On Sat, 23 May 2020 15:03:13 +0100 steve-ALUG@hst.me.uk allegedly wrote:
> Random musings:
> Opendns - It logs, that's a shame. It alters results? It can remove links to certain sites, e.g. adult or gambling etc, which is why some people use it. If memory serves, it sometimes also takes you to a search page if the domain does not exist. If you use dnsmasq, you can enter the IP of this landing page under "bogus-nxdomain" which means that dnsmasq knows that the search didn't work. Dunno if that's of interest.
> Steve
Thanks - yes I knew that and do exactly that on my dnsmasq configuration. I also use dnsmasq's "addn-hosts=" option to point to hosts files listing domains I /don't/ want to resolve properly (Dan Pollock's list for one, plus my own list of no-nos - google analytics, fb stats, ad sites etc. ad nauseam). I do not like DNS resolvers which examine your request before deciding how they will reply (as do opendns and quad9 for example. Except of course when I manage those servers....)
> Which name servers don't log you? The ones at the end of your post?
The ones which /claim/ not to log you are listed at the dnsprivacy references I gave and at the privacytools.io reference. I deliberately avoid all public resolvers known to log. And I have configured stubby to round robin on six different (ok five really because two are cloudflare) resolvers so no one resolver ever gets a full picture of my DNS lookups.
> Have you considered using pihole? It does site-wide dns lookups and drops "spammy/malwarey/bad/advertisey" domains. I think it also caches your lookups. Dnsmasq can also cache your lookups.
> You could set up dnsmasq to look up via a pihole server, and pihole to look up via whichever non-logging server, or list of servers you choose. With caching, only your initial lookups would be slow.
Yes, I have considered pihole (particularly since I run my local resolvers on pis) but I see no advantage over my (new) current set up using dnsmasq as my local caching resolver and forwarding through stubby for the upstream. Ideally all the root and other authoritative servers should accept DOT requests. I could then go back to using unbound and not rely on any public resolver. One day maybe.
Thanks
Mick
--------------------------------------------------------------------- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 https://baldric.net/about-trivia ---------------------------------------------------------------------
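The setup described in the thread (dnsmasq as the LAN's caching resolver with an addn-hosts blocklist and a bogus-nxdomain entry, forwarding only to a local stubby that round-robins DNS-over-TLS queries across several upstreams) written out as a script that generates both config files and checks they agree with each other. This is an added example, not configuration taken from the posting or from the dnsmasq or stubby projects. Assumptions: stubby listens on 127.0.0.1 port 8053 (its stock config listens on port 53), 192.0.2.1 stands in for whatever address the upstream's "search page" resolves to, only the two Cloudflare upstreams mentioned in the thread are named (the other resolvers are left for the reader to add from the dnsprivacy list), and the blocklist entries are constructed samples.

```shell
#!/bin/sh
# Added example: generate and cross-check a dnsmasq + stubby configuration.
# Not the posting's own files; see the lead-in for the assumptions.
set -eu

# Hosts-format file for dnsmasq's addn-hosts=. Names listed here answer
# with the sinkhole address 0.0.0.0 instead of their real address.
# These three entries are constructed samples, not Dan Pollock's list.
write_blocklist() {
  cat > "$1/blocklist.hosts" <<'EOF'
# constructed sample blocklist
0.0.0.0 www.google-analytics.com
0.0.0.0 ssl.google-analytics.com
0.0.0.0 pixel.facebook.com
EOF
}

# dnsmasq: cache locally, forward everything to stubby, never touch
# /etc/resolv.conf. dnsmasq only treats whole lines starting with '#'
# as comments, so every option sits on a line of its own.
write_dnsmasq_conf() {
  cat > "$1/dnsmasq.conf" <<EOF
# listen on loopback only for this example
listen-address=127.0.0.1
# ignore /etc/resolv.conf; the server= line below is the only upstream
no-resolv
# stubby's DoT forwarder (ASSUMED to listen on 127.0.0.1 port 8053)
server=127.0.0.1#8053
cache-size=10000
# never forward bare hostnames or RFC 1918 reverse lookups
domain-needed
bogus-priv
# drop upstream answers that point into private address space
stop-dns-rebind
# PLACEHOLDER: the address your upstream's "search page" resolves to
bogus-nxdomain=192.0.2.1
addn-hosts=$1/blocklist.hosts
EOF
}

# stubby: TLS only, authenticated upstreams, queries padded and spread
# round-robin so no single resolver sees every lookup.
write_stubby_conf() {
  cat > "$1/stubby.yml" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@8053
# Only the Cloudflare pair from the thread is named here; add the other
# resolvers you trust (the posting does not name them).
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
EOF
}

write_configs() {
  write_blocklist "$1"
  write_dnsmasq_conf "$1"
  write_stubby_conf "$1"
}

# Returns 0 when the three files agree, 1 otherwise. Catches the two
# mistakes that silently defeat the setup: dnsmasq forwarding to a port
# stubby is not listening on, and dnsmasq still reading /etc/resolv.conf
# (plaintext DNS to whatever DHCP handed out).
check_configs() {
  dir=$1
  stubby_port=$(sed -n 's/^ *- 127\.0\.0\.1@\([0-9]*\)$/\1/p' "$dir/stubby.yml")
  dnsmasq_port=$(sed -n 's/^server=127\.0\.0\.1#\([0-9]*\)$/\1/p' "$dir/dnsmasq.conf")
  [ -n "$stubby_port" ] && [ "$stubby_port" = "$dnsmasq_port" ] || return 1
  grep -q '^no-resolv$' "$dir/dnsmasq.conf" || return 1
  # every non-comment blocklist line must be "0.0.0.0 <hostname>"
  grep -Ev '^(#|$)' "$dir/blocklist.hosts" \
    | grep -Evq '^0\.0\.0\.0 [A-Za-z0-9.-]+$' && return 1
  return 0
}

# Run dnsmasq's own syntax check when the binary is available.
syntax_check() {
  if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test --conf-file="$1/dnsmasq.conf"
  fi
}

# Usage: sh dns-example.sh /path/to/output-dir
if [ $# -gt 0 ]; then
  write_configs "$1" && check_configs "$1" && syntax_check "$1" \
    && echo "wrote consistent configs to $1"
fi
```

Point dnsmasq at the generated file with `dnsmasq --conf-file=DIR/dnsmasq.conf` and stubby at the YAML with `stubby -C DIR/stubby.yml`; with `no-resolv` in place, a stubby that is down means lookups fail rather than quietly leaking to a plaintext upstream, which is the behaviour you want from this arrangement.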