Might I suggest using PowerDNS's dinsdist. it's an ha proxy that you can put in front of your recursors and It implements dns over https if you want it to. It's open sources and ensures that you're not limited to Google's or Cloudflare's servers which exist to drive advertising at you (I've seen infected ads pwn machines). I have much more paranoid reasons for implementing, namely preventing 3rd parties from getting my histories.
----- Original Message -----
> From: "John Levine" <johnl@iecc.com>
> In article <804699748.1254612.1570037049931.JavaMail.zimbra@baylink.com> you
> write:
>>Tools. Are. Neutral.
>>
>>Any solution to a problem that involves outlawing or breaking tools will.
>>Not. Solve. Your. Problem.
>
> I think in the outside world you'll find very little support for an argument
> that filtering DNS is fundamentally broken.
>
> Sure, you can do it in broken ways, but it's going to be really hard
> to persuade anyone that their lives are better if they have unfiltered
> access to the malware links in their spam.
I expect I would.
But this is not "filtering DNS". It's "making a bodge-handed attempt to
REPLACE DNS (well, proxy it) for only one application/layer".
My problem isn't what they're using it for; it's that they've implemented
it so poorly.
I live down here in the trenches, John, where "it doesn't work" is the calibre
of problem reports I get. When my tools say that "yes, it does", *I'm* the one
who takes it in the nads because Mozilla had a Better Fuckin' Idea.
That it will likely cause lots of 50,000ft problems to is just a cherry on the
top.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
--