Hi,

I've been doing some digging around to figure out how to enhance DNS
security and privacy, and it's really a rabbit hole. Fedora 28, not any
different near as I can tell from Windows 10 or macOS 10.13, is simply
deferring to DHCP assigned DNS which for my POS ISP is hardwired to
their DNS servers and can't be changed.

Then I ran into this ancient feature from Fedora 17:
https://fedoraproject.org/wiki/Features/DNSSEC_on_workstations

Did that feature actually ship? Did it get undone soon thereafter? I
don't remember ever having secure DNS of any type out of the box.

A little more digging around and found some lightweight DoH clients
that could be run locally, but then the best performer was
dnscrypt-proxy 2 so I did a dnf search...

dnscrypt-proxy looks like it's gone stale but is what's in the
official repo, and the package URL points to a dead end web page with
no function.
https://koji.fedoraproject.org/koji/packageinfo?packageID=22504

This looks like the current version of dnscrypt-proxy 2
https://copr.fedorainfracloud.org/coprs/eclipseo/dnscrypt-proxy/

The UI for this right now is icky. First, for wireless, DNS is a
per-connection setting and I can't make it the default for all
connections or future settings, at least not through the GUI. Second,
it's not secure, it's just ordinary DNS.

Anyway, I'm wondering if it's practical now or in the near future for
Fedora to offer an alternative to deferring to ISP DNS? But then
also what that would look like? And then what it would or could look
like among the editions: I could see Cockpit and GNOME/NetworkManager
UIs have some default, with a list of common alternative providers:
Google, Quad9, Cloudflare's new thing, OpenDNS, etc. and let people make
their own choice.



-- 
Chris Murphy
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org