[qubes-users] DNS -- good practice ?

Hi all,

I have the impression that DNS questions should get more attention than
they often attract, with the purpose of caching, anonymity, censorship
prevention & securing against DNS manipulation. Let me start my question
with a citation that, in the end, is not that surprising:

"more than two-thirds of the encrypted DNS resolvers manipulate at least
one domain’s DNS response, showing that the DNS manipulation in the
encrypted DNS is even more prevalent than that in the traditional DNS,
where only 11% of the resolvers have been identified to manipulate DNS
responses."

source:
https://digitalcommons.odu.edu/cgi/viewcontent.cgi?article=1195&context=computerscience_fac_pubs

Somehow, people who feel that their traffic should be anonymous are
surveilled / manipulated with higher energy :) Of course you may answer
to use TOR at all times, but at the end of the day, that does not work
-- many sites either block or limit TOR traffic, etc.

And I don't know whether TOR uses "cross checking requests" to detect
manipulation? The question of "best practice" seems non-trivial to me.
Setting up a DNS qube seems a good idea as such, but what kind of
software can trustworthily be run on such a qube??

Thank you for any helpful comment, Bernhard

Hi Bernhard,

nice to see you're still around. :)
I hadn't seen you active for a long time, probably I just don't know your nick on the forum.

> And I don't know whether TOR uses "cross checking requests" to detect
> manipulation? The question of "best practice" seems non-trivial to me.
> Setting up a DNS qube seems a good idea as such, but what kind of
> software can trustworthily be run on such a qube??

Personally I use unbound as recursive DNS resolver, but I guess everyone may have different trust choices. Anyway that's not specific to Qubes OS.

I also use systemd-resolved in firewall VMs for caching [1].

[1] GitHub - 3hhh/qubes-dns: DNS VM helper scripts

Best Regards
David