Pages in this thread: 1 | [2] | 3 | (show all)
Standard User smouty
(member) Fri 10-Sep-21 08:34:31

Re: Learn me DNS over TLS


[re: severedsolo]
 
Ideally use unbound for DNS if you can. It uses the authoritative servers only so DNS requests are distributed.

OPNSense
PiHole
Unifi for Wifi
Standard User aidanh
(learned) Fri 10-Sep-21 09:01:54

Re: Learn me DNS over TLS


[re: smouty]
 
Unbound won't help you if your goal is to protest an overreaching surveillance state. Unbound does support encrypted DNS but most of the authoritative nameservers won't so your queries will be made using plain unencrypted DNS on port 53 which is all too easy for anyone on the network path to see.

If you can set up Unbound to act as a forwarding resolver in front of an encrypted resolver you trust, that would be better. I run a setup like this on my network, only I use bind instead of Unbound; it serves internal DNS records for my LAN and forwards external queries to a local dnscrypt-proxy.
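For readers who want to see what the forwarding arrangement described above looks like in Unbound, here is an added illustration (not aidanh's own configuration, which uses bind and dnscrypt-proxy). The upstream address 192.0.2.53, the TLS name resolver.example and the trust-anchor and CA bundle paths are placeholders to be replaced with values for your own system and chosen resolver.

```conf
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # DNSSEC validation still happens locally even when forwarding
    # (path is a placeholder; distributions differ)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # CA bundle used to verify the upstream's TLS certificate; without it
    # forward-tls-upstream has nothing to check the certificate against
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Plaintext forwarding (the weak form): every query leaves on port 53 in
# the clear and is readable by anyone on the network path.
#forward-zone:
#    name: "."
#    forward-addr: 192.0.2.53

# DoT forwarding: the same queries, but inside TLS to port 853, with the
# upstream's certificate checked against the name after '#'.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#resolver.example
```

With the forward-zone for "." in place, Unbound no longer walks the tree from the root servers itself; only the chosen upstream sees your queries, and only over TLS. Check the result with `unbound-checkconf` before reloading, and confirm with a packet capture that nothing leaves on port 53.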

Standard User Oliver341
(eat-sleep-adslguide) Sun 12-Sep-21 01:09:18

Re: Learn me DNS over TLS


[re: smouty]
 
In reply to a post by smouty:
Ideally use unbound for DNS if you can. It uses the authoritative servers only so DNS requests are distributed.

Unbound will recursively query all servers from the authoritative servers upwards, and all stamped with your IP address. It's not "private" in the slightest.

Oliver.


Standard User smouty
(member) Sun 12-Sep-21 07:51:48

Re: Learn me DNS over TLS


[re: Oliver341]
 
In reply to a post by Oliver341:
In reply to a post by smouty:
Ideally use unbound for DNS if you can. It uses the authoritative servers only so DNS requests are distributed.

Unbound will recursively query all servers from the authoritative servers upwards, and all stamped with your IP address. It's not "private" in the slightest.


It isn't private and it was never mentioned, but at least all your DNS requests are not going to one place. Once queried, the request is served from cache.

I don't think there is a 'magic bullet' for total security yet so choose the best option for you.

OPNSense
PiHole
Unifi for Wifi

Edited by smouty (Sun 12-Sep-21 07:56:24)

Standard User Oliver341
(eat-sleep-adslguide) Sun 12-Sep-21 08:04:03

Re: Learn me DNS over TLS


[re: smouty]
 
In reply to a post by smouty:
It isn't private and it was never mentioned but at least all your DNS requests are not going to one place.

How is that a good thing? Rather than your IP address going to one place for DNS queries, it is sent all over the internet.

Oliver.
Standard User smouty
(member) Sun 12-Sep-21 11:58:43

Re: Learn me DNS over TLS


[re: Oliver341]
 
In reply to a post by Oliver341:
In reply to a post by smouty:
It isn't private and it was never mentioned but at least all your DNS requests are not going to one place.

How is that a good thing? Rather than your IP address going to one place for DNS queries, it is sent all over the internet.


A centralised DNS provider will have a record of every DNS lookup you have made, which may be an issue unless you implicitly trust them not to keep/sell/pass it on, etc.

OPNSense
PiHole
Unifi for Wifi
Standard User Oliver341
(eat-sleep-adslguide) Sun 12-Sep-21 12:24:48

Re: Learn me DNS over TLS


[re: smouty]
 
In reply to a post by smouty:
A centralised DNS provider will have a record of every DNS lookup you have made which may be an issue unless you implicitly trust them not to keep/sell/pass on etc.

Yes, you have a choice of which DNS provider you use and you can review their privacy policy, ascertain your trust in them, etc.

Whereas with Unbound you are sending queries all over the place with your IP address with no knowledge of the various servers' data collection and sharing policies.

Oliver.
Standard User smouty
(member) Mon 13-Sep-21 13:54:57

Re: Learn me DNS over TLS


[re: Oliver341]
 
In reply to a post by Oliver341:
In reply to a post by smouty:
A centralised DNS provider will have a record of every DNS lookup you have made which may be an issue unless you implicitly trust them not to keep/sell/pass on etc.

Yes you have choice of which DNS provider you use and you can review their privacy policy, ascertain your trust in them, etc.

Whereas with Unbound you are sending queries all over the place with your IP address with no knowledge of the various servers' data collection and sharing policies.


Just to turn this around a bit: what is the issue with sending queries 'all over the place', apart from what you have mentioned?

OPNSense
PiHole
Unifi for Wifi
Standard User Oliver341
(eat-sleep-adslguide) Mon 13-Sep-21 14:14:42

Re: Learn me DNS over TLS


[re: smouty]
 
In reply to a post by smouty:
What is the issue with sending queries 'all over the place' apart from what you have mentioned?

Whether it's an "issue" or not entirely depends on how concerned you are about keeping your DNS queries private.

But aside from privacy, using a personal DNS server negates the performance advantages of having a shared server with millions of cached queries, all other things being equal. With a shared server you are far more likely to request a record which someone else has already queried and cached in the DNS server, meaning the server does not have to perform queries to various servers before it returns the DNS record.

Oliver.
Standard User zzing123
(member) Tue 14-Sep-21 01:11:18

Re: Learn me DNS over TLS


[re: Woolwich]
 
DNS over TLS (DoT) or DNS over HTTPS (DoH) is really to stop man-in-the-middle attacks, effectively to authenticate that a response is genuine and not tampered with - think of it as if you're sending a letter with a tamper-proof seal that requires a signature when delivered.

For privacy it's pretty useless as the encryption doesn't actually achieve anything. While men in the middle can't see the payload of the DNS request, they will see the IP address in the subsequent web request stream, even though they can't see what you're looking at on that site. It's like the letter above had an address in it, and you then send another parcel with a tamper proof seal requiring a signature to the address that was in the first letter... but the postie can now see the address!

For performance it's also slower in terms of latency. Both DoT and DoH use TCP not UDP like normal DNS, so this means an ACK packet needs to be sent back and forth basically meaning you need two 'pings' to the DNS server instead of one to get the response - so double the latency. Theoretically DoT is simpler - just a DNS request in a TLS stream - while DoH is a DNS request over HTTP over TLS - but in practice the differential is meaningless as there's so much more optimisation in both hardware and software for full HTTPS. But a normal DNS request will always be twice as fast as it requires half the packets. This is somewhat mediated with DoQ (DNS over QUIC, which is HTTPS but over UDP), but that's just a kludge looking for a problem.

The best, as others have said, is to use a VPN. Preferably to a server you control and therefore trust, but using a VPN service is OK. Most VPN technologies use UDP and have developed their own reliability techniques in the protocol, so the 'best' option is to use bog standard DNS over a UDP-based VPN, i.e. WireGuard or a well set up OpenVPN.

If you're interested in the authentication side, there's another DNS feature that's called DNSSEC which is a set of extra DNS requests that normal DNS uses that effectively 'signs' the DNS request but is unencrypted (read above as to why encryption is pointless), so you can use the authenticating features of DoT/H with the speed of standard DNS. The downside is most consumer routers won't have the slightest clue how to use DNSSEC as they mainly use software called dnsmasq which will support DNSSEC, but it needs a friendly DNS server and a smart client to be set up to request and handle DNSSEC properly upstream (few do, least of all ISP DNS servers).

Instead, get a Raspberry Pi with PiHole and unbound set up as an All-Around DNS Solution and you get the full benefit of DNSSEC, a great ad blocker, and the speed of standard DNS. Set up unbound to query the entire DNS network from the root servers and switch on DNSSEC, and it will authenticate the entire chain then cache the lot (i.e. it'll be slow at first, then speed up dramatically). The same Pi, if it's a Pi 4, can probably run the VPN too, but probably not at gigabit speeds.

This way you can watch your pr0n fast, ad-free (and therefore even faster) and have minimum latency skipping to the good bits 😎

Edit: grammar

Edited by zzing123 (Tue 14-Sep-21 01:36:57)
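The post above compares three things: plain DNS on UDP port 53, DoT (the same DNS message carried inside a TLS stream), and DNSSEC (signatures a validating resolver checks and then reports with the AD flag). The following Python script is an added example, not code from the thread or from Unbound or PiHole, that builds a real DNS query, shows the exact wire difference between the UDP datagram and the DoT framing (a 2-byte length prefix, RFC 7858), sets the EDNS0 DO bit to request DNSSEC, and decodes the AD/RCODE bits in the reply. RESOLVER_IP and RESOLVER_NAME are placeholders; the main section only talks to the network once you replace them with a resolver you trust, and the helper functions work offline.

```python
"""Added example: plain DNS vs DoT on the wire, plus DNSSEC request/response bits.

RESOLVER_IP / RESOLVER_NAME are placeholders (documentation range, example
name); replace them before running the __main__ section.
"""
import socket
import ssl
import struct

RESOLVER_IP = "192.0.2.53"          # placeholder (RFC 5737 documentation range)
RESOLVER_NAME = "resolver.example"  # placeholder TLS authentication name
QTYPE_A = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234,
                dnssec_ok: bool = True) -> bytes:
    """Standard DNS query (RFC 1035) with an optional EDNS0 OPT record
    carrying the DO bit (RFC 6891 / RFC 4035) to ask for DNSSEC data."""
    arcount = 1 if dnssec_ok else 0
    # ID, flags (RD=1 only), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    if dnssec_ok:
        # OPT pseudo-RR: root owner name, TYPE 41, UDP payload size 1232,
        # extended RCODE 0, EDNS version 0, flags with DO (0x8000), RDLEN 0
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return msg


def frame_for_tcp(msg: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length
    before each message. A UDP query is just the bare message."""
    return struct.pack("!H", len(msg)) + msg


def parse_flags(resp: bytes) -> dict:
    """Decode the 12-byte response header; the rest of the message is not needed."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # this is a response
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # authenticated data: resolver validated DNSSEC
        "cd": bool(flags & 0x0010),   # checking disabled
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def validation_status(flags: dict) -> str:
    """AD set means the signature chain from the root checked out. A validating
    resolver answers SERVFAIL for a bogus chain, but also for unrelated upstream
    failures, so SERVFAIL is a hint to investigate, not proof of tampering."""
    if flags["rcode"] == 2:
        return "servfail"
    if flags["ad"]:
        return "validated"
    return "unvalidated"


def _read_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed mid-message")
        buf += chunk
    return buf


def query_udp(msg: bytes, server: str = RESOLVER_IP, timeout: float = 3.0) -> bytes:
    """Plain DNS: one datagram each way, no framing, no encryption."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recv(4096)


def query_dot(msg: bytes, server: str = RESOLVER_IP,
              auth_name: str = RESOLVER_NAME, timeout: float = 3.0) -> bytes:
    """DoT: TCP handshake, TLS handshake, then the length-prefixed query. The
    default context verifies the chain and that the certificate matches
    auth_name, which is what stops an on-path box impersonating the resolver."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_for_tcp(msg))
            (length,) = struct.unpack("!H", _read_exact(tls, 2))
            return _read_exact(tls, length)


if __name__ == "__main__":
    q = build_query("example.com")
    for label, fn in (("udp/53", query_udp), ("dot/853", query_dot)):
        try:
            flags = parse_flags(fn(q))
            print(label, flags, validation_status(flags))
        except OSError as exc:
            print(label, "failed:", exc)
```

Run it against a validating resolver and the DoT reply carries AD for a signed zone while an unsigned zone comes back "unvalidated"; point it at a resolver that does not validate and AD never appears, which is the quickest way to check whether the upstream you forward to actually does the DNSSEC work the post describes.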
