
DoH on FF or Chrome

40H3X 30 Nov 2019

Any comments like on opt-in or opt-out...

WanWizard 30 Nov 2019

DoH?


40H3X 30 Nov 2019

Sorry, you're right, so let me enlighten: Firefox is now actively rolling out DNS over HTTPS (DoH) https://support.mozi...lication-dnsnet. The DNS server they prefer will not be the one from your provider, but Cloudflare in FF. Although encrypting your DNS requests seems a good thing, for instance in reducing the risk of a man-in-the-middle attack, letting your browser choose a DNS server for you might not be, as it provides this server with a huge amount of data.

WanWizard 30 Nov 2019

Ah, I was thinking Homer Simpson. ;)


I won't use it, as I use both a local DNS server (for local/internal domains) and a local hosts file to be able to override DNS (when I'm testing). Apart from all the privacy concerns, but that is currently already an issue with using Google or Cloudflare DNS...

40H3X 30 Nov 2019

LoL, :D


Erik Slagter 14 Dec 2019

I don't see the advantage there? Replacing one villain by another?


MITM attack is prevented by DNSSEC but it's just as popular as IPv6  :huh:


Best way is to run your own DNS server and have it bypass your provider's DNS server, make it query the root servers.


On the other hand, I myself am not very secretive about what DNS records I am fetching. You should know that about 75% of all DNS requests are not under your control but are e.g. a result of fetching an HTML page which contains lots of referrals to third parties (think spammers, trackers, etc). So one can never be held responsible for obtaining a certain DNS record.

40H3X 14 Dec 2019

> Best way is to run your own DNS server and have it bypass your provider's DNS server, make it query the root servers.

That is my conclusion also, after considering the following:


With encrypted DNS, the DNS requests to and from the upstream provider are not visible to your ISP or others, and the reply you get is the answer that was sent, as it travels an encrypted path. However, you have to trust the upstream provider with your DNS history, and to not filter or alter any of the DNS replies it sends you. Additionally, even though your ISP cannot see the DNS requests, you will immediately follow the DNS reply with an unencrypted request for that IP address, and your ISP can quickly determine where you are browsing ;)


So I use unbound; this way you avoid upstream providers completely and this local resolver (unbound) deals directly with the authoritative name servers (the same ones the upstream providers use). The DNS traffic is not encrypted, but it is authenticated with DNSSEC, so the reply you receive is validated as being the answer that was sent.

Unbound uses a few techniques to send as little data to the nameservers as possible and to maximize your privacy - qname minimisation is one method. Since you communicate directly with the authoritative name servers, the replies are not filtered in any way. Unbound also has a very efficient cache, so after it’s been in use for a while it does not have to communicate with the name servers as often. Most users find that unbound is typically faster overall than using an upstream provider, once the cache is populated.


So for these reasons, I prefer unbound to encrypted DNS:

  1. No upstream DNS provider has your DNS history.
  2. The results are unfiltered.
  3. You have equal assurance that the DNS traffic has not been altered in transit.
  4. There is no less privacy from the ISP.
  5. Generally faster.
  6. I have complete control over my DNS resolver.

The last one I think is the most important to me, and for those who want privacy, I would recommend a VPN service ;)

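For the unbound setup described in the post above (no upstream provider, direct iteration to the authoritative servers, DNSSEC validation, qname minimisation, caching), and WanWizard's local override use case, here is an added example unbound.conf that is not from either poster. The file paths are assumptions and differ per distribution; the local-zone entry uses a constructed internal name.

```conf
server:
    # Listen only on loopback and answer only local clients.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Iterate from the root hints instead of forwarding to a provider.
    # Assumed path; fetch the file from the root-servers.org hints page.
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation: trust anchor maintained by unbound-anchor (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-referral-path: yes

    # Send each authoritative server only the labels it needs.
    qname-minimisation: yes
    qname-minimisation-strict: no

    # Cache behaviour: refresh popular names before they expire.
    prefetch: yes
    prefetch-key: yes
    cache-min-ttl: 0

    # Leak as little about the resolver itself as possible.
    hide-identity: yes
    hide-version: yes
    minimal-responses: yes

    # Log validation failures (BOGUS answers) so they can be investigated.
    val-log-level: 1
    verbosity: 1

    # Local override for an internal name (constructed example, replaces a
    # hosts-file entry); answered from here, never sent upstream.
    local-zone: "lab.internal." static
    local-data: "nas.lab.internal. IN A 192.0.2.10"

# Deliberately absent: a forward-zone such as
#   forward-zone:
#       name: "."
#       forward-addr: <upstream provider IP>
# Adding one would hand your full query history to that provider,
# which is exactly what the setup above avoids.
```

Check the file with `unbound-checkconf` and, once running, `unbound-host -C /etc/unbound/unbound.conf -v example.com` prints `(secure)` for a validated answer and `(BOGUS ...)` for one that failed validation.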