Best DNS for privacy? (discuss.tchncs.de)

submitted 1 year ago by fatcat@discuss.tchncs.de to c/privacy@lemmy.ml

46 comments fedilink hide all child comments

I read a bit about using a different DNS for Privacy and I think the best one should be quad9? Or is there anything better except self hosting a DNS?

you are viewing a single comment's thread
view the rest of the comments

[-] RustyWizard@programming.dev 4 points 1 year ago* (last edited 1 year ago)

Kinda. You can always route your traffic over a VPN. Further, from the unbound page:

To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit the amount of data exchanged with authoritative servers. These standards do not only improve privacy but also help making the DNS more robust. The most important are Query Name Minimisation, the Aggressive Use of DNSSEC-Validated Cache and support for authority zones, which can be used to load a copy of the root zone.

Edit: to be clear, I run unbound but I don't recall how much I hardened it. The config file is fairly large and I was mostly focusing on speed and efficiency since it's running on an already busy raspberry pi.

[-] terribleplan@lemmy.nrd.li 1 points 1 year ago

Sure, which at least increases the burden from observing just your traffic to your ISP to observing your ISP and your VPN provider. That traffic is still unencrypted upon egress from your VPN. If you're going through the effort of using a VPN I think using a public DNS server could make more sense as they can't tie your query to your actual IP. (Also this is all thinking about an upstream for PiHole or similar, so always some sort of local server for your clients to use)

[-] RustyWizard@programming.dev 3 points 1 year ago

The question was about privacy. Routing your DNS traffic through a VPN puts your unencrypted traffic out of an endpoint with all sorts of other connections. That's a privacy gain.

Further, using DNS-over-TLS or DNS-over-Https encrypts your query end-to-end.

Using both in concert prevents the DNS servers from knowing your IP and anyone along the route from knowing your query.

[-] terribleplan@lemmy.nrd.li 1 points 1 year ago

Sure, but we were talking about using Unbound, or some other recursive resolver, locally. Unbound doesn't use DoH or DoT for its queries, and most/all authoritative servers don't offer DoT/DoH.

You would have to use some local stub resolver, route its traffic over a VPN, and then use public resolver(s) that provide DoH/DoT (and those still use plaintext DNS to do their resolution, the benefit you get there is the shared cache and semi-anonymization due to aggregation). Whether that is good enough is up to you.

load more comments (3 replies)

this post was submitted on 30 Jun 2023

37 points (97.4% liked)

Privacy

32045 readers

799 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS