This is a general DNS security thread for anyone willing to discuss, help newbies or learn more about DNS security in general.
Who among you are using DNSSEC [1, 2] already? Why do you use it? What do you use it for? Have you considered TLSA (DANE [3]), SSHFP [4], OPENPGPKEY [5] resource records (RRs) yet?
Perhaps you don't like DNSSEC and instead use DNSCrypt [6] or DNSCurve [7] for encryption of your queries?
DNSSEC uses asymmetric cryptography [8] to securely sign all resource record sets (RRsets) on all authoritative name servers that support DNSSEC. Your local DNSSEC enabled resolver then validates the authenticity of your DNS queries to make sure your query has not been tampered with. This thwarts attacks trying to, for example, redirect you to malicious and compromised servers instead.
If you're thinking about registering your own domain, check if your registrar offers DNSSEC. Some registrars automatically sign your zone, which means you most likely can already add your TLSA RRs and such. Other registrars offer to upload your Delegation Signer (DS) RR, or your public zone signing key (ZSK) / public key signing key (KSK) instead. That's also nice if you wish to just host your own authoritative name server.
Helps if you find a server close to you, I get 9ms
ofc, I would guess it's kinda redundant
Leo Sullivan
Not necessarily redundant, but it does show that for many people confidentiality is missing in DNSSEC's design. However, if your goal is to stop your ISP or anyone else from snooping, a VPN would make more sense instead of only protecting your DNS queries with DNSCrypt.
Josiah White
my dnscrypt responses have basically the same response time as non-dnscrypt.
maybe you just chose a server with horrible latency, try a different dns server
Liam Lewis
I have a VPN, but rarely use it except on my seedbox. The ISPs are required to block torrent sites, so they do it by DNS (kinda stupid, but ok)
Aiden Williams
>we don't like this business so we aren't going to publish its telephone number in our phonebook
Samuel Sanchez
How can I host my own DNSCrypt server? I don't want to rely on anything third-party. Can Unbound do it?
William Richardson
What's your goal? Yes, you can install DNSCrypt on a VPS and install the client on your local system(s). Unbound has nothing to do with DNSCrypt, though, but you can run it through the DNSCrypt tunnel. Still, I'm not sure what you want to accomplish here.
Connor Walker
My goal is to deploy a DNSCrypt server on a CentOS VPS so I don't have to use any of the provided ones, and forward my DNS queries to that using Unbound.
Lucas Parker
For what purpose? To obfuscate your traffic? You'll still connect directly to the IP address once resolved, which anyone in between can see.
Jack Stewart
It's more just to prove to myself that it can be done
Juan Hughes
You can, and it's fun to play around with it, that's for sure. :)
Bentley Harris
We have our own recursors for network use (with a custom "cache warmer" because ~30 users don't keep the cache filled). We run DNSSEC on our authoritative servers for customer domains. We put IPsec keys and SSH fingerprints in DNS. We have configured SPF for mail.
Dylan Richardson
that makes no sense unless your game is looking up new DNS queries constantly.
did it have 1000s of ads?
Lucas Young
It's good to use a separate server as your own DNS, hook up your friends with the IP, and then use one of the main dnscrypt servers for that server for confidentiality
Gavin Richardson
How would one go about implementing a cache warmer? Like a cronjob that sends queries at intervals less than cache-min-ttl? Is it possible to set up unbound so that it logs the most requested domains or do I need to script that too?
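One way to build the cache warmer asked about above, as an added example that is not from any poster in this thread: rank the busiest (name, type) pairs from Unbound's query log (`log-queries: yes`) and re-query them against the local resolver from a cron job. The log line layout, the `dig` invocation and the sample log are assumptions/constructed for the example.

```python
"""Unbound cache warmer (added example): rank the busiest names from
Unbound's query log and re-query them before their cache entries expire."""
import re
import subprocess
import sys
from collections import Counter

# Unbound writes one line per query when `log-queries: yes` is set. The
# fields after "info:" are assumed to be: client, qname, qtype, qclass.
QUERY_RE = re.compile(r"info: (\S+) (\S+) (\S+) IN\b")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
unbound[101:0] info: 10.0.0.5 update.example.net. A IN
unbound[101:0] info: 10.0.0.7 update.example.net. AAAA IN
unbound[101:0] info: 10.0.0.5 update.example.net. A IN
unbound[101:0] info: 10.0.0.9 mail.example.org. MX IN
unbound[101:0] info: 10.0.0.9 mail.example.org. MX IN
unbound[101:0] info: 10.0.0.3 cdn.example.com. A IN
unbound[101:0] verbose: something that is not a query line
"""


def top_queries(log_text, limit):
    """Return the `limit` most requested (qname, qtype) pairs, busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            _client, qname, qtype = m.groups()
            counts[(qname.lower(), qtype.upper())] += 1
    return [pair for pair, _n in counts.most_common(limit)]


def warm(pairs, resolver="127.0.0.1", run=subprocess.run):
    """Re-query each (qname, qtype) against the local resolver so the answer
    stays cached. `run` is injectable so the warmer can be tested offline."""
    cmds = [["dig", "@" + resolver, qname, qtype, "+short"] for qname, qtype in pairs]
    for cmd in cmds:
        run(cmd, check=False, capture_output=True)
    return cmds


if __name__ == "__main__":
    # Cron this more often than the TTLs you want kept warm; pass the Unbound
    # log path as the first argument, otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    warm(top_queries(text, limit=20))
```

Unbound's own `prefetch: yes` option refreshes popular entries shortly before they expire, which covers much of what a warmer does without extra scripting.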