Just wanted to thank you for this. I've fiddled around with a Raspberry Pi for the past year (mainly for the mental exercise and to learn...). Security is always my first priority, and with this lesson on how to set up DNS over TLS I feel a lot more confident to take my DNS live...
This was an excellent video, really clearly and efficiently explained, great job. It is a fantastic idea showing all four windows at once and zooming between them; this is something a lot of tutorial/explanation videos could learn from. It's a lot less jarring to watch than someone constantly alt-tabbing between windows, and it gives you a good overview for when you need to pause and think about it all. Anyway, making a dry topic like this really interesting is hard work - you're a great teacher and I wanted to pass on some well-deserved praise!
Good video mate! Really well explained, learnt heaps!
Absolutely beautiful video, man. Haven't seen such in-depth explanations. Thanks, man. Please make a video on a self-hosted VPN as well. ❤
For those who are completely new to this, what I mean by taking it live is taking it live in my own home network. You're already secure by default because it's NAT and firewall protected INSIDE your home router, but it never hurts to go the extra mile...
what a great video! thanks for that!
do you plan to teach how to configure LAN DoH using Nginx?
I've been looking for a way to set this up all over the internet, but no success
It is in my backlog, which keeps accumulating in my folders...
Thank you very much for the video. Helped me a lot to understand the unbound+ DoT thing.
I'm just curious, I wonder what is your mother language. Never heard such an accent.
In the world where AI generated videos are going to be everywhere, a rare accent means the video is less likely to be fake:D
Thank you so much!! Great video!
@hz777 Can you do a follow-up video on this discussing some of the nuances a bit further? That was surprising, unbound vs. unbound DoT. Also, the speed information was interesting; that would be another neat follow-up. Great videos!
@@philiptalbert458 Regarding unbound+DoT, I personally think the different behavior makes sense, because I am not optimistic about connecting to DNS name servers with TLS as an end user. And regarding the performance impact, I think it's a penalty to pay to run a recursive resolver at home. There might be some minor tweaks to make Pi-hole work better with unbound, but I don't think we can eliminate the extra time used when running unbound.
@@hz777 Is this only an issue when not cached?
@@philiptalbert458 Do you refer to the behavior of connecting to an upstream resolver instead of name servers after enabling DoT? If so, first, I don't think it's an issue, and second, I don't think it has anything to do with cache.
@@hz777 I was referring to the penalty / extra time from your previous statement. My understanding was there was little penalty with pihole + unbound once cached. How do you have your DNS setup?
This was a great video explaining the topics, thanks! I'm curious if you're planning a follow-up on how to enable DoT/DoH while maintaining the recursive lookup to root server. That's the next step I'd like to take, but I believe to do that, you must have a valid public certificate on the unbound server for the root servers to respond, right?
I think that that is not possible. With the root servers there is no way to encrypt the queries.
I am not aware of a way to communicate with root DNS servers over TLS, and I am not surprised about that. The root DNS servers were not designed to work with "secured" communications with home users.
Hey, any chance you'll do a video on IPv6 and Ubiquiti? In terms of setting up and using IPv6 from an ISP? The considerations, whether it's worth it or not, etc.
My ISP has not rolled out IPv6 yet. I heard they started in some other areas recently. Hope mine will be supported soon.
Can you make a video on the left side of the DNS over TLS? Inside your home network. Or do you have any guides to do it?
Wondering the same thing... using TLS with unbound. Is that a thing? I guess I could just try it by replacing the Google DNS with the local IP and port 5353.
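For readers asking about the "left side", here is a worked unbound.conf that covers both halves: unbound forwards to the upstream resolvers over DoT (the right side the video configures) and also terminates DoT from LAN clients on port 853 (the left side). This is an added example, not the video's config. The addresses, file paths and the LAN subnet are assumptions; the directive names are unbound's own.

```conf
server:
    # Plain DNS for Pi-hole, which forwards to unbound on 5353 as in the video
    interface: 127.0.0.1@5353
    # DNS over TLS for LAN clients: tls-port marks which @port gets TLS service
    interface: 192.168.1.2@853
    tls-port: 853
    # Certificate and key presented to LAN clients (assumed paths). The
    # certificate name must match what clients are told to verify, and a
    # self-signed certificate has to be trusted on every client.
    tls-service-key: "/etc/unbound/unbound.key"
    tls-service-pem: "/etc/unbound/unbound.pem"
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    # CA bundle used to verify the upstream resolvers' certificates;
    # without it the "#name" below cannot be checked
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Right side: every query goes to the upstream over TLS, and the "#name"
    # pins the certificate identity (assumed upstreams; pick your own)
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
```

Two caveats a practitioner wants: a forward-zone for "." is exactly why unbound stops walking to the root servers once DoT is enabled, as discussed in the replies above, and a LAN client that talks DoT straight to unbound:853 skips Pi-hole's blocklists, because Pi-hole sits in front of unbound only on the plain port-53 path. Validate the file with unbound-checkconf before restarting, and test the LAN side with a DoT-capable client such as kdig +tls @192.168.1.2 example.com.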
Could you do a video on how to configure the UDM Pro to use Pi-hole with unbound? I've seen videos on how to set up Pi-hole and unbound, but no videos show what settings to make inside the UDM Pro. There are settings for each VLAN network, WAN or LAN DNS settings, but I can't figure it out. I think the Pi-hole needs to be on its own VLAN, but do its DHCP manual DNS settings stay blank, or does it use the same upstream, say Cloudflare DNS, the same as it's set inside Pi-hole? Sort of confused on all that.
In this video I did not include UniFi on purpose; otherwise it would be too long. Yes, the topic is in my pipeline.
That’s awesome, thank you so much. Love your content and keep it up!
Next time, show how DNS Shield (DoH) works on the UDM Pro/SE and whether it works out of the box at all.
Just by using the UDMP? It's not supported.
@@hz777 UniFi OS 3.2.7 added support for DoH, which is called DNS Shield.
In my understanding, DNS Shield is for the UDMP when it acts as a DNS client, so it may not be related to unbound or Pi-hole. I may work on a separate video on DNS Shield, just using UniFi routers.
@@hz777 Yes, I know. I meant to show people that DoH is available in UDM since version 3.2.7.
Thank you for the video. I have done all the steps and my unbound conf looks fine; however, in Wireshark I don't see TLS to Google/Cloudflare. It looks like it's not working properly. My device DNS is set to the Pi-hole IP. Any ideas? Also, I tested a non-cached domain.
Did you point Pi-hole's upstream server to unbound? That's the only thing I can think of.
BTW, where do you run Wireshark? The TLS packets are only on the WAN.
@@hz777 I have the upstream set similar to yours; it's just one server.
For Wireshark, I tested it on a PC in the LAN which has Pi-hole set as the only DNS server. That makes sense. How do I see it at the WAN level? Sorry for this question.
Just need a way to confirm it's working.
@shadow8637 My lab environment is behind another router which connects to the internet, so I can easily set up Wireshark on the WAN.
If you cannot run Wireshark on the WAN and you use a UniFi router, you can SSH to it and then run tcpdump to capture WAN traffic; or you can run Wireshark on the machine where you run unbound, but make sure you capture the correct interface.
Forgive me for the possibly stupid question, but perhaps I did not understand a concept properly.
Why use unbound if we are then going to call the Google service (8.8.8.8)?
This way, don't we only make use of the cache function of the unbound DNS?
If we use unbound, do we not also want to be independent of Google, Cloudflare, etc.?
Again, this is a clarification I do not understand.
Thank you very much
If you refer to the last part of the video about DoH, the reason to use unbound is to simplify the DoH settings. Think about it: if just using a standard Windows/Mac machine, how would you configure DoH for DNS? There are other ways, but they are not as easy as unbound.
@@hz777 Thanks!! What do you think would be the best solution for more privacy? Pi-hole + unbound + DoH or Pi-hole + unbound?
Bearing in mind that if I use Pi-hole + unbound + DoH I am still giving information to Google (8.8.8.8) or Cloudflare (1.1.1.1), ...
Is there no way to use encryption and be independent of third-party providers?
@@hz777 Forgive me if I am unclear insult me but I am a beginner
They both have different pros and cons, so there is no perfect solution. I am not aware of a better DIY solution. Apple's Private Relay is better but needs a subscription.
@@hz777 thanks
Thanks for the great video, but I wanted to ask: is this method better than just using cloudflared DoH with Pi-hole?
I personally like the DoH way, but some people prefer to have everything under their own control, hence this video.