New Cloudflare DNS -- Fastest and Most Secure

Yeah, I’m looking at it now.

I think cloudflare is trustworthy.

I also think that some sort of encryption on DNS is a good thing as well. One of the main vulnerabilities of DNS is Man in the Middle or even just dragnet monitoring of DNS requests.

3 Likes

Ah I see now. We already have an ongoing topic on this here:

3 Likes

Done!

2 Likes

It benches better than anything else but I have noticed it does get slow in real use sometimes. As far as how much more secure it is over anything else, I lack the technical chops to answer that. Using Google was my best option until now and that might not be the best thing.

1 Like

If anyone is interested and wants to get this set up with DNS over TLS easily on Linux, you can do it with a local unbound resolver service. Simply install unbound and either replace or modify /etc/unbound/unbound.conf with the snippet below and start the service. From there you can add 127.0.0.1 as your DNS server and all requests will be using TLS; just make sure your ISP's DNS isn't also enabled at the same time.

## DNS Over TLS
server:
   cache-max-ttl: 14400
   cache-min-ttl: 600
   do-tcp: yes
   hide-identity: yes
   hide-version: yes
   # Bind to loopback only, since clients are pointed at 127.0.0.1.
   # Use 0.0.0.0@53 plus explicit access-control lines if the LAN must use it.
   interface: 127.0.0.1@53
   minimal-responses: yes
   prefetch: yes
   qname-minimisation: yes
   rrset-roundrobin: yes
   # Encrypt upstream queries (spelled tls-upstream in unbound >= 1.7; the old name still works).
   ssl-upstream: yes
   # Without a CA bundle unbound encrypts but does not authenticate the upstream,
   # so an on-path attacker with any certificate could still answer.
   # Path is distro-specific: Debian/Ubuntu shown, Fedora/RHEL use /etc/pki/tls/certs/ca-bundle.crt
   tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
   use-caps-for-id: yes
   verbosity: 1

forward-zone:
   name: "."
   # "#hostname" after the port makes unbound check the certificate name
   # (unbound >= 1.7.1); drop the suffix on older versions.
   forward-addr: 1.1.1.1@853#cloudflare-dns.com          # Cloudflare primary
   forward-addr: 1.0.0.1@853#cloudflare-dns.com          # Cloudflare secondary
   forward-addr: 9.9.9.9@853#dns.quad9.net               # Quad9 primary
   forward-addr: 149.112.112.112@853#dns.quad9.net       # Quad9 secondary

1 Like
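To see what the forward-zone above actually does on the wire, here is an added example (not code from the post or from the unbound project) that performs one DNS-over-TLS lookup in plain Python: a TCP connection to port 853, the 2-byte length prefix that RFC 7858 requires, and certificate verification against the resolver's hostname, which is the part a config without a CA bundle skips. The hostnames cloudflare-dns.com and dns.quad9.net are the names in those resolvers' certificates; the transaction id, the constructed test messages and the helper names are this example's own choices.

```python
"""DNS-over-TLS (RFC 7858) lookup in plain Python.

Added example, not from the forum post: shows what unbound's forward-zone
does on the wire (TCP framing, TLS on port 853, certificate checks).
"""
import socket
import ssl
import struct

# Resolvers from the post, paired with the hostnames in their certificates.
RESOLVERS = {
    "1.1.1.1": "cloudflare-dns.com",
    "1.0.0.1": "cloudflare-dns.com",
    "9.9.9.9": "dns.quad9.net",
    "149.112.112.112": "dns.quad9.net",
}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query for `name` (qtype 1 = A) with the RD flag set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes every message with its 2-byte length."""
    return struct.pack(">H", len(msg)) + msg


def _read_name(msg: bytes, off: int):
    """Return (name, offset after name), following compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_answers(msg: bytes, txid: int = 0x1234):
    """Return A-record addresses in a response; raise on id/rcode mismatch."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                     # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream")
        buf += chunk
    return buf


def resolve_dot(name: str, server: str = "1.1.1.1") -> list:
    """Resolve `name` over TLS on port 853, verifying the server's certificate."""
    ctx = ssl.create_default_context()      # system CA bundle, hostname check on
    raw = socket.create_connection((server, 853), timeout=5)
    with ctx.wrap_socket(raw, server_hostname=RESOLVERS[server]) as tls:
        tls.sendall(frame(build_query(name)))
        (length,) = struct.unpack(">H", _recv_exact(tls, 2))
        return parse_answers(_recv_exact(tls, length))


if __name__ == "__main__":
    print(resolve_dot("example.com"))
```

Running it with the system clock wrong, a missing CA bundle, or an interception box presenting its own certificate fails the handshake instead of silently returning answers; that failure is the property the `tls-cert-bundle` line in the unbound config buys you. Changing `server_hostname` to the bare IP address reproduces the unauthenticated behaviour of a config without it.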

I’ve been using my ISP DNS until today. I switched just before leaving the office but I’ll update tomorrow to let people know if I notice a difference.

With the ISP DNS, I’ve noticed that I do sometimes get multi-second response times.

2 Likes

Just a quick note that Quad9’s (9.9.9.9) logging policy is slightly more privacy-friendly than Cloudflare’s, with the same encryption features…

3 Likes

Glad to hear it!

Just an update, I’m seeing much faster time-to-render on my browser, at least via butt-dyno. I’m glad to say it’s noticeably faster than ISP DNS, although that’s not saying much.

2 Likes

I switched over to this to replace my fairly convoluted dnscrypt setup. So it’s good to be rid of that, but I needed it for a pretty specific use case. For general use there’s not much value in encrypted DNS traffic, although there’s no harm in it either. But DNSSEC is much more useful and it’s a shame that it will probably never be fully adopted.

Firefox (60?) also supports DNS over TLS.

I wonder if there are plans to include DNS over TLS support in distros’ standard networking setup (NetworkManager etc.). Anyone know?

2 Likes

Looks like it’s still kind of a WIP, but it would be a nice feature to have. I’d like to be able to have separate DNS config per browser window for testing… Probably a way to set that up already, but I’m not sure.

2 Likes

I checked my work connection and I’m borked by Concast… we are off of Concast and they just completely fuck the routing with multiple bounces and latency between bounces, that’s random.

A peripheral consideration if you are going to use Cloudflare’s DNS over TLS or DNS over HTTPS (more so with HTTPS) is increased bandwidth. My local bind server routes its forwarded requests to Google’s public DNS servers through an AWS EC2 instance. And my used bandwidth for all of March was small:

In mid April, I put dnscrypt-proxy in front of my bind server and pointed the proxy at Cloudflare’s DNS over HTTPS service. In a little over two weeks, my April bandwidth usage has already doubled:

Although it’s of very little value, if it ever was, to continue to route DNS traffic through an EC2 instance with it wrapped in HTTPS.

2 Likes

Thanks, @cburn11, that is a valuable insight.