
Unbound with DNSSEC / other providers


I was running unbound in conjunction with DNSSEC to basically ensure that responses aren't tampered with (because it is plaintext, if there is a malicious party in between me and the DNS server, it could modify the response without me knowing). Now, if I run unbound by itself in this manner, basically, my DNS queries are sent out in the open, plaintext, and then unbound will do all of that magic for me, ensuring that the IP address for google.com is indeed what it should be. Now, not all zones to my knowledge are signed. Now, if I'm worried about someone seeing what my DNS traffic is, then they're going to be able to see my IP traffic too, so I don't see how much benefit there is to hide my DNS traffic. Yes, the IP address might be used by many domains, but they might all be fairly closely related.

Now, if I were forwarding DNS queries to another provider, I am basically delegating that responsibility to them and may or may not be able to validate the result. Is that an accurate assessment? And, since they may not provide DNSSEC, if the DNS provider isn't offering DoH or DNSCrypt, then I have no guarantee that the IP address returned is accurate?


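The setup the post is weighing, as an added example (not from the original post, and not taken from the Unbound project's documentation): Unbound validating DNSSEC itself while forwarding every query to an upstream resolver over TLS. The file paths and the upstream address and certificate name are placeholders.

```conf
# Added example, not from the original post: Unbound validates DNSSEC locally
# while forwarding all queries to an upstream resolver over TLS.
# Paths and the upstream address/name below are placeholders (assumptions).
server:
    # Keep the validator module in front of the iterator (also the default).
    module-config: "validator iterator"
    # Root zone trust anchor, kept current by Unbound's RFC 5011 tracking.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # A signed zone whose answer arrives without signatures is treated as
    # bogus, so a forwarder that strips RRSIGs cannot silently downgrade
    # validation (this is the default; shown here because it is the point).
    harden-dnssec-stripped: yes
    # Do not hand bogus answers to clients.
    val-permissive-mode: no
    # Log validation failures with the reason, to see when answers are rejected.
    val-log-level: 2
    # CA bundle used to authenticate the upstream resolver's TLS certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Send all queries to the upstream on port 853 and verify its certificate
    # against the name after '#'. Placeholder address and name.
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dns.example.net
```

With this configuration Unbound still requests DNSSEC records from the forwarder and checks the signatures itself, so forwarding alone does not hand validation over to the provider; TLS on the forwarding path only protects the hop to that provider. Zones that are not signed remain unverifiable whichever resolver answers, and `unbound-checkconf` will report syntax problems in the file before it is loaded.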