Dear All,
I have seen mentions on this list of people using pi-hole and unbound DNS servers in their setups, and I wondered if others had considered opinions as to the usefulness of doing this. Pi-hole's biggest feature seems to be their filter lists to block extra/evil DNS queries, while Unbound seems to feature caching and validating functions. I would think that a DNS cache that kept queries for a long time would certainly keep most of your queries out of an ISP's DNS logs. Or are there DNS providers that are relatively immune to their logs being requested by others?
TIA, --Torix
> I have seen mentions on this list of people using pi-hole and unbound DNS servers in their setups, and I wondered if others had considered opinions as to the usefulness of doing this. Pi-hole's biggest feature seems to be their filter lists to block extra/evil DNS queries, while Unbound seems to feature caching and validating functions. I would think that a DNS cache that kept queries for a long time would certainly keep most of your queries out of an ISP's DNS logs. Or are there DNS providers that are relatively immune to their logs being requested by others?
I believe it is beneficial to run a caching and validating resolver directly on tor exit relays, but please do not interfere with DNS resolution by using DNS blacklists.
On Fri, Mar 16, 2018 at 12:54 PM, torix@protonmail.com wrote:
> I have seen mentions on this list of people using pi-hole and unbound DNS servers in their setups, and I wondered if others had considered opinions as to the usefulness of doing this.
https://pi-hole.net/ https://github.com/pi-hole
Pi-hole's DNS-style blocking is nice where you can't get inside TLS the way adblockplus does inside the browser, and for filtering all traffic / apps for entire machines / networks, but it is, by the nature of DNS (not full URI), a bit less fine-grained.
> Pi-hole's biggest feature seems to be their filter lists to block extra/evil DNS queries
One's 'extras/evils' / adverts are another's censorship. Exits are not supposed to be censors, but enablers instead. Would you use an exit that arbitrarily censors you, uses arbitrary subscriptions, or is subject to arbitrary censorship? Are there so few free and clear providers left? Are exit bandwidth / circuits / CPU / RAM / latency really that tight? Is it your role to "protect" users from your idea of "bad"? Can users identify and select from everything all the exits might be doing, who they are, where, etc?
Those and more can all be debated in a new thread covering philosophy of any network which might offer exit / vpn / transit style services.
However, for the tor network, exits found censoring / filtering / etc. above and beyond what they can do in their tor exit-policy config are likely to be reported by users / scans as bad-relays, which could lead to the exit being dropped from consensus.
> while Unbound seems to feature caching and validating functions.
This is of benefit to exits and users.
> I would think that a DNS cache that kept queries for a long time
Time is up to the zone authority, not arbitrary downstreams, which would again be modification / censorship of the internet, and breaks services as their zone changes and the cache doesn't.
> would certainly keep most of your queries out of an ISP's DNS logs.
Logs of their DNS servers, maybe, provided they don't grab and redirect DNS into them, or record netflow, etc.
Logs of adversaries sniffing the wires, no.
> Or are there DNS providers that are relatively immune to their logs being requested by others?
This depends on:
- providers actually not keeping logs.
- them letting you audit their claims therein.
- them not being subject to whims of the State.
- them not being hacked by same and other adversaries.
The AND operation upon these conditions is quite unlikely to be TRUE. Working to change that would be good.
Running a local caching DNS (unbound etc) is considered best practice, approaching universal for large exits due to cache savings and performance alone.
The additional potential privacy benefit of not expressly funneling all your users' DNS through yet another third party is even more reason to do so.
Same for whatever censorship / evils that party might be doing.
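For reference, here is an annotated unbound.conf that implements what this thread recommends for an exit: a local caching, DNSSEC-validating resolver that recurses to the root itself (no forwarder, no blocklists, zone TTLs honoured, no query logging). This is an added example, not configuration posted by anyone in the thread; the root-hints and trust-anchor file paths are distro-dependent and are assumptions.

```conf
server:
    # Listen on loopback only: the tor daemon on this host is the sole client.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Full recursion from the root hints. Deliberately no forward-zone: block,
    # so no third-party resolver (ISP or public) sees the exit's query stream.
    root-hints: "/usr/share/dns/root.hints"           # path is an assumption
    # DNSSEC validation; unbound-anchor maintains this file (RFC 5011).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"  # path is an assumption
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Limit what authoritative servers learn about the query and about us.
    qname-minimisation: yes
    minimal-responses: yes
    hide-identity: yes
    hide-version: yes

    # Caching sized for a busy exit. cache-min-ttl stays 0 so the zone's own
    # TTL is respected rather than stretched; prefetch refreshes popular names
    # before they expire instead of holding stale data.
    msg-cache-size: 64m
    rrset-cache-size: 128m
    cache-min-ttl: 0
    cache-max-ttl: 86400
    prefetch: yes
    prefetch-key: yes
    aggressive-nsec: yes
    num-threads: 4

    # No per-query logging on the exit.
    verbosity: 0
    log-queries: no
    log-replies: no

    # Intentionally absent: local-zone / local-data blocklist entries and any
    # forward-zone: section. Filtering here is what gets an exit reported
    # as a bad relay.
```

Tor's exit resolver reads the nameservers from the file named by `ServerDNSResolvConfFile` (default `/etc/resolv.conf`), so that file should contain only `nameserver 127.0.0.1` for the exit to use this instance.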