NetBSD-Users archive


Re: Securing DNS traffic



On Fri, 22 May 2020 22:38:19 +0100
Sad Clouds <cryintothebluesky%gmail.com@localhost> wrote:

> So which one of them takes precedence and under what conditions?
> Why have both active at the same time? Is one option better/more secure
> than the other?

I would advise not doing both at the same time. Pick one model, which
model depends on what you are trying to do.

(1) If you want to provide DNS servers to a large number of clients on
your network, use root hints and have Unbound handle recursion for you.
This is technically the most secure in the sense of data integrity,
because there are fewer upstream systems to tamper with your queries.
Properly configured DNSSEC makes that security point largely moot,
though.

(2) If you want to provide DNSSEC validation to just a single local
machine, TLS or no, use forwarders. Doing full recursion for a single
host wastes your time, latency will be higher while your cache warms
up. It also wastes the internet's bandwidth. Not a lot of bandwidth,
but it would add up fast if everyone did recursion.

(3) If you want to prevent your ISP from snooping your DNS traffic,
regardless of a single machine or a small network, use forwarders.
This is because most authoritative servers out there won't support DNS
over TLS - plus you'll need to bring up/down so many secured
connections it simply won't perform well even if the authoritative
servers did support TLS.

-- 
Aaron B. <aaron%zadzmo.org@localhost>

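As an added illustration of the "pick one model" advice above (not part of the original mail, and not Aaron's configuration), here are the two Unbound layouts side by side: full recursion from root hints for a network of clients, or forwarding everything to a single DNS-over-TLS upstream for one host or to keep queries away from the ISP. File paths, the listening address, and the upstream address/auth name are placeholders.

```conf
# Added example: two Unbound configurations for the models discussed.
# Use ONE of them, never both. Paths, addresses and the TLS auth name
# are assumptions/placeholders to be replaced for a real deployment.

server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # DNSSEC validation applies to either model (RFC 5011 managed anchor).
    auto-trust-anchor-file: "/var/unbound/root.key"   # path assumed
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    # Only needed for the forwarders-over-TLS model: CA bundle used to
    # verify the upstream's certificate. Path assumed (pkgsrc rootcerts).
    tls-cert-bundle: "/etc/openssl/certs/ca-certificates.crt"

# --- Model (1): full recursion from the root hints (many clients) ---
# No forward-zone at all; Unbound walks the tree from the root itself.
# Uncomment root-hints only if you ship a newer file than the built-in one.
#    root-hints: "/var/unbound/root.hints"            # path assumed

# --- Model (2)/(3): forward everything to one DoT resolver (single host,
# or hiding queries from the ISP). Delete this block for model (1). ---
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # addr@port#authname: 853 is the DNS-over-TLS port; the name after '#'
    # is checked against the server certificate. 192.0.2.53 is an
    # RFC 5737 documentation-range placeholder; substitute your resolver.
    forward-addr: 192.0.2.53@853#dns.example.net
    forward-first: no   # never fall back to plain recursion if TLS fails
```

Run `unbound-checkconf` on the file before restarting; with the forwarding model, a query for a signed zone should return the AD flag, which confirms validation is happening locally rather than being trusted from the upstream.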
