.. title: DNS privacy
.. slug: dns-privacy
.. date: 2017-07-29 10:42:00 UTC
.. tags: linux, web, encryption
.. category: 
.. link: 
.. description: 
.. type: text

In my `last post <http://pdes-net.org/cobra/posts/unbound.html>`_, I've focused on the immediately obvious merits of a local DNS resolver. I didn't comment on an issue that I find at least as important: privacy, or rather, the lack thereof in the DNS system. Read Geoff Huston's excellent `post <https://blog.apnic.net/2016/05/27/dns-privacy/>`_ for an overview.

One of the main reasons why I've chosen Unbound as my local DNS resolver is that it was designed with privacy in mind. In particular, it supports `QNAME minimization <https://tools.ietf.org/html/rfc7816>`_ and `DNS over TLS <https://tools.ietf.org/html/rfc7858>`_. The latter is only one of the various possible approaches that are currently under discussion for the realization of an encrypted DNS system. However, it is among the few that already work: there are a number of `test servers <https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers>`_ in essentially `continuous operation <https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/>`_. I've used it for a couple of weeks and did not experience any interruption of service.

To test whether a server really offers DNS over TLS, use `pydig <https://github.com/shuque/pydig>`_:

::

	pydig @185.49.141.38 +dnssec +tls=auth +tls_hostname=getdnsapi.net www.heise.de
	
vs.

::

	pydig @8.8.8.8 +dnssec +tls=auth +tls_hostname=getdnsapi.net www.heise.de
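
What the ``+tls=auth +tls_hostname=`` check above actually does is open a TLS session on port 853, verify the server certificate against the given name, and exchange length-prefixed DNS messages (RFC 7858). The following Python script is an added example, not code from the original post or from pydig: it builds the query, performs the authenticated TLS exchange, and decodes the answer section. The only values it takes from the post are the getdnsapi.net test server address and hostname; the sample response used for the offline self-test is constructed here and is not a real capture.

```python
"""Minimal DNS-over-TLS (RFC 7858) probe with certificate and hostname
verification.  Added example; the sample response below is constructed."""
import socket
import ssl
import struct

QTYPE_A = 1
TXID = 0x1234


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (length byte + label)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = TXID) -> bytes:
    """Standard query, RD bit set, one question, IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:            # compression pointer to earlier name
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes, txid: int = TXID):
    """Return (rcode, [(owner, rtype, ttl, rdata)]) for the answer section."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                  # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((owner, rtype, ttl, rdata))
    return flags & 0x000F, answers


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(server_ip: str, tls_hostname: str, name: str, timeout=5.0):
    """One query over TLS on 853.  The default context requires a valid chain
    and a certificate matching tls_hostname, so a server that cannot prove its
    identity raises ssl.SSLError; one with nothing on 853 times out or refuses."""
    ctx = ssl.create_default_context()
    query = build_query(name)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length))


# Constructed answer for www.heise.de (A 192.0.2.1, TTL 300, compressed owner).
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x03www\x05heise\x02de\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    print("offline:", parse_response(SAMPLE_RESPONSE))
    # Same probe as the first pydig call in the post (needs network access).
    print("live:", query_over_tls("185.49.141.38", "getdnsapi.net", "www.heise.de"))
```

Pointing ``query_over_tls`` at a resolver that only answers on plain UDP/TCP 53 fails at the connect or handshake stage, which is exactly the difference the two pydig invocations make visible.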

In order to use DNS over TLS in Unbound, we only need minimal modifications of the configuration files I've posted `previously <http://pdes-net.org/cobra/posts/unbound.html>`_. First of all, we of course need to define upstream forwarders that support DNS over TLS (note the port 853 in the addresses). Second, encryption of the upstream connection has to be enabled.

**01_Basic.conf**

::

	  forward-addr: 146.185.167.43@853         # securedns.eu over TLS
	  forward-addr: 185.49.141.37@853          # getdnsapi.net over TLS
	  forward-first: no
	  forward-ssl-upstream: yes

**02_Advanced.conf**

::

	ssl-upstream: yes

After restarting the resolver with

::

	systemctl restart unbound.service

all of your DNS requests are encrypted over TLS. 😊
