I've got some spare time on my hands, so I decided to educate myself on how to secure DNS traffic. I have a small home network with various devices and most of them use public (Cloudflare or Google) DNS servers.
It seems there are two main security enhancements for DNS:

1. DNSSEC - digital signatures for DNS records to verify they haven't been tampered with.
2. DNS over TLS - encryption of DNS traffic for privacy. This goes via port 853 and could be over TCP or UDP (DTLS), although it's not clear to me if both TCP and UDP are always supported, or if it's mainly TCP.

I assume that NetBSD (and other OSes) libc simple stub resolver doesn't support any of these options, so I would need to use something like unbound(8) on a local network. So I started looking at configuring unbound(8) and came across this useful guide - https://calomel.org/unbound_dns.html

What I'm not sure about is this - unbound(8) has "root-hints" that points to root DNS servers and it will handle recursive queries, but it can also specify "forward-zone" where it can forward to Cloudflare or Google recursive DNS servers. Both of these solutions would resolve DNS names. So which one of them takes precedence and under what conditions? Why have both active at the same time? Is one option better/more secure than the other?

Thanks.
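As an added example (not from the original post or from the calomel.org guide), here is an unbound.conf fragment that enables DNSSEC validation, forwards all queries to Cloudflare over DNS-over-TLS on port 853, and keeps root hints available; the file paths are assumptions for a NetBSD-style layout. The key point it illustrates: with a forward-zone for "." every query goes to the forwarders, and the root hints are only used when forward-first is set and the forwarders fail.

```conf
# Added example unbound.conf fragment (not from the original post or calomel.org).
# File paths below are assumptions; adjust to where unbound keeps its files.
server:
    # DNSSEC validation: the validator module checks RRSIGs against the root
    # trust anchor, which unbound keeps up to date itself (RFC 5011).
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"
    # Treat responses that should be signed but are not as bogus.
    harden-dnssec-stripped: yes

    # Root hints are consulted only when unbound recurses on its own, i.e.
    # for zones without a forward-zone or when forward-first falls back.
    root-hints: "/var/unbound/root.hints"

    # CA bundle used to verify the forwarders' TLS certificates (path assumed).
    tls-cert-bundle: "/etc/openssl/certs/ca-certificates.crt"

# Forward everything (name "." = all names) to Cloudflare over DNS-over-TLS.
# Unbound's upstream TLS runs over TCP to port 853; the name after '#' is the
# certificate name checked against tls-cert-bundle, so a forwarder that cannot
# present a valid certificate for it is rejected rather than silently used.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-tls-upstream: yes
    # forward-first: no (the default) means the root hints are never used for
    # this zone. forward-first: yes recurses from the roots only if the
    # forwarders fail, but that fallback is plain DNS on port 53, not TLS,
    # so leave it off if the goal is that no query ever leaves unencrypted.
    forward-first: no
```

After `unbound-checkconf` accepts the file, `unbound-host -C /etc/unbound/unbound.conf -v example.com` prints "(secure)" for a signed name when validation is working.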
