Q&A What DNS client to use?

ForgottenSeer 85179

DoH is, yes. DoT is not. As a whole, encryption is about security.
Yes, encryption means security, but not this time.
Encrypted DNS doesn't harden your security in any way like DNSSEC or certificate pinning does, for example.
Encrypted DNS "only" increases your privacy against "man in the middle".

I'm also not saying it's not needed, as I always use encrypted DNS, but it's not what most people think it is.
You can read more at GrapheneOS Frequently Asked Questions (not GrapheneOS related)
 

blackice

A lot of people conflate the purpose of DNSSEC vs encrypted DNS. To be fair, the information hasn't been disseminated well.
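
Added example (not part of any post in this thread): a sketch of why transport encryption and DNSSEC validation are separate properties. It builds an RFC 1035 query with the EDNS0 DO bit, wraps the same bytes as an RFC 8484 DoH GET URL, and reads the AD flag from a response header. The resolver URL, function names and the two response headers are constructed for illustration.

```python
import base64
import struct

DOH_ENDPOINT = "https://resolver.example/dns-query"  # placeholder URL (assumption)

def build_query(name, qtype=1, want_dnssec=True):
    """Wire-format DNS query (RFC 1035) with an EDNS0 OPT record (RFC 6891)."""
    # ID 0 as RFC 8484 suggests for DoH; flags 0x0100 = RD; 1 question, 1 additional.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT: root name, TYPE 41, CLASS = UDP size, TTL field carries the DO bit (0x8000).
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000 if want_dnssec else 0, 0)
    return header + question + opt

def doh_get_url(msg, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: the same wire message, base64url without padding."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def response_status(msg):
    """Read RCODE and the AD (Authenticated Data) flag from a response header."""
    _id, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}

def assess(response, transport_encrypted):
    """Keep the two properties apart: who can see the query vs. whether the
    resolver reports that it validated the answer with DNSSEC."""
    st = response_status(response)
    return {
        "hidden_from_on_path_observers": transport_encrypted,
        "dnssec_validated_by_resolver": st["ad"] and st["rcode"] == 0,
    }

# Constructed response headers (not captured traffic): QR|RD|RA, without and with AD.
RESP_UNVALIDATED = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 1)
RESP_VALIDATED = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 1)

if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    print("DoH, no AD :", assess(RESP_UNVALIDATED, transport_encrypted=True))
    print("UDP/53, AD :", assess(RESP_VALIDATED, transport_encrypted=False))
```

The AD flag is the resolver's own statement that it validated the answer, so a stub client can rely on it only when the path to that resolver is itself protected.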
 

SpiderWeb

In my opinion, the whole DNSSEC paranoia is redundant. The reason nobody cares about it is that HTTPS/TLS is doing exactly what DNSSEC is doing. It validates the servers and checks that this is the actual domain. If not, connection closed. TLS is superior to DNSSEC in that it requires far less effort to set up by the admin.

DNSSEC is really only important when you are using protocols other than HTTPS, like email (SMTP). Your email provider/server needs to support DANE. But in the browser, it would just duplicate what HTTPS is already doing and just add latency for nothing.
 

geminis3

I'm currently running AdGuard Home in my router. It has a built-in DoH/DoT/DoQ/DNSCrypt and plain DNS client, as well as adblocking and safe browsing features.

Compared to Pi-hole, it has fewer dependencies, so you can install it on any router running OpenWrt as long as you have at least 20MB free space and 100MB RAM.
Here's a guide: [HowTo] Running Adguard Home on OpenWrt
 