
On Thu, Jul 17, 2025 at 9:40 AM Marc Binderberger via NANOG <nanog@lists.nanog.org> wrote:
> This raises my question: are public DNS like 1.1.1.1 or Google's 8.8.8.8 actually a good thing?
Overall I would say the services' existence is mostly a good thing, and you could mitigate most redundancy issues on the client by setting a different public DNS provider as a secondary or tertiary resolver. But there are definitely some disadvantages, and outages are not the only risk created by global centralization in one provider.

For example: by centralizing in a few public rDNS providers, you are creating a single entity who can easily be served by governmental entities or large conglomerates with blanket censorship or blocking orders due to sites hosting content related to sensitive social issues or legal disputes, plus subpoenas or warrants exposing user data. By running your own recursive resolver you are guaranteeing that the interests of the person hosting your resolver servers are aligned with your interests, and they aren't going to block your access to resources some company doesn't want you to see.
> Personally I tend to run "unbound" for recursive resolving and close it against outside use. But I may miss an important point - any reasoning that
In its simplest config, you lose out on a privacy benefit by running your own recursive nameserver. When using 1.1.1.1 with your browser, requests and responses can be exchanged using DNS over HTTPS, which means that a passive eavesdropper, such as your own Internet service provider with its DNS monetization program, cannot capture and log your queries for resale to data brokers. You are reducing the number of parties you have to entrust with the privacy of the DNS queries you make and their answers. However, authoritative nameservers have no equivalent encrypted transport, so you cannot obtain that privacy when you are running your own recursive resolution. You may perform DNSSEC validation, but TCP port 53 or UDP DNS traffic is still unencrypted, and authoritative nameservers rarely or never offer an encrypted transport to secure your recursive resolver against passive spying.
> points to the one or the other solution as being better? (my setups/domains are for private use only these days, nothing big, nothing
I think the best solution may be to have your own DNSSEC-validating resolver, but operate it in a query-forwarding mode towards multiple different DNS resolver providers for redundancy, using DoH (DNS over HTTPS) or DNS over TLS.

--
-JA
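The setup JA describes (a local DNSSEC-validating resolver that forwards over an encrypted transport to several providers, while staying closed to the outside like Marc's unbound) can be expressed as an unbound.conf. This is an added example, not configuration posted by either participant. The provider addresses and TLS authentication names (cloudflare-dns.com, dns.quad9.net, dns.google) are the providers' published ones; the listening address, LAN prefix, and file paths are assumptions for a typical Linux host and must be adjusted.

```conf
# /etc/unbound/unbound.conf  (added example; LAN prefix and file paths are assumptions)
server:
    # Listen only on loopback and the LAN interface, and refuse every other
    # client: the resolver is closed against outside use.
    interface: 127.0.0.1
    interface: 192.168.1.1              # assumed LAN address of this host
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Validate DNSSEC locally. A forwarder can then withhold or block an answer
    # for a signed zone, but it cannot forge one without the client noticing.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    val-clean-additional: yes

    # CA bundle used to authenticate the upstream resolvers' TLS certificates;
    # without it forward-tls-upstream encrypts but does not authenticate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Send as little as possible to whoever answers the query.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

# Forward everything over DNS over TLS (port 853) to several independent
# providers. unbound spreads queries across them and fails over when one
# stops answering, so a single provider outage does not take resolution down.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: no                   # never fall back to plaintext recursion
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

Fetch the root trust anchor once with `unbound-anchor -a /var/lib/unbound/root.key`, check the file with `unbound-checkconf`, and after restarting verify both halves: `dig +dnssec example.com @127.0.0.1` should return the `ad` flag (local validation), and a packet capture on the host should show only TCP/853 leaving for DNS. Two caveats a practitioner should keep in mind: unbound's upstream forwarding is DoT only, so the DoH half of JA's suggestion needs a separate DoH-capable forwarder in front of it; and forwarding means the chosen providers still see every query, so this trades the ISP's view for the providers' view rather than removing the trust relationship altogether, which is exactly the trade-off discussed above.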