Quoting tito via Dng (dng@lists.dyne.org):

> Hi,
> just for fast information, is it enough for unbound to remove:
>
> forward-zone:
> #forward-first: yes
> name: "."
> forward-tls-upstream: yes
> forward-addr: 1.1.1.1@853#cloudflare-dns.com
> forward-addr: 1.0.0.1@853#cloudflare-dns.com
> forward-addr: 8.8.4.4@853#dns.google
> forward-addr: 8.8.8.8@853#dns.google
> forward-addr: 9.9.9.9@853#dns.quad9.net
> forward-addr: 185.222.222.222@853#dns.sb
> forward-addr: 185.184.222.222@853#dns.sb
Answer below.

> Does it make sense to keep:
>
> server:
> tls-upstream: yes
> tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

On that: yes.

On the former question, er, I'm actually a bit nonplussed about why those forwarder lines are in your configuration file in the first place. Forgive me, but it's rather late at night in my time zone, and I am not at peak alertness, _but_ my guess is that Unbound got set up somehow configured to forward outbound recursive queries to those entities, leaving me perplexed about why anyone would do that.

That having been said, I personally would definitely _not_ want to have that configuration detail in my recursive nameserver state, without an extremely compelling reason, because doing that appears to largely defeat the entire purpose of running one's own recursive nameserver. Analogously, it would be like setting up a fully capable SMTP smarthost on a stable public IP address with free routing to 25/tcp anywhere in the world, but then configuring it to forward all outbound SMTP traffic to an untrustworthy ISP external mail host. Which would lead one to wonder, why?

I hope that helps. I have no idea what else you might have in your configuration that ought not to be there, obviously.

> I ask because after reading the thread I've tried on one
> of my home's net dns servers and it worked (I could browse the web)
> but browsing speed was noticeably slower, does it improve
> in the long run or do we have to choose between
> privacy and speed?

I'm seriously not sure why operating a local recursive nameserver would be expected to reduce speed. Obviously, at initial startup of that process, it has nothing yet in cache and needs to do some queries of often-used FQDNs, but I would expect that it would very quickly improve DNS performance over _any_ nameserver on the far side of your uplink, because obviously your speed of local DNS resolution is really fast relative to your uplink, right?
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
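An added example, not part of the thread and not taken from the Unbound project's own documentation: a minimal unbound.conf showing the two setups discussed above side by side, the forwarder variant (DNS over TLS to the listed public resolvers) scoped to its forward-zone, and the fully recursive, DNSSEC-validating variant that results from deleting that clause. Option names are the ones documented in unbound.conf(5); the forwarder addresses are those tito posted; the listen address, access-control range and trust-anchor path are assumptions for a single home host. One caveat worth checking before keeping `tls-upstream: yes` in the `server:` section after the forwarder is gone: unbound.conf(5) describes that option as enabling TLS for all upstream queries, which in full recursion includes iterative queries to authoritative servers that do not offer TLS on 853, so this example leaves the global switch off and enables TLS only inside the forward-zone. The CA bundle line is harmless to keep either way, since it is only consulted when a TLS upstream is actually configured.

```conf
# Added example (not from the thread): unbound.conf for the two setups discussed.
server:
    # Listen only on the loopback and answer only local clients; assumed values.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation for the recursive variant. The path is the Debian
    # packaging default and is an assumption here.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # CA bundle used to authenticate TLS forwarders; unused without a TLS upstream.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # Keep the global switch off: per unbound.conf(5) it forces TLS for every
    # upstream query, including iterative ones to authoritative servers, which
    # do not speak DNS over TLS. TLS is scoped to the forward-zone below instead.
    tls-upstream: no

    # Mitigates the cold-cache slowness raised in the thread: refresh popular
    # records before they expire and send only the labels needed upstream.
    prefetch: yes
    qname-minimisation: yes

    # Do not disclose the resolver's identity or version to queriers.
    hide-identity: yes
    hide-version: yes

# Variant A: forward all queries over DNS over TLS to the listed public resolvers.
# The "#hostname" suffix is what Unbound verifies against the server certificate.
# Variant B, the change the thread discusses, is simply to delete this whole
# clause, after which Unbound resolves from the root servers itself.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 8.8.4.4@853#dns.google
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 185.222.222.222@853#dns.sb
    forward-addr: 185.184.222.222@853#dns.sb
```

After editing, `unbound-checkconf` validates the file before a restart, and `unbound-control status` (where remote control is enabled) confirms the daemon came back up. Whichever variant is chosen, the `server:` section above is the same, so switching between them is a matter of adding or removing the single forward-zone clause.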