walterw Posted October 7, 2019

I was running unbound in conjunction with DNSSEC to basically ensure that responses aren't tampered with (because it is plaintext, if there is a malicious party in between me and the DNS server, it could modify the response without me knowing). Now, if I run unbound by itself in this manner, basically, my DNS queries are sent out in the open, plaintext, and then unbound will do all of that magic for me, ensuring that the IP address for google.com is indeed what it should be. Now, not all zones to my knowledge are signed.

Now, if I'm worried about someone seeing what my DNS traffic is, then they're going to be able to see my IP traffic too, so I don't see how much benefit there is to hiding my DNS traffic. Yes, the IP address might be used by many domains, but they might all be fairly closely related.

Now, if I were forwarding DNS queries to another provider, I am basically delegating that responsibility to them and may or may not be able to validate the result. Is that an accurate assessment? And, since they may not provide DNSSEC, if the DNS provider isn't offering DoH or DNSCrypt, then I have no guarantee that the IP address returned is accurate?
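As an added example, not taken from the post or from the unbound project, here is an unbound.conf covering the two setups the question contrasts: validating DNSSEC locally, and forwarding to an upstream resolver over TLS while still validating locally (unbound sets the DO bit on queries to the forwarder and checks the RRSIGs itself, so signed zones are verified even when recursion is delegated; unsigned zones get no such guarantee in either mode). File paths, the upstream address and its TLS hostname are assumptions.

```conf
# Added example (not from the post). Paths and addresses are assumptions.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Root trust anchor; unbound keeps it updated via RFC 5011.
    # Path depends on your distribution (assumed here).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Fail closed: an answer whose signatures do not validate (tampered
    # or broken) is returned as SERVFAIL rather than handed to clients.
    val-permissive-mode: no

    # Log which answers failed validation and why (0 = off, 1, 2).
    val-log-level: 2

    # Send only the part of the name each server needs (RFC 7816),
    # which limits what the root and TLD servers see of your queries.
    qname-minimisation: yes

    # CA bundle used to authenticate the upstream's TLS certificate
    # (only needed for the forward-zone below; path assumed).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Forwarding mode: queries go to one upstream over DNS-over-TLS (port 853)
# instead of unbound recursing from the root itself. Delete this whole
# block and unbound becomes a plain recursive resolver; the validation
# settings above apply unchanged in both cases.
forward-zone:
    name: "."
    # Placeholder upstream; replace with your provider's IP and the
    # hostname its certificate is issued for (the part after '#').
    forward-addr: 192.0.2.53@853#dns.example.net
    forward-tls-upstream: yes

# Checking the result once unbound is running (run from a shell):
#   unbound-host -C /etc/unbound/unbound.conf -v -t A example.com
# The answer is tagged (secure), (insecure) or (BOGUS): secure means
# the chain from the root anchor validated, insecure means the zone is
# unsigned, bogus means the signatures were present but did not verify.
```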