@johnpoz said in Understanding DNS validating resolver w/ DNSSEC vs DNS-over-TLS and interception:
And who says the info was not manipulated before Cloudflare or Google or whoever you forward to? They are just serving up what is in their cache - if it has not been validated via DNSSEC, then it could be junk just as well.
That is possible, I am aware. And I know you feel strongly from previous discussions that a resolver is a better option, and I respect your experience and opinion. But let's look at the pros and cons...
Resolver via ISP:
Pros: Does not go through a middleman, can use DNSSEC; DNSSEC-enabled domains can be trusted, and if interfered with, the results would be rejected.
Cons: Non-DNSSEC-enabled domains (of which it seems there are many) can be interfered with at the ISP level or anywhere in between. No DNS requests are encrypted, so they can be seen and monitored by the ISP.
DNS-over-TLS with Quad9:
Pros: Requests to the forwarder are encrypted and can't be interfered with. The ISP cannot monitor the DNS requests (although it obviously can monitor the resulting connections to the IP addresses). The forwarder implements DNSSEC themselves, so the results they give for DNSSEC-enabled domains should be accurate unless they are messing with it themselves. Optional blocking of malicious domains at the DNS level.
Cons: Do you trust the forwarder?
So yes, it really comes down to whether you trust the forwarder or the ISP more.
@johnpoz said in Understanding DNS validating resolver w/ DNSSEC vs DNS-over-TLS and interception:
You're just trusting them to not manipulate it more than you trust your ISP... Which to be honest doesn't make a lot of sense.. Who has more to gain from DNS shenanigans, some ISP with x number of customers.. or some site serving up DNS to the globe? ;)
Well I am talking about ISPs in developing countries where:
There is no legal framework governing what they do.
Security services get anything they want from them with no rules or legal basis. If they walk in and tell the ISP to redirect some site's DNS, they'll get it instantly.
There is little to stop some malicious ISP employee from doing same.
ISP Employees have previously leaked large amounts of personal subscriber information including passport and ID card information.
Their own security and technical expertise is poorer, and so there is a greater chance of them being hacked by third parties.
An example - one ISP (not mine) previously ran entire neighborhoods of customers in the same subnet with no VLANs or firewalls between them.
There is no technically-minded local userbase to monitor, determine or complain if the ISP is doing bad things. No-one globally is looking at what they do.
Versus.... Using Quad9 just as an example...
A global DNS provider regulated as 501(c)(3) nonprofit organization (Charitable Organization, Educational Organization) founded by IBM, Packet Clearing House, & Global Cyber Alliance and based in California.
A large global userbase capable of monitoring results, with frequent comparisons and tests made between it and other global DNS providers.
As a result I would hope that if they were really messing with results, it would be found out by someone somewhere... and I don't see the incentive for them to do it given their nonprofit status.
So yes... for me I do trust such providers more than my ISP.
All of that said... I haven't been able to work out the issues I suddenly started having with DNS-over-TLS after it had worked seamlessly for a long time. I feel now the issue is something in pfSense, not the ISP. But I don't currently have the time to spend on troubleshooting it, so I'm sticking with the straight resolver for now. While I still have less trust in its theoretical overall privacy/authenticity in my particular situation... I have to say it is performing very well indeed, is fast, and has had no issues... so I may stick with it.
PS - I'm aware for optimal security from local/country issues it's better to just use a VPN, and I do use that selectively. And have the capability to apply it to my whole LAN. But I don't find it suitable for use on all my LAN and general use.
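Added example, not from the post above and not pfSense's own generated config: the two setups compared in the post written out as raw Unbound configuration, which is what the pfSense DNS Resolver runs underneath its GUI. The LAN address, subnet and file paths are assumptions for a FreeBSD/pfSense-style install. Worth noting while comparing the two modes: with a trust anchor configured, Unbound validates the RRSIGs it receives through a forwarder exactly as it does when recursing itself, so for signed zones the forwarder has no more room to tamper than the ISP does; the trust question is really about unsigned zones and who gets to see the queries.

```conf
# Added example (not from the original post). Unbound config for the two
# options compared above. Interface, subnet and paths are assumptions.

server:
    interface: 192.168.1.1                # assumed LAN address of the firewall
    access-control: 192.168.1.0/24 allow  # assumed LAN subnet

    # --- DNSSEC validation, active in BOTH modes below ---
    # With a trust anchor loaded, Unbound checks the signatures itself, whether
    # the answer came from the root servers or from a forwarder. A signed zone
    # whose answer was altered in transit (ISP, forwarder, anyone else) fails
    # validation and the client gets SERVFAIL instead of the bad data.
    auto-trust-anchor-file: "/var/unbound/root.key"  # assumed path (RFC 5011 managed)
    harden-dnssec-stripped: yes   # refuse answers that should carry signatures but don't
    harden-glue: yes              # don't trust glue records beyond what is needed
    val-permissive-mode: no       # never hand bogus answers to clients
    qname-minimisation: yes       # send each upstream only the labels it needs
    use-caps-for-id: yes          # 0x20 case randomisation against spoofed replies

    # Only needed for Mode 2: CA bundle used to verify the forwarder's certificate.
    tls-cert-bundle: "/etc/ssl/cert.pem" # assumed path (ca_root_nss on FreeBSD)

# ===== Mode 1: full resolver ("Resolver via ISP" in the post) =====
# No forward-zone at all: Unbound walks the tree from the root servers itself.
# Signed zones are protected by the validation above. Unsigned zones can still
# be altered by anyone on the path, and every query is visible in clear text.

# ===== Mode 2: forward everything to Quad9 over TLS (port 853) =====
# Uncomment to switch modes. The "#dns.quad9.net" suffix makes Unbound check
# that the presented certificate is for that name, not merely that some CA in
# the bundle signed it. The weak variant to avoid is the same block without
# forward-tls-upstream and with @53: identical trust in Quad9, but the ISP can
# read and rewrite every query.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 9.9.9.9@853#dns.quad9.net
#    forward-addr: 149.112.112.112@853#dns.quad9.net
#    forward-first: no        # never silently fall back to plain recursion

# Checks from a LAN host once the config is loaded (assumes dig is installed):
#   dig +dnssec example.com @192.168.1.1   -> "ad" in the flags line means the
#                                             answer was validated locally
#   dig dnssec-failed.org @192.168.1.1     -> SERVFAIL means deliberately broken
#                                             signatures are being rejected
# If the second query returns an address, validation is not actually happening.
```

The two `dig` checks are the ones to run after switching modes: the first confirms that validation is done by your own Unbound (the `ad` flag is set locally, not copied from the upstream), the second confirms it is enforced rather than just logged. On pfSense the same settings correspond to enabling DNSSEC support, forwarding mode and SSL/TLS for outgoing forwarded queries in the DNS Resolver page; the file above is only the hand-written equivalent.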