On Fri, 22 May 2020 22:38:19 +0100 Sad Clouds <cryintotheblue...@gmail.com> wrote:
> So which one of them takes precedence and under what conditions?
> Why have both active at the same time? Is one option better/more secure
> than the other?

I would advise not doing both at the same time. Pick one model; which model depends on what you are trying to do.

(1) If you want to provide DNS servers to a large number of clients on your network, use root hints and have Unbound handle recursion for you. This is technically the most secure in the sense of data integrity, because there are fewer upstream systems to tamper with your queries. Properly configured DNSSEC makes that security point largely moot, though.

(2) If you want to provide DNSSEC validation to just a single local machine, TLS or no, use forwarders. Doing full recursion for a single host wastes your time; latency will be higher while your cache warms up. It also wastes the internet's bandwidth. Not a lot of bandwidth, but it would add up fast if everyone did recursion.

(3) If you want to prevent your ISP from snooping your DNS traffic, regardless of a single machine or a small network, use forwarders. This is because most authoritative servers out there won't support DNS over TLS - plus you'll need to bring up/down so many secured connections it simply won't perform well even if the authoritative servers did support TLS.

-- 
Aaron B. <aa...@zadzmo.org>
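As an added illustration, not part of Aaron's message or of the Unbound project's own documentation, here are two unbound.conf fragments that correspond to the two models he describes: full recursion from the root hints with DNSSEC validation (model 1), and forwarding everything to a DNS-over-TLS upstream while still validating locally (models 2 and 3). The interface, LAN prefix, file paths and the upstream resolver addresses are assumptions to be replaced with your own; the directive names are Unbound's.

```conf
# Added example (not from the original thread). Use ONE of the two
# configurations below, never both: a root-hints recursor and a
# forward-zone for "." in the same config is exactly the mixed setup
# the post advises against.

# ---------------------------------------------------------------
# Model (1): recursive resolver for a LAN, validating with DNSSEC
# ---------------------------------------------------------------
server:
    interface: 192.168.1.1                 # assumption: LAN-facing address
    access-control: 192.168.1.0/24 allow   # assumption: your LAN prefix
    access-control: 0.0.0.0/0 refuse       # do not be an open resolver
    # Root hints: Unbound has a built-in copy; this points at a locally
    # maintained copy of the IANA named.root file (path is an assumption).
    root-hints: "/var/lib/unbound/root.hints"
    # DNSSEC validation; RFC 5011 managed trust anchor (path is an assumption)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # No forward-zone here: Unbound walks from the root itself.

# ---------------------------------------------------------------
# Model (2)/(3): single host or small network, forward over TLS
# ---------------------------------------------------------------
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # Validation still happens locally on the forwarded answers, so a
    # misbehaving forwarder cannot hand us a forged signed zone unnoticed.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # CA bundle used to authenticate the upstream's TLS certificate
    # (path is an assumption; it differs per OS).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Syntax is address@port#authentication-name. The name after '#' is
    # what the upstream certificate is checked against. These two entries
    # are example/assumed upstreams; substitute the resolver you trust.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

After editing, `unbound-checkconf` will reject syntax errors before you restart the daemon. To confirm that validation is actually in effect under either model, query a signed name with `dig +dnssec <name> @<unbound-address>` and check that the `ad` (authenticated data) flag is set in the response; under the forwarding model, also confirm Unbound is not falling back to recursion by leaving `forward-first` at its default of `no`.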