I use Unbound locally as a DoH server. The Alpine Linux Unbound package is compiled with libnghttp2, required for the built-in DoH listener. That's more than enough to enable ECH [1].

I pre-cache all the domains I use hourly via cron. My ISP is not going to dork with my DNS requests and their employees are bigger deviants than I. If I ever started browsing the web from a phone I would just set up my own public DoH server. It only takes a few minutes and gives me my own query logs for debugging weird issues.

[1] - https://tls-ech.dev/

I use my own public powerdns dnsdist and recursor/authoritative instances for DoH, DoT, DoQ, TCP and UDP now, for ~3 years. Setup took some time, because I used bind, unbound and dnsmasq before. It's super stable and I can also use it on my mobile or legacy devices and as a resolver in unbound, adguard/dnsproxy or just in my local resolv.conf.

If it's public, how do you prevent others from accessing it?

To be honest, there's no way to prevent others from using my DNS server without putting it behind a VPN or in any other non-public network. You can also do port-knocking or something, but that's not really authentication. However, I'm not aware of any authentication mechanisms in DNS. That would also cause performance to plummet. Using a VPN or something, in turn, would mean you'd have to rely on someone else's DNS infrastructure. So I don't have any of this and it's public.

The good thing about dnsdist is that it acts as a sort of load balancer for DNS queries and offers features such as dynamic blocking (including via eBPF) at the IP level, and rules and rate limits for query types that you can combine. Therefore, there are no limits (or very open limits) for all query types from whitelisted IPs, and stricter rules for all others. IPset and GeoIP banning of known malicious IPs and regions (using block-lists) also keeps the footprint of "unwanted" use very, very small.

They don’t, I guess

Why pre-cache? For speed... what is it, 30-50ms at most? If the authoritative server's TTL is <60 minutes, do you force it to 3600? Do you audit all the connections that occur for every website you visit, collect all the domains hosting assets, and pre-cache those as well, or is the main site's domain the only critical one because that affects perceived latency the most?

I pre-cache for speed, to verify records that have expired (since I retain the expired records for sites that have intermittent DNS issues), and also to throw in domains that I do not use, on the off chance someone is logging where I go and when. They will see the Cloudflare top 20K domains hourly. My family members and I have been able to access sites when others around the internet can not due to infrastructure related DNS problems. In other words, when others will say "It's always DNS", for my family members and me that is rarely the case, as DNS records do not change as often as people seem to think they do.

Or you could use dnscrypt so ISP doesn’t see your lookups at all

During the TLS handshake, you send the domain name in clear text (Server Name Indication - SNI extension) so that the hoster can present the correct certificate for that domain.

Nothing prevents the ISP from collecting that.

Hence Encrypted Client Hello (https://datatracker.ietf.org/doc/rfc9849/), though deployment is still thin.

When all the authoritative servers support TLS I can enable TLS outbound, but very few of them do at the moment. At some point someone is decrypting, turtles all the way down. I could of course just do DoT to another instance of Unbound somewhere else, but I do not need to do that as my ISP does not care about my queries. I used to keep standby DoT Unbound servers around but I have never once seen a US ISP tinker with my traffic. If they did I would put up billboards saying what they are doing.

Yours is not particularly problematic but I've always wondered how come advertising agencies allow highly controversial topics on their billboards in the US.

I know some (all?) EU advertisers deny creatives based on optics i.e. "our name and logo is on the billboard frame, we don't wanna get associated with topic X".

They like money. Controversial is not illegal. Slander is. If I purchase billboard space and spread defamation that will be problematic. The ISP could always take me to court but they would very likely lose provided I can prove I am telling the truth.


There is a bunch of public dnscrypt servers to which your client can randomly fan out encrypted queries.

There are but I will wait until all the authoritative resolvers support TLS. If I wanted to hide my traffic from my ISP then I would just use DoT from my firewall Unbound instance to a few Unbound instances I already have around the web.

« I’ll keep my house door open until there is a really secure lock installed ». You either care about tampering and snooping or you don’t.

I understand your concerns. I personally do not share these concerns though I did when I resided in California that is for sure.

I know just about everyone at my ISP. I know where many of them live. We all live in the same small tight knit community. They tried really hard to get me to join their network team.

Unbound has "prefetch" which will refresh near-expired cached records, and various other cache/TTL knobs. "serve-expired" seemed to work well too.

I use both of those as well in Unbound.

I was thinking that if you preload your 50k list and override the min-ttl, the prefetch would let you relax the cron schedule a little

I could but I like to run everything in cron hourly to force trigger the retry mechanisms on the expired records and make a bunch of noise so that my network always looks active.

It's just a "me" thing. Others can and should do whatever they think will work for them. If everyone does this a little different that is probably best.

I run unbound too here. I love that it takes wildcards to blacklist domains. I'm using big lists of domains to block and then I've got a whitelist that supersedes the blocked ones.

And I've got a little tool that takes:

    ayt7.ads.acme.com
    afi6.ads.acme.com
    foi5.ads.acme.com

and simplifies it to:

    ads.acme.com

Then I've got a script which generates variations of the domain names I use. Say if I use:

    mybank.com (legit)

I block:

    myb4nk.com
    mibank.com
    mybank.{any other tld}

etc.

I generate hundreds of thousands of such variations: all blacklisted by unbound.

I did it after one of my banks sent me an example of a very convincing phishing site.

Been using such a setup for years now. A million blocklisted domains runs fine on an old Pi 3. I take it that on a more powerful computer unbound can deal with blocklists with millions if not tens of millions of domains (and, no, I haven't moved to whitelisting only).

I also block all Unicode domains. I simply cannot access a domain name that uses Unicode characters in its name (and, no, I don't care).
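As an added illustration of the blocklist tooling described in the post above (this is example code, not the poster's own tool): collapse hostnames that share a parent label, generate a few lookalike variants using the post's a→4 / y→i substitutions plus a constructed TLD list, and render unbound `local-zone` lines where an allowlisted name under a blocked parent is declared `transparent` so it still resolves. The sample hostnames and the substitution table are constructed.

```python
from collections import Counter

# Constructed sample input, modelled on the hostnames quoted in the post.
SAMPLE = ["ayt7.ads.acme.com", "afi6.ads.acme.com", "foi5.ads.acme.com",
          "cdn.example.net", "tracker.example.org"]

# Constructed, deliberately small: the post's a->4 and y->i plus two more.
SUBS = {"a": "4", "y": "i", "o": "0", "l": "1"}
TLDS = ["net", "org", "co", "info"]  # constructed stand-in for "any other tld"


def simplify(hostnames, min_children=2):
    """Collapse hostnames sharing a parent label into that parent.
    A parent is used only when at least `min_children` names sit under it
    and it keeps three or more labels, so the block never widens to a whole
    registrable domain such as acme.com (heuristic; no public suffix list)."""
    parents = Counter(h.split(".", 1)[1] for h in hostnames if h.count(".") >= 3)
    out = set()
    for h in hostnames:
        parent = h.split(".", 1)[1] if "." in h else h
        out.add(parent if parents[parent] >= min_children else h)
    return sorted(out)


def lookalikes(domain):
    """Single-character substitutions and TLD swaps for one legit domain,
    as in the mybank.com example. Returns only the variants to block."""
    name, tld = domain.rsplit(".", 1)
    variants = set()
    for i, ch in enumerate(name):
        if ch in SUBS:
            variants.add(name[:i] + SUBS[ch] + name[i + 1:] + "." + tld)
    for t in TLDS:
        if t != tld:
            variants.add(name + "." + t)
    return sorted(variants)


def render_unbound(blocked, allowed=()):
    """Emit unbound local-zone lines. unbound applies the most specific
    matching local-zone, so a 'transparent' allowlist entry under a blocked
    parent overrides the parent's always_nxdomain for that name."""
    lines = [f'local-zone: "{d}" always_nxdomain' for d in sorted(blocked)]
    lines += [f'local-zone: "{d}" transparent' for d in sorted(allowed)]
    return lines


if __name__ == "__main__":
    blocked = simplify(SAMPLE) + lookalikes("mybank.com")
    print("\n".join(render_unbound(blocked, allowed=["ok.ads.acme.com"])))
```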

It sounds like we share some similar tactics. Some day you should make an article about your setup.

I love the dedication but isn't using a good password manager the much cleaner and robust way of fixing the bank phishing problem? Or using the app on your phone.

> I pre-cache all the domains I use hourly via cron.

How does this look? Shell script querying a list of hostnames? What qualifies as a domain you use?

It looks like this [1]. I enable query logging to a tmpfs RAM disk and then every month I update a list of domains that I have queried more than {n} times. I mix that in with a list of the Cloudflare top 20K domains after removing the broken ones and some TLDs.

[1] - https://nochan.net/b/Internet-Crap/20260602-Set-Up-Your-Own-...
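An added example of the log-mining step described in the reply above (example code, not the script behind the linked write-up): parse lines in the shape of unbound's `log-queries` output, keep names queried at least n times, drop a constructed list of unwanted TLDs, and merge the result with a top-domains list minus known-broken entries. The log lines, the TLD list and the top list are all constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of unbound's log-queries output
# ("info: <client> <qname>. <qtype> <qclass>"); timestamp format varies.
LOG = """\
[1700000000] unbound[1234:0] info: 192.168.1.10 news.example.com. A IN
[1700000001] unbound[1234:0] info: 192.168.1.10 news.example.com. AAAA IN
[1700000002] unbound[1234:0] info: 192.168.1.11 cdn.example.net. A IN
[1700000003] unbound[1234:0] info: 192.168.1.10 news.example.com. A IN
[1700000004] unbound[1234:0] info: 192.168.1.12 bad.example.zip. A IN
[1700000005] unbound[1234:0] info: 192.168.1.10 cdn.example.net. A IN
"""

QUERY_RE = re.compile(r"info: \S+ (\S+)\. \S+ IN$")


def frequent_domains(log_text, min_count=2, drop_tlds=("zip",)):
    """Count queried names and keep those seen at least `min_count` times,
    skipping names whose TLD is in `drop_tlds` (constructed list)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group(1).lower().rstrip(".")] += 1
    return sorted(n for n, c in counts.items()
                  if c >= min_count and n.rsplit(".", 1)[-1] not in drop_tlds)


def merge_lists(frequent, top_list, broken=()):
    """Union of the mined names and an external top list, with names known
    to be broken removed from both before the result is written out."""
    return sorted((set(frequent) | set(top_list)) - set(broken))


if __name__ == "__main__":
    # Constructed stand-ins for the top-20K list and its broken entries.
    top = ["news.example.com", "top.example.org", "broken.example.org"]
    for name in merge_lists(frequent_domains(LOG), top, broken=["broken.example.org"]):
        print(name)
```

The printed list is what an hourly cron job would then resolve one name at a time against the local listener (for example with `dig`) to keep the cache warm.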