On 10/16/2016 04:54 PM, Petrusko wrote:
> Thanks for sharing.
> But I'm not sure how Unbound is "speaking" with the root DNS servers... Somewhere I've read that DNS queries can be forwarded by a "man in the middle", and the server operator can't be sure about this :s An ISP is able to do it with your "private server" hosted behind your ISP's router...
> I see DNSSEC as a way to encrypt DNS queries from a client to a server, but for sure it's not possible to use it with the root DNS servers...
My VPS host uses 8.8.8.8 for DNS by default. I think it's configured in their DHCP settings or something because 8.8.8.8 will end up in /etc/resolv.conf every time the VPS restarts. Consequently, I have to keep an eye on /etc/resolv.conf to ensure that it always points to my Unbound instance. I take immediate action if this is not the case.
The dnscrypt repository on GitHub has a list of public DNS servers. I point my Unbound instance at one of them and I give Unbound as much RAM as I can to ensure that it caches as much as possible. In this way, I can reduce the frequency of lookups to external servers. I have had limited success with DNSSEC. I eventually had to disable it because too many requests were failing (including torproject.org) and I was not able to correct the issue. DNSCrypt works just fine though if you can find a server that supports it.
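The "keep an eye on /etc/resolv.conf" check described above, as an added example that is not part of the original post or of the Unbound project. It assumes Unbound listens on 127.0.0.1 (the LOCAL_RESOLVER variable); the sample resolv.conf content is constructed here to stand in for what a DHCP client writes after a reboot, and the helper names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): verify that a resolv.conf
# names only the local Unbound listener, and put it back if a DHCP run has
# swapped in a public resolver such as 8.8.8.8.
# Assumption: Unbound listens on 127.0.0.1; change LOCAL_RESOLVER if not.

LOCAL_RESOLVER=127.0.0.1

# resolv_nameservers FILE: print the nameserver addresses listed in FILE.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# resolv_foreign FILE: print the nameservers that are not the local resolver.
resolv_foreign() {
    resolv_nameservers "$1" | grep -v -x "$LOCAL_RESOLVER" || true
}

# resolv_is_local FILE: succeed only if FILE names at least one nameserver
# and every one of them is the local resolver (an empty file also fails).
resolv_is_local() {
    n=$(resolv_nameservers "$1" | awk 'END { print NR }')
    f=$(resolv_foreign "$1" | awk 'END { print NR }')
    [ "$n" -gt 0 ] && [ "$f" -eq 0 ]
}

# resolv_restore FILE: drop every nameserver line and append the local one,
# keeping the other lines (search, options, comments). The result is written
# through the path with cat rather than mv, so a symlinked resolv.conf is
# updated in place instead of being replaced by a regular file.
resolv_restore() {
    tmp=$(mktemp) || return 1
    { awk '$1 != "nameserver"' "$1"; printf 'nameserver %s\n' "$LOCAL_RESOLVER"; } > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Constructed sample: the kind of file a DHCP client leaves behind after a reboot.
sample=$(mktemp)
printf '# Generated by dhclient\nsearch example.net\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$sample"

if resolv_is_local "$sample"; then
    echo "ok: only $LOCAL_RESOLVER is configured"
else
    echo "foreign resolver(s): $(resolv_foreign "$sample" | tr '\n' ' ')"
    resolv_restore "$sample"
    echo "restored:"
    cat "$sample"
fi
rm -f "$sample"
```

For a real host the same functions run against the live file, e.g. `resolv_is_local /etc/resolv.conf || resolv_restore /etc/resolv.conf` from cron; the more durable fix is to stop the DHCP client from writing the file at all, for example `supersede domain-name-servers 127.0.0.1;` in dhclient.conf. On the Unbound side, the cache size the post talks about is set with `msg-cache-size` and `rrset-cache-size` in unbound.conf, and since Unbound has no DNSCrypt client of its own, pointing it at a DNSCrypt server in practice means running dnscrypt-proxy on a local port and forwarding to that with a `forward-zone` whose `forward-addr` is something like `127.0.0.1@5300`.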