On Mon, Apr 13, 2020 at 12:14:44PM +0100, Liam O'Toole wrote:
> On Mon, 13 Apr, 2020 at 12:57:54 +0300, Reco wrote:
> > Hi.
> >
> > On Mon, Apr 13, 2020 at 11:16:02AM +0300, Andrei POPESCU wrote:
> > [...]
> > > Whether DoH or DNS-over-TLS, you have to trust the DNS server.
> >
> > Yup. That's why I have my own, and every Debian user can have their own
> > too, using only free software.
>
> Pray tell us more. I use dnsmasq for clients on my LAN, but even that
> has to use an upstream name server --- in my case the one provided by my
> ISP.
1) Rent yourself a VPS, install bind there (there's no DNS but bind).
   Replace bind with unbound if you need a caching-only nameserver
   (caching-only bind is possible, but it's overkill).

2) Apply [1] to your dnsmasq.

3) Your ISP gets a TLS-tunneled DNS request (and they can't do anything
   about it), you get unmolested name resolution.

stunnel can be replaced with ipsec or openvpn or wireguard.

Whatever you use as a caching DNS on your end does not matter, as long as
it can forward DNS queries to another upstream DNS.

Reco

[1] https://kb.isc.org/docs/aa-01386
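One concrete layout for steps 1 to 3 above, written as an added example (not Reco's configuration and not text from the ISC article): stunnel on the VPS terminating TLS in front of bind/unbound, stunnel as a TLS client on the LAN box, and unbound as the local caching forwarder. Unbound rather than dnsmasq is an assumption made because stunnel carries TCP only, so the local resolver has to query its upstream over TCP, which unbound's `tcp-upstream` provides; `dns.example.net`, the certificate paths and local port 5353 are constructed placeholders.

```shell
#!/bin/sh
# Writes the three config fragments for the stunnel-based DNS-over-TLS
# tunnel into the directory given as $1. All names, paths and ports
# below are constructed placeholders, not values from the thread.
write_dot_configs() {
  dir=$1
  mkdir -p "$dir"

  # VPS side: stunnel listens on 853, terminates TLS, and hands the plain
  # DNS-over-TCP stream to the bind/unbound instance on 127.0.0.1:53.
  cat > "$dir/stunnel-server.conf" <<'EOF'
[dns-tls]
accept  = 853
connect = 127.0.0.1:53
cert    = /etc/stunnel/dns.example.net.pem
key     = /etc/stunnel/dns.example.net.key
EOF

  # LAN side: stunnel accepts plain DNS over TCP on 127.0.0.1:5353, wraps
  # it in TLS, and verifies the VPS certificate chain and hostname so a
  # middlebox cannot substitute its own endpoint.
  cat > "$dir/stunnel-client.conf" <<'EOF'
[dns-tls]
client      = yes
accept      = 127.0.0.1:5353
connect     = dns.example.net:853
verifyChain = yes
CAfile      = /etc/ssl/certs/ca-certificates.crt
checkHost   = dns.example.net
EOF

  # Local caching resolver (unbound, assumed): stunnel cannot carry UDP, so
  # every upstream query must go over TCP; unbound also refuses to forward
  # to 127.0.0.1 unless do-not-query-localhost is switched off.
  cat > "$dir/unbound-forward.conf" <<'EOF'
server:
    tcp-upstream: yes
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
EOF
}
```

Run `write_dot_configs /tmp/dot` and copy each fragment into the matching daemon's configuration directory on the respective host; `unbound-checkconf` validates the unbound fragment before a restart.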