>> What I'm not sure about is this - unbound(8) has "root-hints" that
>> points to root DNS servers and it will handle recursive queries, but it
>> can also specify "forward-zone" where it can forward to Cloudflare or
>> Google recursive DNS servers. Both of these solutions would resolve DNS
>> names. So which one of them takes precedence and under what conditions?
>> Why have both active at the same time? Is one option better/more secure
>> than the other?
>
> Another option for DNS over HTTPS is Mozilla's servers:
> https://support.mozilla.org/en-US/kb/firefox-dns-over-https.
If you desire to protect your lookup history from prying eyes, it's one thing
to protect the communication itself. However, I would personally shy away from
all of Google, Cloudflare and Mozilla recursors, DoH or not. With your own
recursor which implements query minimization, and by having multiple clients
actively using it, you leak far less about your lookup history than by
forwarding all your full DNS client queries to one of the above.

Obviously, this comes at a price -- lookup times will be longer while the
cache warms up, and caching is less effective the fewer clients you have
using the cache. Plus, of course, the outgoing queries from your recursor will
be in cleartext.

Just saying...

- Håvard
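To make the "who learns what" argument in the reply above concrete, here is an added Python model; it is not code from the thread or from unbound. It compares what each upstream server set learns about three constructed client lookups under the two setups the question asks about: a forward-zone for "." (every full query goes to one upstream) versus the recursor's own iterative resolution from root-hints, the latter both with and without qname minimisation. The delegation tree is a toy; a real recursor discovers zone cuts from referrals, and a warm cache would ask the root and TLD servers far less often than this cold-cache model does.

```python
"""Who learns what about a DNS lookup: forwarder vs own recursor (with and
without qname minimisation).

Added example for the thread above; not code from the thread or from unbound.
The delegation tree and the client lookups are constructed toy data. The model
is a cold cache: every lookup walks the delegation from the root, which is the
worst case for the iterative modes (a warm cache asks the upper servers far
less often).
"""
from typing import Dict, List, Set, Tuple

# Constructed toy delegation tree: zone apex -> label for the server set that
# is authoritative for it. A real recursor learns these cuts from referrals.
ZONE_CUTS: Dict[str, str] = {
    ".": "root-servers",
    "uk.": "uk-tld-servers",
    "co.uk.": "co.uk-servers",
    "example.co.uk.": "example.co.uk-auth",
    "com.": "com-tld-servers",
    "example.com.": "example.com-auth",
}

# Constructed client lookups, as seen by the resolver (fully qualified).
LOOKUPS: List[str] = [
    "www.example.co.uk.",
    "mail.example.co.uk.",
    "www.example.com.",
]


def labels(name: str) -> List[str]:
    """'www.example.co.uk.' -> ['www', 'example', 'co', 'uk'] (root label dropped)."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


def iterative_queries(qname: str, minimise: bool) -> List[Tuple[str, str]]:
    """(server, name asked) pairs a cold-cache recursor sends to resolve qname.

    Without minimisation the full qname goes to every server on the delegation
    chain (root, TLD, ...). With minimisation (RFC 9156 style) each server is
    asked only for the name one label below the zone it is authoritative for,
    so only the final authoritative server ever sees the full name.
    """
    parts = labels(qname)
    zone = "."
    queries: List[Tuple[str, str]] = []
    for i in range(len(parts) - 1, -1, -1):
        # Build the name from the right: 'uk.', 'co.uk.', 'example.co.uk.', ...
        partial = ".".join(parts[i:]) + "."
        queries.append((ZONE_CUTS[zone], partial if minimise else qname))
        if partial in ZONE_CUTS:
            zone = partial  # the answer was a referral: follow the delegation
    return queries


def forwarder_queries(qname: str) -> List[Tuple[str, str]]:
    """A forward-zone for '.' sends every full client query to one upstream."""
    return [("forwarder", qname)]


def exposure(lookups: List[str], mode: str) -> Dict[str, List[str]]:
    """Names each server set learns across all lookups, by resolver mode."""
    seen: Dict[str, Set[str]] = {}
    for q in lookups:
        if mode == "forward":
            qs = forwarder_queries(q)
        elif mode == "iterative":
            qs = iterative_queries(q, minimise=False)
        elif mode == "minimised":
            qs = iterative_queries(q, minimise=True)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        for server, name in qs:
            seen.setdefault(server, set()).add(name)
    return {s: sorted(n) for s, n in sorted(seen.items())}


def servers_seeing_full_names(lookups: List[str], mode: str) -> List[str]:
    """Server sets that learn at least one complete client-requested name."""
    full = set(lookups)
    return [s for s, names in exposure(lookups, mode).items() if full & set(names)]


if __name__ == "__main__":
    for mode in ("forward", "iterative", "minimised"):
        print(f"== {mode} ==")
        for server, names in exposure(LOOKUPS, mode).items():
            print(f"  {server:24s} {', '.join(names)}")
```

In the "forward" mode a single party sees every full name; in the plain "iterative" mode the root and TLD servers also see the full names (on a cold cache); only in the "minimised" mode do the root and TLD servers learn just "uk.", "com." and "co.uk.", with the full names reaching only the zones' own authoritative servers. The trade-offs the reply lists still hold in the model: the iterative modes send several queries per lookup instead of one, and all of them are plain DNS.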
