Comment on selfhosting alternative to nextdns
friend_of_satan@lemmy.world 10 months ago
all your traffic goes through them right?
Wrong. DNS just resolves hostnames to IP addresses and a few other small things. None of your web traffic will go through your DNS provider.
chiisana@lemmy.chiisana.net 10 months ago
It’s not so absolute; your DNS provider could resolve domains to their own server’s IP and MITM your traffic. This is how some of those DNS based region bypass work — by re-routing your traffic through their server in a supported region.
lemmyvore@feddit.nl 10 months ago
How exactly would that work? You would have to accept broken certificates or even no TLS at all for that to work.
chiisana@lemmy.chiisana.net 10 months ago
As the person I replied to mentioned, these kind of providers would often also get you to install a cert that they’d use to sign with. Once it is installed, the certificates wouldn’t appear broken anymore.
lemmyvore@feddit.nl 10 months ago
You’d have to install a cert for each domain. It’s not likely to happen. The only provider where this works is Cloudflare but that’s because they force you to use them as registrar and DNS so they can issue duplicate certs for any domain.
friend_of_satan@lemmy.world 10 months ago
You are correct. However, you can’t mitm traffic through DNS alone. Each device would need to install a certificate for that to function. Also, OP specifically mentioned nextdns features, and nextdns does not do that.