[talk] Question about DNSSEC

Pete Wright pete at nomadlogic.org
Mon May 6 16:49:09 EDT 2024


On Sun, May 05, 2024 at 06:23:49PM UTC, Miles Nordin wrote:
> > I'm wondering about sane public DNS that people are using, outside of
> > the usual suspects....
> 
> I use a local resolver, and it's garbage.  I think BIND is buggy, and
> besides the terrible security track record it wedges sometimes.  My gut
> feeling is that there are a lot of broken recursive resolvers out there 
> causing pages to load slowly.

I run local-unbound on all my Unix systems, and serve my network with
unbound as well, where it acts as a validating/caching resolver.  I've had
zero issues with it.

> 
> If I were setting up something from scratch I'd probably try to use 
> DNS-over-TLS to Cloudflare or Google to evade the logging.  If I decided
> it was just too yucky to depend on a megacorp and that I want to keep
> running a local resolver, it would not be BIND if I were doing it all over.
>

If you are going to give someone all of your internet traffic, I'd suggest
using Quad9 (9.9.9.9).  In theory they aren't aggregating data, which Google
and Cloudflare are most certainly doing.

IBM is (was?) a backer of Quad9 - but at least in theory there are some
legal controls against mining your internet usage:
https://www.quad9.net/

Bonus points for it doing a decent job of filtering out malware.

-pete 
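As an added illustration (not part of Pete's message, nor a config shipped by unbound or Quad9), here is what a resolver of the kind described above looks like: unbound doing its own DNSSEC validation and caching for the local network, with recursion forwarded over DNS-over-TLS to Quad9.  The IP addresses and the TLS authentication name are Quad9's published ones; the file paths and the listening interfaces are assumptions and vary by OS packaging.

```conf
# /etc/unbound/unbound.conf (assumed path; adjust for your packaging)
server:
    # Listen only on loopback and the LAN side; adjust the LAN range.
    interface: 127.0.0.1
    interface: ::1
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation. The root trust anchor is kept current by
    # unbound itself via RFC 5011 rollover tracking; seed it once
    # with unbound-anchor. Path is an assumption.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Do not fall back to serving answers that fail validation.
    val-permissive-mode: no
    # Treat answers from which DNSSEC records were stripped as bogus
    # rather than silently downgrading to unsigned.
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-referral-path: yes
    # Send as little of the query name upstream as the lookup needs.
    qname-minimisation: yes

    # CA bundle used to verify the upstream DoT certificate.
    # Path is an assumption (Debian/Ubuntu layout shown).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Caching behaviour: refresh popular names before they expire.
    prefetch: yes
    prefetch-key: yes
    cache-min-ttl: 0

# Forward everything over TLS to Quad9. The "#dns.quad9.net" suffix
# makes unbound verify that name against the presented certificate,
# so a hijacked 9.9.9.9 route cannot serve a different endpoint.
# unbound still validates the RRSIGs in the forwarded answers
# itself; it does not rely on the upstream's AD bit.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
```

Two checks are worth running after a reload: `dig +dnssec example.com @127.0.0.1` should come back with the `ad` flag set in the header, and a query for a deliberately mis-signed zone such as `dnssec-failed.org` should return SERVFAIL rather than an address.  If the second one resolves, validation is not actually happening (typically a missing or unreadable trust anchor file).  Note that because this forwards rather than recursing, Quad9 still sees every name the network looks up; the DoT wrapper hides the queries from the path in between, not from the resolver operator, which is the trade-off the thread is discussing.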
