I am a little surprised that a lot of people use their own #DNS resolver for #privacy reasons. I think this is counterproductive and puts their privacy at risk. Let me explain why in a thread and offer a better alternative 1/n

For background: DNS is normally clear text. If you interact with x.y.z on the internet, you send a request to resolve that name into an IP address. Everybody on the path can monitor (and even manipulate) DNS traffic 2/n

DNS data is collected and analysed continuously by interested parties. Search for „passive DNS“ to learn more about that. The data is even sold. 3/n

Normally you send your DNS requests to a resolver, by default the one of your provider. It does the actual name resolution for you and answers with the IP address 4/n

This means that an interested party, let's call it the NSA, which is monitoring, for example, the authoritative DNS server for y.z will only see the request coming from your provider's resolver (or whatever public resolver you use). Your interest in x.y.z remains hidden from them. 5/n

Your DNS requests are only visible to your provider (and whoever can coerce them into helping). More on this later when we talk about DoT. But the rest of the internet will never see your interest in x.y.z (setting aside things like SNI, but that is for another thread) 6/n

To avoid the dependency on (and censorship by) a third party, some people operate their own fully recursive resolver, for example on a pi-hole, which talks directly to the authoritative servers instead of forwarding to a public resolver. All their devices query this resolver, even from abroad via VPN. 7/n

While this makes sense for a company or an organization (where the resolver's address identifies the whole organization, not one person), it is dangerous for individuals: the NSA's monitoring of y.z will now record your personal IP, and your interest in x.y.z can be traced back to you. (A pi-hole that only forwards to a public upstream resolver does not have this problem; the issue is doing the recursion from your own IP.) 8/n

So my recommended #DNS setup for #privacy-aware individuals is: always use a public resolver operated by a third party you trust, for example @quad9dns, @mullvad or @digitalcourage. This way your DNS requests are hidden behind their IP, among those of all their other users. (Check that the resolver does not pass your network on to authoritative servers via EDNS Client Subnet, which would undo part of this.) 9/n

And to protect the transport from your device to the resolver against monitoring and manipulation by third parties, use DNS over TLS (DoT). Every privacy-aware DNS provider offers that nowadays. Thanks for reading this far. EOT 10/10

@ju916
So configuring a private to 8.8.8.8 is kind of anti-privacy. Good advice!

Qoto Mastodon
