.png)
I used to use the DNS servers provided by my ISP until I realized that they were using those nameservers to serve ads, block me from content they deemed inappropriate, and generally track my browsing habits. I went through a stage of trying different DNS providers to find those that were both safe and fast enough to use from my location. Mostly that was Cloudflare at 1.1.1.1, Google at 8.8.8.8, or Quad9 at 9.9.9.9.
But however much I trusted them, I was still limited to what they thought should be resolved, and they also didn't fit my needs for using local name resolution. The only way to achieve this was either to register and pay for multiple domain names or find a local solution that worked within my network. I've self-hosted my own DNS twice now, and by far the better experience has been from using Unbound. It's superior to the DNS cache found in most routers, and as it's part of OPNsense by default, it's easy to set up and utilize.
Related
How I made the ultimate firewall for my home with OPNsense
Armed with tons of security provisions, OPNsense is an amazing firewall OS for your home network
5 Enhanced privacy
It's always good to limit the amount of corporate tracking you are subject to
Because Unbound is a recursive DNS resolver, it doesn't rely on third-party services for resolution. That means it talks directly to the root nameservers, reducing the number of other points my browsing habits go to. It also means that Google, Cloudflare, or my ISP doesn't get to build a complete picture of me or my family, so they can't use it for advertising purposes. I've reported on enough aggregate data harvesting gone wrong situations to know that even if I don't actually mind the advertising, the data can easily be used for worse purposes, and that's why I like to limit it.
Unbound also has other privacy-focused features that make it awesome, like query name minimization, which only sends the necessary part of domain names to each level of the DNS server hierarchy, making it even harder for anyone to piece together a view of your browsing habits. Even compromising one nameserver wouldn't be enough; an attacker would need access to every part of the chain, which is almost impossible to achieve.
I also like limiting advertising on my home network, but not because I don't like advertising. I keep it enabled for my own devices, apart from known malicious sources. Still, I don't want my kid being bombarded by advertising while using the iPad, and device-level ad blocking is tricky on iPadOS. So I cut it off at the source, blocking ads to that IP address and MAC address.
Related
4 Faster DNS resolution
Local caching means the sites I visit frequently are faster to browse
Unbound doesn't just resolve DNS queries to the nameservers. It also maintains a local DNS cache for everything you browse. That means every subsequent DNS query doesn't even leave your network, as your browser queries Unbound, which returns the cached information your browser needs to connect to the remote server to get the website data.
That makes your browsing snappier, and because it's not relying on external servers, it'll feel that fast every time, and won't be slowed down by external factors. I'm not sure about you, but waiting for DNS resolution and the next browser page to load is one of my biggest annoyances. It's weird for me to think about it, because I started using the internet in dial-up days, when a webpage could take minutes to load. But now that I have a fiber gigabit connection, every little slowdown makes me unreasonably irritated, and I want to minimize that friction as much as possible.
Related
I hosted my own DNS server using my NAS, and you can too
Self-hosting a DNS server makes your searches faster and more secure.
3 Full customizability and flexibility
I like being able to use local name resolution without relying on external nameservers
While the privacy aspects of running Unbound are a nice bonus to me, they're not the main reason that I self-host my DNS in this way. If it were simply about privacy, I'd use Quad9, which is encrypted, doesn't store any information about DNS queries, and blocks only domains known to serve malware. It's the ability to use custom DNS entries for devices or services on my network, allowing me to use friendly names instead of IP addresses when accessing them.
That's handy enough for things like printers, but it really comes into its own when paired with IP cameras, Home Assistant-attached devices, and of course, my home lab. Being able to set up internal domains and subdomains is an absolute lifesaver to me, allowing me to access my home media server or other self-hosted apps even if the internet connection goes down. Because I'm not reliant on Cloudflare for the nameservers of those domains, I can still access them, keeping my family entertained when connectivity to the outside internet is down.
Plus, I can set up subdomains and other records for those services behind a reverse proxy, or load balancers, or whatever new tools I'm playing with in my home lab, without having to go into the domain registrar accounts I hold, and wait for record changes to propagate across the nameservers on the internet. When it's a nameserver on my router, the process is completed instantly, and any changes are immediately reflected.
Related
2 Because it makes my network more resilient
DNS resolution is no longer affected by external factors
I used to use Cloudflare for all my domain and nameserver needs, and while I still use them now, I vastly prefer to handle things in-house when it's services that are running on my home network. I have my Docker containers and VMs all mapped to local domain names from their IP and port pairings, which makes things easier to manage when setting up reverse proxies or any other tool that connects to them. However, it also means that if my internet connection fails, my home lab still remains operational. And it helps the health of the internet as a whole, because the more local DNS queries I make, the less strain on the main DNS resolvers.
And I'm not losing any security or speed to do so. I've got secondary DNS resolvers set up just in case my Unbound installation is unreachable, although since that lives in my router, I think I've got bigger problems when it goes down.
Related
10 ways to make your home network more resilient to outages
Nobody likes having their home network offline, especially if they work from home.
1 It's more secure
Thanks to DNSSEC validation, I'm protected from DNS spoofing and cache poisoning
Unbound's own docs cite this as the first reason why you'd want to use it, and while it's not a primary motivator for me, it's no less important. DNSSEC uses an authentication chain to ensure your DNS responses are from the authoritative nameserver you want, and not from a man-in-the-middle attack trying to steer you to another site.
Cache poisoning works by attackers putting incorrect data into the local DNS caching servers, and because they're closer to your machine, that's the data you get when making a DNS request. That's how the internet works underneath, and it's devastatingly simple to sidestep the security protections. But DNSSEC uses certification methods to show DNS servers haven't been modified, so that you can trust the results from it. It's not used by everyone still, but it should be in my opinion, and also in those of most of the cybersecurity community. To have it built into Unbound makes my web browsing that much safer.
Unbound DNS makes my network faster, more secure, and more flexible
While my primary reason for using Unbound is to facilitate my home lab experiments without relying on external nameservers, it's also a powerful tool for controlling all aspects of my home network. It's safer, more secure, and more private than using an external DNS resolver, and it keeps local services running even if my internet goes out.
English (US) ·