> I was wondering what you guys would recommend - shall I use the
> router's own DNS resolver with DNSSEC or shall I use my ISP's one
> without DNSSEC?
I don't think DNSSEC matters because the web does not use DANE, but I would not use the ISP's nameserver regardless, as George says. Since names are bound to endpoints by TLS certificates, the relevant attack today is unregulated ISP logging, not cache poisoning. It could make sense to use DNSSEC as part of some ssh intranet, putting ssh fingerprints in DNS, but this is a special thing that has to be configured, so it's hypothetical while the ISP logging is real. I do not really understand all the DNSSEC modes (do endpoints have to support it, do you have to request fail-closed per query, what is the latency penalty, etc.), so besides not being meaningful on the web, I'm not sure offhand how to go about setting up such a hypothetical ssh-fp scheme. DNSSEC seems kinda irrelevant to me, like IPv6, though this is "sad," or whatever.

> I'm wondering about sane public DNS that people are using, outside of
> the usual suspects....

I use a local resolver, and it's garbage. I think BIND is buggy, and besides the terrible security track record it wedges sometimes. My gut feeling is that there are a lot of broken recursive resolvers out there causing pages to load slowly. If I were setting up something from scratch I'd probably try to use DNS-over-TLS to Cloudflare or Google to evade the logging. If I decided it was just too yucky to depend on a megacorp and that I want to keep running a local resolver, it would not be BIND if I were doing it all over.

ISTR the logging policy for honestdns is sane, and Google is well-watched by many litigious governments because of European protectionism and US political grandstanding. I guess the same is true of Cloudflare, but less. Of ISPs, obviously, we know they are not watched or effectively controlled at all. They are the most hated companies in the country and scoff at other regulations and pay the wrist-slap fines; they illegally overcooperate with government wiretaps, then receive retroactive immunity from Congress.
Maybe ISPs are not watching local resolver traffic, only recursive traffic, because weirdos like us are too rare and irrelevant to bother with the implementation, but if Apple put a local resolver in AirPort by default they would start watching that traffic, so DNS-over-TLS is a real move in the game, solving a real problem that running a local resolver does not solve: if you can get your web traffic to a CDN without the ISP seeing the URL, you can gain a little more privacy without the speed, flakiness, dollar, and sketchiness cost of a VPN. It's a sensible default, which I think is what you're looking for here: how do I provide an unopinionated but "good" interweb connection. So I would take option (c) other, DNS-over-TLS, though it's not what I do myself.

For CDNs it's important your DNS queries come from near where the https request will come from, so one thing you should definitely not do is somehow shove DNS into a privacy VPN but then make https requests outside the privacy VPN. I think I was doing this at one point, not sure how noticeable it was, but it's "incorrect" in terms of unopinionated-but-good.

_______________________________________________
talk mailing list
talk@lists.nycbug.org
https://lists.nycbug.org:8443/mailman/listinfo/talk
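As an added example, not from the post above or the list, here is the DNS-over-TLS option the post recommends written as an Unbound configuration (a local resolver that is not BIND): the plaintext forward to an ISP resolver is shown commented out beside the TLS forward to Cloudflare and Google. The ISP resolver address 192.0.2.53 is a placeholder, and the CA bundle path is assumed to be the Debian/Ubuntu default.

```conf
# Unbound forwarding configuration (added example, not from the post).
#
# Weak setting: plaintext forwarding to the ISP's resolver on port 53,
# which lets the ISP log every name this network looks up.
# forward-zone:
#     name: "."
#     forward-addr: 192.0.2.53        # placeholder for the ISP resolver

server:
    # Listen only on the local host; run this on the same network the
    # browsers use (not behind a privacy VPN) so CDN answers are chosen
    # for where the https requests will actually come from.
    interface: 127.0.0.1
    interface: ::1
    # CA bundle used to verify the upstream resolver's certificate.
    # Path assumed (Debian/Ubuntu); adjust for your OS.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Corrected setting: forward everything to Cloudflare and Google over TLS
# on port 853 and require the certificate to match the name after '#',
# so a resolver impersonating the upstream is rejected rather than used.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

Check it with `unbound-checkconf` before reloading; once in place, only TLS connections to port 853 should leave the host for DNS.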