Encrypted DNS & DNSSEC


#1

Traditional DNS uses UDP with neither encryption nor authentication, which is neither secure nor private. There are several new techniques to encrypt DNS and they are able to encrypt DNSSEC as well. I am aware of the DNSCrypt client, but I am asking about DNS-over-TLS and DNS-over-HTTP.
Q1: Can I configure DoT or DoH in PureOS?
Q2: If so, what options of DNS service providers (e.g., Google, Cloudflare) do I have? Who supports DNSSEC as part of DoT/DoH?


#2

I forgot to mention: Please don’t mention VPN option.


#3

Minor correction: That’s DNS-over-HTTPS.

I can’t answer that, but DNSSEC relates to the integrity (authenticity) of the returned information in the DNS packet (and is itself in the DNS packet), whereas the other things that you are talking about (DoT, DoH vs. classical DNS over UDP) relate to the transport of the DNS packet. In an ideal world, the two would be independent, i.e., regardless of how your computer received the DNS packet, it either is or is not capable of using the DNSSEC info to verify the DNS packet.

I think that using a DoH service like Google or Cloudflare could be problematic within the mindset of why you might be using PureOS. Handing over all the domain names that you are choosing to look up to Google is just another part of surveillance capitalism. However the essence of open source is that it is your choice.

https://github.com/curl/curl/wiki/DNS-over-HTTPS lists some available public servers and expresses in rather unclear terms whether DNSSEC is supported. Some experimentation may be needed.
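As an added example (not code from any poster), here is the point above in Python: DNSSEC signalling lives inside the DNS message, while DoT/DoH only change how that message travels. The block builds a query with the EDNS DO bit set, reads the AD ("authenticated data") flag back out of two constructed responses, and shows the same bytes wrapped as a DoH POST; the DoH URL given to doh_query is an assumed placeholder and both responses are constructed, not captured.

```python
import struct
from urllib.request import Request, urlopen

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type for POST bodies


def build_query(name: str, qtype: int = 1, dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: header (RD=1), one question, one EDNS(0) OPT record.
    The DO bit (RFC 6891) in the OPT TTL asks the resolver to include DNSSEC data.
    These exact bytes go over UDP, over TLS (DoT, with a 2-byte TCP length prefix) or in a DoH POST."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags=RD, QDCOUNT=1, ARCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qclass IN
    opt_ttl = 0x8000 if dnssec_ok else 0  # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, opt_ttl, 0)  # root name, type OPT, UDP size 4096
    return header + question + opt


def parse_flags(msg: bytes) -> dict:
    """Decode the 16-bit flags word (RFC 1035 4.1.1; AD/CD from RFC 4035 3.2.3).
    AD=1 is the resolver's claim that it DNSSEC-validated the answer; it is carried
    in the DNS packet itself and does not depend on how the packet arrived."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "rcode": flags & 0x000F, "answers": an}


def sample_response(txid: int, flags: int) -> bytes:
    """Constructed reply for example.org/A: one A record (TEST-NET 192.0.2.1) plus the OPT RR."""
    q = build_query("example.org", txid=txid)
    question, opt = q[12:-11], q[-11:]  # the OPT RR built above is 11 bytes long
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1) + question + answer + opt


# Two constructed responses: QR|RD|RA|AD (validated) and QR|RD|RA (not validated).
VALIDATED = sample_response(0x1234, 0x81A0)
UNVALIDATED = sample_response(0x1234, 0x8180)


def doh_query(url: str, query: bytes) -> bytes:
    """POST the same query bytes to a DoH endpoint (RFC 8484). url is an assumed placeholder; needs network."""
    req = Request(url, data=query, method="POST",
                  headers={"Content-Type": DOH_CONTENT_TYPE, "Accept": DOH_CONTENT_TYPE})
    with urlopen(req, timeout=5) as resp:
        return resp.read()
```

The AD bit is only the resolver's assertion, which is why an authenticated transport (DoT or DoH) matters if you rely on it; the alternative is to validate locally with your own recursive resolver.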


#4

Thanks anyway.



#5

The reason why I might want to use 1.1.1.1 or 8.8.8.8 is that my ISP is even worse. It is just always the truth, unless you do it on your own.


#6

That might be a good option, i.e., run your own recursive DNS server (but in that case you must also implement caching of DNS results).