Help with best DNS config

  • Hi,

    My setup is currently working, but I'm not sure I have things setup the best possible way in terms of privacy. Here is my setup:

    • I have a local DNS Server running on a Windows 2008 domain server inside my network that is the default DNS for most of the internal devices. I have my own domain name and it houses the entries for my local hosts.

    • Four gateways - regular local Internet plus ExpressVPN OpenVPN connections to Canada, US, and UK.

    • For most of my devices, I don't care if they use a VPN or not, so they route out the default gateway and use my local DNS Server. DHCP feeds them the default gateway and my internal DNS Server entries.

    • I have a couple of computers that I want protected by the VPN, so they route through the Canada VPN. However, I still need them to recognize local host names, so they also use the internal DNS Server - fed by DHCP.

    • I have Roku devices that I want to appear as though they are in the US, so they route through the US VPN. They don't need to recognize local host names and need to use US DNS Servers, so I manually assign them and by defining DHCP reservations for these devices and overriding their DNS Server assignments in the reservation definition.

    • I have one streaming device routing through UK VPN and override its DNS Server assignment in the same way as above, but use UK public DNS Server entries.

    This all works, but using public DNS Servers in all instances (even my local DNS Server forwards upstream to google DNS servers) does not provide me with any privacy. Ideally, I'd like to be using the DNS Servers my VPN service provides each of my connections. THis is my ideal setup, but I don't know how to do this:

    • Default internal devices continue to use local DNS Server

    • Devices routing through Canadian VPN use DNS Servers assigned by my Canada VPN connection, but also have the ability to recognize the local host names that are defined on my local DNS Server without using that server for all DNS lookups.

    • Devices routing through US VPN use DNS Servers assigned by my US VPN connection. It would be ideal if these devices could also recognize the local host names that are defined on my local DNS Server, but not completely necessary.

    • Devices routing through UK VPN use DNS Servers assigned by my UK VPN connection.

    Help please.

    Thank you,

  • A good start for you might be to setup all of your DNS queries to go to unbound and configure unbound to forward to or (I think those support TLS) using TLS. The options for TLS aren't "check boxes" in the GUI. You have to put it in the text field of unbound advanced options.

    I'm not sure what other options unbound has for meeting your requirements but it's a good place to start.

    Also, block outbound port 53 and require TLS to only come from unbound (I don't remember the port. Maybe 853?) to make sure you're not accidentally allowing DNS on misconfigured machines.

Log in to reply