OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: beki on February 27, 2024, 10:06:06 AM

Title: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: beki on February 27, 2024, 10:06:06 AM
Dear beloved Zenarmor Users,

All DNS queries are routed in plaintext. Your ISP or a hacker can intercept transmissions via UDP and TCP protocol 53 in plaintext to compromise the site's DNS queries and responses. For this reason, we should encrypt our DNS queries for security purposes. DNS over TLS (DoT) is a security protocol that utilizes Transport Layer Security (TLS) to encrypt DNS traffic and is one of the most common DNS security solutions.

This tutorial will help you configure the OPNsense DNS resolver to encrypt all DNS queries in order to prevent surveillance and enhance your online privacy and security.

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-dot-on-opnsense

Best Regards,

Zenarmor Team
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: Monviech (Cedrik) on February 27, 2024, 09:08:30 PM
Does this really improve security and privacy though?

You are giving a recursive DNS Server of a provider like Google and Cloudflare all of your DNS queries; they can easily profile you, undermining the privacy statement.

Additionally, DNS over TLS doesn't secure you from hackers. The recursive DNS servers still have to query the DNS root servers, which communicate unencrypted (also with each authoritative DNS Server of a domain). That means now the hacker has an easy single point to poison DNS entries, the big centralized recursive DNS providers. And everybody has a false sense of security. And since DNS is based on trust anyway (since everybody is allowed to publish DNS records on their authoritative DNS servers) you can't prevent malicious data sources that replicate through DNS, even if you then get it encrypted from your centralized recursive resolver (like Google and Cloudflare). It's all automatic after all.

In my opinion, the best way to ensure your privacy and security is to use your own recursive DNS resolver, which is the standard configuration of Unbound in the OPNsense. It leverages the decentral structure of DNS.
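To make the contrast in this thread concrete (the tutorial's DoT forwarding setup in the first post versus the stock recursive Unbound that Monviech describes), here is an added example of the two setups as hand-written unbound.conf files. This is not code from the linked tutorial or from the OPNsense project; OPNsense generates its own Unbound config from the GUI (under Services > Unbound DNS, as I recall it; verify in your version). The LAN address 192.168.1.1/24, the file paths and the choice of Quad9 as upstream are assumptions; 9.9.9.9, 149.112.112.112 and the TLS name dns.quad9.net are Quad9's published resolver details.

```conf
# Added example: two alternative unbound.conf files, not OPNsense's generated config.
# Pick ONE variant per resolver. Addresses and paths are assumptions.

# ===== Variant A: stock recursive resolver (the OPNsense default) =====
server:
    interface: 192.168.1.1                 # assumed LAN address of the firewall
    access-control: 192.168.1.0/24 allow   # only the LAN may query
    root-hints: "/var/unbound/root.hints"             # assumed path to the root server list
    auto-trust-anchor-file: "/var/unbound/root.key"   # DNSSEC validation (assumed path)
    harden-dnssec-stripped: yes            # refuse answers whose DNSSEC data was stripped
    qname-minimisation: yes                # send each hop only the labels it needs (RFC 9156)
    # No forward-zone: Unbound walks root -> TLD -> authoritative itself.
    # Those hops are plaintext UDP/TCP 53, but spread over many operators,
    # so no single party sees all of your query names. DNSSEC, not the
    # transport, is what lets the resolver detect forged answers.

# ===== Variant B: DoT forwarding (what the tutorial sets up) =====
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    auto-trust-anchor-file: "/var/unbound/root.key"   # keep validating; DoT alone does not
    tls-cert-bundle: "/etc/ssl/cert.pem"   # CA bundle used to verify the upstream's certificate
forward-zone:
    name: "."                              # forward everything
    forward-tls-upstream: yes              # TLS to every forward-addr below, TCP 853
    forward-addr: 9.9.9.9@853#dns.quad9.net            # "#name" pins the expected cert name
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # Only the firewall-to-Quad9 leg is encrypted. Quad9 still recurses to
    # authoritative servers in plaintext port 53, and it sees every query name:
    # that is the centralisation point the thread is debating.
```

Check either file with `unbound-checkconf /path/to/unbound.conf` before loading it. To confirm which variant is actually in effect, watch the WAN side while a client resolves a name: Variant B shows only TCP 853 to the forwarders (`tcpdump -ni <wan-interface> port 853`), Variant A shows port 53 traffic to many different servers. In both cases `dig +dnssec example.com @192.168.1.1` should return the AD flag for signed zones, which is the check that validation survived the change.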
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: Patrick M. Hausen on February 27, 2024, 10:28:50 PM
Quote from: Monviech on February 27, 2024, 09:08:30 PM
In my opinion, the best way to ensure your privacy and security is to use your own recursive DNS resolver, which is the standard configuration of Unbound in the OPNsense. It leverages the decentral structure of DNS.
Amen, brother. (emphasis mine)
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: Seimus on February 28, 2024, 11:17:57 AM
Quote from: Patrick M. Hausen on February 27, 2024, 10:28:50 PM
Quote from: Monviech on February 27, 2024, 09:08:30 PM
In my opinion, the best way to ensure your privacy and security is to use your own recursive DNS resolver, which is the standard configuration of Unbound in the OPNsense. It leverages the decentral structure of DNS.
Amen, brother. (emphasis mine)

Bless you both, holy words. I agree.

Even though DoT is "nice to have", it is partially a placebo effect for people thinking they are super duper secure on the DNS side, created by misconception and misunderstanding of how it works behind the dedicated DoT DNS server on the "last mile".

Regards,
S.
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: almodovaris on February 28, 2024, 08:12:24 PM
I have DoT to Quad9. Not a commercial organization. Logs are kept for 24 hours, only to prevent abuse.

I trust that Quad9 operators know what they do. And that is above my pay grade.
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: Patrick M. Hausen on February 28, 2024, 08:14:54 PM
The interesting question is what they are going to do when the feds knock on their door with a national security letter?
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: almodovaris on February 28, 2024, 08:18:44 PM
Quad9 is run by a cooperation of several national Police organizations. So, they are not enemies of the FBI.

And if the Police wants to know what I do with my computers/mobile phones, they are legally allowed to intercept my traffic and hack my devices.

Anyway: for the law-abiding citizens, Police is their friend, not their enemy.
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: lilsense on February 28, 2024, 09:45:09 PM
Quote from: almodovaris on February 28, 2024, 08:12:24 PM
I have DoT to Quad9. Not a commercial organization. Logs are kept for 24 hours, only to prevent abuse.

I trust that Quad9 operators know what they do. And that is above my pay grade.

Look at their Sponsors who pay the bills. LOL
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: almodovaris on February 28, 2024, 09:53:44 PM
If you only want to use something perfect: DNS is by default not perfect, so you should not use it.

What can they find about me through DNS calls? That I use Wikipedia and that I'm a Usenet leecher. Usenet leeching is not prosecuted in my country.
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: Mpegger on December 03, 2024, 04:36:59 AM
Speaking of man-in-the-middle, in my case, I prefer using DNS-over-TLS with Cloudflare because of their no-tracking/logging policies, but also because it's one less way my ISP (Verizon) can track the home usage.

For those who have similar ISPs that love to log everything and sell customer data, DoT could be useful.
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: peterwkc on December 30, 2024, 09:34:32 AM
How to configure unbound as recursive DNS resolver??
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: Patrick M. Hausen on December 30, 2024, 09:38:09 AM
Quote from: peterwkc on December 30, 2024, 09:34:32 AM
How to configure unbound as recursive DNS resolver??

Simple: install OPNsense. It's the default.
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: peterwkc on January 08, 2025, 08:42:25 AM
Thanks @Patrick
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: lilsense on January 17, 2025, 05:05:52 PM
Quote from: Patrick M. Hausen on December 30, 2024, 09:38:09 AM
Quote from: peterwkc on December 30, 2024, 09:34:32 AM
How to configure unbound as recursive DNS resolver??

Simple: install OPNsense. It's the default.
Is there an instruction to set this up using pihole?
Title: Re: Tutorial: How to Configure DoT on OPNsense Firewall?
Post by: Patrick M. Hausen on January 17, 2025, 05:28:08 PM
Quote from: lilsense on January 17, 2025, 05:05:52 PM
Is there an instruction to set this up using pihole?
I never used pihole, sorry. Also I do not quite understand. Configure pihole to act as a recursive DNS server or what?