Best DNS for privacy?

fatcat@discuss.tchncs.de · 1 year ago

Best DNS for privacy?

meitantei@lemmy.dbzer0.com · edit-2 1 year ago

deleted by creator

ddh@lemmy.sdf.org · 1 year ago

Yes, but what does it use?

RustyWizard@programming.dev · 1 year ago

Authoritative name servers.

Good enough write-up about it here: https://docs.pi-hole.net/guides/dns/unbound/

terribleplan@lemmy.nrd.li · 1 year ago

The only problem there is that if you are going for privacy all of the traffic between your unbound and the authoritative servers is unencrypted. It us certainly a trade-off involving trusting a 3rd party, but with a busier public DNS server there can be a level of plausible deniability due to the aggregation and shared caching involved.

RustyWizard@programming.dev · edit-2 1 year ago

Kinda. You can always route your traffic over a VPN. Further, from the unbound page:

To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit the amount of data exchanged with authoritative servers. These standards do not only improve privacy but also help making the DNS more robust. The most important are Query Name Minimisation, the Aggressive Use of DNSSEC-Validated Cache and support for authority zones, which can be used to load a copy of the root zone.

Edit: to be clear, I run unbound but I don’t recall how much I hardened it. The config file is fairly large and I was mostly focusing on speed and efficiency since it’s running on an already busy raspberry pi.

Cambionn@feddit.nl · edit-2 1 year ago

Use your own.

That may not always be the best way to go, as it’ll make fingerprinting also much easier. The more custom your setup is, the less there are like you, the easier your tracked by fingerprinting techniques.

Not saying it’s bad per se, but the idea that trusting no one and setting everything up yourself is always more private isn’t true either. Both providers and do-it-yourself have negative sides one should stay critical about.

pound_heap@lemm.ee · 1 year ago

How using selfhosted DNS makes you easier to be tracked?

Cambionn@feddit.nl · edit-2 1 year ago

As I said:

as it’ll make fingerprinting also much easier.

Fingerprinting is a technique where they look at everything they can grab from received requests and try to use that info to identify people. The things you block (like ads and trackers), the used DNS, your user agent, your IP, etc. It’s all used to try to identify you. The more you blend in with others, the harder to identify you are. The more custom stuff you have, the easier to identify you are.

If fingerprinting or not having to trust third parties is more important depends on your threat model. But it’s important to know the risks of a trust-no-one do-it-yourself approach when making the decision.

pound_heap@lemm.ee · 1 year ago

Well, my question was specifically about DNS. I don’t think that the sites or services you use have any way to know what DNS are you using.

ISP can capture DNS traffic, but this is where threat model comes into play… Like if you are concerned about some entity to collect you profile based on data from ISP which includes both your DNS queries and your IP

Cambionn@feddit.nl · 1 year ago

Well, you’re right. I was mixing a few things up in my head. My bad. Altrough I did find a few interesting ways that can be used by websites to find client side DNS, it isn’t exactly the norm or likely to hit you with custom setups.

I retract my point on DNS, but the general notion that do-it-yourself isn’t always better stays. Al be it off-topic here now.

pound_heap@lemm.ee · 1 year ago

Interesting, can you share any links regarding finding client DNS?

Cambionn@feddit.nl · 1 year ago

There are quite some results if you search online, but here’s one with some specific info: https://security.stackexchange.com/questions/129917/how-does-a-website-know-the-dns-server-a-client-uses