Hi Didier,
On Mon, 2025-03-31 at 11:35 +0200, Didier Kryn wrote:
> Le 30/03/2025 à 21:22, Marjorie Roome via Dng a écrit :
> > Yes my Resolv.conf is fixed because it simply points to dnscrypt-
> > proxy (127.0.0:1:53) which is a DNS proxy running on my own machine
> > and that then uses a choice of DNS resolvers which are dynamic.
> >
> > It finds DNS servers from a list that you can control.
> > You can have a fixed list and a fallback, such as 9.9.9.9 but it
> > normally looks for nearby DNS servers, that in my cases are limited
> > to ones that are non-logging, are dnssec, use doh or dnscrypt (so
> > lookup is encrypted in transit) and then load balances between the
> > quickest few based on latency, so not all queries are sent to one
> > resolver anyway.
>
> May I ask where one can find a list of close-by DNS servers and
> how they work ?
>
Dnscrypt-proxy publishes a basic list of servers; you can, of course,
create your own or just filter theirs when you want to include further
restrictions (such as DNSSEC, non-logging or just DoH).
The program regularly pings this filtered server list and then selects
from those that are alive and have the lowest latency.
More info here:
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration-Sources
>
> I understand DOH is a good protection from malignant hackers,
> but, AFAIU, if links to Google or Amazon servers, which I consider
> malignant as well. Or is there a way to avoid or fool them?
>
Generally only the first DNS server you link to knows who you are, and as
you use either DoH or Dnscrypt your request/reply to/from them is
encrypted, so not available to your ISP.
You can exclude Google or Amazon DNS servers from being your first
server. If the server can't resolve your query then it will refer your
request on, but the upstream server can't identify you.
If you want to obfuscate further you can send your DNS request through
a relay DNS server and the relay then cloaks your details from the
queried Server (Anonymous DNS or Oblivious DNS-over-HTTPS).
> It was common, about 20 years ago to be redirected to porn sites
> when a DNS request failed, but it seems to me that this issue has
> completely disappeared, at least in my country. OTOH I can understand
> that, under some political regimes, people may prefer to be monitored
> by Google rather than their own government.
>
> > On my fixed PC I only refresh these latencies and hence preferred
> > resolvers every 4 hours but you might want to do something
> > different on a laptop that moves around.
> >
> > Dnscrypt-proxy also caches queries.
> >
> > And I can and do also choose from a selection of blocklists that
> > block the usual subjects. I can override these with an allowlist in
> > the event there is a website I need that would otherwise not work.
>
> So, if I understand correctly, your goal is to protect yourself
> from having your requests monitored and/or redirected by malignant
> hackers, which is not the same goal as people who want essentially to
> protect themselves against ads.
>
> We then have two motivations to run one's own DNS server, though
> I'm not sure it's possible to achieve both; is it?
>
Dnscrypt-proxy also supports blocklists; these run on your local
dnscrypt-proxy. You can select a mix of publicly available lists, which
are merged and deduplicated, and add your own using the program
generate-domains-blocklist.py
I update my blocklists once a week.
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Combining-Blocklists
There are other combi lists you can use:
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Public-blocklist
Of course there is the obvious objection that dnscrypt-proxy is a sort
of systemd for DNS since it combines into one program what you can
largely achieve by mixing separate tools such as unbound and pi-hole.
However I find it convenient. I do occasionally find a commercial site
won't work because my blocklists catch it.
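For readers who want to see how the pieces discussed in this thread fit together (local listener, filtering the published server list by DNSSEC/no-logging/DoH or DNSCrypt, excluding particular operators, latency-based load balancing, an anonymizing relay, cache, and local block/allow lists), here is an added example dnscrypt-proxy.toml fragment. It is not taken from the mail above or from the dnscrypt-proxy project; the server and relay names in disabled_server_names and routes are assumed entries from the public-resolvers and relays lists and should be checked against the current lists, and the [sources] section is assumed to stay as shipped in the project's example config.

```toml
# Listen only on the loopback address, as in the Resolv.conf setup above.
listen_addresses = ['127.0.0.1:53']

# Which transports to consider from the published server list.
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
odoh_servers = false

# Filter the list: keep only resolvers that validate DNSSEC and
# claim not to log queries.
require_dnssec = true
require_nolog = true

# Exclude operators you do not want as your first-hop resolver.
# (Assumed server names; verify against the current public-resolvers list.)
disabled_server_names = ['google', 'google-ipv6', 'cloudflare']

# Latency-based selection: measure all remaining servers, then pick
# randomly among the two fastest ('p2'); 'ph' would use the fastest half.
lb_strategy = 'p2'
lb_estimator = true

# Local cache so repeated lookups never leave the machine.
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400

# Anonymized DNS: route every DNSCrypt server ('*') through a relay so the
# resolver sees the relay's address, not yours.
# (Assumed relay names; verify against the current relays list.)
[anonymized_dns]
routes = [
  { server_name = '*', via = ['anon-cs-fr', 'anon-scaleway-ams'] }
]
skip_incompatible = false

# Local blocklist (e.g. the output of generate-domains-blocklist.py)
# and an allowlist that overrides it for sites that would otherwise break.
[blocked_names]
blocked_names_file = 'blocked-names.txt'

[allowed_names]
allowed_names_file = 'allowed-names.txt'
```

After editing, `dnscrypt-proxy -check` validates the file and `dnscrypt-proxy -list` shows which servers survive the filters, which is the quickest way to confirm the exclusions took effect.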