Hey Normen,

What is the precise goal you want to achieve with DNS-over-TLS?

You have to connect to the host before the encryption begins. So, after the 
browser has the IP address for the domain it seeks, it requests that host 
address in clear text. If you want to hide your browsing from your ISP, this is 
the point where you inevitably lose without a VPN. Only after a connection has 
been established does the TLS handshake begin, and the encryption is 

As such, DoH and DoT do nothing to increase your privacy against your ISP. They 
can still see your IP requests if they want, and a third-party DNS service has 
your entire DNS history. You do have the benefit of authenticity, in that the 
DNS travels in an encrypted tunnel with protection from a third party modifying 
it. However, when you use DNSSEC, you already get the same security benefits.

From a privacy point of view, I typically recommend running a local unbound 
instance on the same machine that does reverse lookups and DNSSEC 
authentication for you. That way, no single DNS provider has all your data.

Your view might differ from mine; it's always a question of whom you trust more 
than the others. There is no solution where you don't have to trust somebody, 
e.g. either your ISP or a VPN provider. I just know that I trust my local ISP 
over some random large-scale "for free" DNS provider, which is why I have my 
local unbound resolver in addition to dnsmasq.


On 30 July 2019 02:58:19 CEST, "Normen B. Kowalewski" wrote:
>Hi Simon,
>I would love to have my HG funnel all local LAN DNS queries through a
>properly TLS-secured path towards my trusted DNS of choice.
>I stumbled upon a several-year-old archive thread where you were
>considering DNS-over-TLS support:
>Are you still seeing this as something in the future of dnsmasq's native
>implementation, without an extra external proxy function like stubby?
>BR, Normen

Dnsmasq-discuss mailing list
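The setup the reply recommends, a local validating unbound behind dnsmasq, as a minimal configuration pair. This is an added illustration, not configuration from the thread or from the dnsmasq or unbound projects. The port 5335, the file paths (the trust-anchor file in particular varies by distribution), the LAN address 192.168.1.1 and the placeholder DoT upstream 192.0.2.1 / dns.example.net are all assumptions.

```ini
# /etc/unbound/unbound.conf  (added example; port and paths are assumptions)
server:
    # Listen only on loopback, on a port that does not clash with dnsmasq on 53
    interface: 127.0.0.1
    port: 5335
    access-control: 127.0.0.0/8 allow
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Full recursion from the root servers, so no single upstream provider
    # sees every query. Root hints are compiled in; a local copy is optional.
    # root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation. The anchor file is kept current via RFC 5011
    # rollover; its location is distribution-specific (assumption here).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    val-permissive-mode: no

    # Reduce what each authoritative server learns about this resolver
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

    # Cache tuning for a single-host resolver
    prefetch: yes

    # Only needed for the optional TLS forwarding below (path is an assumption)
    # tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Optional alternative: what Normen asked for, without stubby. Forward every
# query over TLS to one chosen resolver instead of recursing. Address and
# name are placeholders (192.0.2.1 is a documentation address). As the reply
# notes, that one provider then holds your whole query history.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 192.0.2.1@853#dns.example.net

# /etc/dnsmasq.conf  (relevant lines only; added example)
# Ignore /etc/resolv.conf and send every upstream query to the local unbound.
no-resolv
server=127.0.0.1#5335
# Pass the AD (authenticated data) bit set by the validating upstream through
# to LAN clients instead of stripping it.
proxy-dnssec
# dnsmasq keeps its role as DHCP and LAN name service (LAN address assumed).
listen-address=127.0.0.1,192.168.1.1
bind-interfaces
cache-size=1000
```

Check both files with `unbound-checkconf` and `dnsmasq --test` before restarting the services. Then confirm validation actually happens: `dig +dnssec @127.0.0.1` for a DNSSEC-signed name should return the `ad` flag, and a name whose signatures are deliberately broken should come back SERVFAIL rather than with an answer. If the `ad` flag is missing from dnsmasq but present when querying unbound on port 5335 directly, `proxy-dnssec` is not in effect.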
