Closed brackenhill-mob closed 5 years ago
The best way to improve DNS data leakage, and possibly simultaneously improve performance, is to integrate with pi-hole. See https://github.com/StreisandEffect/discussions/issues/41
I'd say "PRs accepted" but I'm worried about how big and invasive pi-hole is.
I'd be more confident setting up a dummy net 10.10.10.0/24, and having some resolver listen on 10.10.10.10:53. This lets us configure DNS separately.
The easiest thing to do is have the existing dnsmasq listen there as well, then configure the dnsmasq to resolve wherever you like: the cloud provider, 1.1.1.1, or 8.8.8.8. Optionally, DNS blocklists such as https://github.com/notracking/hosts-blocklists could be added to the dnsmasq configuration.
unbound could instead be configured to listen on 10.10.10.10.
At a couple places, I currently run dnsmasq as the primary resolver, with unbound serving as the upstream resolver, listening on (say) 10.10.10.11.
We could also use ipfilters to force all port 53 traffic to 10.10.10.10; this would enforce our choices on users.
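The layout sketched in the comment above (dummy 10.10.10.0/24 net, dnsmasq on 10.10.10.10 forwarding to unbound on 10.10.10.11, blocklist, and a NAT rule forcing port-53 traffic to the resolver), written out as a script. This is an added example, not code from the Streisand project or from the commenter. It assumes the dummy interface is called dns0, VPN clients arrive on an interface called wg0, the blocklist is the hosts-format hostnames.txt file from notracking/hosts-blocklists saved to /etc/dnsmasq.d/, and the config drop-in paths shown; all of those are assumptions to adjust for a real host. Without arguments it only prints what it would do; `apply` runs it as root.

```shell
#!/bin/sh
# Added example (not Streisand project code): dedicated-resolver layout from the
# thread above. Assumed names: dummy interface dns0, VPN-facing interface wg0,
# blocklist file /etc/dnsmasq.d/hostnames.txt (hosts format, from
# https://github.com/notracking/hosts-blocklists), config paths below.
DNS_NET=10.10.10.0/24
DNSMASQ_IP=10.10.10.10    # primary resolver that clients talk to
UNBOUND_IP=10.10.10.11    # upstream recursive resolver
DUMMY_IF=dns0             # assumed interface name
VPN_IF=wg0                # assumed; whichever interface VPN clients arrive on

# Commands that create the dummy net. Printed by default, executed by apply_all.
gen_dummy_net() {
    cat <<EOF
ip link add $DUMMY_IF type dummy
ip addr add $DNSMASQ_IP/24 dev $DUMMY_IF
ip addr add $UNBOUND_IP/24 dev $DUMMY_IF
ip link set $DUMMY_IF up
EOF
}

# dnsmasq config: listen on loopback and the dummy address only, ignore
# /etc/resolv.conf, forward solely to the chosen upstream, load the blocklist.
# $1 = upstream: $UNBOUND_IP (default), 1.1.1.1, 8.8.8.8, or the cloud
# provider's resolver address.
gen_dnsmasq_conf() {
    upstream=${1:-$UNBOUND_IP}
    cat <<EOF
listen-address=127.0.0.1,$DNSMASQ_IP
bind-interfaces
no-resolv
server=$upstream
domain-needed
bogus-priv
cache-size=10000
addn-hosts=/etc/dnsmasq.d/hostnames.txt
EOF
}

# unbound config: full recursive resolver bound to the dummy address and
# reachable only from the dummy net (unbound refuses everything else by default).
gen_unbound_conf() {
    cat <<EOF
server:
    interface: $UNBOUND_IP
    port: 53
    access-control: $DNS_NET allow
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    prefetch: yes
EOF
}

# NAT rules that send every VPN client's port-53 query to dnsmasq, whatever
# resolver the client has configured for itself (UDP and TCP).
gen_nat_rules() {
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
            "$VPN_IF" "$proto" "$DNSMASQ_IP"
    done
}

# Run as root: write the configs and execute the generated commands.
apply_all() {
    gen_dummy_net | sh
    gen_dnsmasq_conf "$UNBOUND_IP" > /etc/dnsmasq.d/streisand-dns.conf
    gen_unbound_conf > /etc/unbound/unbound.conf.d/streisand.conf
    gen_nat_rules | sh
    systemctl restart unbound dnsmasq
}

case "${1:-}" in
    apply) apply_all ;;
    *) gen_dummy_net; gen_dnsmasq_conf; gen_unbound_conf; gen_nat_rules ;;
esac
```

Two caveats worth keeping in mind: the DNAT rule only catches plain DNS on port 53, so a client that speaks DNS over HTTPS or DNS over TLS (443/853) still bypasses the resolver unless those ports are filtered too; and `bind-interfaces` means dnsmasq must be restarted after the dummy interface exists, which is why the script creates dns0 before restarting the services.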
I think this is squarely a topic for the discussion repo. I'm going to close the issue here and encourage folks to move to a discussions thread.
CloudFlare DNS is a lot quicker at resolution than any other DNS server I've tested.
Also their privacy statement says that they won't store user IP addresses.
See https://1.1.1.1/
HTH