
I've recently taken an interest in DNS security and have opted to use the "dnscrypt-proxy", "dnsmasq" and "unbound" packages on my Debian 11 system, chained together in the following order to encrypt my DNS traffic and improve the integrity of the resolved addresses:

My System -> Unbound -> DNSMASQ -> DNSCrypt Proxy -> Internet

However, I'm wondering if using Unbound is necessary: does it serve any new function in the chain or have any benefits, or is it completely redundant, as I see I can enable "DNSSEC" in the other packages?

  • DNSSEC has nothing to do with anything you listed (unbound validates). You must first understand the important difference (with lots of people trying to pretend it doesn't exist) between securing the transport (where DoH/DoT come into play) and securing the content (where DNSSEC comes into play). When you talk about security and "beneficial" you need to list first what you are trying to protect yourself against. Do you want people (ex: ISP) not to snoop on your DNS traffic? Then you might need DoH/DoT. Do you want to have guarantees on data received? You need DNSSEC. And you can do both. – Patrick Mevzek Sep 13 '22 at 22:11
  • As it currently stands your question might be off-topic here, as it seems to be in a personal setting, not a business setting, and is anyway quite broad. What do you gain in chaining unbound and dnsmasq exactly? – Patrick Mevzek Sep 13 '22 at 22:12
  • @PatrickMevzek The DNS request is made to Unbound, and then unbound uses dnsmasq to resolve the request, which in turn uses dnscrypt-proxy – Lil Cyanide Sep 13 '22 at 22:29
  • "The DNS request is made to Unbound and then unbound uses dnsmasq to resolve the request" That still doesn't explain why unbound needs to use dnsmasq. Unbound is a full-fledged recursive resolver by itself. – Patrick Mevzek Sep 14 '22 at 13:43

1 Answer


The interest of Unbound is to avoid having to send your DNS requests to some DNS resolver; it all comes down to the trust you can have in a firm such as Cloudflare compared to a firm such as Verisign or those hosting a.gtld-servers.net.

Menard
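Added example, not from the question or the answer above: an Unbound configuration for the Debian 11 setup described in the question that does the DNSSEC content validation in Unbound itself and forwards the encrypted transport directly to dnscrypt-proxy, which removes the dnsmasq hop the comments ask about; the config file path, the trust-anchor path and the dnscrypt-proxy listener 127.0.2.1@53 are assumptions.

```conf
# /etc/unbound/unbound.conf.d/local.conf   (assumed path; Debian's package includes this directory)
server:
    interface: 127.0.0.1
    port: 53

    # Content integrity: validate every answer with DNSSEC here. Answers that
    # fail validation are returned to the client as SERVFAIL, not passed through.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed Debian path, maintained by unbound-anchor
    val-permissive-mode: no        # "yes" would hand bogus answers back to clients, defeating validation
    harden-dnssec-stripped: yes    # reject answers whose DNSSEC records were stripped by an upstream
    harden-glue: yes               # only trust glue records that are within the delegation's bailiwick
    qname-minimisation: yes        # send each upstream only as much of the name as it needs

    # Required when the upstream resolver lives on a loopback address.
    do-not-query-localhost: no

# Transport protection: hand every query to dnscrypt-proxy, which encrypts it
# on the way out. Remove this whole block and Unbound instead recurses from
# the root servers itself, with no third-party resolver involved (the answer's point).
forward-zone:
    name: "."
    forward-addr: 127.0.2.1@53     # assumed dnscrypt-proxy listener (the Debian package's default)
```

`unbound-checkconf` verifies the syntax before a restart; once validation is active, `dig +dnssec example.com @127.0.0.1` shows the `ad` flag in the header, and a domain with a deliberately broken signature returns SERVFAIL.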