NetBSD-Users archive


Re: Securing DNS traffic
Looking at the responses to my original email and doing some further
research, the summary of pluses/minuses would be:

1) unbound(8) resolving via root DNS servers
  + Most accurate results, since it bypasses any intermediaries.
  - Increased lookup time and higher load on authoritative DNS servers.
  - Some servers won't support DNS over TLS, hence my ISP can monitor
    those searches.

2) unbound(8) resolving via external forwarders (e.g. Cloudflare)
  + Faster lookup time.
  + DNS over TLS is always supported, hence hidden from my ISP.
  - Cloudflare can monitor those searches.
  ? Have to trust Cloudflare that the results are accurate.
  + Cloudflare DNS servers seem to support encrypted SNI.

There is still a separate issue of unencrypted TLS SNI leaking
information in plain text. Seems like Firefox can support it when the
following config setting is set to true:

network.security.esni.enabled


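For option 2 above, a minimal unbound.conf showing the plain-text forwarding
setting beside the DNS-over-TLS version. This is an added example, not
configuration from the original post or the NetBSD project; the listen
address, the CA bundle path and the trust-anchor path are assumptions for a
typical NetBSD host and should be adjusted to the local install.

```conf
server:
    # Assumed: only serve the local machine.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Assumed path; needed so the forwarder's TLS certificate is verified
    # against the '#name' given on each forward-addr line. Without it the
    # session is encrypted but the upstream is NOT authenticated.
    tls-cert-bundle: /etc/openssl/certs/ca-certificates.crt

    # DNSSEC validation so the forwarder's answers can be checked rather
    # than simply trusted (addresses the "?" in option 2). Assumed path.
    auto-trust-anchor-file: "/var/unbound/root.key"

    # Send as little of the name as possible to each upstream.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

# WEAK: forwards every query in clear text on port 53; the ISP can read it.
# Shown only for contrast, leave it commented out.
#forward-zone:
#    name: "."
#    forward-addr: 1.1.1.1
#    forward-addr: 1.0.0.1

# CORRECTED: forward over TLS on port 853 and authenticate the server name.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

Option 1 (recursing from the root servers) is simply the same server: block
with no forward-zone at all. After editing, run unbound-checkconf(8) and
confirm the result with a query whose answer carries the AD flag, e.g.
`drill -D example.com @127.0.0.1` or `dig +dnssec example.com @127.0.0.1`.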