
1. tion thing.

Updates
10 Apr 2018 – Thanks to comments from Quentin and TJ I’ve added the access-control line to the server
config. Also check out Quentin’s repo (and Docker Hub) for putting Unbound into a Docker container.

Note
[1] Almost 4 seconds is ridiculous, but that’s what I’m getting with a Pi on a WiFi link to a US cable
connection. From my home network it’s more like 160ms. I suspect that Spectrum might
be tarpitting TCP to 1.1.1.1


Filed under: howto, networking, Raspberry Pi | 10 Comments


Tags: 1.1.1.1, CloudFlare, DNS, privacy, Raspberry Pi, tls, Unbound

10 Responses to “Howto: secure your DNS with a Raspberry Pi, Unbound and Cloudflare 1.1.1.1”


Quentin on April 9, 2018 said:

Hey, thanks for the tutorial ! I’m trying to connect to my Raspberry Pi directly from my Windows 10
computer. So I set the DNS server to the LAN IP address of my Raspberry Pi but it seems like it tries to
connect on port 53 UDP only (which fails) and not 53 TCP. Any idea how to resolve this ? Thanks!

Chris Swan on April 9, 2018 said:

The clients should be connecting on 53 UDP, so that’s fine, but a firewall (on the Pi) could be
standing between the Windows PC and the Pi. Are you using nslookup on the PC to test (using
‘server yo.ur.pi.ip’ so that’s). You can also use netstat on the Pi to see the incoming
connections.
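The check discussed above (does the Pi answer on 53/UDP and 53/TCP, and with what result?) can be done without nslookup or netstat. The script below is an added example, not code from the post or from any commenter: it hand-builds a minimal A query, sends it over the chosen transport and decodes the response header, so a refused query shows up as RCODE REFUSED rather than a bare "timed out". The resolver address, query name and port are assumptions passed on the command line; the test bytes are constructed.

```python
"""Probe a resolver over UDP and TCP port 53 and report what each transport returns.

Added example (not from the post or its comments). A REFUSED answer points at the
resolver's client access control; no answer at all points at a firewall, a port
mapping or the transport being disabled.
"""
import random
import socket
import struct

# RCODE names from RFC 1035; 5 (REFUSED) is what a resolver returns when the
# client's source address is not permitted to query.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qid: int) -> bytes:
    """Encode a recursive (RD=1) A/IN query for `name` with transaction id `qid`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # flags RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, expected_qid: int) -> dict:
    """Decode a response header; reject short, mismatched or non-response messages."""
    if len(data) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return {"rcode": rcode, "rcode_name": RCODES.get(rcode, str(rcode)),
            "answers": ancount, "truncated": bool(flags & 0x0200)}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf


def probe(server: str, transport: str, name: str = "example.com",
          port: int = 53, timeout: float = 3.0) -> dict:
    """Query `server` over "udp" or "tcp"; return the parsed header or {"error": ...}."""
    qid = random.randrange(65536)
    query = build_query(name, qid)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, port))
                data, _peer = s.recvfrom(4096)
        else:
            # RFC 1035 4.2.2: over TCP each message carries a two-byte length prefix.
            with socket.create_connection((server, port), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", recv_exact(s, 2))
                data = recv_exact(s, length)
        return parse_response(data, qid)
    except (OSError, ValueError) as exc:
        return {"error": f"{transport}/{port}: {exc}"}


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed default
    for transport in ("udp", "tcp"):
        print(transport, probe(resolver, transport))
```

Run it once inside the container, once on the Pi and once from a LAN client; the transport that changes from NOERROR to an error between those hops is where the firewall or port mapping sits.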

qmcgaw on April 10, 2018 said:

Hi Chris, thanks for your reply ! Hopefully I won’t go too much out of scope from the
Raspberry Pi ! I’m trying to run unbound on a Docker container (based on Alpine, quite
simple) to connect to Cloudflare 1.1.1.1 over TLS. Using nslookup.exe, when I enter
`server 192.168.1.210` (IP of my Docker host – NAS machine) I obtain:

    Default Server: [192.168.1.210]
    Address: 192.168.1.210

and I would obtain a “DNS request timed out.” if the container is not running, as
expected. That’s promising. On the other hand, when configuring it in the Internet
Protocol Version 4 (TCP/IPv4) of the Ethernet adapter properties in Windows 10, I still
obtain the error “Your DNS server might be unavailable”. If the container is not
running, I obtain the expected error “The DNS server isn’t responding”.

My unbound configuration is:

    server:
        verbosity: 5
        qname-minimisation: yes
        do-tcp: yes
        prefetch: yes
        rrset-roundrobin: yes
        use-caps-for-id: yes
        do-ip4: yes
        do-ip6: yes
        interface: 0.0.0.0
    forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853
        forward-addr: 1.0.0.1@853
        forward-addr: 2606:4700:4700::1111@853
        forward-addr: 2606:4700:4700::1001@853
        forward-ssl-upstream: yes

The repository is available at https://github.com/qdm12/cloudflare-dns-server if you
want to have a look. Thanks !

Chris Swan on April 10, 2018 said:

Docker adds some complexity around port mapping, but looking at your Dockerfile and
docker-compose.yml you have that all figured out.

So it becomes the usual step by step troubleshooting process…

1. Throw dig (and bash) into the container, and get a shell to it and test from within
2. Test from the Pi itself
3. Test from beyond the Pi

One of the other comments noted that they had to add an ‘access-control:
th.ey.re.net/CIDR’ which wasn’t needed for my testing, but that might also be worth a
shot.

qmcgaw on April 10, 2018 said:

Hi Chris, thanks again for the help. It’s now working and was indeed caused by the
access-control setting in unbound.conf. Thanks to TJ for the help as well ! Now the
container is fully working with “access-control: 0.0.0.0/0”.

Chris Swan on April 10, 2018 said:

Cool – I’m glad to hear you got it working. I’ve backported that line into the post and
noted your repo in an update. Will you be putting it on Docker Hub (as I can link to that
too and provide an example Docker run line)?

qmcgaw on April 10, 2018 said:

It’s at https://hub.docker.com/r/qmcgaw/cloudflare-dns-server

Note that 0.0.0.0/0 might be too permissive, I will test with more restrictive
configurations.

Chris Swan on April 10, 2018 said:
0.0.0.0/0 is a good match for the interface: 0.0.0.0, and yes it’s permissive, but if
somebody’s opening up their Pi to the outside world then this parameter isn’t what
they should be depending on for access control.

TJ on April 10, 2018 said:

Thank you for the nice writeup. FWIW, I had to add an access control to the unbound configuration file
to get it to work with my local network clients (I think unbound blocks everything but localhost by
default). I added the following to unbound_srv.conf (my local network is 10.0.0.0/24) and it worked:
    access-control: 10.0.0.0/24 allow

Again – thanks for taking the time to write this up – very helpful.

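The thread above turns on three configuration details: Unbound only answers loopback clients unless an `access-control: ... allow` line covers the LAN (TJ's fix), `access-control: 0.0.0.0/0 allow` works but is not a line to rely on for access control (Chris's remark), and the upstream only stays private if the `@853` forwarders are actually used over TLS. The linter below is an added example, not code from the post, the comments or the Unbound project: it parses the flat `key: value` layout as pasted in the thread and reports those pitfalls. The embedded sample is a copy of qmcgaw's posted configuration; the `tls-cert-bundle` and `forward-tls-upstream` checks refer to options that exist in later Unbound releases than the thread discusses, and the finding codes are this example's own.

```python
"""Lint an unbound.conf for the pitfalls discussed in the comment thread.

Added example (not from the post, the comments or the Unbound project).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Config = Dict[str, List[Tuple[str, str]]]   # section name -> [(key, value), ...]
SECTIONS = ("server", "forward-zone", "stub-zone", "remote-control")

# Constructed sample: qmcgaw's configuration as posted in the thread.
SAMPLE_THREAD = """
server:
verbosity: 5
qname-minimisation: yes
do-tcp: yes
prefetch: yes
rrset-roundrobin: yes
use-caps-for-id: yes
do-ip4: yes
do-ip6: yes
interface: 0.0.0.0
forward-zone:
name: "."
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-addr: 2606:4700:4700::1111@853
forward-addr: 2606:4700:4700::1001@853
forward-ssl-upstream: yes
"""


def parse_unbound(text: str) -> Config:
    """Parse `section:` headers and `key: value` lines into a dict of sections.

    A `#` starts a comment only at line start or after whitespace, so the
    `#authname` suffix Unbound accepts on forward-addr survives. Curly quotes,
    as produced by pasting into a blog comment, are normalised to plain ones.
    """
    cfg: Config = {}
    section = "server"
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        line = line.replace("\u201c", '"').replace("\u201d", '"')
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not sep:
            continue
        if value == "" and key in SECTIONS:
            section = key
            cfg.setdefault(section, [])
            continue
        cfg.setdefault(section, []).append((key, value))
    return cfg


def values(cfg: Config, section: str, key: str) -> List[str]:
    return [v for k, v in cfg.get(section, []) if k == key]


def lint(cfg: Config) -> List[Tuple[str, str]]:
    """Return (code, message) findings; codes are this example's own names."""
    findings: List[Tuple[str, str]] = []

    # 1. Who may query? Unbound's built-in default allows only loopback clients.
    interfaces = values(cfg, "server", "interface") or ["127.0.0.1"]
    remote_listen = any(
        not ipaddress.ip_address(i.split("@")[0]).is_loopback for i in interfaces)
    allowed = []   # networks granted allow / allow_snoop / allow_setrd
    for acl in values(cfg, "server", "access-control"):
        parts = acl.split()
        if len(parts) == 2 and parts[1].startswith("allow"):
            allowed.append(ipaddress.ip_network(parts[0], strict=False))
    if remote_listen and not any(not n.is_loopback for n in allowed):
        findings.append(("NO-CLIENT-ACL",
                         "listening beyond loopback but no access-control allows remote "
                         "clients; LAN queries will be REFUSED"))
    for net in allowed:
        if net.prefixlen == 0:
            findings.append(("OPEN-ACL",
                             f"access-control {net} allow: any host that can reach port 53 "
                             "may query; a host or network firewall must do the filtering"))

    # 2. Is the upstream path really DNS over TLS?
    fz = cfg.get("forward-zone", [])
    to_853 = [v for k, v in fz if k == "forward-addr" and v.split("#")[0].endswith("@853")]
    tls_on = any(k in ("forward-ssl-upstream", "forward-tls-upstream") and v == "yes"
                 for k, v in fz)
    if to_853 and not tls_on:
        findings.append(("PLAINTEXT-TO-853",
                         "forward-addr targets port 853 but forward-ssl-upstream is not yes"))
    if tls_on and "no" in values(cfg, "server", "do-tcp"):
        findings.append(("TCP-DISABLED", "do-tcp: no breaks DNS over TLS, which needs TCP"))
    if tls_on and not values(cfg, "server", "tls-cert-bundle"):
        findings.append(("UNAUTHENTICATED-TLS",
                         "no tls-cert-bundle: the upstream certificate is not validated, so "
                         "TLS stops eavesdropping but not an active on-path forwarder"))
    return findings


def lint_text(text: str) -> List[str]:
    """Convenience wrapper returning only the finding codes."""
    return [code for code, _ in lint(parse_unbound(text))]


if __name__ == "__main__":
    for code, msg in lint(parse_unbound(SAMPLE_THREAD)):
        print(f"{code}: {msg}")
```

On the posted sample this reports exactly the problem the thread hit (no client ACL) plus the unauthenticated upstream; adding TJ's `access-control: 10.0.0.0/24 allow` clears the first, while `0.0.0.0/0 allow` trades it for the permissive-ACL finding.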
