[Dnsmasq-discuss] Native DNS over TLS support... ?

Dominik dl6er at dl6er.de
Tue Jul 30 08:03:42 BST 2019


Hey Normen,

What is the precise goal you want to achieve with DNS-over-TLS?

You have to connect to the host before the encryption begins. So, after the browser has the IP address for the domain it seeks, it requests that host address in clear text. If you want to hide your browsing from your ISP, this is the point where you have inevitably lost without a VPN. Only after a connection has been established does the TLS handshake begin and the encryption become operational.

As such, DoH and DoT do nothing to increase your privacy against your ISP. They can still see your IP requests if they want, and a third-party DNS service has your entire DNS history. You do have the benefit of authenticity, in that the DNS travels in an encrypted tunnel with protection from a third party modifying it. However, when you use DNSSEC, you already get the same security benefits.

From a privacy point of view, I typically recommend running a local unbound instance on the same machine that does reverse lookups and DNSSEC authentication for you. This way, no single DNS provider has all your data.

Your view might differ from mine; it is always a question of whom you trust more than the others. There is no solution where you don't have to trust someone, e.g., either your ISP or a VPN provider. I just know that I trust my local ISP over some random large-scale "for free" DNS provider, which is why I have my local unbound resolver in addition to dnsmasq.

Best,
Dominik

On 30 July 2019 at 02:58:19 CEST, "Normen B. Kowalewski" <nbkowalewski at gmx.net> wrote:
>Hi Simon,
>
>I would love to have my HG funnel all local LAN DNS queries through a
>properly TLS-secured path towards my trusted DNS of choice.
>
>I stumbled upon a several-year-old narkive thread where you were
>considering DNS-over-TLS support:
>https://dnsmasq-discuss.thekelleys.org.narkive.com/ID8nebif/dns-over-tls
>
>Are you still seeing this as something in the future of the dnsmasq native
>implementation, without an extra external proxy function like stubby?
>
>BR, Normen
>
>
>_______________________________________________
>Dnsmasq-discuss mailing list
>Dnsmasq-discuss at lists.thekelleys.org.uk
>http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
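One concrete way to wire up the setup Dominik describes (dnsmasq on the LAN side, forwarding every non-local query to an unbound instance on the same host that does the recursion and the DNSSEC validation, so no upstream DNS provider is involved at all). This is an added configuration example, not part of the original thread and not taken from the dnsmasq or unbound projects; the unbound port 5335, the file paths, the LAN address 192.168.1.1 and the root-hints/trust-anchor locations are assumptions that depend on the distribution.

```conf
# --- /etc/unbound/unbound.conf.d/local-resolver.conf ---------------------
# Added example. Port, paths and addresses are assumptions, adjust to your system.
server:
    # Only answer on loopback; dnsmasq is the only client of this instance.
    interface: 127.0.0.1
    port: 5335
    access-control: 127.0.0.0/8 allow
    do-udp: yes
    do-tcp: yes

    # Full recursion starting at the root servers: no forward-zone is configured,
    # so no single "for free" provider ever sees the complete query history.
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation; the trust anchor file is kept current by unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Send only the labels each authoritative server needs to know (RFC 7816).
    qname-minimisation: yes

    hide-identity: yes
    hide-version: yes
    prefetch: yes

# --- /etc/dnsmasq.d/forward-to-unbound.conf -------------------------------
# Added example. Do not read /etc/resolv.conf, so the ISP resolver handed out
# by DHCP is never used as an upstream; everything goes to local unbound.
no-resolv
server=127.0.0.1#5335

# Serve the LAN and loopback only.
listen-address=192.168.1.1,127.0.0.1
bind-interfaces

# Never forward plain hostnames or reverse lookups for RFC 1918 space upstream.
domain-needed
bogus-priv

# dnsmasq does not validate here; it passes the AD bit set by unbound through
# to LAN clients so that they can see what was validated.
proxy-dnssec
```

After writing the files, `unbound-checkconf` and `dnsmasq --test` report syntax errors before anything is restarted. A quick validation check is `dig +dnssec @127.0.0.1 -p 5335 <signed-domain>`: the `flags:` line should contain `ad` for a correctly signed name, and a name with a deliberately broken signature should come back as SERVFAIL. Note that `proxy-dnssec` and dnsmasq's own `dnssec` option are alternatives; enabling both makes dnsmasq validate a second time, which only costs latency when unbound already validates.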
