It's actually much more beneficial to use a local DNS server even for a single user. A single user will keep sending DNS requests, since the OS/apps cache DNS only for a minute or so. A local DNS server will keep the cache for the full TTL of the record and thus reduce the number of DNS requests that go out of your network. Plus there is a Serve Stale feature which improves resiliency. For privacy, depending on your scenario, you can either run a recursive resolver or use encrypted DNS protocols to hide DNS from your ISP. There is also support for configuring a SOCKS5 or HTTP proxy to route requests via another server or via the Tor network.
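To make the caching argument above concrete, here is an added example (not part of the comment, and not Technitium's code) that models the two cache policies: a stub-style cache capped at 60 seconds versus a local cache that keeps the answer for the record's full TTL, plus a serve-stale path for when the upstream is unreachable. The `TtlCache` class, the name `app.example.test` and the TEST-NET-1 answer are all constructed for illustration.

```python
import time


class TtlCache:
    """Tiny resolver cache that honours record TTL and can serve stale answers.

    Illustrative model only (not Technitium's implementation): `max_ttl` caps
    how long an answer is kept, as a typical OS/app stub cache does, and
    `serve_stale` returns an expired answer when the upstream lookup fails.
    """

    def __init__(self, max_ttl=None, serve_stale=False, now=time.time):
        self.max_ttl = max_ttl          # None = keep answers for their full TTL
        self.serve_stale = serve_stale
        self.now = now                  # injectable clock for deterministic runs
        self.store = {}                 # name -> (rdata, expiry_time)
        self.upstream_queries = 0       # how many lookups left this cache

    def resolve(self, name, upstream):
        """Return rdata for `name`; call `upstream(name) -> (rdata, ttl)` on a miss."""
        t = self.now()
        entry = self.store.get(name)
        if entry is not None and entry[1] > t:
            return entry[0]             # fresh hit, no traffic leaves the network
        self.upstream_queries += 1
        try:
            rdata, ttl = upstream(name)
        except OSError:
            if entry is not None and self.serve_stale:
                return entry[0]         # expired answer beats a failed lookup
            raise
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)
        self.store[name] = (rdata, t + ttl)
        return rdata


def simulate_upstream_queries(max_ttl, record_ttl=3600, interval=30, duration=3600):
    """Count upstream lookups when one client re-resolves a name every `interval` seconds."""
    clock = [0.0]
    cache = TtlCache(max_ttl=max_ttl, now=lambda: clock[0])

    def upstream(name):
        return "192.0.2.10", record_ttl   # constructed answer (TEST-NET-1 address)

    for step in range(duration // interval):
        clock[0] = float(step * interval)
        cache.resolve("app.example.test", upstream)
    return cache.upstream_queries


def serve_stale_demo(serve_stale):
    """Resolve once, let the answer expire, then simulate an unreachable upstream."""
    clock = [0.0]
    cache = TtlCache(serve_stale=serve_stale, now=lambda: clock[0])
    cache.resolve("app.example.test", lambda name: ("192.0.2.10", 300))
    clock[0] = 301.0                    # just past the 300 s TTL

    def upstream_down(name):
        raise OSError("upstream unreachable")

    try:
        return cache.resolve("app.example.test", upstream_down)
    except OSError:
        return None


if __name__ == "__main__":
    print("stub-style cache (60 s cap):", simulate_upstream_queries(60), "upstream queries/hour")
    print("local cache (full TTL):     ", simulate_upstream_queries(None), "upstream query/hour")
    print("serve-stale on:", serve_stale_demo(True), " off:", serve_stale_demo(False))
```

With a one-hour record TTL and a client re-resolving every 30 seconds, the 60-second cap sends 60 queries upstream per hour while the full-TTL cache sends one; the serve-stale variant keeps answering after expiry when the upstream is down, where the strict variant fails.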
Have you registered these domains? I’ve seen a lot of companies use “internal” domains that they don’t register and then are surprised when names they didn’t register end up resolving unintentionally to something external.
No. I use adguardhome to act as a private DNS for my android devices. It's the best way to get both DNS for self hosted services AND DNS filtering to remove tracking and ads in all android apps.
You can at least partially mitigate this by simply blocking the major DNS-over-https endpoints. There aren't that many. However, in my experience this really pisses off some devices e.g. Google/Nest Home speakers even if you have regular DNS working fine. You also of course won't catch the really nefarious devices phoning home over a custom non-public endpoint. It can be interesting just for logging purposes as well, that's what I do.
Personally, I think DoH was a mistake. Instead of the network admin configuring the name resolution services (via DHCP, for example) each app has a hard-coded list of IP addresses that it will use to resolve hostnames. Instead of a system resolver that does the job we now have a resolver, complete with hard-coded server configuration, baked into various applications/devices.
Yep, playing whack-a-mole trying to block it is a losing battle long term, but for now it kinda works. Serving content from the same endpoints is indeed the whole point because it makes it hard to block without collateral damage.
Probably the only way to really block it is some kind of SSL unwrapping and deep packet inspection at the firewall but that's a HUGE hassle to deal with and is itself a potential privacy issue.
> Had to remove the slash to pass through cloudflare block
I was going to write: You can’t write a comment with the text / etc / hosts?!
But I tried it and got the CloudFlare block page. That's pretty incredible that a tech focused forum blocks you for simply referencing a common file on all Unix file systems. What a sad state of a future we live in.
I get your point, but this is already solved in a much easier manner with an OpenWRT router (and GUI etc), and using DNS for that is kind of a strawman argument. OpenWRT comes out of the box even with social website toggles that require no configuration.
Granted, you still have to install OpenWRT, but I still think that running a root DNS isn't necessary for home setups.
Technitium advertises itself as being able to serve as a root DNS, in both its documentation and on their blog [1]. So I think my argument is still valid, as it's way too over-engineered to be a simple, self-hosted, home lab solution for the problem at hand.
Self-hosting allows you to block trackers at the DNS level. =) Depending on your level of hands-on you can block rentable infrastructure that trackers use and whitelist the apps which coincidentally also rent compute in that space. You can also use resolution telemetry to synthesize PTR records so that reverse DNS works for assets in the cloud.
In order to accomplish those things I rely on Response Policy Zones and Dnstap, features which I don't see listed for this server. Nonetheless it does have filtering capability and decent coverage of features important to the average internet user, based on their listed features.
[I give away the RPZ / Dnstap stuff on GitHub, and I use BIND.]
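The PTR synthesis the commenter describes, as an added example that is neither their GitHub code nor anything from BIND or Technitium: forward-resolution telemetry is parsed, each observed address is mapped back to the name most often resolved to it, and reverse-zone records are emitted. The telemetry format below is a constructed, simplified one (timestamp, client, qname, qtype, answer), not real dnstap output; the names and addresses use reserved documentation ranges. Malformed lines and non-address answers (CNAME) are skipped, and IPv6 is handled the same way as IPv4.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed telemetry lines (not dnstap's format):
# <timestamp> <client> <qname> <qtype> <answer rdata>
SAMPLE_TELEMETRY = """\
2024-05-01T10:00:01Z 10.0.0.5 api.vendor.test A 203.0.113.7
2024-05-01T10:00:02Z 10.0.0.5 cdn.vendor.test A 203.0.113.7
2024-05-01T10:00:05Z 10.0.0.9 api.vendor.test A 203.0.113.7
2024-05-01T10:00:07Z 10.0.0.9 mail.example.test AAAA 2001:db8::25
2024-05-01T10:00:09Z 10.0.0.5 bad line here
2024-05-01T10:00:11Z 10.0.0.7 www.example.test CNAME web.example.test
"""


def parse_telemetry(text):
    """Yield (qname, ip_address) for A/AAAA answers; skip malformed or other records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] not in ("A", "AAAA"):
            continue
        _timestamp, _client, qname, _qtype, rdata = parts
        try:
            ip = ipaddress.ip_address(rdata)
        except ValueError:
            continue                     # rdata is not an address; ignore the line
        yield qname.rstrip(".").lower(), ip


def synthesize_ptr(text):
    """Return {reverse_owner_name: fqdn}, choosing per address the most-seen qname.

    Ties are broken alphabetically so the output is deterministic; a shared IP
    (CDN, load balancer) therefore gets one PTR, which is the usual compromise.
    """
    seen = defaultdict(Counter)
    for qname, ip in parse_telemetry(text):
        seen[ip][qname] += 1
    records = {}
    for ip, names in seen.items():
        best = sorted(names.items(), key=lambda kv: (-kv[1], kv[0]))[0][0]
        # ipaddress gives the in-addr.arpa / ip6.arpa owner name directly
        records[ip.reverse_pointer + "."] = best + "."
    return records


def to_zone_lines(records, ttl=3600):
    """Render the synthesized records as zone-file PTR lines."""
    return [f"{owner} {ttl} IN PTR {target}" for owner, target in sorted(records.items())]


if __name__ == "__main__":
    for line in to_zone_lines(synthesize_ptr(SAMPLE_TELEMETRY)):
        print(line)
```

The output lines can be dropped into a locally served reverse zone so that `dig -x 203.0.113.7` against the home resolver answers `api.vendor.test.` even though the cloud provider publishes no PTR for that address.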
Are there any upstream DNS servers that would allow you to just download the whole database and then everything immediately after its TTL runs out? I can imagine it would be a lot of traffic.
That would be a zone transfer and it's generally not allowed by DNS servers. And there couldn't be a single DNS server to query from; instead you would need to recursively query all the DNS servers, which also is not exactly practical.