NetBSD-Users archive
Re: Securing DNS traffic
Looking at the responses to my original email and doing some further
research, the summary of pluses/minuses would be:
1) unbound(8) resolving via root DNS servers
+ Most accurate results, since it bypasses any intermediaries.
- Increased lookup time and higher load on authoritative DNS servers.
- Some servers won't support DNS over TLS, hence my ISP can monitor those searches.
2) unbound(8) resolving via external forwarders (e.g. Cloudflare)
+ Faster lookup time.
+ DNS over TLS is always supported, hence hidden from my ISP.
- Cloudflare can monitor those searches.
? Have to trust Cloudflare that the results are accurate.
+ Cloudflare DNS servers seem to support encrypted SNI.
There is still a separate issue of unencrypted TLS SNI, leaking information in plain text. Seems like Firefox can support it when the following config setting is set to true: network.security.esni.enabled
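As an added illustration of the two unbound(8) setups compared above (not part of the original message), here is an unbound.conf fragment that implements option 2, forwarding every query over DNS over TLS to Cloudflare, with comments on what to drop for option 1. The file paths and the unbound version (1.9 or newer, for the `#hostname` certificate-check syntax) are assumptions.

```conf
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # DNSSEC validation, so a forwarder that tampers with answers for
    # signed zones is detected rather than trusted (the "?" above).
    # Path is an assumption.
    auto-trust-anchor-file: "/var/unbound/root.key"
    # Send each authoritative server only the labels it needs; this
    # limits what leaks in option 1, where queries go to the
    # authorities directly.
    qname-minimisation: yes
    # CA bundle used to verify the forwarder's TLS certificate.
    # Path is an assumption; use wherever the system root CAs live.
    tls-cert-bundle: "/etc/openssl/certs/ca-certificates.crt"

# Option 2: forward everything to Cloudflare over TLS (port 853).
# The name after '#' is checked against the presented certificate, so
# an intercepting or forged upstream fails the handshake instead of
# answering silently. Remove this whole block for option 1: unbound
# then recurses from the root using its built-in hints.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

Run unbound-checkconf(8) on the file before reloading; a missing CA bundle or trust anchor is reported there rather than at query time.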