Advice Request What DNS client to use?

ForgottenSeer 85179

DoH is, yes. DoT is not. As a whole, encryption is about security.
Yes, encryption means security, but not this time.
Encrypted DNS doesn't harden your security in any way like DNSSEC or certificate pinning does, for example.
Encrypted DNS "only" increases your privacy against "man in the middle".

I'm also not saying it's not needed, as I always use encrypted DNS, but it's not what most people think it is.
You can read more at GrapheneOS Frequently Asked Questions (not GrapheneOS related)
 

blackice

A lot of people conflate the purpose of DNSSEC vs encrypted DNS. To be fair, the information hasn't been disseminated well.
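
Added example, not part of any post in this thread: a Python sketch of where each property discussed above lives on the wire. The same DNS message is carried over port 53, DoT or DoH, while DNSSEC is requested with the DO bit and reported by the resolver in the AD flag. The function names are hypothetical, the responses are constructed samples, and the TLS and HTTP layers are not shown.

```python
import struct

DO_BIT = 0x8000  # EDNS0 "DNSSEC OK" flag in the OPT record (RFC 3225)
AD_BIT = 0x0020  # "Authenticated Data" flag in the DNS header (RFC 4035)

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    parts = [p.encode("ascii") for p in name.rstrip(".").split(".")]
    return b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"

def build_query(name, qtype=1, dnssec_ok=True):
    """Build one query; message ID 0, as RFC 8484 recommends for DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-record: root name, type 41, UDP size 1232, flags, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO_BIT if dnssec_ok else 0, 0)
    return header + question + opt

def frame(message, transport):
    """Wrap the same DNS message for each transport."""
    if transport == "dot":  # RFC 7858: two-byte length prefix, sent inside TLS
        return struct.pack("!H", len(message)) + message
    if transport in ("udp53", "doh"):  # DoH body is the raw message
        return message
    raise ValueError(f"unknown transport: {transport}")

def unframe(wire, transport):
    """Strip the DoT length prefix; other transports carry the bare message."""
    return wire[2:] if transport == "dot" else wire

def constructed_response(query, validated):
    """Constructed sample reply: QR/RD/RA set, AD set only if validated."""
    flags = 0x8180 | (AD_BIT if validated else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]

def ad_flag(message):
    """True when the resolver reports that it DNSSEC-validated the answer."""
    return bool(struct.unpack("!H", message[2:4])[0] & AD_BIT)

def compare():
    """AD flag seen by the client for every transport/validation pair."""
    query = build_query("example.com")
    seen = {}
    for transport in ("udp53", "dot", "doh"):
        for validated in (False, True):
            wire = frame(constructed_response(query, validated), transport)
            seen[(transport, validated)] = ad_flag(unframe(wire, transport))
    return seen

if __name__ == "__main__":
    for key, ad in compare().items():
        print(key, "AD =", ad)
```

The AD flag reflects only what the resolver did. DoT or DoH protects the message, including that flag, on the path between client and resolver, which plain port 53 does not.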
 

SpiderWeb

In my opinion, the whole DNSSEC paranoia is redundant. The reason nobody cares about it is that HTTPS/TLS is doing exactly what DNSSEC is doing. It validates the servers and checks that this is the actual domain. If not, connection closed. TLS is superior to DNSSEC in that it requires far less effort to set up by the admin.

DNSSEC is really only important when you are using protocols other than HTTPS, like email (SMTP). Your email provider/server needs to support DANE. But in the browser, it would just duplicate what HTTPS is already doing and just add latency for nothing.
 

bayasdev

I'm currently running AdGuard Home on my router; it has a built-in DoH/DoT/DoQ/DNSCrypt and plain DNS client as well as adblocking and safe browsing features.

Compared to PiHole it has fewer dependencies, so you can install it on any router running OpenWrt as long as you have at least 20MB free space and 100MB RAM.
Here's a guide: [HowTo] Running Adguard Home on OpenWrt
 