by CaliforniaKarl 1568 days ago
In addition to the root hints, you should also download the DNSSEC anchor key (available on the same site as the root hints). That will let you detect manipulations of records that are DNSSEC-signed.

Otherwise, you could spin up your recursive resolver on your cloud, VPS, or other hosting provider of choice, and then use that.


And make sure it only resolves records for you. Don't leave it wide open or it will be used as an attack vector. https://www.cloudflare.com/learning/ddos/dns-amplification-d...
Right, DNSSEC will solve the "manipulate" problem, but it won't solve the "see" problem. But whether that's a concern is up to you. You could run your resolver on a VPS and speak DoT / DoH to that, which shifts the leak from your ISP to your VPS provider.
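Putting the three pieces of advice above together (root hints plus the DNSSEC trust anchor from the parent comment, "only resolves records for you" from the amplification reply, and "speak DoT to a VPS" from this one), here is an added example of an Unbound server configuration; it is not part of the thread and not anyone's real deployment. The certificate paths, the hostname resolver.example and the client address 198.51.100.7 are placeholders to replace with your own.

```conf
# unbound.conf for a validating recursive resolver on a VPS, reachable
# only over DNS-over-TLS (853) and only from the client you name.
# Added example: file paths, resolver.example and 198.51.100.7 are
# placeholders, not values from the original discussion.
server:
    # Public listeners speak TLS only; plain port 53 stays on loopback
    # for processes on the VPS itself.
    interface: 127.0.0.1
    interface: ::1
    interface: 0.0.0.0@853
    interface: ::0@853
    tls-port: 853
    tls-service-key: "/etc/unbound/resolver.example.key"
    tls-service-pem: "/etc/unbound/resolver.example.fullchain.pem"
    do-udp: yes
    do-tcp: yes            # required for DoT

    # Start from the root servers rather than forwarding to 8.8.8.8-style
    # resolvers. root.hints is the named.root file downloaded from IANA.
    root-hints: "/etc/unbound/root.hints"

    # DNSSEC validation from the root trust anchor (the key published
    # alongside the root hints). auto-trust-anchor-file lets Unbound
    # roll the anchor itself per RFC 5011; the file must be writable.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no          # bogus answers become SERVFAIL, not data
    harden-dnssec-stripped: yes      # refuse answers whose signatures were removed

    # Send as little of the query name upstream as possible.
    qname-minimisation: yes

    # Not an open resolver: default-deny, then allow only your own hosts.
    # Unlisted sources get REFUSED instead of a (large, spoofable) answer.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 198.51.100.7/32 allow   # placeholder: your client's IP

    # Belt and braces against being used as a reflector anyway.
    ratelimit: 1000
```

After `unbound-checkconf` passes, a quick sanity check from the allowed client is a DNSSEC-signed name queried over TLS (`kdig +tls @resolver.example`, or `dig +dnssec` via a local DoT-forwarding stub): the answer should carry the AD flag, while the same query from an address outside the access-control list should come back REFUSED. Note that this moves the "see" problem to the VPS provider exactly as the comment above says; the config only closes the "open resolver" and "manipulate" gaps.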
It doesn't solve the "manipulate" problem we're talking about here, either: nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain; it only (situationally) prevents them from redirecting it somewhere else. (And, of course, it only works if you're running your own recursive server; it does nothing whatsoever in the 8.8.8.8-type use case).
> nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain

But at least it is detectable thanks to NSEC and NSEC3 records.

Kind of. An intermediary can drop packets and the client will never get the response.
It's detectable when the site that the DNS provider is censoring falls off the Internet!
Yes, that's true.