1. 15

  2. 5

    An adversary can still listen to packets. It’s best to also use dnscrypt-proxy to encrypt your DNS queries.

    1. 3

      And Unbound has a few security measures (e.g. 0x20-encoding and DNSSEC) if you’re worried about spoofing. I’ve read a few security people advising that Unbound should pretty much always be used over BIND.

      1. 4

        Actually, there’s much more happening around DNS hardening. There is T-DNS (DNS over TLS): https://tools.ietf.org/html/rfc7858

        And it seems like Unbound supports it: https://unbound.net/documentation/unbound.conf.html

        If it gains popularity, we might actually see standardized encryption in DNS.

        Also, DANE adoption seems to be slow, but it’s at least available for more services, as more software starts to support it.

      2. 1

        Agree on this 100%. A few weeks ago I started using it on my home LAN (before it was just Unbound as recursive resolver, now I have Unbound talking to dnscrypt-proxy for non-local zones) and it works like a charm. No difference in performance that I’ve noticed. FWIW, I’m using public servers (albeit ones that don’t log).
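What the two setups above look like in configuration, as an added example that is not from any commenter in this thread, from Unbound or from dnscrypt-proxy: a single unbound.conf with the hardening options named earlier (0x20 query-name randomisation, DNSSEC validation), a locally served zone, and a forward-zone that hands everything else to dnscrypt-proxy on loopback, with the RFC 7858 DNS-over-TLS variant shown as a commented alternative. The LAN addresses, the `home.lan` zone, the 5353 port, the file paths and the `dns.example` upstream are all assumptions for illustration.

```conf
# Added example: unbound.conf fragment for "Unbound in front of dnscrypt-proxy".
# Not taken from the thread, Unbound or dnscrypt-proxy; every address, port,
# path and host name below is an assumption chosen for illustration.
server:
    interface: 127.0.0.1
    interface: 192.168.1.1                 # assumed LAN address of the resolver
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow   # only the home LAN may query

    # Hardening mentioned in the thread: 0x20 case randomisation of the
    # query name and DNSSEC validation against the root trust anchor.
    use-caps-for-id: yes
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes

    # Zone answered locally; these names never leave the LAN.
    local-zone: "home.lan." static
    local-data: "nas.home.lan. IN A 192.168.1.10"         # constructed record
    local-data-ptr: "192.168.1.10 nas.home.lan."

    # CA bundle used to verify the upstream certificate if the DoT
    # alternative below is enabled.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # assumed path

# Everything that is not local goes to dnscrypt-proxy listening on loopback.
# 5353 is an assumption: it must match listen_addresses in dnscrypt-proxy.toml.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

# Alternative (RFC 7858, DNS over TLS) without dnscrypt-proxy: forward straight
# to a TLS-capable resolver on port 853. The name after '#' is the one Unbound
# checks against the server certificate. Use this block INSTEAD of the one above;
# two forward-zones for "." is a configuration error.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 192.0.2.53@853#dns.example
```

Run `unbound-checkconf` after editing, then query a signed name with `dig +dnssec` through the resolver and confirm the `ad` flag is set: if Unbound is validating, a forged or stripped answer from the upstream is rejected rather than cached, which is the point of keeping validation in Unbound even when the upstream hop is encrypted.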

      3. 3

        Blah. The moral of the story is to have your own DNS server that queries the root servers and they tell you this over three separate pages :/ .

        1. 2

          This isn’t anything particularly revolutionary, but it’s a good reminder. And it describes the differences between a recursive and caching DNS server quite well, which is always nice.

          It’s also a nice kick in the butt to remind me to actually set one up. Having a log of all DNS traffic can be quite problematic, privacy-wise.