it's a pity it doesn't get any attention lately. it was the first of the three main standards, it has a community and quite a few resolvers. it (unlike DoH and DoT!) adds padding to queries, so dpi can't figure out how long the requested domain name is.
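
The length-hiding the post describes, as an added illustration (not code from the thread or from dnscrypt-proxy): DNSCrypt pads each client query with ISO/IEC 7816-4 padding (one 0x80 byte, then zeros) up to a multiple of 64 bytes, with a 256-byte minimum, so a short and a long query name leave the client at the same wire length. The DNS questions below are constructed; encryption and the real DNSCrypt framing are left out, only the padding is modelled.

```python
import struct

MIN_QUERY_LEN = 256   # DNSCrypt's initial <min-query-len>
PAD_BLOCK = 64        # padded length must be a multiple of 64 bytes


def build_question(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Plain DNS query (12-byte header + one question) for `name`, unpadded.
    Constructed input for the demo, not a full DNS encoder."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def pad_query(query: bytes, min_len: int = MIN_QUERY_LEN) -> bytes:
    """ISO/IEC 7816-4 padding as DNSCrypt applies it: append 0x80, then
    zero bytes until the total is the smallest multiple of 64 that is at
    least min_len and has room for the marker byte."""
    needed = len(query) + 1                       # query plus the 0x80 marker
    target = max(min_len, -(-needed // PAD_BLOCK) * PAD_BLOCK)
    return query + b"\x80" + b"\x00" * (target - needed)


def unpad_query(padded: bytes) -> bytes:
    """Reverse pad_query; rejects input without the 0x80 marker."""
    stripped = padded.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("missing 0x80 padding marker")
    return stripped[:-1]


def wire_lengths(names):
    """name -> (unpadded, padded) length: what a passive observer sees
    without and with DNSCrypt-style padding."""
    result = {}
    for name in names:
        query = build_question(name)
        result[name] = (len(query), len(pad_query(query)))
    return result


if __name__ == "__main__":
    for name, (raw, padded) in wire_lengths(
        ["a.io", "this-is-a-rather-long-subdomain.example.net"]
    ).items():
        print(f"{name:45s} raw={raw:3d} padded={padded}")
```

Because both queries pad out to 256 bytes, the observer sees the same length for either name; only queries longer than about 255 bytes step up to the next 64-byte block.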


its official implementation is the best. it has cache, logging, blacklists, whitelists, custom forwarding, etc.

there're only two issues: it's harder to implement (as opposed to just using tls / https libraries) and its creators don't have the political power of cloudflare, mozilla and google, so it won't become an ietf standard.

i read about unbound a little, kinda disappointed. there's no dedicated whitelist file, but you can add a lot of rules to not resolve individual domains. so afaiu you can't make whitelists.

turns out, dnscrypt-proxy is quite an advanced resolver


I've been using it for a year and never had any problems

@leip4Ier my home network has dnscrypt-proxy running in the router for the whole network. An amusing side effect is that after the cache starts to fill (which doesn't take much time) it tends to be faster (that is: less latency) than our ISP's DNS servers. That being said, now that I think of it I have rarely seen an ISP have speedy ones... :pika:

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.