by js2 2845 days ago
Switching to unbound seems like extra work. I kept dnsmasq on my EdgeRouter and just pointed it at doh-client from [0], which is trivial to cross-compile. I’m using Google’s DNS servers as upstream.

[0] https://github.com/m13253/dns-over-https/tree/master/doh-cli...


Thanks for mentioning an alternative.

It is extra work either way. Which has better performance, though?

I'm using dnsmasq with Pi-Hole's blocklists, and forwarding to unbound for DNS over TLS. Forwarding to another client such as doh-client could also work though I'm not sure how this would work with Quad9.

My router is acting as a backup for this, to ensure there's less load on the MIPS machine.

Go is cross-platform, sure. However, dnscrypt-proxy [1] is also very portable.

[1] https://github.com/jedisct1/dnscrypt-proxy
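Both setups above (dnsmasq pointed at doh-client, and dnsmasq forwarding to unbound for DoT) only stay private if dnsmasq never falls back to a plaintext upstream. Here is an added example, not code from the thread or from dnsmasq, doh-client, unbound or Stubby: a small POSIX shell audit that reads a dnsmasq configuration file and flags anything that would send UDP/53 off the box. The two sample configs and the 127.0.0.1#5053 forwarder port are constructed for the demo; adjust the port to wherever your local DoH/DoT forwarder actually listens.

```shell
#!/bin/sh
# Added example (not from the HN thread): audit a dnsmasq config so that every
# upstream it forwards to is a local DoH/DoT forwarder (doh-client, unbound,
# Stubby) on loopback, i.e. no plaintext UDP/53 leaves the router.
# The sample configs and the 5053 port below are constructed for this demo.

# Print each upstream that is NOT on loopback, one per line.
# dnsmasq syntax: server=[/domain/]addr[#port][@iface|@source-ip]
plaintext_upstreams() {
    grep -E '^[[:space:]]*server=' "$1" | sed 's/^[[:space:]]*server=//' |
    while IFS= read -r target; do
        addr=${target##*/}      # drop any leading /domain/ selectors
        addr=${addr%%#*}        # drop #port
        addr=${addr%%@*}        # drop @interface / @source-ip
        case "$addr" in
            # loopback, or "server=/domain/" with no address (meaning: never forward)
            127.*|::1|\[::1\]|"") ;;
            *) printf '%s\n' "$target" ;;
        esac
    done
}

# Return 0 when the config is leak-free: no-resolv is set (so dnsmasq ignores
# the ISP resolvers in /etc/resolv.conf) and every server= points at loopback.
audit_dnsmasq_conf() {
    conf=$1
    ok=0
    if ! grep -Eq '^[[:space:]]*no-resolv[[:space:]]*$' "$conf"; then
        echo "missing no-resolv: nameservers from /etc/resolv.conf would be queried in plaintext"
        ok=1
    fi
    bad=$(plaintext_upstreams "$conf")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/plaintext upstream: /'
        ok=1
    fi
    return $ok
}

# Constructed sample 1: the setup from the thread. dnsmasq hands every query to
# a local forwarder on 127.0.0.1#5053 (doh-client or unbound would listen there).
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
no-resolv
server=127.0.0.1#5053
cache-size=10000
EOF

# Constructed sample 2: a common default that leaks. A public resolver in the
# clear, and the resolv.conf entries still in play because no-resolv is absent.
LEAKY=$(mktemp)
cat > "$LEAKY" <<'EOF'
server=8.8.8.8
server=/lan/
server=127.0.0.1#5053
EOF

trap 'rm -f "$HARDENED" "$LEAKY"' EXIT

for f in "$HARDENED" "$LEAKY"; do
    if audit_dnsmasq_conf "$f"; then
        echo "$f: OK, only loopback upstreams"
    else
        echo "$f: LEAKS"
    fi
done
```

Run it against /etc/dnsmasq.conf (and any file pulled in via conf-file or conf-dir, which this script does not follow on its own). The check is deliberately narrow: it only proves dnsmasq's configured upstreams are local; whether the forwarder on that port really speaks DoH or DoT to Google or Quad9 is the forwarder's own config, and a packet capture on the WAN interface filtering for udp port 53 is the final word.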

I’m not sure about better performance. Once it’s cached it doesn’t matter.

Using unbound won’t survive an EdgeOS upgrade, will it? Maybe a script under /config/scripts could ensure unbound is installed and configured, though.

From what I learned, for DNS over TLS (DoT) you have three options:

- dnsmasq resolver using Stubby for DoT stuff

- Unbound resolver using Stubby for DoT stuff

- Unbound doing it all

The last one, as of today, is not quite ready, missing some stuff Stubby [0] does better.

[0] https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+...

Ah right, I’m using DoH, not DoT.