Author: Rick Moen
Date:  
To: dng
Subject: Re: [DNG] web conferencing software (was Re: Any interest in a Devuan Meetup in Colorado Springs or Denver?)
Quoting tito via Dng (dng@???):

> Hi,
> just for fast information, is it enough for unbound to remove:
>
> forward-zone:
>         #forward-first: yes
>         name: "."
>         forward-tls-upstream: yes
>         forward-addr: 1.1.1.1@853#cloudflare-dns.com
>         forward-addr: 1.0.0.1@853#cloudflare-dns.com
>         forward-addr: 8.8.4.4@853#dns.google
>         forward-addr: 8.8.8.8@853#dns.google
>         forward-addr: 9.9.9.9@853#dns.quad9.net
>         forward-addr: 185.222.222.222@853#dns.sb
>         forward-addr: 185.184.222.222@853#dns.sb


Answer below.

> Does it make sense to keep:
>
> server:
>         tls-upstream: yes
>         tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt


On that: yes.

On the former question, er, I'm actually a bit nonplussed about why
those forwarder lines are in your configuration file in the first place.

Forgive me, but it's rather late at night in my time zone, and I am not
at peak alertness, _but_ my guess is that Unbound got set up somehow
configured to forward outbound recursive queries to those entities,
leaving me perplexed about why anyone would do that.

That having been said, I personally would definitely _not_ want to have
that configuration detail in my recursive nameserver state, without an
extremely compelling reason, because doing that appears to largely
defeat the entire purpose of running one's own recursive nameserver.
Analogously, it would be like setting up a fully capable SMTP smarthost
on a stable public IP address with free routing to 25/tcp anywhere in
the world, but then configuring it to forward all outbound SMTP traffic
to an untrustworthy ISP external mail host. Which would lead one to
wonder, why?

I hope that helps. I have no idea what else you might have in your
configuration that ought not to be there, obviously.


> I ask because after reading the thread I've tried on one
> of my home's net dns servers and it worked (I could browse the web)
> but browsing speed was noticeably slower, does it improve
> in the long run or do we have to choose between
> privacy and speed?


I'm seriously not sure why operating a local recursive nameserver would
be expected to reduce speed. Obviously, at initial startup of that
process, it has nothing yet in cache and needs to do some queries of
often-used FQDNs, but I would expect that it would very quickly improve
DNS performance over _any_ nameserver on the far side of your uplink,
because obviously your speed of local DNS resolution is really fast
relative to your uplink, right?
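Added example for this exchange (not code from the thread or from the Unbound project): the forward-zone configuration quoted above written out next to a pure-recursion configuration, plus a small audit script that reports where a given unbound.conf would send every query. The file paths are assumptions taken from Debian/Devuan defaults (/var/lib/unbound/root.key for the DNSSEC root trust anchor, /etc/ssl/certs/ca-certificates.crt for the CA bundle), and the constructed configs only keep two of the seven forwarders from the quoted file. One caveat the reply does not spell out: unbound.conf(5) documents the server-section tls-upstream as a switch for all upstream queries, so once the forward-zone is gone that option should go too, because the authoritative servers a recursive resolver talks to are reached on plain port 53; tls-cert-bundle is harmless to leave in place.

```shell
#!/bin/sh
# Added example, not from the thread or the Unbound project: the forwarding
# configuration quoted above next to a pure-recursion one, plus a small audit
# that reports where a given unbound.conf would send every query.
# Assumed paths (Debian/Devuan defaults): /var/lib/unbound/root.key for the
# root trust anchor and /etc/ssl/certs/ca-certificates.crt for the CA bundle.
set -e

# 1. What the quoted config does: a forward-zone for "." hands every query to
#    third-party resolvers over DNS-over-TLS. The text after '#' is the name
#    unbound checks against the upstream's certificate (via tls-cert-bundle).
#    Constructed sample: two of the seven forwarders from the quoted file.
FORWARDING_CONF='server:
    interface: 127.0.0.1
    tls-upstream: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
'

# 2. A recursive resolver: no forward-zone, so unbound walks the delegation
#    chain from the root itself and validates DNSSEC against an auto-updated
#    trust anchor. The global tls-upstream switch is left out on purpose:
#    unbound.conf(5) says it applies to all upstream queries, and authoritative
#    servers are reached on plain port 53. tls-cert-bundle stays; it is
#    harmless without forwarders.
RECURSIVE_CONF='server:
    interface: 127.0.0.1
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    qname-minimisation: yes
    harden-dnssec-stripped: yes
'

# forwarders_in_config FILE
# Prints one line per forward-addr: "<address> <port> <tls auth name>"
# (port defaults to 53 when no @port is given; auth name may be empty).
forwarders_in_config() {
    awk '
        /^[[:space:]]*forward-addr:[[:space:]]*/ {
            v = $2; name = ""; port = 53
            if (match(v, /#/)) { name = substr(v, RSTART + 1); v = substr(v, 1, RSTART - 1) }
            if (match(v, /@/)) { port = substr(v, RSTART + 1); v = substr(v, 1, RSTART - 1) }
            printf "%s %s %s\n", v, port, name
        }' "$1"
}

# classify_config FILE -> "forwarding" if any forward-addr is present, else "recursive"
classify_config() {
    if forwarders_in_config "$1" | grep -q .; then
        echo forwarding
    else
        echo recursive
    fi
}

# check_config FILE -> one-line verdict, including the global tls-upstream trap
check_config() {
    mode=$(classify_config "$1")
    if [ "$mode" = forwarding ]; then
        echo "forwarding: every query goes to $(forwarders_in_config "$1" | awk '{print $1"@"$2}' | tr '\n' ' ')"
    elif grep -Eq '^[[:space:]]*tls-upstream:[[:space:]]*yes' "$1"; then
        echo "broken: tls-upstream: yes with no forward-zone; unbound.conf(5) applies it to every upstream query, including authoritative servers on port 53"
    else
        echo "recursive: queries go to the authoritative servers directly"
    fi
}

# Write the constructed configs to a temp dir and report on both.
EXAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$EXAMPLE_DIR"' EXIT
printf '%s' "$FORWARDING_CONF" > "$EXAMPLE_DIR/forwarding.conf"
printf '%s' "$RECURSIVE_CONF"  > "$EXAMPLE_DIR/recursive.conf"
for f in forwarding recursive; do
    echo "$f.conf -> $(check_config "$EXAMPLE_DIR/$f.conf")"
done
```

To audit a live resolver, point check_config at /etc/unbound/unbound.conf (and at each file under /etc/unbound/unbound.conf.d/, since Debian-style packaging splits the configuration across includes), and run unbound-checkconf on the edited file before restarting the daemon. After the restart, dig against 127.0.0.1 should show the ad flag on signed names once the trust anchor is in place, and a packet capture on the uplink should show port 53 traffic to many authoritative servers rather than port 853 traffic to a handful of resolver IPs.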