Hacker News

Stupid question: What do I need to do to use DNS-over-TLS? I am running a recursive resolver in my home network (BIND9), so if that is a requirement, it is not a problem.

EDIT: I misunderstood; I thought this would encrypt communication between resolvers and authoritative nameservers, too. :(

Your recursive resolver is still going off over the internet and querying (root) DNS entries in clear text. My understanding is that this would wrap it in TLS to stop your ISP (or coffee shop) either spying on what sites you're resolving (read visiting) or even man-in-the-middling and re-writing your DNS responses.
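As an added illustration of what the comment above describes (this is example code written for this page, not code from the thread, from BIND or from stubby), a minimal DNS-over-TLS client: the query is framed exactly as over TCP (two-byte length prefix, RFC 7858) and carried inside a TLS session on port 853 whose certificate must chain to a trusted CA and match the resolver's authentication name, which is what stops an on-path party from reading or rewriting the answer. The resolver 1.1.1.1 comes from the thread; its authentication name cloudflare-dns.com is an assumption made here, and the answer parser handles compression pointers and skips non-A records such as CNAMEs.

```python
import secrets
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=None):
    """Minimal RFC 1035 query for `name` (A record by default), recursion desired."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)

def parse_a_records(msg, txid):
    """Return IPv4 strings from the answer section; reject ID mismatch and RCODE != 0."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid: raise ValueError("transaction id mismatch: reply is not for our query")
    if flags & 0x000F: raise ValueError(f"server returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):                      # skip the echoed question section
        while msg[pos]:
            pos += msg[pos] + 1
        pos += 5                             # root terminator + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        while msg[pos] and msg[pos] & 0xC0 != 0xC0:   # walk labels until root/pointer
            pos += msg[pos] + 1
        pos += 2 if msg[pos] & 0xC0 == 0xC0 else 1   # compression pointer or root byte
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:        # only A records; CNAMEs etc. are skipped
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_over_tls(name, server="1.1.1.1", auth_name="cloudflare-dns.com", port=853):
    """RFC 7858: DNS with the 2-byte TCP length prefix, carried inside TLS on port 853."""
    ctx = ssl.create_default_context()   # verifies the certificate chain AND auth_name
    txid, query = build_query(name)      # auth_name is an assumed value (see lead-in)
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            reply = tls.makefile("rb")          # blocking reads of exact lengths
            (length,) = struct.unpack("!H", reply.read(2))
            return parse_a_records(reply.read(length), txid)

if __name__ == "__main__":
    print(resolve_over_tls("example.com"))
```

With a plain UDP/53 query the same bytes travel unencrypted, which is exactly what the comment's ISP or coffee-shop observer sees; here they see only a TLS session to port 853.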


MITM seems like the most important bit. They'll know what sites you visit regardless when you actually fire off a request to the site, yeah?


DNSSEC already solves MITM if it is actually adopted by the domain being queried.


I found this guide (with slight modifications) helpful for setting up stubby as a localhost DNS resolver to proxy through 1.1.1.1 with DNS-over-TLS on macOS: https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with...


If you run your own recursive resolver that kind of defeats the point doesn't it?
