Got no idea why but it seems actually two different certificates are used? Base64 digest of the other one is
A8J84S7EER8rZJ/IQ6MsYW7heNY939jWL7IpOLrj+VM=
And I wonder whether we should actually add the digests into stubby configs? One of the certificates expires in February and other one expires in March. Does it mean that we have to update the configs then?
Google has specifically stated that logs from Google DNS are not retained long term, and will never be correlated from logs from other Google services.
I trust the claims because Googles business depends so heavily on PR. If Google leaks everyone's browsing history, they as a company will cease to exist.
Notice how there are lots of people claiming 'Google collects XYZ info', but no claims of 'Google zipped up XYZ info and sold it'. Every article about Google selling user data is in reality Google using the user data for it's advertising business, but explicitly not letting the partners see the data - as well as being legally protected private data, that data is also a competitive advantage they would lose if they handed it over.
Less public facing companies on the other hand I don't trust, because they don't have much to loose on the PR front. That miscellaneous credit card processor? Yeah - they'll probably be handing your data over to every credit check/profiling agency.
It wasn't obvious to me immediately, but the hostname of Google's DNS-over-TLS servers is: dns.google
This is important for validating the TLS certificate that is provided by their servers on 8.8.8.8 and 8.8.4.4 (equivalent to requiring a matching hostname for TLS certificates in web browsers). I see that other commenters in this thread have correctly used this hostname in their examples for CoreDNS and Stubby.
Part of a configuration for the Unbound DNS server would look like:
Anyone has a good guide on setting up DNS-Over-TLS on Windows? I've only did something similar before on Debian and seems I'm quite dumb when it comes to doing this on Windows.
14 comments
[ 3.0 ms ] story [ 43.2 ms ] threadCloudlfare's 1.1.1.1 supports it as well which I highly recommend over Google.
I trust those claims.
Notice how there are lots of people claiming 'Google collects XYZ info', but no claims of 'Google zipped up XYZ info and sold it'. Every article about Google selling user data is in reality Google using the user data for it's advertising business, but explicitly not letting the partners see the data - as well as being legally protected private data, that data is also a competitive advantage they would lose if they handed it over.
Less public facing companies on the other hand I don't trust, because they don't have much to loose on the PR front. That miscellaneous credit card processor? Yeah - they'll probably be handing your data over to every credit check/profiling agency.
1) Google can still be subpoenaed to share your logs with the government
2) The user's queries are hidden from those who can't analyze them effectively and still open to those who analyze them better than anyone
Cloudflare and 1.1.1.1 are much more sensible choices for the provider of this service
This is important for validating the TLS certificate that is provided by their servers on 8.8.8.8 and 8.8.4.4 (equivalent to requiring a matching hostname for TLS certificates in web browsers). I see that other commenters in this thread have correctly used this hostname in their examples for CoreDNS and Stubby.
Part of a configuration for the Unbound DNS server would look like:
See the configuration guide for using DNS-over-TLS on unbound on the DNS Privacy site: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#D...[0] https://nssm.cc/
[1] https://coredns.io/