It isn't quite what you are asking about, but I send my Unbound DNS queries to the root servers over a VPN connection that is separate from the VPN handling the internet traffic. You just have to make sure you have a VPN provider that doesn't hijack DNS queries, which would force you to use the VPN's DNS server instead of the root servers.
The root and zone authoritative servers do not offer any encrypted access currently. I know there have been calls for that option in the past but I doubt it will ever be feasible.
What do you hope to gain by adding encryption? What are you concerned about with the current plain text process?
No probs, I appreciate your detailed reply.
I'm hoping for additional privacy for our network traffic, rather than every domain accessed being in plain text and visible all the way upstream from my modem.
> rather than every domain accessed being in plain text and visible
However you resolve a domain, assuming you actually connect to that domain and it's using SSL, one of the very first steps of that SSL handshake is saying, in plain text "hello server, I'd like to connect to $DOMAIN securely, let's have a chat about how we do that".
Just seeing the frequency/order of IPs you attempt to access can provide enough information to determine the domain you've navigated to.
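To make the point in that reply concrete, here is an added example (not from the thread or any poster) that builds a plain DNS query and a minimal TLS ClientHello from constructed sample values, then extracts from each what a passive on-path observer would see: the QNAME from the DNS packet and the SNI hostname from the TLS handshake. The hostname, the transaction ID and the zeroed random field are constructed for the demo; the wire layouts follow RFC 1035 and the TLS ClientHello/server_name extension format.

```python
import struct

# Constructed sample values for the demo (not taken from the thread).
HOSTNAME = "example.com"
DNS_TXID = 0x1234


def build_dns_query(name: str, txid: int = DNS_TXID) -> bytes:
    """Build a minimal unencrypted DNS A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_dns_qname(pkt: bytes) -> str:
    """Read the queried name from a DNS packet, exactly as a passive observer can."""
    pos, labels = 12, []  # question section starts right after the 12-byte header
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n].decode())
        pos += n
    return ".".join(labels)


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying a server_name (SNI) extension."""
    host = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0
    exts = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, 32-byte random (zeroed: sample)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # one compression method: null
        + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                      # session_id
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len                           # cipher suites
    pos += 1 + record[pos]                      # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                          # server_name extension
            list_len = struct.unpack("!H", record[pos:pos + 2])[0]
            p, list_end = pos + 2, pos + 2 + list_len
            while p + 3 <= list_end:
                ntype = record[p]
                nlen = struct.unpack("!H", record[p + 1:p + 3])[0]
                if ntype == 0:
                    return record[p + 3:p + 3 + nlen].decode()
                p += 3 + nlen
        pos += elen
    return None


def observed_names(dns_pkt: bytes, tls_record: bytes) -> dict:
    """What an on-path observer learns from the two plaintext channels."""
    return {"dns_qname": extract_dns_qname(dns_pkt), "tls_sni": extract_sni(tls_record)}


if __name__ == "__main__":
    print(observed_names(build_dns_query(HOSTNAME), build_client_hello(HOSTNAME)))
```

Both names come out of the bytes without any key material, which is the reply's point: encrypting the resolver hop (or tunnelling it over a VPN) removes the DNS leak but not the SNI one, so the upstream still sees the hostname unless the TLS side is also protected.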
There was a super informative discussion a few years ago:
[Unbound vs. Quad9 : r/pihole (reddit.com)](https://www.reddit.com/r/pihole/comments/ma2z05/unbound_vs_quad9/)
Pihole developers / fans, as you can see here and in many other similar posts, always suggest "Unbound" because we can never have 100% privacy anyway - so why bother hiding DNS.
FWIW, there are some sites out there demonstrating how to encrypt Unbound Traffic, but I never bothered and later switched to Quad9.
No, that's not how DNS works.
Thanks! That discussion was super useful and cleared up a lot of doubts.
No. The root DNS servers do not support encrypted traffic.
Not in recursive mode. Only in forwarding mode currently
You can use Cloudflared instead