On Thu, Oct 24, 2019 at 11:27:24AM +0100, Kevin Chadwick wrote:
| 
| > The purpose of unwind is to provide secure DNS services even when
| > the available nameservers are broken or filtered like in many hotels.
| > To do that, it prefers DNSSEC whenever possible and changes to do
| > resolving by itself if needed.
| > 
| > DNSSEC only offers integrity and authenticity.  To protect
| > eavesdropping on the requests in transit, encryption is needed, as
| > offered by e.g. DNS over TLS (DoT) and DNS over HTTP (DoH). unwind
| 
| Before I jump aboard with DNSSEC's failings in mind on my own networks rather
| than the mentioned hotel scenario, I believe but I am still not certain that
| services like PowerDNS have secure channels to the main primary DNS servers
| that apparently do not scale for the rest of us? Otherwise I worry that the
| network security target is a more singular centralised target compared to
| e.g. unbound.

These solutions (DoT / DoH, or the older DNSCrypt) encrypt DNS queries
from client to resolver; authorities are not available through these
protocols (yet).

This topic of DNS has lots of different attack vectors and risks
associated with it.  Slowly but surely, things are improving, but
there's no big-bang solution that gets rid of all the issues in one
go.

If you want to use encrypted DNS from your client to your own resolver
then you can also do that.  Unbound is in base, look at the
tls-service-* and tls-port: options in unbound.conf(5).

The downside of using your own resolver (e.g. by running unbound on
your laptop) is that its traffic is more easily tied to a specific user.
There's an anonymizing power in using a bigger (shared) resolver (with
the downside that you then give your queries to a resolver that's
probably outside of your control - different risks and all that).

If you don't want to trust the freely available PowerDNS recursor then
that's your prerogative; it's just an easy option that's available
should you wish to test Otto's diff.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
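The mail points at the tls-service-* and tls-port: options in unbound.conf(5) for serving encrypted DNS from your own resolver. The fragment below is an added example, not part of the original thread or of the unbound or unwind projects: it puts a DoT listener on loopback beside the plain port 53 listener, keeps DNSSEC validation on (DoT adds confidentiality, not integrity), and optionally forwards over TLS to a shared resolver instead of recursing to authorities in the clear, which is the trade-off the reply describes. File paths, the upstream address and its authentication name are placeholders, as are the access-control ranges.

```conf
# Added example unbound.conf(5) fragment (not from the original mail).
# All paths, addresses and the upstream name are placeholders/assumptions.
server:
    # Plain DNS on loopback only, plus a DoT listener on tls-port.
    interface: 127.0.0.1
    interface: ::1
    interface: 127.0.0.1@853
    interface: ::1@853
    tls-port: 853

    # Certificate chain and key presented to DoT clients (placeholder paths).
    tls-service-key: "/etc/unbound/tls/unbound.key"
    tls-service-pem: "/etc/unbound/tls/unbound.pem"

    # Only local clients may query; encryption does not replace access control.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # DNSSEC validation still provides integrity and authenticity;
    # DoT only protects the client-to-resolver hop from eavesdropping.
    auto-trust-anchor-file: "/var/unbound/db/root.key"

    # CA bundle used to verify the upstream resolver's certificate when
    # forwarding over TLS (placeholder path).
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Optional: trade the resolver-to-authority hop in the clear for a shared
# resolver reached over TLS.  The address and authentication name after '#'
# are placeholders; the name is checked against the upstream's certificate.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#resolver.example.net
```

Run unbound-checkconf(8) against the file before reloading; a missing or unreadable key or PEM file, or a forward-addr without an authentication name while forward-tls-upstream is set, is the usual reason a DoT listener silently fails to come up. Leave the forward-zone out if you want unbound to resolve by itself, as unwind does; in that case only the client-to-resolver hop is encrypted.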