On Sat, 23 May 2020 11:38:18 +0200 (CEST) Havard Eidnes <[email protected]> wrote:
> With your own recursor which implements query minimization, and by
> having multiple clients actively using it, you leak far less about
> your lookup history than by forwarding all your full DNS client
> queries to one of the above. Obviously, this comes at a price --
> lookup times will be longer while the cache warms up, and caching is
> less effective the fewer clients you have using the cache. Plus, of
> course, the outgoing queries from your recursor will be in
> cleartext.
>
> Just saying...
>
> - Håvard

OK, so I understand that root servers probably won't support TLS, but some
authoritative servers may support TLS (aka ADoT). But I don't seem to find a
way to tell unbound "use TLS opportunistically, wherever possible". Isn't
there some record (similar to DNSSEC RRSIG) that tells unbound which servers
actually support TLS?

So this config doesn't work, and DNS queries time out, as it is always trying
to use DNS over TLS (aka DoT), even if servers don't support it.

server:
    tls-upstream: yes
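For reference, here is the failing setting from the message above next to the one arrangement in which unbound's `tls-upstream` is known to work: forwarding everything over DoT to a resolver that listens on port 853. This is an added example, not from either poster; the forwarder address 192.0.2.53 and the name dot.resolver.example are placeholders, and the CA bundle path is whatever your distribution ships. It does not give opportunistic TLS to authoritative servers, which is what the question asks for; it is the "forward all your queries to one upstream" setup that Håvard contrasts with a local recursor.

```conf
# --- Does NOT work as a pure recursor: every outgoing query, including
# --- those to the root and authoritative servers, is attempted over TLS,
# --- and servers without port 853 never answer, so lookups time out.
server:
    tls-upstream: yes

# --- Works: keep tls-upstream, but send all queries to a DoT forwarder.
# --- Placeholder values: 192.0.2.53 (RFC 5737 test address) and
# --- dot.resolver.example stand in for a real DoT resolver and its
# --- certificate name; the bundle path is distribution-specific.
server:
    tls-upstream: yes
    # CA bundle used to verify the forwarder's certificate against the
    # name given after '#' below; without it the TLS session is not
    # authenticated and a hostile network could still observe queries.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Still worth keeping: it limits what the forwarder itself learns is
    # nothing, but it matters the moment you switch back to recursion.
    qname-minimisation: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#authentication-name
    forward-addr: 192.0.2.53@853#dot.resolver.example
```

The trade-off is the one spelled out in the quoted reply: the DoT channel hides queries from the local network path, but the single forwarder now sees the complete lookup history of every client behind the resolver, whereas a local recursor with query minimisation leaks only partial names to each zone's servers, in cleartext. Run `unbound-checkconf` after editing to catch syntax slips before restarting the daemon.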
