On Fri, May 22, 2020 at 10:38:19PM +0100, Sad Clouds wrote:
>
> 2. DNS over TLS - encryption of DNS traffic for privacy. This goes via
> port 853 and could be over TCP or UDP (DTLS), although it's not clear
> to me if both TCP and UDP are always supported, or if it's mainly TCP.
>

Assuming DNS over TLS is the same as normal DNS then you need both. With normal DNS the requests go over UDP; most of the time that will work, but if the remote server determines that the response cannot fit into a UDP packet it will send back a "try the query again over TCP" response, at which point the DNS client will use TCP. It drives me to distraction the number of people who have the incorrect idea that named only uses TCP for zone transfers, so firewall it off and then make wild accusations that some site's DNS is busted because they are dropping the TCP DNS responses.

> What I'm not sure about is this - unbound(8) has "root-hints" that
> points to root DNS servers and it will handle recursive queries, but it
> can also specify "forward-zone" where it can forward to Cloudflare or
> Google recursive DNS servers. Both of these solutions would resolve DNS
> names. So which one of them takes precedence and under what conditions?
> Why have both active at the same time? Is one option better/more secure
> than the other?
>

You need root hints if you want to do your own recursive DNS resolution. You don't have to use forwarding at all. The root hints are there to tell your name server where to start when it is resolving a query. You can choose to forward all name resolution off to another server; you don't need root hints then, but you are at the mercy of that remote DNS server as to what you get back. You can mix it up and do some recursive resolution yourself but forward some domains to other name servers; this is called conditional forwarding and can be useful if you cannot reach the authoritative name servers for a domain due to, say, geoblocking firewall rules or the like.

The most likely reason for running your own name server is either you want a local cache to speed up repeated requests or that you have some domain you need local control over.

-- 
Brett Lymn
--
Sent from my NetBSD device.
"We are were wolves", "You mean werewolves?", "No we were wolves, now we are something else entirely", "Oh"
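As an added illustration of the UDP-then-TCP fallback described in the reply above (example code, not part of the original thread), the following Python builds a query, checks the TC bit in the UDP reply, and repeats the query over TCP when set. The transports are caller-supplied so it runs offline; the two sample replies are constructed here, not captured from any real server.

```python
import struct

def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (RD=1, one question, class IN, default type A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; TC (flag bit 0x0200) means the reply was truncated."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}

def resolve(name: str, txid: int, send_udp, send_tcp):
    """UDP first; if the server sets TC, repeat the same query over TCP.
    send_udp/send_tcp are caller-supplied bytes -> bytes transports (assumed
    interface) so the fallback runs offline. Returns (header, transport used)."""
    query = build_query(name, txid)
    hdr = parse_header(send_udp(query))
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("UDP reply does not match our query")
    if not hdr["tc"]:
        return hdr, "udp"
    # Truncated: the answer did not fit in the UDP reply, so retry over TCP.
    # A firewall dropping 53/tcp makes this step fail and the name looks "busted".
    hdr = parse_header(send_tcp(query))
    if hdr["id"] != txid:
        raise ValueError("TCP reply does not match our query")
    return hdr, "tcp"

# Constructed sample replies standing in for a real server (not captured traffic).
def sample_udp_reply(q: bytes) -> bytes:
    """QR=1 TC=1 RD=1 RA=1, no answer records: the 'try again over TCP' signal."""
    txid = struct.unpack("!H", q[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0) + q[12:]

def sample_tcp_reply(q: bytes) -> bytes:
    """QR=1 RD=1 RA=1, TC clear, one A record (192.0.2.1 from TEST-NET-1)."""
    txid = struct.unpack("!H", q[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + q[12:] + rr

if __name__ == "__main__":
    print(resolve("example.com", 0x1234, sample_udp_reply, sample_tcp_reply))
```

Real transports would be thin wrappers around a UDP socket and a TCP socket to port 53 (TCP framing adds a two-byte length prefix); the decision logic stays the same.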
