interesting is hard work - you're a great teacher and wanted to pass on some well deserved praise!
Good video very informative and well presented. I understood the concept and application easily. 🙏
Just wanted to thank you for this. I've fiddled around with Raspberry Pi for the past year (mainly for the mental exercise and to learn...). Security is always my first priority, and with this lesson on how to set up DNS over TLS I feel a lot more confident to take my DNS live...
Good video mate! Really well explained, learnt heaps!
For those who are completely new to this: what I mean by taking it live is taking it live in my own home network. You're already secure by default because it's NAT & firewall protected INSIDE your home router, but it never hurts to go the extra mile...
what a great video! thanks for that!
do you plan to teach how to configure LAN DoH using Nginx?
I've been looking for a way to set this up all over the internet, but no success
It is in my backlogs, which keep accumulating in my folders...
Thank you!
This video was really informative and structured really well. The diagrams definitely helped! You've earnt yourself a subscriber
Thanks!
Thank you very much for the video. Helped me a lot to understand the unbound + DoT thing.
I'm just curious, I wonder what is your mother language. Never heard such an accent.
In the world where AI generated videos are going to be everywhere, a rare accent means the video is less likely to be fake:D
I was playing around with this today, and it seemed setting it up as you have it in your video stopped my local DNS on Pi-hole from working. I did seem to track it down to the tcp-upstream option. When I was looking at unbound's documents this is set to no by default. I'm not going to say I'm smart enough to know why or why not I would want that on. Any thoughts?
I don't think tcp-upstream matters in the TLS scenario. I don't think it's the cause of your problem.
@@hz777 I was going in and commenting things out to see what finally allowed my local DNS, and when I did, everything started working again. Now that I knew TLS was a thing in unbound, I went looking for other examples and they didn't have the first 2 lines in his example, just the location of the certs and the forward zone.
Again I really barely understand this stuff, so I'm not really sure what each of these things are doing for the whole process.
Are you sure your certificate setting is correct? Other than that, I cannot think of other reasons. RUclips chat is not good for troubleshooting. Good luck!
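The exchange above is about the two kinds of lines a DoT forward needs (the certificate bundle and the forward zone) and what happens when one of them is missing. As an added example, not code from the video or from the unbound project, here is a constructed unbound.conf fragment of that shape next to a small lint that catches the usual mistakes: no CA bundle, port 853 without the TLS switch, or a TLS upstream without an `#authname` to verify the certificate against. The bundle path and the upstream addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the video or the unbound project.
# Two constructed unbound.conf fragments and a small lint for the
# mistakes that most often break DoT forwarding. The CA bundle path and
# the upstream addresses are assumptions; adjust them for your system.

# Constructed "good" fragment: CA bundle in the server: block, and a
# forward-zone that sends everything to the upstreams over TLS on 853,
# pinned to the certificate name after '#'.
GOOD_CONF='
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # tcp-upstream is not needed here; forward-tls-upstream already uses TCP+TLS
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
'

# Constructed "bad" fragment: the TLS switch is missing, so unbound would
# send plaintext DNS to port 853 and every forwarded query would fail.
BAD_CONF='
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
'

# lint_dot_conf CONFIG_TEXT -> prints findings; returns 0 if clean, 1 otherwise.
lint_dot_conf() {
    conf=$1
    rc=0
    # Drop whole-line and trailing comments. The '#' of an auth name has no
    # space before it, so forward-addr values survive.
    clean=$(printf '%s\n' "$conf" | sed -e 's/^[[:space:]]*#.*$//' -e 's/[[:space:]]#.*$//')

    if printf '%s\n' "$clean" | grep -Eq '^[[:space:]]*(forward-tls-upstream|tls-upstream):[[:space:]]*yes'; then
        tls=1
    else
        tls=0
    fi

    if ! printf '%s\n' "$clean" | grep -Eq '^[[:space:]]*(tls-cert-bundle:|tls-system-cert:[[:space:]]*yes)'; then
        echo "ERROR: no tls-cert-bundle / tls-system-cert: upstream certificates cannot be verified"
        rc=1
    fi

    addrs=$(printf '%s\n' "$clean" | awk '/^[[:space:]]*forward-addr:/ { print $2 }')
    [ -n "$addrs" ] || { echo "ERROR: forward-zone has no forward-addr"; rc=1; }

    for addr in $addrs; do
        case $addr in *@853*) port853=1 ;; *) port853=0 ;; esac
        case $addr in *#*)    authname=1 ;; *) authname=0 ;; esac
        if [ "$tls" -eq 1 ] && [ "$port853" -eq 0 ]; then
            echo "ERROR: $addr: TLS is on but the port is not 853"
            rc=1
        elif [ "$tls" -eq 0 ] && [ "$port853" -eq 1 ]; then
            echo "ERROR: $addr: targets 853 without forward-tls-upstream: yes (plaintext to a TLS port)"
            rc=1
        fi
        if [ "$tls" -eq 1 ] && [ "$authname" -eq 0 ]; then
            echo "ERROR: $addr: no #authname, so the certificate is not checked against a hostname"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: DoT forwarding looks consistent"
    return "$rc"
}

lint_dot_conf "$GOOD_CONF"
lint_dot_conf "$BAD_CONF" || echo "(bad fragment rejected as expected)"
```

The lint only looks at the lines this thread argues about; unbound's own `unbound-checkconf` should still be run on the real file, since it knows every option. Note that with `tls-cert-bundle` set but no `#authname` on a `forward-addr`, unbound connects over TLS but has no hostname to verify the certificate against, which is why the lint treats that as an error rather than a warning.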
Great explanation, perfect level of detail. Using Wireshark for cross-checking was awesome! May I ask what you're using for your VMs? I noticed you are using macOS, so I was wondering what you are using to spin up your Debian and Kali VMs?
ESXi
@@hz777 thanks, do you have any videos going over the setup of Wireshark?
General setup? No. But I do have a video about wifi frame capturing.
@@hz777 nice! thanks, will check it out ;)
This was a great video explaining the topics, thanks! I'm curious if you're planning a follow-up on how to enable DoT/DoH while maintaining the recursive lookup to root server. That's the next step I'd like to take, but I believe to do that, you must have a valid public certificate on the unbound server for the root servers to respond, right?
I think that that is not possible. With the root servers there is no way to encrypt the queries.
I am not aware of a way to communicate with a root DNS server with TLS, and I am not surprised about that. The root DNS servers were not designed to work with "secured" communications with home users.
@@hz777 any workarounds to still use a recursive resolver? Maybe on a separate device?
Recursive and encrypted? I don't think it's possible.
@@hz777 in that case would it be more efficient to run nginx for DoH + unbound without DoT?
Could you do a video on how to configure UDM Pro to use Pi-hole with unbound? I've seen videos on how to set up Pi-hole and unbound, but no videos show what settings to make inside the UDM Pro. There are settings for each VLAN network, WAN or LAN DNS settings, but I can't figure it out. I think the Pi-hole needs to be on its own VLAN, but do its DHCP manual DNS settings stay blank, or does it use the same upstream, say Cloudflare DNS, the same as it's set inside Pi-hole? Sorta confused on all that.
In this video I did not include UniFi on purpose, otherwise it will be too long. Yes, the topic is in my pipeline.
That’s awesome, thank you so much. Love your content and keep it up!
Hey any chance you'll do a video on IPv6 and Ubiquiti? In terms of setting up and using ipv6 from ISP? The considerations, whether its worth it or not, etc.
My ISP has not rolled out IPv6 yet. I heard they started in some other areas recently. Hope mine will be supported soon.
Next time, show how DNS Shield (DoH) works on UDM Pro/SE and if it works out of the box at all.
Just by using udmp? It's not supported.
@@hz777 UniFi OS 3.2.7 added support for DoH, which is called DNS Shield.
In my understanding, DNS Shield is for UDMP when it acts as a DNS client, so it may not be related to unbound or Pi-hole. I may work on a separate video on DNS Shield, just by using UniFi routers.
@@hz777 Yes, I know. I meant to show people that DoH is available in UDM since version 3.2.7.
Thank you so much!! Great video!
@hz777 Can you do a follow up video on this discussing some of the nuances a bit further? That was surprising unbound vs unbound DoT. Also, the speed information was interesting, that would be another neat follow up. Great videos!
@@philiptalbert458 Regarding unbound+DoT, I personally think the different behavior makes sense, because I am not optimistic about connecting to DNS name servers with TLS as an end user. And regarding the performance impact, I think it's a penalty to pay to run a recursive resolver at home. There might be some minor tweaks about how to make Pi-hole work better with unbound, but I don't think we can eliminate the extra time used when running unbound.
@@hz777 is this only an issue when not cached?
@@philiptalbert458 Do you refer to the behavior of connecting to upstream resolver instead of name servers after enabling DoT? If so, first I don't think it's an issue, and second I don't think it has anything to do with cache.
@@hz777 I was referring to the penalty / extra time from your previous statement. My understanding was there was little penalty with pihole + unbound once cached. How do you have your DNS setup?
Forgive me for the possibly stupid question, but perhaps I did not understand a concept properly.
Why use unbound if we are then going to call the Google service (8.8.8)?
Doesn't this way we only make use of the cache function of the unbound DNS?
If we use unbound, do we not also want to be independent of Google, Cloudflare etc.?
Again, this is a clarification I do not understand.
Thank you very much
if you refer to the last part of the video about DoH, the reason to use unbound is to simplify the DoH settings. Think about it, if just using a standard windows/mac machine, how do you want to configure DoH for DNS? There are other ways but they are not as easy as unbound.
@@hz777 Thanks!! What do you think would be the best solution to use for more privacy? Pi-hole + unbound + DoH or Pi-hole + unbound?
Bearing in mind that if I use Pi-hole + unbound + DoH I am still giving information to Google (8.8.8) or Cloudflare (1.1.1), ...
Is there no way to use encryption and be independent of third party providers?
@@hz777 Forgive me if I am unclear insult me but I am a beginner
They both have different pros and cons, so there is no perfect solution. I am not aware of a better DIY solution. Apple's Private Relay is better but needs a subscription.
@@hz777 thanks
Thank you for the video. I have done all the steps, my unbound conf looks fine, however in Wireshark I don't see TLS to Google/Cloudflare. It looks like it's not working properly. My device DNS is set to the Pi-hole IP, any ideas? Also I tested a non-cached domain.
Did you point Pi-hole's upstream server to unbound? That's the only thing I can think of.
BTW, where do you run Wireshark? The TLS packets are only in WAN.
@@hz777 I have the upstream set similar to you, it's just one server.
For the Wireshark I tested it on a PC in the LAN which has Pi-hole set as the only DNS server. That makes sense, how do I see it from WAN level? Sorry for this question.
Just need a way to confirm it's working.
@shadow8637 my lab environment is behind another router which connects to the internet, so I can easily set up Wireshark on the WAN.
If you cannot run Wireshark on the WAN: if you use a UniFi router, you can ssh to it then run tcpdump to capture WAN traffic; or you can run Wireshark in the machine where you run unbound, but make sure you capture the correct interface.
Thanks for the great video, but I wanted to ask, is this method better than just using cloudflared DoH with pihole?
I personally like the DoH way, but some people prefer to have everything under their own control, hence this video.
Thanks!