[talk] public "private" dns resolver

[Raul Cuza]

On Fri, Sep 20, 2019, 20:09 Pete Wright <pete at nomadlogic.org> wrote:

> so in light of all the recent sillyness of mozilla enabling DoH and all
> that it got me thinking it is past due for me to stop using my home ISP
> DNS servers.  i do have a server colo'd with an ISP i trust, so my first
> thought is to fire up a jail and setup unbound as a recursive resolver
> that i would then point my home at.  seems simple enough.
>
> so on a scale of meh to omg-kill-it-with-fire would running a random
> resolver with no ACL's on the public internet be?  i've run resolvers
> (which had ACL's enabled) on the public net for work as well as public
> bind servers doing anycast - so i feel confident i won't horribly mess
> up my configuration.  i'd like to avoid setting restricting access as i
> want to avoid a hassle if my home internet ip changes, or if i want to
> use this resolver while i'm on the road.
>
> thoughts?
> -pete
>
> --
> Pete Wright
> pete at nomadlogic.org
> @nomadlogicLA
>

If you are sending DNS requests over UDP, no matter what DNS server you are
using, the companies that own the pipe between you and your server can mine
information about you.

You could set up something like DNSCrypt [
https://www.opendns.com/about/innovations/dnscrypt/] to protect yourself.
Basically, create an encrypted tunnel from your computer to your trusted
server and run a DNS proxy on your computer that uses the tunnel. The
tunnel can use whatever authorization you feel comfortable with using.

The encrypted tunnel can be on whatever port you wish I'm case you are on a
draconian network.


DNS over TLS also sounds interesting. This could have certificate
authentication, too.

Hmmm. Sounds like a fun project.

Raúl

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nycbug.org:8080/pipermail/talk/attachments/20190920/098de074/attachment.html>