Updates
10 Apr 2018 – Thanks to comments from Quentin and TJ I’ve added the access-control line to the server
config. Also check out Quentin’s repo (and Docker Hub) for putting Unbound into a Docker container.
Note
[1] Almost 4 seconds is ridiculous, but that’s what I’m getting with a Pi on a WiFi link to a US cable
connection. From my home network it’s more like 160ms. I suspect that Spectrum might
be tarpitting TCP to 1.1.1.1
10 Responses to “Howto: secure your DNS with a Raspberry Pi, Unbound and Cloudflare 1.1.1.1”
Hey, thanks for the tutorial! I’m trying to connect to my Raspberry Pi directly from my Windows 10
computer. So I set the DNS server to the LAN IP address of my Raspberry Pi but it seems like it tries to
connect on port 53 UDP only (which fails) and not 53 TCP. Any idea how to resolve this? Thanks!
The clients should be connecting on 53 UDP, so that’s fine, but a firewall (on the Pi) could be
standing between the Windows PC and the Pi. Are you using nslookup on the PC to test (using
‘server yo.ur.pi.ip’ so that’s). You can also use netstat on the Pi to see the incoming
connections.
Hi Chris, thanks for your reply! Hopefully I won’t go too much out of scope from the
Raspberry Pi! I’m trying to run unbound on a Docker container (based on Alpine, quite
simple) to connect to Cloudflare 1.1.1.1 over TLS. Using nslookup.exe, when I enter
`server 192.168.1.210` (IP of my Docker host – NAS machine) I obtain:
and I would obtain a “DNS request timed out.” if the container is not running, as
expected. That’s promising. On the other hand, when configuring it in the Internet
Protocol Version 4 (TCP/IPv4) of the Ethernet adapter properties in Windows 10, I still
obtain the error “Your DNS server might be unavailable”. If the container is not
running, I obtain the expected error “The DNS server isn’t responding”.
server:
    verbosity: 5
    qname-minimisation: yes
    do-tcp: yes
    prefetch: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes
    do-ip4: yes
    do-ip6: yes
    # listen on every IPv4 address; note there is no access-control line,
    # so Unbound's default applies and only localhost is allowed to query
    interface: 0.0.0.0
forward-zone:
    name: "."
    # Cloudflare resolvers on 853 (DNS over TLS), IPv4 and IPv6
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 2606:4700:4700::1111@853
    forward-addr: 2606:4700:4700::1001@853
    forward-ssl-upstream: yes
Docker adds some complexity around port mapping, but looking at your Dockerfile and
docker-compose.yml you have that all figured out.
1. Throw dig (and bash) into the container, and get a shell to it and test from within
2. Test from the Pi itself
3. Test from beyond the Pi
One of the other comments noted that they had to add an ‘access-control:
th.ey.re.net/CIDR’ which wasn’t needed for my testing, but that might also be worth a
shot.
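The three test stages above can be driven by one small script. This is an added example, not code from the post or from qmcgaw's repo: it assumes dig is installed wherever it runs, and the RESOLVER variable and the dig_status/probe function names are mine. It queries over UDP and TCP separately, since the first comment in this thread shows a client that only ever tries UDP, and reduces each answer to its RCODE so the three stages can be compared side by side.

```shell
#!/bin/sh
# Added example (not from the original post or qmcgaw's repository).
# Probe a resolver over UDP and TCP separately and report the RCODE for each.
# Assumes dig is installed where the script runs.

# Extract the RCODE ("NOERROR", "REFUSED", ...) from dig's output, or print
# NO_RESPONSE if dig never got an answer. Pure text parsing, so it can be
# checked against captured dig output without any network.
dig_status() {
    # $1: the complete output of one dig run
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo NO_RESPONSE
    else
        echo "$status"
    fi
}

# Query one resolver over one transport; prints "<transport> <status>".
# $1 resolver IP, $2 transport (udp|tcp), $3 name to look up (optional)
probe() {
    resolver=$1; transport=$2; name=${3:-cloudflare.com}
    case "$transport" in
        # +ignore stops dig from silently retrying a truncated UDP answer over TCP,
        # so a UDP-only failure cannot be masked by a working TCP path
        udp) flags="+notcp +ignore" ;;
        tcp) flags="+tcp" ;;
        *) echo "unknown transport: $transport" >&2; return 2 ;;
    esac
    out=$(dig "@$resolver" "$name" A $flags +time=3 +tries=1 2>&1) || true
    echo "$transport $(dig_status "$out")"
}

# Stage 1 runs inside the container (RESOLVER=127.0.0.1), stage 2 on the Pi or
# Docker host, stage 3 from a LAN client, each pointing RESOLVER at the
# address the clients will use. NOERROR at stage 1 but REFUSED beyond it is
# the access-control symptom discussed in this thread (Unbound refuses
# non-localhost sources by default); NO_RESPONSE on one transport only points
# at a firewall rule or a port mapping that covers tcp/53 but not udp/53, or
# the reverse.
if [ -n "$RESOLVER" ]; then
    probe "$RESOLVER" udp
    probe "$RESOLVER" tcp
fi
```

Run it as `RESOLVER=192.168.1.210 sh probe.sh` from each vantage point; with RESOLVER unset it only defines the functions, which is what lets the parser be tested offline.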
Hi Chris, thanks again for the help. It’s now working and was indeed caused by the
access-control setting in unbound.conf. Thanks to TJ for the help as well! Now the
container is fully working with “access-control: 0.0.0.0/0”.
Cool – I’m glad to hear you got it working. I’ve backported that line into the post and
noted your repo in an update. Will you be putting it on Docker Hub (as I can link to that
too and provide an example Docker run line)?
It’s at https://hub.docker.com/r/qmcgaw/cloudflare-dns-server
Note that 0.0.0.0/0 might be too permissive, I will test with more restrictive
configurations.
Thank you for the nice writeup. FWIW, I had to add an access control to the unbound configuration file
to get it to work with my local network clients (I think unbound blocks everything but localhost by
default). I added the following to unbound_srv.conf (my local network is 10.0.0.0/24) and it worked:
access-control: 10.0.0.0/24 allow
Again – thanks for taking the time to write this up – very helpful.
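Pulling the thread together: qmcgaw's `access-control: 0.0.0.0/0` turns Unbound into a resolver that answers anyone who can reach port 53, which becomes an open resolver the moment that port is exposed beyond the LAN, while TJ's per-network allow is the shape you want. The following is an added example, not the post's or either commenter's configuration: it restates the unbound.conf from the thread with the permissive line shown next to a restricted one, and adds upstream certificate validation for the TLS forwarder. The LAN range 192.168.1.0/24 and the CA bundle path are assumptions to adjust.

```conf
# Added example, not from the original post or qmcgaw's repository.
# Replace 192.168.1.0/24 with your own LAN range.
server:
    verbosity: 1
    interface: 0.0.0.0
    interface: ::0
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    qname-minimisation: yes
    prefetch: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes

    # Too permissive: every source address is allowed, so if tcp/udp 53 is
    # ever reachable from the internet this is an open resolver.
    #access-control: 0.0.0.0/0 allow

    # Restricted: localhost and the LAN may query, everything else gets
    # REFUSED. The CIDR must match the source address Unbound actually sees;
    # inside a container that can be a Docker network address rather than the
    # LAN client's, so check with log-queries before tightening the range.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    # Log each query with its source address while testing; turn off afterwards.
    log-queries: yes

    # Without a CA bundle the TLS forwarder encrypts but does not authenticate
    # the upstream. Requires Unbound 1.7.0 or later; the path shown is the
    # Debian/Raspbian and Alpine ca-certificates location (assumed).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # The #hostname suffix names the certificate subject Unbound should verify.
    # It needs a newer Unbound than the one this thread was written against;
    # on older releases drop the suffix (chain is still checked, hostname is not).
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

Run `unbound-checkconf /etc/unbound/unbound.conf` after editing; it rejects unknown options, which is how you find out whether your installed release supports `tls-cert-bundle` or the `#hostname` form before the daemon refuses to start.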