Jump to content
walterw

Unbound with DNSSEC / other providers

Recommended Posts

I was running unbound in conjunction with DNSSEC to basically ensure that responses aren't tampered with (because it is plaintext, if there is a malicious party in between me and the DNS server, it could modify the response without me knowing).  Now, if I run unbound by itself in this manner, basically, my DNS queries are sent out in the open, plaintext and then unbound will do all of that magic for me, ensuring that the IP address for google.com is indeed what it should be.  Now, not all zones to my knowledge are signed.  Now, if I'm worried about someone seeing what my DNS traffic is, then they're going to be able to see my IP traffic too, so I don't see how much benefit there is to hide my DNS traffic.  Yes, the IP address might be used by many domains, but they might all be fairly closely related.

Now, if I were using forwarding DNS queries to another provider, I am basically delegating that responsibility to them and may or may not be able to validate the result.  Is that an accurate assessment?  And, since they may not provide DNSSEC, if the DNS provider isn't offering DoH or DNSCrypt, then I have no guarantee that the IP address returned is accurate?

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...