
Using my own DNS resolver

Many years ago I used to have a home server. It was connected to elxwifi, a metropolitan area network built on WiFi, and also to the Internet.

It was hosting my blog and a few more things, so it kind of made sense to provide some services to the local network: a good firewall with QoS –back then residential connections didn’t have much upload bandwidth–, an HTTP proxy for caching, and a DNS resolver.

I was reading the other day how reCAPTCHA has wasted 819 million hours of human time and led to billions of dollars in profits by helping Google in their tracking business.

reCAPTCHA takes a pixel-by-pixel fingerprint of your browser, a real-time map of everything you do on the internet.

And Cloudflare Protection achieves a similar goal: when you are forced to “prove that you are human” it is just because they don’t have enough tracking information about you, so… you could be a bot. Because that is what differentiates humans from robots these days?

For whatever reason it bothered me that Mozilla uses DNS over HTTPS with Cloudflare, and although they have a clear privacy policy, big tech has exhausted any trust left in me.

And what about my Internet provider’s DNS resolver? Well, my provider –like many others– implements a DNS hijacking service, so if you try to resolve in your browser a domain that doesn’t exist, they redirect you to a landing page they own. This can be disabled, but we are back to trust –why is this opt-out?–.

I don’t have a 7x24 server at home, so today I’m not going to implement this for my whole local network, but I fancied the experiment with my machine.

Please take into account that this might not be a good idea for you. My PC never leaves my desk and it always uses my home connection, so the use case is not the same as if I was using a laptop on a coffee shop’s free WiFi. I would say using Mozilla’s DoH may be your best option!

I installed Unbound:

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards.

My OS is Debian 12, so I just ran:

sudo apt install unbound

The configuration is in /etc/unbound and there is a full commented example in /usr/share/doc/unbound/examples/unbound.conf.

I recommend reading the base configuration, but essentially Debian enables remote control on localhost, which is handy for checking stats and managing the service with the unbound-control tool as root.

I added a local.conf file in /etc/unbound/unbound.conf.d:

server:
  username: "unbound"
  directory: "/etc/unbound"
  do-ip6: no
  interface: 127.0.0.1
  port: 53

  cache-max-ttl: 14400
  cache-min-ttl: 1800

  hide-identity: yes
  hide-version: yes

I can’t remember if I had to do anything else, but it is managed by systemd, so you can run the usual commands, starting with systemctl status unbound.

Then I had to make two changes to use the new resolver:

  1. In NetworkManager, I edited my wired connection –yes, I don’t use WiFi in this machine–, setting the method to “Automatic (DHCP) addresses only” and the DNS servers to “127.0.0.1”. Then restart the connection to apply the changes. When all is done, your /etc/resolv.conf should look like this:

# Generated by NetworkManager
nameserver 127.0.0.1

  2. In Firefox, open settings and search for “DNS”. In “Enable DNS over HTTPS using”, select “Off, use your default DNS resolver”.

And that should be all.

I don’t have any scientific proof, but browsing feels snappier, and I guess it makes sense because for cached name resolutions there is no need to go to Cloudflare at all!

After a bit of browsing you can run unbound-control stats_noreset (the plain stats command resets the counters after printing them), and get something like:

thread0.num.queries=26297
thread0.num.queries_ip_ratelimited=0
thread0.num.cachehits=13232
thread0.num.cachemiss=13065
...

There is no need to be an expert to more or less understand what these mean.
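As an added example (not code from the post), here is a small Python script that parses the stats output above into a cache hit ratio and builds a minimal DNS query so you can check whether a resolver returns NXDOMAIN honestly or synthesises an answer, the hijacking behaviour described earlier. The random label under example.com and the probe function are my own construction.

```python
# Added example, not code from the post: offline checks for a local Unbound
# resolver. Standard library only; probe_nxdomain is the one function that hits the network.
import random
import socket
import struct

def parse_stats(text):
    """Turn `unbound-control stats_noreset` 'key=value' lines into {key: int}."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and value.strip().isdigit():
            stats[key.strip()] = int(value)
    return stats

def cache_hit_ratio(stats, thread="thread0"):
    """Share of queries answered from cache. cache-min-ttl: 1800 (as in the
    post's config) keeps records >= 30 min regardless of zone TTL, raising it."""
    hits = stats.get(f"{thread}.num.cachehits", 0)
    miss = stats.get(f"{thread}.num.cachemiss", 0)
    return hits / (hits + miss) if hits + miss else 0.0

def build_query(name, qtype=1, txid=0):
    """Minimal RFC 1035 recursive query (RD=1), type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode() for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(data):
    """Return transaction id, RCODE and answer count from a reply header."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0xF, "ancount": ancount}

def is_hijacked(resp):
    """A name that cannot exist must give NXDOMAIN (RCODE 3); NOERROR plus
    answers means the resolver synthesised a record (the ISP landing page)."""
    return resp["rcode"] == 0 and resp["ancount"] > 0

def probe_nxdomain(server="127.0.0.1", port=53, timeout=2.0):
    """Query a random label under example.com (which should not exist) and
    report whether SERVER hijacks NXDOMAIN; compare 127.0.0.1 with your ISP's."""
    txid = random.randrange(1 << 16)
    query = build_query(f"{random.randrange(1 << 32):08x}.example.com", txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(512)
    resp = parse_response(data)
    assert resp["id"] == txid, "reply is not for our query"
    return is_hijacked(resp)
```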

It was all very easy, and it took much more time to write this post than to set it up. This could be a good service to offer the local network, so perhaps I have finally found a good use for one of my Raspberry Pis!

Would you like to discuss the post? You can send me an email!