Encrypted DNS: Should I use encrypted DNS update #926

Merged
merged 1 commit into from
Apr 7, 2022

razac-elda
Contributor

I updated the "Should I use encrypted DNS" section because I felt it wasn't very clear.

The flow chart is better suited here; I polished it up a bit and added a new choice. I think security and performance of 3rd party DNS should be mentioned since the table on the recommendation also talks about filters.

@netlify

netlify bot commented Apr 6, 2022

Deploy Preview for privacyguides ready!

Name Link
🔨 Latest commit 8776541
🔍 Latest deploy log https://app.netlify.com/sites/privacyguides/deploys/624ee412ab868a0008343a3a
😎 Deploy Preview https://deploy-preview-926--privacyguides.netlify.app

@realguyman realguyman enabled auto-merge (squash) April 7, 2022 02:41
@realguyman realguyman disabled auto-merge April 7, 2022 02:41
@realguyman
Contributor

@jonaharagon @dngray Sorry, I think I broke something. lol

@dngray
Member

dngray commented Apr 7, 2022


> I think security and performance of 3rd party DNS should be mentioned since the table on the recommendation also talks about filters

It's not really the correct. Correct how? Enumeration of badness? It's not really security. The context of that flow chart is eavesdropping. Unencrypted DNS is without a doubt more performant than an HTTPS request if you look at round-trips etc.

I also don't agree with the addition of:

> or DNS blocking?

If an ISP is doing DNS blocking, then it's likely at the order of Government. Do you think it's a really good idea to circumvent that in a way they can detect? Regardless of whether or not the user is aware of immediate repercussions, I think this is bad advice.

The very premise of this article is that you should not use encrypted DNS to get around filtering, because it is detectable.

About the only threat model where it makes sense is maybe a school or your parents, assuming you're a child and your parents are using some off-the-shelf filtering that is overly zealous.

> Based on what we discussed previously, there aren't much privacy benefits to use encrypted DNS but this may change in the future so it's recommended where applicable.

Fragment, and a mouthful. I think I'd just get rid of it. We will update the article when something changes, and yes we're aware of https://datatracker.ietf.org/doc/draft-ietf-dprive-dnsoquic/ but it's not even RFC yet.

Other than that, I do think it's an improvement. 👍

@razac-elda
Contributor Author

razac-elda commented Apr 7, 2022

I would consider optional malware filters as "increased security" in those cases where it is not feasible to implement a local solution. I do agree that it is slower than unencrypted, but my suggestion was based on the idea of recommending encrypted DNS when possible and if we combine that with filtering it might gain some performance.

> Regardless of whether or not the user is aware of immediate repercussions, I think this is bad advice.

DNS blocking was already described in the sentence below the chart with an appropriate warning so I added it in the flow chart.

> We will update the article when something changes

Seems legit.

Signed-off-by: Daniel Gray <dng@disroot.org>
@dngray dngray merged commit 8776541 into privacyguides:main Apr 7, 2022
@dngray dngray temporarily deployed to production April 7, 2022 14:09 Inactive
@dngray dngray added c:providers service providers and similar centralized/federated services t:correction content corrections or errors c:guides full-length guides and content and removed c:providers service providers and similar centralized/federated services labels Apr 8, 2022
Labels
c:guides full-length guides and content t:correction content corrections or errors