Run your own unbound or bind resolvers!

  • Domi@lemmy.secnd.me
    link
    fedilink
    English
    arrow-up
    8
    ·
    5 months ago

    Is it possible to get unbound to talk to the root servers via TLS/HTTPS by now?

    I’m currently using Quad9 because they support DNS over TLS and DNS over HTTPS.

    • NullGator
      link
      fedilink
      English
      arrow-up
      5
      ·
      5 months ago

      Yes its possible 👍

      Use:

      forward-zone:
        forward-addr: 9.9.9.9@853#dns.quad9.net
      
      • Domi@lemmy.secnd.me
        link
        fedilink
        English
        arrow-up
        3
        ·
        5 months ago

        That is what I’m doing currently but now unbound doesn’t talk to the root servers anymore, it sends all queries to Quad9.

        Both scenarios are not ideal because you always end up with one entity knowing all your queries.

        • NullGator
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          Perhaps you could configure more than unbound service behind a loadbalancer. Each unbound instance is configured to use different upstream dns servers.

          Double check if unbound doesn’t allow you to randomly hop between dns upstreams first, but the above solution should work if that’s unavailable atm.

    • out@lemmynsfw.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      Not sure you would even need encryption. Surely It can’t be illegal to ask the root servers (and all the other DNS servers involved, because the root servers only have IPs for TLD DNS servers) for IPs

      • Domi@lemmy.secnd.me
        link
        fedilink
        English
        arrow-up
        3
        ·
        5 months ago

        Not illegal but it leaves all your DNS lookups in plain text with your ISP, which just doesn’t sit right with me.

        Not that the ISP in my country would care.

        • NullGator
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          Also introduces the possibility of DNS poisoning