On Tue, 9 Mar 2021 23:02:31 -0800 Rick Moen <r...@linuxmafia.com> wrote:
> Quoting tito via Dng (dng@lists.dyne.org):
>
> > Hi,
> > just for fast information, is it enough for unbound to remove:
> >
> > forward-zone:
> > #forward-first: yes
> > name: "."
> > forward-tls-upstream: yes
> > forward-addr: 1.1.1.1@853#cloudflare-dns.com
> > forward-addr: 1.0.0.1@853#cloudflare-dns.com
> > forward-addr: 8.8.4.4@853#dns.google
> > forward-addr: 8.8.8.8@853#dns.google
> > forward-addr: 9.9.9.9@853#dns.quad9.net
> > forward-addr: 185.222.222.222@853#dns.sb
> > forward-addr: 185.184.222.222@853#dns.sb
>
> Answer below.
>
> > Does it make sense to keep:
> >
> > server:
> > tls-upstream: yes
> > tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>
> On that: yes.
>
> On the former question, er, I'm actually a bit nonplussed about why
> those forwarder lines are in your configuration file in the first
> place.
>
> Forgive me, but it's rather late at night in my time zone, and I am
> not at peak alertness, _but_ my guess is that Unbound got set up
> somehow configured to forward outbound recursive queries to those
> entities, leaving me perplexed about why anyone would do that.

Just by following one of the many tutorials out there. Initially I was
just interested in using DNS to filter out ad servers and the like.

> That having been said, I personally would definitely _not_ want to
> have that configuration detail in my recursive nameserver state,
> without an extremely compelling reason, because doing that appears to
> largely defeat the entire purpose of running one's own recursive
> nameserver. Analogously, it would be like setting up a fully capable
> SMTP smarthost on a stable public IP address with free routing to
> 25/tcp anywhere in the world, but then configuring it to forward all
> outbound SMTP traffic to an untrustworthy ISP external mail host.
> Which would lead one to wonder, why?
>
> I hope that helps. I have no idea what else you might have in your
> configuration that ought not to be there, obviously.
> > I ask because after reading the thread I've tried on one
> > of my home's net DNS servers and it worked (I could browse the web)
> > but browsing speed was noticeably slower; does it improve
> > in the long run, or do we have to choose between
> > privacy and speed?
>
> I'm seriously not sure why operating a local recursive nameserver
> would be expected to reduce speed. Obviously, at initial startup of
> that process, it has nothing yet in cache and needs to do some
> queries of often-used FQDNs, but I would expect that it would very
> quickly improve DNS performance over _any_ nameserver on the far side
> of your uplink, because obviously your speed of local DNS resolution
> is really fast relative to your uplink, right?
>

I will try and report about this in a few days.

Thanks,
Tito

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
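The distinction Rick draws (a forward-zone for "." turns the instance into a forwarder, whereas dropping it leaves a recursive resolver that walks down from the root itself) can be checked mechanically before restarting the daemon. The following Python is an added example written for this page, not code from the thread or from the Unbound project. It parses unbound.conf-style text with a deliberately simplified grammar (assumption: a `#` starts a comment only at the start of a line or after whitespace, so the `#authname` part of a `forward-addr` value survives), reports whether any forward-zone for "." makes the instance a forwarder, and flags upstream TLS that is switched on without a CA bundle. The two embedded configurations are constructed samples modelled on the stanzas quoted above; no Unbound binary or network access is needed.

```python
import re

# Unbound config grammar, simplified: a line "section:" opens a block and
# the "key: value" lines that follow belong to the most recent block.
SECTION_RE = re.compile(r"^([a-z-]+):$")
KV_RE = re.compile(r"^([a-z-]+):\s*(\S.*)$")


def strip_comment(line):
    """Remove a '#' comment while keeping a '#' that is part of a value,
    e.g. the auth name in 'forward-addr: 1.1.1.1@853#cloudflare-dns.com'.
    Assumption (simplified from Unbound's lexer): '#' starts a comment only
    at the start of the line or after whitespace."""
    m = re.search(r"(^|\s)#", line)
    return line[: m.start()] if m else line


def parse_unbound(text):
    """Return [(section, {key: [values...]}), ...] in file order; repeated
    blocks such as several forward-zone: stanzas stay separate."""
    sections = []
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = KV_RE.match(line)
        if m and sections:
            key, value = m.group(1), m.group(2).strip().strip('"')
            sections[-1][1].setdefault(key, []).append(value)
    return sections


def _server_options(sections):
    """Merge all server: blocks into one dict (later values win)."""
    merged = {}
    for name, kv in sections:
        if name == "server":
            merged.update(kv)
    return merged


def is_forwarder(text):
    """True if a forward-zone for "." hands every query to upstream
    resolvers, i.e. the instance is a forwarder rather than a recursive
    resolver that iterates from the root servers itself."""
    return bool(any(kv.get("name", [""])[0] == "." and kv.get("forward-addr")
                    for name, kv in parse_unbound(text)
                    if name == "forward-zone"))


def lint(text):
    """Return a list of findings; an empty list means nothing to flag."""
    sections = parse_unbound(text)
    server = _server_options(sections)
    server_tls = server.get("tls-upstream", ["no"])[0] == "yes"
    findings = []
    for name, kv in sections:
        if name != "forward-zone":
            continue
        zone = kv.get("name", ["?"])[0]
        addrs = [a.split("@")[0] for a in kv.get("forward-addr", [])]
        if zone == "." and addrs:
            findings.append("forward-zone '.' sends all queries to %s; this "
                            "instance is a forwarder, not a recursive resolver"
                            % ", ".join(addrs))
        zone_tls = kv.get("forward-tls-upstream", ["no"])[0] == "yes"
        if addrs and not (zone_tls or server_tls):
            findings.append("forward-zone '%s' forwards in cleartext" % zone)
    if server_tls and not ({"tls-cert-bundle", "tls-system-cert"} & set(server)):
        findings.append("tls-upstream is on but no CA bundle is configured, "
                        "so upstream TLS certificates cannot be validated")
    return findings


# Constructed sample: the forwarding setup quoted in the thread (shortened).
FORWARDING_CONF = """\
server:
    tls-upstream: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    #forward-first: yes
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
"""

# Constructed sample: forward-zone removed, TLS settings kept, as discussed.
RECURSIVE_CONF = """\
server:
    tls-upstream: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
"""

if __name__ == "__main__":
    for label, conf in (("forwarding", FORWARDING_CONF), ("recursive", RECURSIVE_CONF)):
        print(label + ":", "forwarder" if is_forwarder(conf) else "recursive resolver")
        for finding in lint(conf):
            print("  -", finding)
```

Run it on a real `/etc/unbound/unbound.conf` by reading the file into `lint()`; it does not follow `include:` directives. Note that a server-level `tls-upstream: yes` applies to all upstream queries, not only to forwarders, so after removing the forward-zone it is worth confirming with `unbound-checkconf` and a test lookup that resolution still works before relying on the change.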