by sliken 1426 days ago
Shudder sure. But why not run your own DNS? Pick a desktop, Pi, server or similar and run a full resolver like unbound. You'll never have issues because your ISP's DNS is slow or dead, and you'll be talking to the root servers directly.
3 comments

That's the great thing about this feature, you can! Set up a DoH server, configure it on your phone, and you'll have your personal, encrypted-in-transit DNS server that you can use from anywhere!

By leveraging Oblivious DOH you can even encrypt your DNS traffic securely to your upstream DNS provider without having to set up your own recursive resolver (which would only lead to privacy issues).

Don't you need TLS certs for that? Isn't that a pain to do on a home intranet that you don't want accessible from the external internet?
Depends on your setup. You can tunnel your DNS through a Wireguard link to some cloud server if you want or you can use something like ngrok to expose the port publicly.

Every hop adds latency, though, so I'd recommend using as direct a connection as you can get. DNS latency can make your internet experience a real pain!

Do you have a guide for this that you'd recommend?
I've worked it out myself, there's a Rust crate called doh-proxy that contains a binary that's essentially a DoH server for a DNS server you specify and if you set it up right it'll just open a DoH server on a port you specify. Kind of a pain to debug, but once it works, it works pretty well. Can take a TLS cert or can work without TLS and a reverse proxy.
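To check that a self-hosted DoH endpoint such as the one described above actually answers, here is a small RFC 8484 client added as an example (it is not code from the thread and not part of the doh-proxy crate). It builds a wire-format DNS query, wraps it as a DoH POST or GET request, and parses the wire-format answer, including compressed names. The response bytes at the bottom are constructed inline so the parser can be exercised offline; the endpoint URL in `resolve` is whatever your server exposes.

```python
"""Minimal DNS-over-HTTPS (RFC 8484) client pieces.

Added example, not code from the thread or from doh-proxy. Assumes a DoH
endpoint that speaks application/dns-message over HTTPS.
"""
import base64
import secrets
import struct
import urllib.request

A_TYPE = 1  # RR type A


def encode_name(name):
    """Encode a dotted hostname into DNS label format (RFC 1035, section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=A_TYPE, qid=None):
    """Single-question query with RD set. RFC 8484 suggests ID 0 for cache
    friendliness; a random ID is used here so answers can be matched when
    probing a server by hand."""
    if qid is None:
        qid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:  # refuse pointer loops in hostile input
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("idna"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_response(msg):
    """Parse the header and answer section of a wire-format response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A_TYPE and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "rcode": flags & 0xF, "answers": answers}


def doh_request(url, query, method="POST"):
    """Wrap a wire-format query as an RFC 8484 request (POST body or GET ?dns=)."""
    accept = {"Accept": "application/dns-message"}
    if method == "POST":
        return urllib.request.Request(url, data=query, method="POST",
                                      headers=dict(accept, **{"Content-Type": "application/dns-message"}))
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode()  # unpadded base64url per RFC 8484
    sep = "&" if "?" in url else "?"
    return urllib.request.Request(url + sep + "dns=" + param, headers=accept)


def resolve(url, name, qtype=A_TYPE, timeout=5):
    """Send one query to a DoH endpoint (network call) and return parsed answers."""
    with urllib.request.urlopen(doh_request(url, build_query(name, qtype)), timeout=timeout) as r:
        return parse_response(r.read())


# Constructed sample (not captured from a real server): the answer to
# build_query("example.com", qid=0x1234), with one A record whose owner
# name is a compression pointer back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; rcode 0
    + encode_name("example.com") + struct.pack("!HH", A_TYPE, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, 1, 3600, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # To probe your own server: print(resolve("https://doh.example.invalid/dns-query", "example.com"))
```

A non-zero `rcode` (or an empty answer list for a name you know exists) from your own endpoint usually means the upstream resolver behind the DoH server is the part that is misconfigured, which is the debugging pain mentioned above.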
Because if I do that, then I have to worry about my ISP hijacking the recursive requests it makes.
DNSSEC protects against that for well-configured domains, though you can't assume people put in the effort.

You can use ODoH (https://blog.cloudflare.com/oblivious-dns/) to double-encrypt your DNS requests and forward them through an external server, disconnecting your query from your response, and encrypting your upstream DNS requests. You can pick any relay from this list: https://download.dnscrypt.info/dnscrypt-resolvers/v3/odoh-re... (need to de-base64 them to get the actual domain) and any upstream DOH server you prefer.
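The relay list linked above is published as DNS Stamps (`sdns://` followed by unpadded base64url), so "de-base64" really means decoding that binary layout. The decoder below is an added example, not code from the thread or from dnscrypt-proxy; it follows the DNS Stamps format as I understand it (protocol byte, 64-bit little-endian properties, length-prefixed fields, with the high bit of a length byte meaning "another item follows"). The relay stamp it decodes is constructed inline with the included encoder, and the hostnames in it are placeholders.

```python
"""Decode DNS Stamps (sdns://...) to read the hostname behind a relay or
target entry. Added example, not from the thread or dnscrypt-proxy.
"""
import base64
import struct

# Protocol identifiers from the DNS Stamps specification.
PROTO = {0x00: "Plain DNS", 0x01: "DNSCrypt", 0x02: "DoH", 0x03: "DoT", 0x04: "DoQ",
         0x05: "ODoH target", 0x81: "Anonymized DNSCrypt relay", 0x85: "ODoH relay"}
# Informal property bits advertised by the operator (not verified by the stamp itself).
PROPS = {1: "DNSSEC", 2: "No logs", 4: "No filter"}


def _lp(data, off):
    """Length-prefixed field: one length byte, then that many bytes."""
    n = data[off]
    return data[off + 1:off + 1 + n], off + 1 + n


def _vlp(data, off):
    """Variable-length list of length-prefixed fields; 0x80 in the length byte means more follow."""
    items = []
    while True:
        n = data[off]
        size = n & 0x7F
        items.append(data[off + 1:off + 1 + size])
        off += 1 + size
        if not n & 0x80:
            return items, off


def decode_stamp(stamp):
    """Return a dict describing the stamp (protocol, props, address, hostname, path, ...)."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # restore padding
    proto, off = raw[0], 1
    out = {"protocol": PROTO.get(proto, "unknown 0x%02x" % proto)}
    if proto == 0x81:  # relay stamps carry only an address
        addr, off = _lp(raw, off)
        out["address"] = addr.decode()
        return out
    props = struct.unpack_from("<Q", raw, off)[0]
    off += 8
    out["props"] = [name for bit, name in PROPS.items() if props & bit]
    if proto == 0x05:  # ODoH target: hostname and path only
        host, off = _lp(raw, off)
        path, off = _lp(raw, off)
        out.update(hostname=host.decode(), path=path.decode())
        return out
    addr, off = _lp(raw, off)
    out["address"] = addr.decode()  # may be empty for DoH-style stamps
    if proto == 0x00:
        return out
    if proto == 0x01:
        pk, off = _lp(raw, off)
        name, off = _lp(raw, off)
        out.update(public_key=pk.hex(), provider_name=name.decode())
        return out
    hashes, off = _vlp(raw, off)  # certificate hashes; a single empty entry means none pinned
    out["hashes"] = [h.hex() for h in hashes if h]
    host, off = _lp(raw, off)
    out["hostname"] = host.decode()
    if proto in (0x02, 0x85):
        path, off = _lp(raw, off)
        out["path"] = path.decode()
    if off < len(raw):  # optional bootstrap IPs
        ips, off = _vlp(raw, off)
        out["bootstrap_ips"] = [ip.decode() for ip in ips if ip]
    return out


def encode_doh_like(proto, hostname, path, address="", props=0, hashes=()):
    """Build a DoH (0x02) or ODoH relay (0x85) stamp; used to construct the sample below."""
    raw = bytes([proto]) + struct.pack("<Q", props)
    raw += bytes([len(address)]) + address.encode()
    if not hashes:
        raw += b"\x00"
    else:
        for i, h in enumerate(hashes):
            more = 0x80 if i < len(hashes) - 1 else 0
            raw += bytes([len(h) | more]) + h
    raw += bytes([len(hostname)]) + hostname.encode()
    raw += bytes([len(path)]) + path.encode()
    return "sdns://" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed samples with placeholder names (not entries from the real list).
SAMPLE_RELAY = encode_doh_like(0x85, "odoh-relay.example.net", "/relay", props=6)
SAMPLE_PLAIN = "sdns://AAAAAAAAAAAABzkuOS45Ljk"  # hand-encoded plain-DNS stamp for 9.9.9.9, props 0

if __name__ == "__main__":
    for s in (SAMPLE_RELAY, SAMPLE_PLAIN):
        print(decode_stamp(s))
```

The property bits are self-declared by whoever published the stamp, so "No logs" is a claim to check against the operator's policy, not a property the decoder can verify. Feeding every line of the relay list through `decode_stamp` gives the relay hostnames and paths, which is what you need to pair a relay with an upstream DoH target.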

> DNSSEC protects against that for well-configured domains

This isn't effective against DNS-level censorship, though. A DNSSEC validation error is just as effective as a fake NXDOMAIN or bogus IP at keeping me from visiting the correct site.

It works in the sense that at least you can know your ISP is messing with your DNS. If they mess with DNS, they might as well just block an IP (range), so a DNS alternative probably won't bypass most censorship. You're better off with a decent VPN at that point.
Are you wondering whether your ISP is messing with your DNS? Let me help you with that: if you're in North America, your ISP is messing with your DNS.
I temporarily agree with this, but once TLS ECH gets widely deployed then I won't. I can see an ISP blocking a single domain, but not all of Cloudflare just because it's hosted there.
No different than using 8.8.8.8. I've been meaning to track which (if any) root servers support DNS over HTTPS/TLS, that seems the ideal solution.
> You'll never have issues because your ISP's DNS is slow or dead

You will have issues because your DNS is slow or dead :)

Heh, true, so far my latency and uptime are far higher than Comcast. I also use it for DNS blacklisting various sites/services.