HomeLab: AdGuard: The One Reason to Use Unbound DNS ( IMHO )
What Unbound DNS does, and when I would want to use it.

Previous Post about AdGuard
Intro
Since I have done a lot of reading and research about AdGuard, I have had more chances to see how other people use and set up AdGuard in their HomeLab.
Recently, I saw some GitHub projects and Reddit posts that talked about Unbound DNS + AdGuard. I got curious, so I researched it.
In short, I found the one reason ( or one functionality ) that makes me think about adopting Unbound DNS in my HomeLab DNS Resolution Design.
What is AdGuard exactly?
First, what is AdGuard ( more precisely AdGuard Home )?
In short, AdGuard Home is a DNS proxy: it blocks domains at the DNS level, keeps a DNS cache, and answers DNS requests ( or queries ) by asking the configured upstream DNS servers whenever the requested name is not already in its cache.
AdGuard Home is basically a DNS proxy that sends your DNS queries to the upstream servers. You can specify multiple upstream servers in AdGuard Home settings, or you can even specify a DNS server that will be used to resolve specific domains.
If you keep this field empty, AdGuard Home will use Quad9 by default. But you may switch to any other server you like. — ref: https://adguard.com/en/blog/in-depth-review-adguard-home.html
Current HomeLab DNS Resolution Design
Let me share my current DNS Resolution Design.
- Using AdGuard as DNS Proxy ( DNS Cache, Blocking by DNS )
- Using DNS over Plain ( unencrypted DNS on UDP/TCP port 53 ) between Local Clients and AdGuard ( Local Network )
- Using DNS over HTTPS between AdGuard and the upstream public DNS servers
The overall steps of how DNS requests are resolved in my Local Network are like below.
- When a Local Client sends a DNS request, the request goes to AdGuard ( DNS Proxy ) through DNS over Plain ( not secure, but it’s ok since it stays inside the Local Network ).
- AdGuard ( DNS Proxy ) returns the DNS Answer to the Local Client if it is in the AdGuard DNS Cache.
- If NOT found in the AdGuard DNS Cache, AdGuard ( DNS Proxy ) forwards the request through DNS over HTTPS ( more secure than DNS over Plain ) to the upstream public DNS servers. Those servers are recursive resolvers: they do the actual resolution and send back the answer.
- AdGuard ( DNS Proxy ) gets the DNS Answer from the upstream public DNS servers through DNS over HTTPS. AdGuard caches the DNS Answer in the AdGuard DNS Cache and returns it to the Local Client.

DNS traffic between AdGuard and upstream public DNS servers
As described in the previous section, the DNS traffic between AdGuard and the upstream public DNS servers is secured by using DNS over HTTPS.
I secure the DNS traffic to prevent monitoring or tampering by any party while the DNS requests travel over the Public Network ( Internet ).
The DNS traffic from AdGuard stays encrypted until it reaches the upstream public DNS servers, and the upstream DNS servers decrypt the traffic when they receive it.
The upstream public DNS servers encrypt the answers again before sending the DNS traffic back to AdGuard.

Question: Do I trust the upstream public DNS servers ( DNS Resolver )?
The DNS traffic between AdGuard and the upstream public DNS servers is secured by DNS over HTTPS.
So only I and the upstream DNS servers know what I asked. Yes, that is still someone other than me who knows about my DNS requests.
The DNS requests collected by the upstream DNS servers can be used for other purposes, like building a profile about me. ( it’s an extreme case, but it’s the reality. )
What if I trust the upstream public DNS servers?
Then, the “Current HomeLab DNS Resolution Design” that I shared is good enough for a HomeLab.
What if I DO NOT trust the upstream public DNS servers?
Then, I need a replacement service that does the same thing the upstream DNS servers do. And, Unbound DNS is one of them.
New DNS Resolution Design with Unbound DNS
Unbound DNS can be used as the upstream DNS server instead of Google DNS, Cloudflare DNS, Quad9 DNS, and other public DNS servers.
Unbound DNS runs in my Local Network ( under my control ) and resolves names itself, so no third-party resolver receives my DNS request history ( Increased Privacy ).
Let me go through the new design.
- Using AdGuard as DNS Proxy. ( purely blocking by DNS or content filtering. DNS cache is disabled. )
- Using DNS over Plain between Local Clients and AdGuard ( Local Network )
- Using DNS over Plain between AdGuard and the upstream private DNS server ( Unbound DNS )
- Using the DNS Cache in Unbound DNS.
- Using DNS over Plain ( UDP/TCP port 53 ) when Unbound DNS does its iterative DNS queries to the root, TLD and authoritative nameservers. There is no encrypted option on this leg, because those nameservers only speak plain DNS, so my ISP can still see these packets. The difference from the current design is that no single resolver sees my whole query history, and with QNAME minimisation ( Unbound’s qname-minimisation option, on by default in current versions ) each nameserver only receives the part of the name it needs to give its referral.
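Here is that design as an actual Unbound configuration. This is an added example and not code from the original post, from AdGuard or from the Unbound project. It assumes Unbound listens on 127.0.0.1 port 5335, that the LAN is 192.168.1.0/24, and that the root hints and the DNSSEC root trust anchor live under /var/lib/unbound ( common locations; adjust for your distribution ). The script writes the config, refuses any forward-addr ( a forward zone would send everything to a public resolver again, which is exactly what this design avoids ), validates the file with unbound-checkconf when that tool is installed, and queries the resolver with dig when it is available.

```shell
#!/bin/sh
# Added example: generate, sanity-check and query an Unbound config for the
# "AdGuard -> Unbound -> root/TLD/authoritative" design.
# Assumptions (not from the post): Unbound listens on 127.0.0.1:5335, the LAN is
# 192.168.1.0/24, root hints and trust anchor live under /var/lib/unbound.

# write_unbound_conf PATH LAN_CIDR PORT
write_unbound_conf() {
    conf="$1"; lan="$2"; port="$3"
    cat > "$conf" <<EOF
server:
    # Reachable only from this host and the LAN; AdGuard is the intended client.
    interface: 127.0.0.1
    port: $port
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: $lan allow
    access-control: 0.0.0.0/0 refuse

    # No forward-zone: Unbound iterates from the root itself, so no public
    # resolver ever receives the full query history.
    root-hints: "/var/lib/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes

    # Send each nameserver only the labels it needs for its referral.
    qname-minimisation: yes

    # Don't advertise the resolver; reject public names that resolve to LAN
    # addresses (DNS rebinding), except for domains listed in private-domain.
    hide-identity: yes
    hide-version: yes
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8

    # The cache lives here because AdGuard's cache is disabled in this design.
    prefetch: yes
    msg-cache-size: 64m
    rrset-cache-size: 128m
EOF
}

# Returns 0 if the config forwards to another resolver (which defeats the design).
forwards_upstream() {
    grep -q '^[[:space:]]*forward-addr:' "$1"
}

# Validate with unbound-checkconf when it is installed.
check_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        echo "unbound-checkconf not installed; skipping syntax check"
    fi
}

# Query the running resolver; "status: NOERROR" plus the "ad" flag in the
# header line shows that Unbound validated the answer with DNSSEC.
query_local() {
    name="$1"; port="$2"
    if command -v dig >/dev/null 2>&1; then
        dig @127.0.0.1 -p "$port" +dnssec +time=2 +tries=1 "$name" \
            | grep -E '^;; (->>HEADER|flags:)'
    else
        echo "dig not installed; skipping query"
    fi
}

main() {
    out="${1:-$(mktemp -d)}/unbound.conf"
    write_unbound_conf "$out" 192.168.1.0/24 5335
    if forwards_upstream "$out"; then
        echo "WARNING: $out forwards to an upstream resolver" >&2
    fi
    check_conf "$out"
    query_local adguard.net 5335
    echo "wrote $out"
}
main "$@"
```

Before the first start, create the trust anchor with `unbound-anchor -a /var/lib/unbound/root.key` and fetch the hints from https://www.internic.net/domain/named.root into /var/lib/unbound/root.hints. On the AdGuard Home side, set the upstream DNS server to `127.0.0.1:5335` ( plain DNS to the local Unbound ) and set the DNS cache size to 0 so that only Unbound caches. One caveat: if you run public hostnames that deliberately point at LAN addresses ( split-horizon ), list those zones with `private-domain:` in the server block, otherwise the private-address lines make Unbound drop those answers as rebinding attempts.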
If you are interested in the topics below, you can read this article. — https://www.cloudflare.com/learning/dns/dns-server-types/
- What is a DNS root nameserver?
- What is a TLD nameserver?
- What is an authoritative nameserver?
BTW, this is how the Pi-hole documentation explains Unbound DNS. I replaced Pi-hole with AdGuard in the text. 😃 ( src: https://docs.pi-hole.net/guides/dns/unbound/ )
1. Your client asks the AdGuard Who is AdGuard.net?
2. Your AdGuard will check its cache and reply if the answer is already known. ( in AdGuard DNS Cache. In my design above the AdGuard cache is disabled, so this caching happens in Unbound instead. )
3. Your AdGuard will check the blocking lists and reply if the domain is blocked.
4. Since neither 2. nor 3. is true in our example, the AdGuard delegates the request to the (local) recursive DNS resolver. ( which is Unbound DNS )
5. Your recursive server ( Unbound DNS ) will send a query to the DNS root servers: “Who is handling .net?”
6. The root server answers with a referral to the TLD servers for .net.
7. Your recursive server ( Unbound DNS ) will send a query to one of the TLD DNS servers for .net: “Who is handling AdGuard.net?”
8. The TLD server answers with a referral to the authoritative name servers for AdGuard.net.
9. Your recursive server ( Unbound DNS ) will send a query to the authoritative name servers: “What is the IP of AdGuard.net?”
10. The authoritative server will answer with the IP address of the domain AdGuard.net.
11. Your recursive server ( Unbound DNS ) will send the reply to your AdGuard which will, in turn, reply to your client and tell it the answer to its request.
12. Lastly, your AdGuard will save the answer in its cache to be able to respond faster if any of your clients queries the same domain again. ( again, in my design it is Unbound that keeps this cache. )

