top | item 34820061


eftepede | 3 years ago

I'm happy with blocky. I was using pihole before it, but blocky gives me DoH out of the box (without a second service/container for it). It also can bootstrap itself (download blocking rules) via DoH. Thanks to it, my DHCP broadcasts my blocky instance(s) as 'standard' UDP DNS servers for everything at home, but all the DNS traffic going outside my gateway is on DoH.

The next thing on my list is to craft my own set of blocking rules. Currently I'm using the set from a friend, who was using blocky before me.


duffyjp | 3 years ago

I don't know enough about it: is DoH better/different from using DNSSEC upstream servers in Pi-hole?

eftepede | 3 years ago

DNSSEC only assures you that the DNS response is 'correct' and 'legit', like 'no one has poisoned it during the transfer'. But the traffic is still unencrypted, so someone (like your ISP) can see what names you're trying to resolve and when. This can be a base for some profiling or even forming opinions, like 'this guy goes to porn sites every evening' or 'this person likes to browse amazon, maybe they're addicted to online shopping'. Of course I exaggerate a lot here, but it's possible.

With DoH, or DNS-over-HTTPS, your DNS requests travel through the network encrypted. The first advantage is: a man in the middle can't see what domain names you are trying to resolve. The second: they don't even know if the traffic they see right now is actually resolving a domain, or just browsing a website.

So DoH is a lot more private than DNSSEC. But it's fair to say it's a lot slower than standard DNS traffic (although it's not the difference a human can actually notice in most cases).

tptacek | 3 years ago

Yes, for many reasons, the most important two being that DNSSEC doesn't encrypt traffic, and that DoH works even on the (vast, overwhelming majority of) zones that haven't and won't ever be signed with DNSSEC.