I read a bit about using a different DNS for Privacy and I think the best one should be quad9? Or is there anything better except self hosting a DNS?

  • terribleplan@lemmy.nrd.li
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    1 year ago

    Sure, which at least increases the burden from observing just your traffic to your ISP to observing your ISP and your VPN provider. That traffic is still unencrypted upon egress from your VPN. If you’re going through the effort of using a VPN I think using a public DNS server could make more sense as they can’t tie your query to your actual IP. (Also this is all thinking about an upstream for PiHole or similar, so always some sort of local server for your clients to use)

    • RustyWizard@programming.dev
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 year ago

      The question was about privacy. Routing your DNS traffic through a VPN puts your unencrypted traffic out of an endpoint with all sorts of other connections. That’s a privacy gain.

      Further, using DNS-over-TLS or DNS-over-Https encrypts your query end-to-end.

      Using both in concert prevents the DNS servers from knowing your IP and anyone along the route from knowing your query.

      • terribleplan@lemmy.nrd.li
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        1 year ago

        Sure, but we were talking about using Unbound, or some other recursive resolver, locally. Unbound doesn’t use DoH or DoT for its queries, and most/all authoritative servers don’t offer DoT/DoH.

        You would have to use some local stub resolver, route its traffic over a VPN, and then use public resolver(s) that provide DoH/DoT (and those still use plaintext DNS to do their resolution, the benefit you get there is the shared cache and semi-anonymization due to aggregation). Whether that is good enough is up to you.

    • eleitl
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      You run a local resolver for your household and enable DNS encryption where supported. Using a VPN for everything removes your ISP from the loop. It’s a matter of privacy layers and your threat model. If you want to play with TLAs you’ll need to try way harder.

      • terribleplan@lemmy.nrd.li
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        If my threat model realistically involved TLAs or other state-sponsored actors I would not be advertising what I do or do not know on a public forum such as Lemmy, haha.

        This conversation was in the conext of running Unbound, which is a recursive resolver and AFAIK DNS “encryption” isn’t a thing in a way that helps in this scenario… DoH, DoT, and DNSCrypt are all only concerned/deployed by recursive servers, meaning unbound isn’t using those. DNSSEC only provides authentication (preventing tampering) of the response, not any sort of encryption/hiding.

        • eleitl
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          I’m also running unbound on my opnsense, configured to use root DNS servers. Don’t recall what exactly is enabled.

          Yours is a good point why I should run all my traffic through a Wireguard tunnel to my dedicated server, so that my ISP is out of the loop.