Re: DOH (was: geolocation services disabled and Gnome maps)
On Mon, Apr 13, 2020 at 12:14:44PM +0100, Liam O'Toole wrote:
> On Mon, 13 Apr, 2020 at 12:57:54 +0300, Reco wrote:
> > 	Hi.
> > 
> > On Mon, Apr 13, 2020 at 11:16:02AM +0300, Andrei POPESCU wrote:
> 
> [...]
> 
> > > Whether DoH or DNS-over-TLS, you have to trust the DNS server.
> > 
> > Yup. That's why I have my own, and every Debian user can have their own
> > too, using only free software.
> > 
> 
> Pray tell us more. I use dnsmasq for clients on my LAN, but even that
> has to use an upstream name server --- in my case the one provided by my
> ISP.

1) Rent yourself a VPS, install bind there (there's no DNS but bind).
Replace bind with unbound if you need a caching-only nameserver
(caching-only bind is possible, but it's overkill).

2) Apply [1] to your dnsmasq.

3) Your ISP gets a TLS-tunneled DNS request (and they can't do anything
about it), you get unmolested name resolution.

stunnel can be replaced with ipsec or openvpn or wireguard.
Whatever you use as a caching DNS on your end does not matter, as long
as it can forward DNS queries to another upstream DNS.

Reco

[1] https://kb.isc.org/docs/aa-01386
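
A check for the TLS endpoint set up in steps 1-3, added here as an example and not part of Reco's message: it sends one DNS-over-TCP query (two-byte length prefix) through a verified TLS connection and reports the response code. The host name `dns.example.net`, port 853 and the optional `cafile` argument are assumptions; substitute whatever your stunnel listener and certificate actually use.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Return a DNS query for `name`, framed for TCP/TLS (2-byte length prefix)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    message = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(message)) + message

def parse_reply(framed, txid=0x1234):
    """Check framing and transaction id; return (rcode, answer_count)."""
    (length,) = struct.unpack("!H", framed[:2])
    message = framed[2:2 + length]
    if len(message) != length or length < 12:
        raise ValueError("truncated DNS reply")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set in a reply
        raise ValueError("not a reply to our query")
    return flags & 0x000F, ancount

def recv_exact(sock, n):
    """Read exactly n bytes; TLS records need not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def query_over_tls(server, name, port=853, cafile=None, timeout=5.0):
    """Send one A query through TLS; certificate chain and host name are verified."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(build_query(name))
            prefix = recv_exact(tls, 2)
            body = recv_exact(tls, struct.unpack("!H", prefix)[0])
            return parse_reply(prefix + body)

if __name__ == "__main__":
    # dns.example.net is a placeholder (assumption) for your own VPS.
    print(query_over_tls("dns.example.net", "debian.org"))
```

A failed certificate check raises `ssl.SSLCertVerificationError` before any query is sent, which is the behaviour you want from the forwarding side as well.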