DNScrypt with self-hosted Unbound DNS OR Anonymized DNS?

I have DNScrypt/DNScrypt-proxy installed on an OpenWRT (23.05) router. I'm seeking the best trustless privacy solution for resolving DNS from here.

My research shows this to be the most effective privacy setup for resolving DNS:

  • Install Unbound DNS package on the router (similar to this) to self-host my DNS server. This should shield my IP address, since I'm not having to trust a DNS provider/server, as I would be my own server. I believe it would also provide DNSSEC, QNAME minimization, and DNS-over-TLS 1.3.
  • Install VPN

My perceived alternative to that is:

Does this all sound correct?

If so, does anyone have insight into the command line programming needed to install/setup Unbound DNS to my router and use that as my DNS server?

You're already running a DNS server.
Wouldn't https-dns-proxy be good enough?

Cool, never seen anyone attempt to self-host a DNS server for the whole world, or at least the parts he's interested in, without an upstream DNS.
Would suck if you ever discovered a new site you'd like to surf to, or some site changed its IP.

Do you live in a country where internet is censored?

What are you actually trying to achieve?


I'm trying to achieve maximum privacy without trusting 3rd parties.

You'll achieve "more privacy" by continuously deleting your browser cookies, than by all the actions described above.

It seems you are unwilling or unable to assist with my desired objective. I will keep your advice in mind and await others who may have more inclination to help. Thank you for your time and input.

I sort of think you're overstating your perceived risk exposure.

Your above comment clearly indicates you’re not inclined to listen to any advice contrary to your viewpoint.

Good luck maintaining your own DNS Server.

+1 @frolic

On the contrary, I am a beginner in this realm and eagerly seeking help. What I got was a condescending response more focused on the "why" of my objective. I am asking for technical assistance and a better understanding of how to accomplish my objective, not criticism of why I am attempting to do this.

ETA: If I am misunderstanding the technical aspects of this, I would like to be corrected. I am not here to justify the why. I am here to learn.

We're not saying it isn't doable, but you won't achieve your goals by implementing the solution you've described.

Hence reluctant to help out.

Basically spend X hours helping you set it up, then hear you say "it doesn't do what it's supposed to...".


Understood. I certainly don't wish to waste anyone's time/efforts. My apologies if I come across as such. Since I am an admitted novice with a fundamental misunderstanding of what I am attempting, can you elaborate more on what I'm missing?

Is it that DNScrypt/DNSproxy2 already does what I want a locally-installed Unbound server application to do?
If so, what is the point of this guide recommending Anonymized DNS?

To be clear, I do not wish to run any server for public use, given my objective is maximizing trustless privacy. I just want to ensure I am minimizing the identifiable information flow for my entire home network. My perspective is that the digital realm is a burgeoning battlefield of sorts, rife with threats (including oppressive state actors). I would like to ensure the safety of my family in this environment.

As stated previously, you're mainly tracked by cookies, not DNS requests.

By anonymising your DNS request, you're locking the front door, but the whole rear wall of your house is gone.

Log on to Facebook, Gmail, or any random site requiring a logon.
Change your DNS IPs afterwards; will the site(s) keep you logged on?


DNS protocols may not be able to completely hide the requests you make; for example, the SNI is still in plaintext, and ISPs can still have some information about the sites you are requesting. Although it may be a bit harder with DoH queries.

No real advantage to using additional Unbound with dnscrypt if the goal is to achieve anonymity.

The addresses you are accessing, that is, the information returning to you, can still be logged by the ISP.

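The plaintext-SNI point made in the reply above can be checked on the wire. The Python script below is an added example for this thread, not code from any poster or from the dnscrypt-proxy or Unbound projects: it builds a constructed TLS ClientHello (no real capture; the hostname, IPs and cipher list are made up) and then parses it the way a passive on-path observer or an IDS would, pulling the `server_name` out of the unencrypted extension. No DNS traffic is involved at all, which is exactly why encrypting DNS does not hide the destination from whoever can see the TLS handshake. The `None` branch shows the one case where the name is absent: a client that connects without an SNI extension.

```python
"""Added example: why encrypted DNS alone does not hide destinations.

Builds a constructed TLS ClientHello (not a real capture) carrying a
Server Name Indication (SNI) extension, then parses it the way a passive
on-path observer or an IDS would, recovering the hostname from the
unencrypted handshake. Names and sample values are made up for the demo.
"""
import struct
from typing import Optional

SNI_EXT = 0x0000                 # extension type: server_name (RFC 6066)
SUPPORTED_VERSIONS_EXT = 0x002B  # extension type: supported_versions (TLS 1.3)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Return one TLS record containing a minimal ClientHello.

    server_name=None omits the SNI extension, which is what a client that
    connects by bare IP address would look like on the wire.
    """
    client_random = bytes(range(32))               # constructed, not random
    session_id = b""
    cipher_suites = bytes.fromhex("130113021303")  # TLS 1.3 AES/ChaCha suites
    compression = b"\x00"

    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    # supported_versions: one entry, TLS 1.3 (0x0304)
    extensions += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 3) + b"\x02\x03\x04"

    body = (
        b"\x03\x03" + client_random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a TLS record and return the SNI host_name, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                      # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                          # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                            # truncated record

        pos = 2 + 32                               # skip legacy_version + random
        pos += 1 + body[pos]                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                       # compression_methods
        if pos + 2 > len(body):
            return None                            # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2

        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != SNI_EXT:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                name = data[p:p + name_len]
                p += name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None


def passive_view(flows):
    """What an on-path observer (e.g. the ISP) sees per (dst_ip, first_record) pair."""
    return [(dst_ip, extract_sni(rec)) for dst_ip, rec in flows]


if __name__ == "__main__":
    # Constructed sample flows; the IPs and names are made up.
    flows = [
        ("203.0.113.10", build_client_hello("www.example.com")),
        ("198.51.100.7", build_client_hello(None)),  # no SNI extension
    ]
    for dst, sni in passive_view(flows):
        print(f"{dst:<15} SNI={sni}")
```

Run it and the first flow reports the hostname and the destination IP, both visible without touching any DNS packet; the second flow only yields the IP, which, as the reply above notes, the ISP logs anyway. The parser is deliberately defensive (every length field is checked and any short or malformed record returns `None`) because the same code shape is what a monitoring rule would run over untrusted packets.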

And why go for dnscrypt over DoH, when your web traffic runs over HTTPS?

Assuming dnscrypt is more secure than HTTPS, they'll just listen to your HTTPS traffic instead of the dnscrypt-encrypted DNS traffic.
HTTPS will provide more info anyway.

Security <> privacy.
