On Mon, 13 Apr, 2020 at 16:19:55 +0300, Reco wrote:
> On Mon, Apr 13, 2020 at 12:14:44PM +0100, Liam O'Toole wrote:
> > On Mon, 13 Apr, 2020 at 12:57:54 +0300, Reco wrote:
> > > Hi.
> > >
> > > On Mon, Apr 13, 2020 at 11:16:02AM +0300, Andrei POPESCU wrote:
> > > > [...]
> > > >
> > > > Whether DoH or DNS-over-TLS, you have to trust the DNS server.
> > >
> > > Yup. That's why I have my own, and every Debian user can have their own
> > > too, using only free software.
> > >
> >
> > Pray tell us more. I use dnsmasq for clients on my LAN, but even that
> > has to use an upstream name server --- in my case the one provided by my
> > ISP.
>
> 1) Rent yourself a VPS, install bind there (there's no DNS but bind).
> Replace bind with unbound if you need a caching-only nameserver
> (caching-only bind is possible, but it's overkill).
>
> 2) Apply [1] to your dnsmasq.
>
> 3) Your ISP gets a TLS tunneled DNS request (and they can't do anything
> about it), you get unmolested name resolution.
>
[...] Thanks for the detailed information. I'm not familiar with bind. Does it work by consulting root name servers directly?
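The TLS-tunnelled request Reco describes in step 3, as an added example that is not from this thread nor from dnsmasq, bind or unbound: RFC 7858 framing for DNS-over-TLS in Python, with a client context that verifies the resolver's certificate (Andrei's "you have to trust the DNS server" point). `resolver_host` and `ca_file` are assumed parameters naming your own VPS resolver, and the query for `debian.org` is a constructed sample.

```python
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header with RD set plus one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tls(message):
    """RFC 7858 keeps the TCP framing: a two-octet big-endian length prefix."""
    return struct.pack("!H", len(message)) + message


def unframe_from_tls(stream):
    """Split bytes read from the TLS socket into complete DNS messages."""
    messages, offset = [], 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, offset)
        if offset + 2 + length > len(stream):
            break  # trailing partial message: the caller must read more
        messages.append(stream[offset + 2:offset + 2 + length])
        offset += 2 + length
    return messages


def make_tls_context(ca_file=None):
    """Client context that verifies the resolver's certificate and hostname."""
    # create_default_context() sets check_hostname=True and CERT_REQUIRED;
    # without verification anyone on the path could pose as the VPS resolver.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session early")
        buf += chunk
    return buf


def query_over_tls(name, resolver_host, ctx):
    """Send one query to resolver_host on port 853 and return the raw answer."""
    with socket.create_connection((resolver_host, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_host) as tls:
            tls.sendall(frame_for_tls(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)
```

On the wire the ISP sees only a TLS session to port 853; the length-prefixed DNS messages are inside it, which is what `unframe_from_tls` reassembles on the client side.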