Cloudflare DNS has DoH, but it’s Cloudflare so… ew. Is there one that is more privacy respecting and also has DNS over HTTPS?
Cloudflare DNS has DoH, but it’s Cloudflare so… ew. Is there one that is more privacy respecting and also has DNS over HTTPS?
I just set up Pi-hole / unbound on a raspberry pi zero w:
https://docs.pi-hole.net/guides/dns/unbound/
It’s not too difficult. All you need is the raspberry Pi zero W and a microSD card. You can power it via USB. You don’t even need to connect a monitor / keyboard for set up.
Does it not depend on other DNS provider or does it itself?
No, it doesn’t depend on another DNS provider.
Unbound requests DNS from authoritative root DNS providers so it doesn’t depend on third party provider like Cloudflare, Google, Quad9.
So Unbound skips the conventional DNS provider and goes straight to the TLD servers? Do the TLD servers themselves all have DoH or will anyone listening upstream of the network still be able to sniff the queries for what domains you’re accessing? In fact wouldn’t you stick out like a sore thumb as someone who isn’t a DNS provider querying TLD servers?
Yes that’s how DNS resolution works. Any DNS resolver can either query another resolver (most commercial internet routers will query your ISP’s resolver), or resolve the domain name themselves by querying DNS servers from right to left in the domain name.
For example, querying lemmy.ml involves:
ml
DNS serversml
DNS servers forlemmy
lemmy
DNS servers for an IP address to connect toRecursive resolution is a feature of the DNS system which ensures distribution of power among actors, so a single bad actors, even when very high in the hierarchy, can’t have too much negative impact further down the chain. For example, if root servers are compromised, they couldn’t stop
lemmy.ml
from resolving: they could stop the whole ofml
from resolving (becauseml
is part of the zone they have authority for) but nothing more. This aspect of DNS limits temptation of censorship.Wouldn’t it still be plaintext though? Someone upstream the network (namely your ISP) datamining your network traffic would still be able to tell which domains you’re requesting, right?
Short answer, yes. But Authoritative DNS over TLS (ADoT) is being standardized for encrypting resolver-to-authority queries.
Does Unbound support this already?