Is it a bad idea to run unbound on TrueNAS

glen4cindy

Cadet
Joined
Nov 27, 2022
Messages
3
I've just spun up TrueNAS for the first time so I'm completely new to it. I've never used a NAS device before in a home setting.

I've got my system running on a 6 Core Ryzen 5 with 16 GB of RAM and currently three 500 GB hard drives.

I'm running TrueNAS-SCALE-22.02.4 and just deployed Truecharts PiHole.

Several older threads mentioned not running unbound on FreeNAS and suggested the reason that it wasn't meant for anything other than storage and that things like unbound should be run in a jail.

TrueNAS seems to be a bit different and those threads were pretty old.

Is it acceptable practice to install unbound using the guide on the Pi-Hole website?

Thanks in advance.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680

No, it's not. TrueNAS is an appliance and is not intended to be a general purpose Linux host for your hacking pleasure. You are expected to use either a virtual machine or a container (the Linux re-imagining of FreeBSD jails) to run these workloads, if you must. If you make changes to TrueNAS itself, expect that things might not work correctly, either immediately or down the road when you update or have to reinstall for some reason. Additionally, TrueNAS will have no way to be able to manage Unbound.

You will find many "old threads" around here, some a decade old, offering information that is still reasonably accurate and useful today. It may be a mistake to assume that a thread's age results in the advice becoming senile. There will be some cases where that isn't true, certainly, but better to be conservative.
 

glen4cindy

Cadet
Joined
Nov 27, 2022
Messages
3

Thanks for this great information. "TrueNAS is an appliance...." is the language I was looking for when I was writing my post.

Jails it is.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
On Scale, "jails" are containers. There may already be a workable nameserver of some sort offered by TrueCharts, I don't know, since I roll in the FreeBSD direction myself. If you have some specific reason for specifying "Unbound" rather than other options such as ISC BIND, that might artificially constrain your potential solution set.
 

glen4cindy

Cadet
Joined
Nov 27, 2022
Messages
3
I don't suppose I have a specific reason other than I had set unbound up with Pi-Hole under my current configuration before moving it to TrueNAS.
It's my understanding that using unbound helps keep you safer from DNS spoofing and keeps the non-authoritative DNS servers from compiling lists of my browsing history. I could be mistaken about this but that was the information I used when setting up unbound in the first place.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
It's my understanding that using unbound helps keep you safer from DNS spoofing

It does not. DNSSEC keeps you safer from DNS spoofing. Unbound can do DNSSEC, but that is not something it has an exclusive market on. ISC BIND does DNSSEC too, for example.

keeps the non-authoritative DNS servers from compiling lists of my browsing history.

Presumably you mean recursive DNS servers. Lots of DNS servers are non-authoritative; the .com servers, for example, which you rely on and cannot avoid, serve glue that serves to guide you to the proper authoritative servers for a 2LD zone in .com. This does not mean that any of these are "compiling lists of [your] browsing history." Those servers don't have an idea of the complete domain name you're asking for. That is more a function of using your ISP's DNS server, because they are ideally situated to tie your request (from your IP) to your identity (from your bill). They know what IP they assigned you, and indeed it has been (and probably still is) a thing that they are monetizing this data. Likewise, the Goog may be able to associate your usage of 8.8.8.8 with your Google identity by IP address.

The way you deal with this is to do as the designers intended, and run your own recursion DNS. But merely running Unbound or ISC BIND does not automatically and magically fix this. DNS requests are not encrypted, and can be snooped in-band, especially by your ISP.

This is one of the motivations behind DNS-over-HTTPS, which is another evil. Instead of trusting your lookups to be handled by your ISP, you're now outsourcing it to some random organization out on the Internet who probably has no business relationship with you; as the television station people will happily explain to you, you are the product. There's dumb and then there's dumber. But even here, this is not a "list of your browsing history" but rather just a list of domain names that were accessed while a web browser was rendering a page.

I could be mistaken about this but that was the information I used when setting up unbound in the first place.

Yeah, I know, there's a lot of lack of understanding about it all. The reason PiHole can work is because it is generally safe to throw advertising domain names into the void, generating a desirable form of lossy compression.
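To make the point above concrete, here are two unbound.conf files shown for contrast. This is an added example written for this edit; it is not part of the thread, the Pi-hole guide, or any container image. File A is the kind of configuration that turns Unbound into a mere forwarder: every lookup still leaves the LAN in cleartext toward 8.8.8.8, validation failures are waved through, and anyone who can reach the port may use the resolver. File B is what "run your own recursion" means in practice: iterate from the root hints, validate DNSSEC against the root trust anchor, send upstream servers only the labels they need, and answer only the LAN. The listener address and port, the 192.168.1.0/24 LAN range, the absence of IPv6 and the file paths under /var/lib/unbound are assumptions; adjust them to your network and to where your Unbound build keeps its state. Use one file or the other, never both at once.

```conf
# ===== File A: WEAK. Unbound as an open forwarder (added example, do not use) =====
# Every query is relayed upstream in cleartext, so the upstream operator and
# anyone on the path still sees the full names. "val-permissive-mode: yes"
# hands bogus (failed-signature) answers to clients instead of SERVFAIL.
server:
    interface: 0.0.0.0
    port: 53
    access-control: 0.0.0.0/0 allow        # open resolver: the whole internet may query it
    val-permissive-mode: yes                # DNSSEC failures are ignored
    hide-identity: no
    hide-version: no

forward-zone:
    name: "."
    forward-addr: 8.8.8.8                   # recursion outsourced to Google

# ===== File B: CORRECTED. Validating recursive resolver, LAN-only (added example) =====
server:
    interface: 0.0.0.0                      # assumption: bound inside a container/VM, not on the NAS host
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no                              # assumption: no IPv6 on this LAN

    # Only the LAN and the local host may query; everyone else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow    # assumption: your LAN range
    access-control: 0.0.0.0/0 refuse

    # Iterate from the root servers instead of forwarding. root.hints is the
    # IANA named.root file; root.key is created once with "unbound-anchor -a".
    root-hints: "/var/lib/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Strict validation: a zone whose signatures fail returns SERVFAIL, not data.
    val-permissive-mode: no
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-referral-path: yes
    harden-algo-downgrade: yes
    harden-large-queries: yes
    harden-short-bufsize: yes
    use-caps-for-id: yes                    # 0x20 case randomisation against cache poisoning

    # The .com servers only see "example.com", never the full hostname,
    # and the resolver does not advertise what software it runs.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes
    minimal-responses: yes
    deny-any: yes                           # refuse ANY queries (amplification fodder)

    # Never let an internet name resolve to a LAN address (DNS rebinding),
    # and keep EDNS payloads below the fragmentation threshold.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    edns-buffer-size: 1232
    prefetch: yes

remote-control:
    control-enable: no                      # no unbound-control socket exposed
```

Run `unbound-checkconf` against whichever file you keep before starting the daemon, then confirm that validation is really on rather than just configured: `dig @<resolver-ip> dnssec-failed.org` (a test zone with deliberately broken signatures) should come back SERVFAIL from file B but return an address from file A, and a query for a correctly signed name should show the `ad` flag in dig's flags line from file B only. If you run Unbound in a container rather than on the host, the same file goes wherever that image includes extra configuration from; the Docker Compose setup later in this thread mounts a `custom.conf.d` directory for that purpose, which is the image's convention, not something this example depends on.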
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
Several older threads mentioned not running unbound on FreeNAS and suggested the reason that it wasn't meant for anything other than storage and that things like unbound should be run in a jail.

Definitely don't want to try to run Unbound on the TrueNAS OS itself.

Personally, I run Unbound+Pihole on a pi. And then I use the Pihole application on TrueNAS as a backup DNS for when the primary one is upgrading. The TrueNAS application version does not include Unbound (and trying to add it would cause issues). But, for me, that is ok since it's just a backup and handles few requests. The page for that chart appears under construction. But, you can start here and click around for more info: https://truecharts.org/docs/charts/stable/pihole/

If you are open to change, it sounds like there are some advantages to the Pihole alternative "Blocky". I believe that does include the Unbound features out of the box too. So, you might want to look at that also. From the same repo: https://truecharts.org/docs/charts/enterprise/blocky/

[The reason I have the main DNS separate on a pi is that if you run your DNS on your server your entire network becomes dependent on your server running. I didn't like that upgrading the server would cause every machine on network to lose internet. And a pi is inexpensive! :) ]
 

axeleroy

Cadet
Joined
Oct 24, 2022
Messages
6
Hello!

As jgreco said, you should run unbound in a container (or a Charts app) instead of on TrueNAS directly.
I personally run PiHole and Unbound on my TrueNAS SCALE server, with the following setup:
  1. I installed the Docker-Compose app from TrueCharts and logged into it with the following command:
    Code:
    k3s kubectl exec -n ix-docker-compose --stdin --tty docker-compose-0 -- /bin/bash
  2. I then deployed the following stack using docker-compose:
    Code:
    version: '3'
    services:
      pihole:
        container_name: pihole
        image: pihole/pihole:2022.11
        depends_on:
          - unbound
        ports:
          - "<YOUR_FREENAS_IP>:53:53/tcp"
          - "<YOUR_FREENAS_IP>:53:53/udp"
          - "80:80/tcp"
        environment:
          TZ: "Europe/Paris"
          WEBPASSWORD: "<PASSWORD>"
          FTLCONF_LOCAL_IPV4: "<YOUR_FREENAS_IP>"
          FTLCONF_REPLY_ADDR4: "<YOUR_FREENAS_IP>"
          DNS1: "unbound"
          DNSMASQ_LISTENING: "all"
        volumes:
          - dnsmasq-d:/etc/dnsmasq.d
          - etc-pihole:/etc/pihole
        cap_add:
          - NET_ADMIN
          - CAP_NET_BIND_SERVICE
          - CAP_SYS_NICE
        restart: unless-stopped
        networks:
          - pihole-net
        dns:
         - 1.1.1.1
         - 127.0.0.1
    
      unbound:
        container_name: unbound
        image: klutchell/unbound:latest
        restart: unless-stopped
        networks:
          - pihole-net
        # volumes:
          # - unbound-config:/etc/unbound/custom.conf.d
    
    networks:
      pihole-net:
        name: pihole-net
     
    volumes:
      dnsmasq-d:
      etc-pihole:
      unbound-config:

    (note: I took inspiration from there, make changes to it as you see fit)
Also, if you're new to Docker and docker-compose, I advise you to install Portainer, which provides a nice GUI to manage containers and stacks.
 