@furom said in Recommended public DNS over TLS:
it's still better than freely available to anyone
Who exactly do you think this anyone would be? Who would be sniffing your traffic, either locally or on your ISP's network? Or even on the public internet?
When you resolve, you would be going to all the authoritative NS for the domains you go to.. Or this "who" you're talking to would have to be in line with your traffic flow to the roots.. Which is going to change depending on which root or TLD servers you're talking to, and then again when you talk to the authoritative for the domain in question.. So this "who" would really have to be real close to the source of your traffic.. Pretty much your ISP, etc..
If you're concerned with the roots and TLD servers, you could set up Query Name Minimization; this would only send the roots and TLD servers the info you're looking for, i.e. the NS for say .com or .net, etc. Then when you ask the TLD NS for the domain, you would only send them say domain.net vs host.domain.net, etc.
Keep in mind that once you talk to the roots and learn the TLD servers for say .org, you don't go ask the roots again for .org anything until the cache has expired.. Same goes for the TLD servers: once you ask them for domain.org, you never go ask them again for www.domain.org or ftp.domain.org or whatever.domain.org until that cache expires, etc.
So even when you send the FQDN to the roots or the TLD servers, you're only really going to send them a small fraction of the actual number of FQDNs you're going to be looking up, just one to get the NSes you're looking for, for that thing.. So while you might send www.something.org to the roots, any other .org you look for would never go to the roots, but only to the TLD servers, until the cache of the .org TLD NS expires.
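An added illustration of the two points made in this post (what the roots and TLD servers actually see with and without QNAME minimisation, and how the delegation cache keeps repeat lookups away from them). This is example code written for this edit, not the poster's code nor any real resolver's source: the delegation map and all names are constructed, and TTL expiry is modelled by an explicit `expire()` call instead of real timers.

```python
from collections import namedtuple

# One query on the wire: which server it went to, and the name it carried.
Query = namedtuple("Query", "server qname")

# Constructed delegation map (zone apex -> server authoritative for it).
# Illustrative only; not real root/TLD data.
DELEGATIONS = {
    ".": "root",
    "org.": "org-tld",
    "net.": "net-tld",
    "domain.org.": "ns.domain.org",
    "other.org.": "ns.other.org",
    "third.org.": "ns.third.org",
    "domain.net.": "ns.domain.net",
}


def ancestors(fqdn):
    """Zone suffixes of an absolute name, root first:
    'www.domain.org.' -> ['.', 'org.', 'domain.org.', 'www.domain.org.']"""
    labels = fqdn.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


class Resolver:
    """Toy iterative resolver with a delegation cache and optional QNAME
    minimisation (RFC 7816 idea: send each server only the next zone cut)."""

    def __init__(self, minimise):
        self.minimise = minimise
        self.cache = {".": "root"}   # root hints; never expire in this model

    def expire(self, zone):
        """Stand-in for the cached NS record of `zone` reaching its TTL."""
        self.cache.pop(zone, None)

    def resolve(self, fqdn):
        """Walk the delegation chain for fqdn; return the queries sent."""
        zones = ancestors(fqdn)
        # Resume from the deepest zone whose name servers are already cached,
        # so a warm cache skips the roots (and often the TLD) entirely.
        known = max((z for z in zones if z in self.cache), key=len)
        server = self.cache[known]
        sent = []
        for zone in zones[zones.index(known) + 1:]:
            # Minimised: ask only for the next zone cut. Otherwise: the full name.
            sent.append(Query(server, zone if self.minimise else fqdn))
            if zone in DELEGATIONS:          # referral: cache it and follow it
                self.cache[zone] = DELEGATIONS[zone]
                server = DELEGATIONS[zone]
        if zones[-1] in DELEGATIONS:         # last step was a referral; ask the child
            sent.append(Query(server, fqdn))
        return sent


def seen_by(queries, server):
    """Names a given server saw in a list of queries."""
    return [q.qname for q in queries if q.server == server]


if __name__ == "__main__":
    for minimise in (False, True):
        r = Resolver(minimise)
        log = []
        for name in ("www.domain.org.", "ftp.domain.org.", "www.other.org."):
            log += r.resolve(name)
        r.expire("org.")                     # cached .org NS times out
        log += r.resolve("www.third.org.")   # back to the roots, once
        print("minimise=%s: root saw %s" % (minimise, seen_by(log, "root")))
        print("             org-tld saw %s" % seen_by(log, "org-tld"))
```

Running it shows the root seeing either the full `www.domain.org.` or just `org.`, and seeing nothing further until the `.org` delegation is expired; the `.org` servers likewise see only one name per child zone, and that name is the bare `domain.org.` when minimisation is on. In a real resolver the equivalent switch is a configuration option (Unbound's `qname-minimisation`, for example), not code.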