I read a bit about using a different DNS for Privacy and I think the best one should be quad9? Or is there anything better except self hosting a DNS?

  • eleitl@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    You run a local resolver for your household and enable DNS encryption where supported. Using a VPN for everything removes your ISP from the loop. It’s a matter of privacy layers and your threat model. If you want to play with TLAs you’ll need to try way harder.

    • terribleplan@lemmy.nrd.li
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      If my threat model realistically involved TLAs or other state-sponsored actors I would not be advertising what I do or do not know on a public forum such as Lemmy, haha.

      This conversation was in the conext of running Unbound, which is a recursive resolver and AFAIK DNS “encryption” isn’t a thing in a way that helps in this scenario… DoH, DoT, and DNSCrypt are all only concerned/deployed by recursive servers, meaning unbound isn’t using those. DNSSEC only provides authentication (preventing tampering) of the response, not any sort of encryption/hiding.

      • eleitl@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        I’m also running unbound on my opnsense, configured to use root DNS servers. Don’t recall what exactly is enabled.

        Yours is a good point why I should run all my traffic through a Wireguard tunnel to my dedicated server, so that my ISP is out of the loop.