StreisandEffect / discussions


Would our own DNS resolver help? With anything? #29

Open nopdotcom opened 7 years ago

nopdotcom commented 7 years ago

Which DNS server do we use? Well, we can use our own. I suppose it depends on your estimates of risks of DNS-lookup logging versus flow sniffing/logging.

The unbound package is available for Ubuntu.

Unbound is a recursive-only caching DNS server which can perform DNSSEC validation of results. It implements only a minimal amount of authoritative service to prevent leakage to the root nameservers: forward lookups for localhost, reverse for 127.0.0.1 and ::1, and NXDOMAIN for zones served by AS112. Stub and forward zones are supported.

nopdotcom commented 7 years ago

See #26 and #27.

cpu commented 7 years ago

There seems to be some interest in providing "clean" DNS from a Streisand instance without having to use one of the VPN providers/tunnel all traffic through.

I'm in favour of moving towards running an Unbound instance on the Streisand server configured sensibly for the environment (DNSSEC enforcing, 0x20 randomization, qname minimization, etc). I think long term we'd benefit from the power/flexibility of running our own recursive resolver.

If we were interested in exposing DNS this also makes an easy way to introduce dnscrypt-proxy in front of Unbound to provide last-mile encryption between the client stub resolver and the Streisand Unbound instance.

nickolasclarke commented 7 years ago

Yep, I'd be much in favor of this. DNS is so spotty here in China, even for non-censored sites, that having a reliable DNS would be greatly appreciated.

Mayurifag commented 6 years ago

+1, would be a nice feature! For example, I need to resolve OpenNIC's DNS entries like *.lib and that would be super awesome if that worked out of the box.
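As an added illustration (not configuration from the Streisand project or from any commenter above), here is what an Unbound `server:` block with the hardening cpu lists (DNSSEC enforcement, 0x20 case randomization, qname minimization) looks like, together with a `forward-zone:` for an OpenNIC TLD such as `lib.` as Mayurifag asks for. The VPN-side interface address `10.8.0.1`, the client range `10.8.0.0/24` and the forwarder address `192.0.2.1` are placeholders I chose for the example; the real OpenNIC server addresses must be taken from opennic.org, and the trust-anchor path is the Ubuntu package default.

```conf
# Added example, not the project's own config. Place in /etc/unbound/unbound.conf.d/
server:
    # Listen only on loopback and the VPN-side address (10.8.0.1 is an assumed value).
    interface: 127.0.0.1
    interface: ::1
    interface: 10.8.0.1

    # Never act as an open resolver: allow loopback and VPN clients, refuse everyone else.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 10.8.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DNSSEC validation with an RFC 5011 auto-updated root trust anchor
    # (path as installed by the Ubuntu unbound package).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes
    val-clean-additional: yes

    # 0x20 query-name case randomization and qname minimization against
    # spoofing and upstream data leakage respectively.
    use-caps-for-id: yes
    qname-minimisation: yes

    # Other cache-poisoning and information-leak hardening.
    harden-glue: yes
    harden-referral-path: yes
    harden-below-nxdomain: yes
    hide-identity: yes
    hide-version: yes
    minimal-responses: yes
    prefetch: yes

    # OpenNIC TLDs are not delegated from the ICANN root, so a validating
    # resolver cannot build a chain of trust to them; mark the zone insecure
    # or answers from the forwarder will be rejected.
    domain-insecure: "lib."

# Forward the alternative TLD to an OpenNIC server.
# 192.0.2.1 is a documentation placeholder; substitute a current OpenNIC address.
forward-zone:
    name: "lib."
    forward-addr: 192.0.2.1
```

Check the file with `unbound-checkconf` before restarting the service, then confirm validation is really enforced by querying a signed name through it with `dig +dnssec @127.0.0.1 <name>` and checking that the answer carries the `ad` flag, while a name with a deliberately broken signature returns SERVFAIL rather than an answer.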