item 25660536

throwaway0x00ff | 5 years ago

It's more complicated than that: using unbound is basically trusting your ISP with your DNS data (it's not encrypted so it can MITM). Using an upstream resolver doesn't necessarily mean you give up on privacy.

It may actually be more private to use a public resolver (with DoT or DoH of course) that will know your IP address but maybe not directly tie it to your identity (like an ISP does). Also, imo they generally have better privacy policies than ISPs (not that I trust those but still).

The next more private options include using DNS over Tor or Oblivious DNS (https://blog.cloudflare.com/oblivious-dns/). Those options are better for privacy, but I don't see them as default (at least for now) as they imply some slowness (Tor) or are more opinionated (ODNS).

Even after all that, your browser will leak the SNI header in clear-text (eSNI isn't popular yet) so your ISP can still get the precise name of the site you want to visit.


rconti | 5 years ago

Thanks, I guess this is a fair point. I'm with Sonic (who I absolutely trust) but currently my fiber is provided by AT&T, who I do NOT. Still waiting for that native fiber.

I guess I'm so used to thinking about this from the standpoint of building DNS resolvers for business that I didn't think through the differences when it's just my house's traffic.

I'll look into DoH.