Cloudflare DNS has DoH, but it’s Cloudflare so… ew. Is there one that is more privacy respecting and also has DNS over HTTPS?

  • @xe8
    7 · 3 years ago

    I just set up Pi-hole / unbound on a raspberry pi zero w:

    https://docs.pi-hole.net/guides/dns/unbound/

    It’s not too difficult. All you need is the Raspberry Pi Zero W and a microSD card. You can power it via USB. You don’t even need to connect a monitor / keyboard for setup.

    • @fossdd
      5 · 3 years ago

      Does it not depend on another DNS provider, or does it do it itself?

      • @xe8
        2 · 3 years ago

        No, it doesn’t depend on another DNS provider.

      • @loki
        1 · 3 years ago

        Unbound requests DNS from the authoritative root DNS servers, so it doesn’t depend on a third-party provider like Cloudflare, Google or Quad9.

    • @AgreeableLandscape (OP)
      3 · 3 years ago

      So Unbound skips the conventional DNS provider and goes straight to the TLD servers? Do the TLD servers themselves all have DoH or will anyone listening upstream of the network still be able to sniff the queries for what domains you’re accessing? In fact wouldn’t you stick out like a sore thumb as someone who isn’t a DNS provider querying TLD servers?

      • @southerntofu
        1 · 3 years ago

        Yes, that’s how DNS resolution works. Any DNS resolver can either query another resolver (most commercial internet routers will query your ISP’s resolver), or resolve the domain name itself by querying DNS servers from right to left in the domain name.

        For example, querying lemmy.ml involves:

        • querying ICANN root servers for ml DNS servers
        • querying ml DNS servers for lemmy
        • querying lemmy DNS servers for an IP address to connect to

        Recursive resolution is a feature of the DNS system which ensures distribution of power among actors, so a single bad actor, even when very high in the hierarchy, can’t have too much negative impact further down the chain. For example, if the root servers were compromised, they couldn’t stop lemmy.ml from resolving: they could stop the whole of ml from resolving (because ml is part of the zone they have authority for) but nothing more. This aspect of DNS limits the temptation of censorship.

        • @AgreeableLandscape (OP)
          1 · 3 years ago

          Wouldn’t it still be plaintext though? Someone upstream of the network (namely your ISP) datamining your network traffic would still be able to tell which domains you’re requesting, right?
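As an added illustration of the right-to-left walk southerntofu describes and of the exposure raised in the follow-up question, here is a toy iterative resolver written for this thread (it is not code from Pi-hole, Unbound or any poster). The zone data and server addresses are constructed from documentation IP ranges; the `qname_minimisation` flag models QNAME minimisation (RFC 7816), which is what Unbound's `qname-minimisation` option enables, so each authoritative server only learns the labels it needs. The trace returned for each query is the list of (server, zone, name sent) hops, which is exactly what an on-path observer sees in plain iterative resolution, since resolver-to-authoritative traffic is conventionally unencrypted port 53.

```python
"""Toy iterative DNS resolver over a constructed, in-memory hierarchy.

Constructed example data (not real infrastructure):
  root ('.')      delegates 'ml.'        to a.ns.ml.      at 198.51.100.1
  'ml.'           delegates 'lemmy.ml.'  to ns1.lemmy.ml. at 203.0.113.1
  'lemmy.ml.'     answers 'lemmy.ml.' A  203.0.113.10
"""

ROOT_SERVER = "192.0.2.1"  # constructed root hint

# Which zone each constructed server is authoritative for.
SERVER_ZONE = {
    "192.0.2.1": ".",
    "198.51.100.1": "ml.",
    "203.0.113.1": "lemmy.ml.",
}

# Per zone: the child names it knows, either as a referral (ns + glue) or an answer (a).
ZONES = {
    ".": {"ml.": {"ns": "a.ns.ml.", "glue": "198.51.100.1"}},
    "ml.": {"lemmy.ml.": {"ns": "ns1.lemmy.ml.", "glue": "203.0.113.1"}},
    "lemmy.ml.": {"lemmy.ml.": {"a": "203.0.113.10"}},
}


def ancestors(name):
    """Zone chain from the root down: 'lemmy.ml.' -> ['.', 'ml.', 'lemmy.ml.']."""
    parts = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(parts) - 1, -1, -1):
        chain.append(".".join(parts[i:]) + ".")
    return chain


def resolve(name, qname_minimisation=False):
    """Walk right to left from the root, following referrals until an A record is found.

    Returns (ip, trace); trace is a list of (server_ip, zone, qname_sent) per hop.
    Raises LookupError when a zone has no data for the requested child.
    """
    chain = ancestors(name)
    trace = []
    server = ROOT_SERVER
    while True:
        zone = SERVER_ZONE[server]
        idx = chain.index(zone)
        # The next label below the zone we are asking, or the full name at the leaf.
        child = chain[idx + 1] if idx + 1 < len(chain) else name
        # Without minimisation the full name is revealed to every server on the path.
        qname = child if qname_minimisation else name
        trace.append((server, zone, qname))
        entry = ZONES[zone].get(child)
        if entry is None:
            raise LookupError(f"zone {zone} has no data for {child}")
        if "a" in entry:
            return entry["a"], trace
        server = entry["glue"]  # follow the referral to the delegated zone's server


def names_revealed(trace):
    """Names an on-path observer (e.g. the ISP) sees in the unencrypted hops."""
    return [qname for _server, _zone, qname in trace]


def names_seen_by(trace, zone):
    """Names a single authoritative server learned (what minimisation limits)."""
    return [qname for _server, z, qname in trace if z == zone]


if __name__ == "__main__":
    for minimise in (False, True):
        ip, trace = resolve("lemmy.ml.", qname_minimisation=minimise)
        print(f"qname_minimisation={minimise}: {ip}")
        for server, zone, qname in trace:
            print(f"  -> {server} (authoritative for {zone!r}) asked for {qname!r}")
```

Note what the two traces have in common: in both modes every hop is visible to someone upstream, and the final answer query always names the leaf, so minimisation narrows what each individual authoritative server learns but does nothing for the ISP in the plaintext-wire scenario the question describes. Encrypting the resolver-to-authoritative leg is a separate problem from encrypting the client-to-resolver leg that DoH addresses.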