Unbound-anchor with VPN

Hi all,
I am new to Fedora and discovering it at the moment (v40).
One of the first things I did was to install a VPN for privacy. Got a dedicated application and am running it round the clock. As recommended, DNS resolution should be done by the VPN’s DNS servers.
However, unbound comes with Fedora and some programmes try and resolve DNS by quizzing 127.0.0.1 or 127.0.0.53, which I believe is used by unbound-anchor. That would bypass my VPN’s DNS resolving and I do not think I want to approve it, but the result is that some applications are blocked.
What should I do?
Thanks
Sal

Not necessary, it can also be routed over the VPN to any resolver close to the VPN endpoint, which works for most public DNS providers due to geobalancing.

Fedora is using systemd-resolved by default, not Unbound.

Import the VPN profile with NetworkManager and it should dynamically replace your upstream DNS with the ones specified in the VPN profile when you activate the VPN connection.

You can check the settings like this:

resolvectl --no-pager status

See also: DNS leak test

Thanks.

Not necessary, it can also be routed over the VPN to any resolver close to the VPN endpoint, which works for most public DNS providers due to geobalancing.

Yes, but since I use a VPN, I do not want to stand out by using a DNS provider that is not my VPN provider. Good practice is to use the VPN’s DNS when using a VPN.

Fedora is using systemd-resolved by default, not Unbound.

I beg to differ. I did not install Unbound and I definitely see connection by Unbound-anchor.

resolvectl --no-pager status

When I do this, my VPN connection (wg0-[VPN]) gives the VPN’s DNS, but another (wlo1) does list public DNS servers (1.1.1.1, 8.8.8.8, etc.), which I want to make sure I am not using. Any way to remove them?

You’re more likely to stand out by not using a public DNS provider.

I think it is best to encrypt DNS traffic, leaving no chance of it being sniffed or spoofed by anyone, including the VPN provider, who might one day have some ulterior motive.

Please don’t confuse the unbound and unbound-anchor packages.

In fact, only the resolvers marked with +DefaultRoute are relevant unless a specific domain is used, but you can still override them entirely:

nmcli connection modify VPN_CON \
    ipv4.dns-priority -1 \
    ipv6.dns-priority -1
nmcli connection up VPN_CON
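A way to check for the +DefaultRoute situation described above, as an added example that is not part of the original post: it parses `resolvectl --no-pager status` output (here a constructed sample using the thread's interface names wlo1 and wg0-VPN, with wg0-VPN standing in for the real VPN link name) and reports whether any link other than the VPN still carries +DefaultRoute, both before and after the dns-priority change.

```shell
#!/bin/sh
# Parse the output of `resolvectl --no-pager status` and report which links
# carry +DefaultRoute, i.e. which resolvers systemd-resolved will use for
# ordinary lookups. Any non-VPN link in that list can still answer queries
# outside the tunnel. Link names below come from the thread; the status
# text is constructed to mirror the situation described there.
SAMPLE_LEAK='Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 2 (wlo1)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 1.1.1.1 8.8.8.8

Link 5 (wg0-VPN)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.64.0.1'

# The same status after `nmcli connection modify VPN_CON ipv4.dns-priority -1`:
# the Wi-Fi link loses +DefaultRoute, so only the VPN resolver is consulted.
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_LEAK" | sed '/^Link 2/,/^$/s/+DefaultRoute/-DefaultRoute/')

# Print, one per line, the link names whose Protocols line has +DefaultRoute.
default_route_links() {
    awk '
        /^Link [0-9]+ [(]/ { link = $3; sub(/^[(]/, "", link); sub(/[)]$/, "", link) }
        /Protocols:/ && /\+DefaultRoute/ && link != "" { print link }
    '
}

# Succeed only if the VPN link ($1) is the sole link carrying +DefaultRoute.
only_vpn_has_default_route() {
    vpn="$1"
    links=$(default_route_links)
    printf '%s\n' "$links" | grep -qxF "$vpn" || return 1      # VPN does not route DNS at all
    printf '%s\n' "$links" | grep -vxF "$vpn" | grep -q . && return 1  # another link does too
    return 0
}

for name in SAMPLE_LEAK SAMPLE_FIXED; do
    eval "status=\$$name"
    if printf '%s\n' "$status" | only_vpn_has_default_route wg0-VPN; then
        echo "$name: only wg0-VPN routes DNS"
    else
        echo "$name: DNS may leak via: $(printf '%s\n' "$status" | default_route_links | grep -vxF wg0-VPN | tr '\n' ' ')"
    fi
done
```

On a live system, replace the sample with `resolvectl --no-pager status | only_vpn_has_default_route <your VPN link>`.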

You’re more likely to stand out by not using a public DNS provider.

I’ll disagree with you on that one. Most users of a VPN (and those users can easily be tied to that VPN) will use the VPN’s DNS because that’s the default setting. So to blend with that crowd, you should not change your DNS settings and stick to the VPN’s DNS.

I think it is best to encrypt DNS traffic

Any good VPN provider also providing DNS encrypts DNS. And if you’re going to trust a VPN with your traffic, you can also trust them with DNS. You’re shifting the trust, but down the line you always have to trust someone.

Please don’t confuse the unbound and unbound-anchor packages.

Ah. Now there might be my mistake, thanks!

you can still override them entirely:

Thanks, I’ll give that a try.


This is more of splitting trust than just shifting it.
As they say, you shouldn’t put all your eggs in one basket. :wink:

That’s something that I usually adhere to, but not in this very case. What exactly is the point of hiding your DNS from your VPN provider? Even if they don’t see your DNS requests, they can still see what websites you actually connect to. I mean, am I missing something here? If you trust the VPN with the connections themselves, then there is nothing more they get by knowing your DNS requests that they don’t already know. In this case, by “splitting trust”, you actually end up giving your data to two entities instead of one.