NetBSD-Users archive


Re: Securing DNS traffic



>> What I'm not sure about is this - unbound(8) has "root-hints" that
>> points to root DNS servers and it will handle recursive queries, but it
>> can also specify "forward-zone" where it can forward to Cloudflare or
>> Google recursive DNS servers. Both of these solutions would resolve DNS
>> names. So which one of them takes precedence and under what conditions?
>> Why have both active at the same time? Is one option better/more secure
>> than the other?
>
> Another option for DNS over HTTPS is Mozilla's servers:
> https://support.mozilla.org/en-US/kb/firefox-dns-over-https.

If you desire to protect your lookup history from prying eyes, it's
one thing to protect the communication itself.  However, I would
personally shy away from all of Google, Cloudflare and Mozilla
recursors, DoH or not.

With your own recursor which implements query minimization, and by
having multiple clients actively using it, you leak far less about
your lookup history than by forwarding all your full DNS client
queries to one of the above.  Obviously, this comes at a price --
lookup times will be longer while the cache warms up, and caching is
less effective the fewer clients you have using the cache.  Plus, of
course, the outgoing queries from your recursor will be in
cleartext.

Just saying...

- Håvard
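
A configuration sketch for the self-hosted recursor option discussed above, added here as an example; it is not part of the original thread and not Håvard's or the NetBSD project's own config. The file paths and the LAN prefix 192.0.2.0/24 are assumptions, and the Cloudflare forwarder at the end is only there, commented out, to show what the forward-zone alternative looks like.

```conf
# Added example (not from the thread): unbound.conf for a LAN recursor that
# iterates from the root with query minimization instead of forwarding.
# Paths and the LAN prefix are assumptions; adjust to your system.
server:
    interface: 0.0.0.0
    interface: ::0

    # Let the whole LAN share one cache: more clients mean a warmer cache
    # and less that any single client's pattern reveals upstream.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.0.2.0/24 allow        # assumed LAN prefix
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Iterate from the root yourself rather than handing every full
    # client query to a third-party recursor. The hints file can be
    # fetched from https://www.internic.net/domain/named.root
    root-hints: "/etc/unbound/root.hints"     # assumed path

    # QNAME minimisation (RFC 9156): each upstream server is asked only
    # for the labels it needs, e.g. the root is asked about "com.", the
    # .com servers about "example.com.", not about the full name.
    qname-minimisation: yes

    # DNSSEC validation; the anchor file is maintained by unbound-anchor(8).
    auto-trust-anchor-file: "/etc/unbound/root.key"   # assumed path

    # Don't answer id.server / version.bind probes.
    hide-identity: yes
    hide-version: yes

# Deliberately absent: a catch-all forward-zone. If one for "." is
# configured, unbound forwards every query it cannot answer from cache to
# those servers instead of iterating via root-hints, so the forwarder sees
# the full client query names. Left here, commented out, only to make the
# trade-off visible.
#
# forward-zone:
#     name: "."
#     forward-tls-upstream: yes
#     forward-addr: 1.1.1.1@853#cloudflare-dns.com
#
# (forward-tls-upstream also needs tls-cert-bundle set in the server:
# section so the forwarder's certificate can be verified.)
```

Run `unbound-checkconf` after editing to catch syntax errors before restarting the daemon. Note that the trade-off Håvard mentions still holds with this config: the recursor's own outgoing queries go in cleartext to the authoritative servers, but each of them sees only a minimised name and the address of the recursor, not the individual client.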

