Hey there,

I just want to share my personal knowledge and opinion on how a safe DNS environment should be implemented.

Common attack-vectors are data collection (if only one DNS-Provider is used) or DNS-Poisoning.

There are two easy ways to circumvent both of these threats: use of DNSSEC and secured DNS protocols like DNS-over-TLS where possible, and use of a local DNS appliance which load-balances its own requests over different upstreams, so no one gets the whole DNS traffic alone.

This may especially improve privacy and stability for exit relays.

For this task, I would recommend either Unbound or AdGuard (without enabled filters!) as DNS appliance.

Personally I use about six different DNS providers, which are optimized for performance, not privacy. So there is headroom for improvement.

Examples: Cloudflare, QuadDNS, applied-privacy, Telekom-DNS.

With this setup I achieve DNS resolving in about 4 - 5 ms on home VDSL, and that's only when it's a cache miss.

So it has both privacy enhancements and also speed improvements, it also confuses which client did the initial request, if more than one node is in that network. In normal operation, I disable all logging and clear any data that may be left over.

Add like 10 - 20 resolvers and achieve a massive split of your requests, every provider has as little information as possible and even a widespread outage should not affect your services.

This also resolves country-specific resolving issues, e.g. in Germany the standard resolvers (Telekom, etc.) are blocking some DMCA/piracy related stuff (classics like boerse, kinox, movie.) - with Cloudflare no problem. Another step against censorship.

If you experience problems with the huge DNS providers because your IPv4 is blacklisted, I warmly recommend using IPv6 to fix this issue. Just give your DNS appliance a different IPv6 address, it should have one by nature, and use this address (which is obviously not blacklisted) to do your name resolving. Most VPS providers have a single IPv4 but multiple IPv6 addresses per package.
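As an added illustration (not from the original post, and not a configuration shipped by the Unbound project), here is an Unbound configuration that follows the layout described above: a local appliance that validates DNSSEC, forwards over DNS-over-TLS to several upstreams so no single provider sees all of the traffic, keeps query logging off, and binds a separate IPv6 address for its outgoing queries. The upstream addresses are Cloudflare's and Quad9's public DoT endpoints; the listening addresses, the outgoing IPv6 address and the two file paths are assumptions (documentation ranges and Debian defaults) that you replace with your own.

```conf
server:
    # Listen on loopback and on the appliance's LAN addresses so relays on the
    # same network can use it as their resolver (placeholder addresses).
    interface: 127.0.0.1
    interface: ::1
    interface: 192.0.2.53
    interface: 2001:db8::53

    # Only answer our own network; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8::/64 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Send outgoing queries from a dedicated IPv6 address (placeholder), for the
    # case where the host's single IPv4 address is blocked by an upstream.
    outgoing-interface: 2001:db8::53
    prefer-ip6: yes

    # DNSSEC validation; the root trust anchor file is kept up to date by
    # unbound-anchor (Debian path assumed).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # CA bundle used to verify the upstreams' TLS certificates (Debian path assumed).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Privacy: no query logging, no identity or version disclosure,
    # and query name minimisation towards upstreams.
    verbosity: 0
    log-queries: no
    log-replies: no
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes

    # Refresh popular entries before they expire so fewer lookups leave the host.
    prefetch: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Cloudflare (DNS-over-TLS, certificate checked against the hostname after '#')
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    # Quad9
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    # Further providers go here in the same form to spread the traffic wider.
```

Unbound picks among all listed forward-addr entries per query (favouring the fastest responders), so each upstream only ever sees a share of the lookups, and any upstream whose certificate does not match the name after `#` is rejected. To check the result from a relay that uses this appliance, `dig +dnssec example.com @192.0.2.53` should return answers with the `ad` flag set for signed zones, which shows that validation happens on the appliance rather than being trusted blindly from the upstream.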

If you only have a single virtual server, AdGuard as a Docker image is a great, resource-sparing option and a custom IPv6 configuration to circumvent the blocks can be easily done via the Docker configuration.

For DNSSEC, just get yourself a Let's Encrypt certificate (should be easy on Linux), so it's possible for your relays to even check the certificate of your own DNS infrastructure (against MITM and poisoning) - without the need to import anything, as it's public.

A CertBot or ACME Client should be installed for easy and automatic certificate renewal.

Last step is to enable DNSSEC on your Relay-OS and insert your appliance as resolver.

I hope I could inspire you with my thoughts, or maybe you already have an optimized DNS infrastructure.

If you have any improvements, it would be great to hear your suggestion :)

Best regards and tomorrow a nice start into the weekend!

Joker

P.S. I have added an old example screenshot of my own homelab stats, the distribution was not perfect but now stabilized well.