I read a bit about using a different DNS for Privacy and I think the best one should be quad9? Or is there anything better except self hosting a DNS?

      • terribleplan@lemmy.nrd.liEnglish
        1·
        1 year ago

        The only problem there is that if you are going for privacy all of the traffic between your unbound and the authoritative servers is unencrypted. It us certainly a trade-off involving trusting a 3rd party, but with a busier public DNS server there can be a level of plausible deniability due to the aggregation and shared caching involved.

        • RustyWizard@programming.devEnglish
          1·
          1 year ago

          Kinda. You can always route your traffic over a VPN. Further, from the unbound page:

          To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit the amount of data exchanged with authoritative servers. These standards do not only improve privacy but also help making the DNS more robust. The most important are Query Name Minimisation, the Aggressive Use of DNSSEC-Validated Cache and support for authority zones, which can be used to load a copy of the root zone.

          Edit: to be clear, I run unbound but I don’t recall how much I hardened it. The config file is fairly large and I was mostly focusing on speed and efficiency since it’s running on an already busy raspberry pi.

          • terribleplan@lemmy.nrd.liEnglish
            0·
            1 year ago

            Sure, which at least increases the burden from observing just your traffic to your ISP to observing your ISP and your VPN provider. That traffic is still unencrypted upon egress from your VPN. If you’re going through the effort of using a VPN I think using a public DNS server could make more sense as they can’t tie your query to your actual IP. (Also this is all thinking about an upstream for PiHole or similar, so always some sort of local server for your clients to use)

            • eleitl@lemmy.mlEnglish
              0·
              1 year ago

              You run a local resolver for your household and enable DNS encryption where supported. Using a VPN for everything removes your ISP from the loop. It’s a matter of privacy layers and your threat model. If you want to play with TLAs you’ll need to try way harder.

              • terribleplan@lemmy.nrd.liEnglish
                1·
                1 year ago

                If my threat model realistically involved TLAs or other state-sponsored actors I would not be advertising what I do or do not know on a public forum such as Lemmy, haha.

                This conversation was in the conext of running Unbound, which is a recursive resolver and AFAIK DNS “encryption” isn’t a thing in a way that helps in this scenario… DoH, DoT, and DNSCrypt are all only concerned/deployed by recursive servers, meaning unbound isn’t using those. DNSSEC only provides authentication (preventing tampering) of the response, not any sort of encryption/hiding.

                • eleitl@lemmy.mlEnglish
                  1·
                  1 year ago

                  I’m also running unbound on my opnsense, configured to use root DNS servers. Don’t recall what exactly is enabled.

                  Yours is a good point why I should run all my traffic through a Wireguard tunnel to my dedicated server, so that my ISP is out of the loop.