Hi and good day to all,
Using unbound together with Pi-hole seems to make browsing a bit snappier than relying on the ISP-supplied router/modem alone. However, I recently noticed something about my setup that has been bothering me for a while, even though everything appears to work without issues.
Please note that I have disabled "HTTPS DNS Proxy" (the `doh_*` entries in the dnsmasq config below are left over from it and, as far as I can tell, unused while it is disabled).
Reference configuration (OpenWrt UCI), with `/etc/config/unbound` listening on port 1053 behind dnsmasq on port 53:
/etc/config/dhcp
# dnsmasq: DHCP + stub DNS for the LAN. It does not resolve anything itself;
# every query it cannot answer from cache or local hosts is forwarded to the
# local unbound instance on port 1053 (see `list server` below).
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# Drop upstream answers that point at private/loopback ranges (DNS rebinding).
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
# Ignore /etc/resolv.conf (ISP resolvers): only the `server` entries count.
option noresolv '1'
option port '53'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# Answer DNS only for clients on directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
# The doh_* entries below are presumably written by the https-dns-proxy
# package; with that package disabled they are not consulted -- dnsmasq
# forwards to the `list server` entries only. Confirm with
# `cat /tmp/etc/dnsmasq.conf.*` or `dnsmasq --test`.
option doh_backup_noresolv '1'
list doh_backup_server '127.0.0.1#1053'
list doh_backup_server '::1#1053'
list doh_server '127.0.0.1#5053'
list doh_server '127.0.0.1#5054'
# Upstream = unbound on this router (listen_port 1053 in /etc/config/unbound).
list server '127.0.0.1#1053'
list server '::1#1053'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# No dhcp_option 6 here: by default dnsmasq advertises the router's own
# address as DNS, so vlan10 clients query dnsmasq -> unbound, not the Pi-hole.
config dhcp 'vlan10'
option interface 'vlan10'
option start '100'
option limit '149'
option leasetime '12h'
# DHCP disabled on core (ignore '1').
config dhcp 'core'
option interface 'core'
option start '100'
option limit '149'
option leasetime '12h'
option ignore '1'
# Same as vlan10: no option 6, so the router is the advertised DNS server.
config dhcp 'multi'
option interface 'multi'
option start '1'
option limit '1'
option leasetime '12h'
# vlan11 is the only pool that hands out the Pi-hole (172.27.11.253) as DNS
# server (DHCP option 6). Clients here talk to the Pi-hole directly and do not
# pass through dnsmasq/unbound on this router unless the Pi-hole forwards to it.
config dhcp 'vlan11'
option interface 'vlan11'
option start '100'
option limit '149'
option leasetime '12h'
list dhcp_option '6,172.27.11.253'
# Same as vlan10: no option 6, so the router is the advertised DNS server.
config dhcp 'temp'
option interface 'temp'
option start '100'
option limit '149'
option leasetime '12h'
/etc/config/unbound
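# unbound: the actual recursive resolver on this router. dnsmasq forwards to it
# on 127.0.0.1#1053 / ::1#1053 ("serial dnsmasq" layout). It talks directly to
# the root/authoritative servers; none of the forward_zone stanzas below are
# enabled, so no public resolver is used.
config unbound 'ub_main'
option add_extra_dns '0'
# Local names (hosts/leases) stay in dnsmasq; unbound does not read DHCP data.
option add_local_fqdn '0'
option add_wan_fqdn '0'
option dhcp_link 'none'
option dhcp4_slaac6 '0'
option dns64 '0'
option dns64_prefix '64:ff9b::/96'
option domain 'lan'
option domain_type 'refuse'
option edns_size '1232'
option extended_stats '0'
# Do not answer version.bind / hostname.bind chaos queries.
option hide_binddata '1'
option interface_auto '1'
# Not 53: dnsmasq owns port 53 and forwards here.
option listen_port '1053'
# Only serve clients on local subnets.
option localservice '1'
option manual_conf '0'
option num_threads '3'
option protocol 'default'
# Privacy improvement worth considering: query_minimize '1' (QNAME minimisation)
# sends only the labels each authoritative server needs; with query_min_strict
# left at '0' unbound falls back automatically for servers that mishandle it.
option query_minimize '0'
option query_min_strict '0'
option rate_limit '0'
option rebind_localhost '0'
# Reject upstream answers in private/loopback ranges (DNS rebinding).
option rebind_protection '1'
option recursion 'default'
option resource 'default'
option root_age '9'
option ttl_min '120'
option ttl_neg_max '1000'
# Control socket for `unbound-control` (local use only).
option unbound_control '1'
# DNSSEC validation was off ('0'), so forged/tampered upstream answers were
# accepted as-is and the resolver behaved like a plain cache. Enable it; with
# validator_ntp '1' the package keeps validation off until the clock is synced
# (validating with a wrong clock fails signature checks), so boot is not
# affected. If a local or broken zone stops resolving afterwards, exempt it
# with `list domain_insecure` (example commented out below) rather than
# turning the validator back off. Check with `unbound-control status` and
# `dig +dnssec example.com @127.0.0.1 -p 1053` (expect the AD flag).
option validator '1'
option validator_ntp '1'
option verbosity '1'
list iface_trig 'lan'
list iface_trig 'wan'
list iface_wan 'wan'
#list domain_insecure 'ntp.example.com'
config zone 'auth_icann'
# cache the root zone all at once to speed up recursion
option enabled '0'
option fallback '1'
option url_dir 'https://www.internic.net/domain/'
option zone_type 'auth_zone'
list server 'lax.xfr.dns.icann.org'
list server 'iad.xfr.dns.icann.org'
list zone_name '.'
list zone_name 'arpa.'
list zone_name 'in-addr.arpa.'
list zone_name 'ip6.arpa.'
config zone 'fwd_isp'
# forward ISP account management to DHCP announced DNS servers
option enabled '0'
option fallback '1'
option resolv_conf '1'
option zone_type 'forward_zone'
list zone_name 'isp-bill.example.com.'
list zone_name 'isp-mail.example.net.'
# Disabled: if enabled, '.' would be forwarded to Google over DNS-over-TLS
# instead of recursing locally.
config zone 'fwd_google'
option enabled '0'
option fallback '1'
option tls_index 'dns.google'
option tls_upstream '1'
option zone_type 'forward_zone'
list server '8.8.4.4'
list server '8.8.8.8'
list server '2001:4860:4860::8844'
list server '2001:4860:4860::8888'
list zone_name '.'
# Disabled: same as above, for Cloudflare.
config zone 'fwd_cloudflare'
option enabled '0'
option fallback '1'
option tls_index 'cloudflare-dns.com'
option tls_upstream '1'
option zone_type 'forward_zone'
list server '1.1.1.1'
list server '1.0.0.1'
list server '2606:4700:4700::1111'
list server '2606:4700:4700::1001'
list zone_name '.'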
/etc/config/firewall
# Firewall: default-deny for input/forward; each VLAN is its own zone so
# inter-VLAN forwarding is off unless a `config forwarding` stanza allows it.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# No `list network`: with it omitted the zone name ('lan') is used as the
# network name, so this still covers the lan interface.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# input 'ACCEPT' on the VLAN zones means hosts on that VLAN can reach every
# service on the router (SSH, LuCI, unbound on 1053, ...), not just DHCP/DNS.
# For VLANs that are meant to be untrusted (temp? multi?) consider input
# 'REJECT' plus explicit rules for 67/udp (DHCP) and 53 (DNS) -- depends on
# what those VLANs are for, which the config does not say.
config zone
option name 'zvlan10'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan10'
config zone
option name 'zvlan11'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vlan11'
config zone
option name 'ztemp'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'temp'
config zone
option name 'zmulti'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'multi'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'modem'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two rules below are OpenWrt defaults that open ESP and IKE (500/udp)
# from WAN into lan. If nothing on lan terminates IPsec, they can be removed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config forwarding
option src 'zvlan10'
option dest 'wan'
# zcore: no forwarding stanza to wan and DHCP ignored on 'core', so this
# zone is isolated apart from reaching the router itself (input ACCEPT).
config zone
option name 'zcore'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'core'
config forwarding
option src 'zmulti'
option dest 'wan'
config forwarding
option src 'zvlan11'
option dest 'wan'
# DNS hijack for zvlan11. With no dest_ip/dest_port this DNATs to the
# router's OWN port 53, i.e. dnsmasq -> unbound -- not to the Pi-hole. So a
# vlan11 client that hardcodes e.g. 8.8.8.8 gets a valid answer, but from a
# path that skips the Pi-hole's blocklists. Queries sent straight to
# 172.27.11.253 (presumably on the vlan11 subnet itself) never cross the
# router and are unaffected. Limits: IPv4 only (family), and DoT (853/tcp),
# DoH (443) and IPv6 DNS are not intercepted. No proto is given; the firewall
# docs list tcpudp as the default for redirects -- confirm with `fw4 print`.
# Note the other VLANs have no such rule at all.
config redirect
option target 'DNAT'
option name 'Intercept-DNS'
option family 'ipv4'
option src 'zvlan11'
option src_dport '53'
config forwarding
option src 'ztemp'
option dest 'wan'
My question is about how DNS queries traverse my network to the outside, how I can improve and/or correct my setup, and ultimately how to understand DNS better.
I followed the unbound installation guide using the "serial dnsmasq" option (dnsmasq on port 53 forwarding to unbound on port 1053).
Since I have DHCP option 6 set (on vlan11, the only DHCP pool with that option in the config above), every LAN device on that VLAN now gets the Pi-hole's IP as its DNS server and uses it. A DNS leak test shows only one IP, my router's public address — although that would look the same whether the Pi-hole or the router's unbound did the recursion, since both leave via the same WAN IP — and ads are almost non-existent.
My confusion starts here...
After a device sends a DNS query:
- Is dnsmasq (port 53) on OpenWrt still used by the LAN clients?
- Does dnsmasq silently hand the query to the Pi-hole?
- Or does it go to dnsmasq, then to unbound, then to the Pi-hole?
- Does the client go directly to the Pi-hole, bypassing dnsmasq and unbound?
- Or something else?
After the query arrives at the Pi-hole and the Pi-hole does its work:
- Does it go out directly to the internet, since the Pi-hole also runs its own unbound?
- Does it go to OpenWrt's unbound, which then goes out to the internet?
- Something else?
Is my setup "optimal"? I hope someone can shed some light on my minor predicament.
Thank you for your time reading my post.