On Thu, Oct 24, 2019 at 11:27:24AM +0100, Kevin Chadwick wrote:
|
| > The purpose of unwind is to provide secure DNS services even when
| > the available nameservers are broken or filtered like in many hotels.
| > To do that, it prefers DNSSEC whenever possible and changes to do
| > resolving by itself if needed.
| >
| > DNSSEC only offers integrity and authenticity. To protect against
| > eavesdropping on the requests in transit, encryption is needed, as
| > offered by e.g. DNS over TLS (DoT) and DNS over HTTP (DoT). unwind
|
| Before I jump aboard, with DNSSEC's failings in mind on my own networks rather
| than the mentioned hotel scenario: I believe, but I am still not certain, that
| services like PowerDNS have secure channels to the main primary DNS servers that
| apparently do not scale for the rest of us? Otherwise I worry that the network
| security target is a more singular centralised target compared to e.g. unbound.
These solutions (DoT / DoH, or the older DNSCrypt) encrypt DNS queries from client to resolver; authorities are not available through these protocols (yet). This topic of DNS has lots of different attack vectors and risks associated with it. Slowly but surely, things are improving, but there's no big-bang solution that gets rid of all the issues in one go.

If you want to use encrypted DNS from your client to your own resolver then you can also do that. Unbound is in base; look at the tls-service-* and tls-port: options in unbound.conf(5). The downside of using your own resolver (e.g. by running unbound on your laptop) is that its traffic is more easily tied to a specific user. There's an anonymizing power in using a bigger (shared) resolver (with the downside that you then give your queries to a resolver that's probably outside of your control - different risks and all that).

If you don't want to trust the freely available PowerDNS recursor then that's your prerogative; it's just an easy option that's available should you wish to test Otto's diff.

Cheers,

Paul 'WEiRD' de Weerd

--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
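As an added illustration of the unbound.conf(5) options Paul points at (this is example configuration written for this page, not configuration from the thread or from the OpenBSD project): a minimal personal resolver that accepts DoT from local clients and forwards its own queries to an upstream resolver over TLS. The certificate and key paths, the upstream address 192.0.2.1 and its TLS name resolver.example are placeholders.

```conf
# Example unbound.conf for a laptop resolver: DoT listener for local clients
# plus TLS to the upstream.  Paths and the upstream are placeholders.
server:
    # Plain DNS on loopback, port 53, for local stub resolvers ...
    interface: 127.0.0.1
    # ... and DNS over TLS on the DoT port (853) for clients that support it.
    interface: 127.0.0.1@853
    tls-port: 853
    # Certificate and key presented to DoT clients (placeholder paths;
    # on OpenBSD these are relative to the unbound chroot).
    tls-service-key: "/etc/unbound/unbound_server.key"
    tls-service-pem: "/etc/unbound/unbound_server.pem"
    # CA bundle used to verify the upstream resolver's certificate.
    tls-cert-bundle: "/etc/ssl/cert.pem"
    # Only answer local clients; refuse everything else.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # DNSSEC validation gives integrity and authenticity of the answers;
    # the TLS settings above only protect the queries in transit.
    auto-trust-anchor-file: "/var/unbound/db/root.key"

# Forward everything to one upstream over TLS (the "shared resolver" option
# from the thread: better crowd anonymity, but that resolver sees every
# query).  The name after '#' must match the upstream's certificate.
# Delete this block and unbound recurses from the root itself instead:
# no third-party resolver, but queries to authorities are still cleartext.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.1@853#resolver.example
```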