Comment on Pi-Hole question regarding unbound and cloudflared
Darkassassin07@lemmy.ca 3 months ago
I prefer cloudflared myself.
While unbound requests its answers from the authoritative servers for each domain, it does so using regular DNS queries, so it's susceptible to monitoring and modification like any other DNS request, while adding latency by extending that request to several servers instead of a single trusted provider.
That doesn't really seem beneficial to me. I'd rather use DoH.
irotsoma@lemmy.blahaj.zone 3 months ago
Unbound supports DoH if compiled with the support and given TLS certificates. I don’t use it internally on my home network because I have a pihole that I want to capture the traffic. I do use DNS over TLS for upstream communication, though.
Darkassassin07@lemmy.ca 3 months ago
DoH on the LAN between devices is completely pointless; I'm talking about DoH between the LAN and external DNS, which unbound does NOT do.
irotsoma@lemmy.blahaj.zone 3 months ago
DNS over TLS handles that. No need for DoH really. Unless DNS ports are blocked or captured by NAT or something and you need to use port 443 with DoH. At least not with a DNS server. DoH is useful for individual applications to do their own DNS lookups bypassing the OS or network level DNS. Otherwise DoH and DoT provide the same basic protection. DoT is just at a lower network layer and thus applies more broadly across the network or OS rather than being application or resolver specific. There’s never been a real need for a DNS server to use DoH instead of DoT unless DoT is blocked upstream.
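An unbound.conf fragment, added here as an illustration and not posted by either commenter, showing the encrypted DoT upstream that irotsoma describes next to the optional DoH listener (assumes unbound 1.12 or later built with TLS and nghttp2 support; the LAN range, key paths and upstream resolver are placeholders chosen for the example):

```conf
# Added example (not from the thread). Assumes unbound >= 1.12 with TLS and
# nghttp2 support; addresses, paths and the upstream are illustrative.
server:
    interface: 0.0.0.0@53        # plain DNS for the LAN (or for Pi-hole to forward to)
    interface: 0.0.0.0@443       # optional DoH listener; needs the key/pem below
    https-port: 443
    tls-service-key: "/etc/unbound/keys/doh.key"   # placeholder path
    tls-service-pem: "/etc/unbound/keys/doh.pem"   # placeholder path
    access-control: 192.168.1.0/24 allow           # placeholder LAN range
    # CA bundle used to validate the upstream resolver's certificate
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Weak setting: upstream queries forwarded in cleartext on UDP/53, which is
# the exposure Darkassassin07 objects to. Shown commented out for contrast.
# forward-zone:
#     name: "."
#     forward-addr: 1.1.1.1

# Hardened setting: upstream over DoT on port 853; the certificate is checked
# against the name after '#'. Remove this block to let unbound recurse directly.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Run `unbound-checkconf` after editing; a missing CA bundle or key path is reported there rather than at query time.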