DNS privacy: Encrypted Forwarder vs. Resolver

Started by 9axqe, May 16, 2023, 02:08:25 PM

I read numerous posts on this and this is the essence, as far as I understood it:


Forwarder:

Pro: everything is encrypted up to your upstream resolver.

Con: Your upstream resolver sees every DNS lookup. You better trust him – a lot.


Resolver:

Pro: it will send your DNS lookup to the relevant authoritative DNS servers, which means the knowledge about your DNS lookups will be spread out for one, and secondly fewer entities will know about it.

Con: no way of enforcing encryption (DoH/DoT/DoQ/DoH3/etc.). At least DNS lookups will happen in plain text and can be snooped on by your ISP.

Now to my question: how many of the DNS authoritative servers support some form of encrypted DNS lookups? I'm trying to gauge one model against the other. I do trust some DNS resolver providers to some extent; I do not trust my ISP at all.

My threat model: I am not a high value target (as far as I know), just looking for some privacy.

I guess that's going to boil down to who you (dis)trust more - your ISP or the public resolver you intend to use. You could also look at using one of the privacy-focused resolvers like Quad9. Of course you still have to trust them in the end.

Personally I've run both setups, both work fine. Right now I'm using a public resolver and DoT because I wanted to try it out, was happy that it's working and stopped caring at that point  ::)

I trust my ISP not to sniff customer traffic. Not because they promise, but because

- they are German Telekom
- they are bound by GDPR and other customer protection laws
- if they ever get caught, they are screwed

That will not keep them from doing so if there's ever a federal investigation concerning me in particular and they are ordered by the police - but it is certainly enough of a deterrent against general capitalist f*ckery with their customers on a large scale. In a proper rule of law country, at least.

YMMV
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

All this is true. I am in the UK, so GDPR luckily still applies as well. I take a similar view but I apply my own twist.
I use getdns/stubby in OPNsense. With it we can use multiple DoT servers like Quad9, Cloudflare, etc. in round-robin. My DoT queries are therefore spread across encrypted and DNSSEC-validating resolvers.
I don't trust any single one; they all have an agenda. Less chance that any one of them can build a profile.
Do I need it? Not really (due to GDPR), but it was a fun exercise and it just works. Except when rebuilding the firewall. I need to save that config somewhere :)
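The two models from the opening post (encrypted forwarder vs. plain recursive resolver) and the "spread the queries over several DoT upstreams" idea from this reply can both be expressed in one Unbound configuration, which is the resolver OPNsense ships. The example below is added here for illustration and is not configuration from the thread or from the OPNsense project; the IP addresses and TLS authentication names are the public ones for Quad9 and Cloudflare, and the certificate bundle and trust-anchor paths are assumptions that depend on the host OS.

```conf
# Added example: Unbound in "encrypted forwarder" mode with several DoT upstreams.
# Delete the whole forward-zone block to get the "recursive resolver" mode instead:
# Unbound then walks from the root servers to the authoritative servers itself,
# and those last hops are plain UDP/TCP 53, as the opening post describes.
server:
    interface: 127.0.0.1
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # CA bundle used to verify the upstreams' TLS certificates.
    # Assumed path; /etc/ssl/cert.pem on FreeBSD/OPNsense (with ca_root_nss),
    # /etc/ssl/certs/ca-certificates.crt on Debian-based systems.
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # Validate DNSSEC locally instead of trusting the upstream's AD bit.
    # Assumed path for the root trust anchor maintained by unbound-anchor.
    auto-trust-anchor-file: "/var/unbound/root.key"
    harden-dnssec-stripped: yes

    # Only matters in recursive mode: send the minimum qname to each hop,
    # so an authoritative server learns less about the full name being looked up.
    qname-minimisation: yes

# Forward everything (".") over TLS to a pool of public resolvers.
# Syntax: address@port#tls-auth-name; the name after '#' must match the certificate.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: no                     # never fall back to plain recursion
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

One caveat on the "spread" part: Unbound picks among the listed upstreams by measured latency, so over time one provider can end up receiving most queries; the strict round-robin described in the reply is a stubby feature (`round_robin_upstreams`), not an Unbound one. To check that the forwarder mode really is encrypted, resolve a name through 127.0.0.1 and watch the WAN side: with the forward-zone in place you should only see outbound TCP 853 to the listed addresses, and no port 53 traffic at all.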

Quote from: pmhausen on May 16, 2023, 09:12:06 PM
I trust my ISP not to sniff customer traffic. Not because they promise, but because

- they are German Telekom
- they are bound by GDPR and other customer protection laws
- if they ever get caught, they are screwed

That will not keep them from doing so if there's ever a federal investigation concerning me in particular and they are ordered by the police - but it is certainly enough of a deterrent against general capitalist f*ckery with their customers on a large scale. In a proper rule of law country, at least.

YMMV
Patrick

But you still get a warning or whatnot if you use torrents to download stuff etc. in Germany. You may even get fined... So how does this work when they are not supposed to sniff the traffic... LOL

Quote from: lilsense on May 17, 2023, 02:34:31 AM
but yet you get a warning or what not if you use torrent to download stuff etc in Germany. You may even get fined...
Any documentation on that? Do the ISPs act on their own or only when there is an active investigation, e.g. on behalf of the content maf^H^H^Hindustry?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)