[tor-relays] How helpful is it to run your own DNS server?
t***@protonmail.com
2018-03-16 16:54:08 UTC
Dear All,

I have seen mentions on this list of people using pi-hole and unbound DNS servers in their setups, and I wondered if others had considered opinions as to the usefulness of doing this. Pi-hole's biggest feature seems to be their filter lists to block extra/evil DNS queries, while Unbound seems to feature caching and validating functions. I would think that a DNS cache that kept queries for a long time would certainly keep most of your queries out of an ISP's DNS logs. Or are there DNS providers that are relatively immune to their logs being requited by others?

TIA,
--Torix

Sent with [ProtonMail](https://protonmail.com) Secure Email.
nusenu
2018-03-16 17:47:00 UTC
Post by t***@protonmail.com
I have seen mentions on this list of people using pi-hole and
unbound DNS servers in their setups, and I wondered if others had
considered opinions as to the usefulness of doing this. Pi-hole's
biggest feature seems to be their filter lists to block extra/evil
DNS queries, while Unbound seems to feature caching and validating
functions. I would think that a DNS cache that kept queries for a
long time would certainly keep most of your queries out of an ISP's
DNS logs. Or are there DNS providers that are relatively immune to
their logs being requited by others?
I believe it is beneficial to run caching and validating resolver directly
on tor exit relays, but please do not interfere with DNS resolution
by using DNS blacklists.
--
https://mastodon.social/@nusenu
twitter: @nusenu_
grarpamp
2018-03-16 18:30:46 UTC
Post by t***@protonmail.com
I have seen mentions on this list of people using pi-hole and unbound DNS
servers in their setups, and I wondered if others had considered opinions as
to the usefulness of doing this.
https://pi-hole.net/
https://github.com/pi-hole

Pi-hole DNS style is nice where you can't get inside TLS such
as adblockplus does inside the browser, and for filtering
all traffic / apps for entire machines / networks but
it is by nature of DNS not full URI a bit less fine grained.
Post by t***@protonmail.com
Pi-hole's biggest feature seems to be
their filter lists to block extra/evil DNS queries
One's 'extras/evils' / adverts are another's censorship.
Exits are not supposed to be censors, but enablers instead.
Would you use an exit that arbitrarily censors you, uses
arbitrary subscriptions, or is subject to arbitrary censorship?
Are there so few free and clear providers left?
Are exit bandwidth / circuits / CPU / RAM / latency
really that tight?
Is it your role to "protect" users from your idea of "bad"?
Can users identify and select from everything all
the exits might be doing, who they are, where, etc?

Those and more can all be debated in a new thread
covering philosophy of any network which might offer
exit / vpn / transit style services.

However for the tor network, exits found censoring / filtering / etc
above and beyond what they can do in their tor exit-policy
config are likely to be reported by users / scans as bad-relays,
which could lead to the exit being dropped from consensus.
Post by t***@protonmail.com
while Unbound seems to
feature caching and validating functions.
This is of benefit to exits and users.
Post by t***@protonmail.com
I would think that a DNS cache
that kept queries for a long time
Time is up to the zone authority, not arbitrary downstreams,
which would again be modification / censorship of the internet,
and breaks services as their zone changes and the cache doesn't.
Post by t***@protonmail.com
would certainly keep most of your queries
out of an ISP's DNS logs.
Logs of their DNS servers, maybe, provided they don't
grab and redirect DNS into them, or record netflow, etc.

Logs of adversaries sniffing the wires, no.
Post by t***@protonmail.com
Or are there DNS providers that are relatively
immune to their logs being requited by others?
This depends on
- providers actually not keeping logs.
- them letting you audit their claims therein.
- them not being subject to whims of the State.
- them not being hacked by same and other adversaries.

The AND operation upon these conditions
is quite unlikely to be TRUE.
Working to change that would be good.

Running a local caching DNS (unbound etc)
is considered best practice, approaching
universal for large exits due to cache savings
and performance alone.

The additional potential privacy benefit by not
expressly funneling all your users' DNS through
yet another third party is even more reason to do so.

Same for whatever censorship / evils that party
might be doing.
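The setup grarpamp describes above (a local caching, validating resolver on the exit that honours the zone authority's TTLs, applies no blocklists, and does not funnel users' lookups through a third party) as an added unbound.conf example. This is not part of the thread and not the Unbound project's own documentation; the trust-anchor path, cache sizes and listening addresses are assumptions to adjust for the host.

```conf
# Added example: unbound.conf for a local caching, validating resolver on a
# Tor exit. Paths and sizes are assumptions; not taken from the thread.
server:
    # Answer only the local tor daemon; never expose the resolver to the internet
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DNSSEC validation (the "validating" half); root.key location is an assumption
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Caching (the "caching" half). Sizes are assumptions for a busy exit.
    # cache-min-ttl stays at its default of 0 so records expire when the zone
    # authority says they should, rather than being held longer by the exit.
    msg-cache-size: 128m
    rrset-cache-size: 256m
    cache-min-ttl: 0
    prefetch: yes

    # Send only the labels each authority needs to see
    qname-minimisation: yes

    # Keep query and reply logging off so the exit holds no record of lookups
    log-queries: no
    log-replies: no
    verbosity: 1

    # Deliberately no local-zone / local-data entries: those are the knobs a
    # Pi-hole style blocklist would use, and an exit should resolve, not filter.
```

With no `forward-zone:` section, Unbound iterates from the root servers itself rather than handing every query to an upstream resolver, which is the "not funneling through yet another third party" point; the ISP still sees the iterative traffic on the wire, so this addresses their resolver logs only, as the thread notes.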
