DNS? Could it be done better myself with Recursor Mode? Questions

Hello my dear forum members and experts of the internet.

I have a few questions about DNS, in particular about Recursor Mode, which I only discovered today, and the differences in terms of privacy.
As far as security is concerned, I don’t see any differences as both run via DNSSEC, as far as my limited knowledge goes.

How I came to this: I had entered all censorship-free and DNSSEC-compatible DNS servers with IP/host and TLS protocol in IPFire from a thread here, around 7 in number.

So far, I have now carried out the tests on the page https://dnscheck.tools/, which all passed, BUT suddenly completely different DNS servers appeared, including Google, and these as an ns: record, whereby my registered ones were only mapped as a ptr: record. Each time the page was reloaded, the ns: records changed back and forth. I also noticed that the response time was very high, sometimes up to 800ms.
What other privacy advantage do I have if my registered DNS servers in IPFire make their own enquiries to Google and the corresponding servers?

Because I was very confused about this, I came across the blog post from 2020 and the Recursor Mode on my search in the infinite depths. This also passes all tests and has a significantly lower response time.

From a data protection/privacy point of view, doesn’t it matter how you get and verify the IP?
Is there any way to make an anonymous DNS query?
What about Tor? Does the exit node get my IP?
Would DNSCrypt be a solution?

This does not quite make sense to me…

Where/How did they appear? Did they appear on your IPFire DNS server page?

Please post a screenshot of your DNS webgui page.


Happy Friday Mum,

I think the Recursor mode uses DNSSEC to protect against DNS poisoning but not DNS snooping.

I assume most public DNS SERVERS use recursor mode but you are right there is no way to confirm this.

I think Mum is describing his dnscheck.tools page


I had these settings

and got this result

Does that make it easier to understand what I’m wondering about?

3 arrows, 3 question marks???
Where do they come from?
Why did they get my data?
How can I avoid this?

And my other questions above, too!

Does everyone do that?
Is that what they call data protection?
Who will receive my query?
All of them?
Only the ns records, or only the ptr records?

Good question, we are always focusing on policy of NO LOGS but what if the queries get forwarded in real time. Would you notice it by the delay?

DNScrypt would only encrypt your queries, but that’s what Unbound already performs very well.


Not only that; it has an option to anonymize the query: if you select two DNS servers, the first serves as a DNS proxy and sends the query to the second server without forwarding the IP address. So no data can be collected, as the first server does not know the query and the second one does not know who asked for the IP.
On android I use this option.

I did not find any description of what data dnscheck.tools samples for the display, or how.
I see the Google server for my system also. But I know that some devices (mainly Amazon tablets or SmartTVs) ask Google for DNS information. I didn’t check yet whether I have defined an exception for the ‘force to use IPFire DNS server’ policy.


For me it is one device, only Firefox with a specific tab that is set for the Squid proxy.
Everything from my network is redirected to the IPFire for DNS requests.
Or VPN or Tor. Other topic.

OK, I have found the resolver that forwarded the query…


Perhaps it should be mentioned here and here; these served as a template for my selection.

btw, I also get a lot of messages in the unbound log while checking DNSSEC with the DNS servers mentioned above, like this →

03:18:07	unbound: [11795:0]	info: validation failure <badsig-watch-2520bf2f.go-alg13.dnscheck.tools. A IN>: signature crypto failed from
03:13:27	unbound: [11795:0]	info: validation failure <nosig-watch-391a9368.go-alg15.dnscheck.tools. A IN>: no DNSSEC records from for DS nosig-watch-391a9368.go-alg15.dnscheck. tools. while building chain of trust
03:13:26	unbound: [11795:0]	info: validation failure <expiredsig-watch-391a9368.go-alg15.dnscheck.tools. A IN>: signature expired from

Those unbound log entries must be the result of testing whether DNSSEC validation is really working. They are in my unbound log also when I visit dnscheck.tools, and the IPs of all used services are mentioned in the logs; there is a test for bad, expired and missing signatures after all.

My services

No Google in my results. Only services that I have added, and because I have added so many I get different results depending on when I visit that site.

Do you have any addons in Firefox that might cause Google to appear on that list?

Regarding the other arrows in your earlier picture, that Telia 2a01:3a0:53:53:: IPv6 address is for censurfridns, and I think most if not all anycast services use different IPs depending on your location.

Now I have to say that I finally also got those googleusercontent servers in my test results. That happened after I disabled the Cloudflare services; my other services apparently had better pings, so dns0.eu was rarely used.

When open.dns0.eu was the only enabled service, I got those Google servers popping up pretty constantly after the test was completed. With other services I haven’t seen them so far.

Not sure if dns0.eu is hosting some servers in Google datacenters or if there is something else going on.


This is normal. The page checks domains with bad/missing/expired DNSSEC signatures to see whether your resolver correctly reports signature errors, and unbound logs this.

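Triage logic for those unbound entries, as an added example that is not from the thread, IPFire or unbound itself: it parses validation-failure lines, classifies the three failure kinds dnscheck.tools exercises (bad, expired, missing signature), and separates failures under the dnscheck.tools probe zone (expected test noise) from failures for any other name (worth a closer look). The sample log is constructed from the lines quoted above plus a made-up www.example.org entry.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the unbound lines quoted in the thread;
# the last line is a made-up non-probe domain to show the contrast.
SAMPLE_LOG = """\
03:18:07\tunbound: [11795:0]\tinfo: validation failure <badsig-watch-2520bf2f.go-alg13.dnscheck.tools. A IN>: signature crypto failed from
03:13:27\tunbound: [11795:0]\tinfo: validation failure <nosig-watch-391a9368.go-alg15.dnscheck.tools. A IN>: no DNSSEC records from for DS nosig-watch-391a9368.go-alg15.dnscheck.tools. while building chain of trust
03:13:26\tunbound: [11795:0]\tinfo: validation failure <expiredsig-watch-391a9368.go-alg15.dnscheck.tools. A IN>: signature expired from
03:20:01\tunbound: [11795:0]\tinfo: validation failure <www.example.org. A IN>: signature expired from
"""

# Pulls "<name type class>: reason" out of an unbound validation-failure entry.
LINE_RE = re.compile(r"validation failure <(?P<name>\S+) (?P<rtype>\S+) (?P<rclass>\S+)>: (?P<reason>.+)$")

# Zones that deliberately serve broken signatures to probe the validator.
PROBE_ZONES = ("dnscheck.tools.",)

def classify_reason(reason):
    """Map unbound's free-text reason to the failure kinds dnscheck.tools exercises."""
    if "signature crypto failed" in reason:
        return "bad_signature"
    if "signature expired" in reason:
        return "expired_signature"
    if "no DNSSEC records" in reason:
        return "missing_signature"
    return "other"

def parse_line(line):
    """Return a dict for a validation-failure line, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    name = m.group("name").lower()
    return {
        "name": name,
        "rtype": m.group("rtype"),
        "reason": classify_reason(m.group("reason")),
        # A failure under a known probe zone is the expected outcome of the test.
        "expected_probe": any(name.endswith("." + z) for z in PROBE_ZONES),
    }

def triage(log_text):
    """Split failures into expected probe noise and entries worth a closer look."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "expected": [e for e in events if e["expected_probe"]],
        "suspicious": [e for e in events if not e["expected_probe"]],
        "by_reason": Counter(e["reason"] for e in events),
    }
```

Run `triage(open("/var/log/messages").read())` against the real log (path assumed) and only the "suspicious" list needs attention; a validation failure for an ordinary domain means either a genuinely broken zone or something interfering between the resolver and the authoritative servers.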

You are right, I just realized that there is DNSCrypt 2.0 that does everything you mentioned.

Last release was Aug 2023.

Not sure if you know answers, but I am wondering the following:
Is it mature to be included in your Firewall?

What would be the advantage over unbound?
It will take away any need for a DNS server, but you will need a service provider you could trust?

Once you anonymize and resolve the DNS query, is your traffic still exposed when you contact the actual IP?

You have to repeat the test with F5 several times to really get all servers displayed, this changes depending on which server responds the fastest.

You may not have Google, but you still have IP addresses and companies that you have not entered, for example Telia Company AB.

I don’t think so, and after disabling DNS for the above-mentioned providers no Google or other queries were shown here.

When I was talking about DNSCrypt I was talking about anonymous DNS queries, and here every means is right.

Unfortunately, no one has yet answered my actual question.

Whether it doesn’t really make more sense, in the privacy case, to do the DNS queries yourself with IPFire instead of using a DNS server?

That is incorrect. I have entered the unicast.uncensoreddns address; both the IPv4 and IPv6 Telia addresses are for that service.

Here is a list of all uncensoreddns servers → server list

Are you wondering if Telia can be trusted to not spy on our IPs or DNS requests when using uncensoreddns? I think it’s a good question to ask.

So even if many DNS services claim to not log anything, how can we be sure that the external location where the service is running doesn’t do some sort of logging for connections? If they did and TLS is used, don’t they see just some unrecognizable gibberish? Or am I wrong here?

TLS means that anyone looking at the traffic from your IPFire to the DNS server(s) you have selected will not be able to see anything other than encrypted traffic, i.e. your ISP and anyone looking at the traffic flowing across the internet.

However the DNS server you are connecting with has to be able to decrypt your traffic to know what your DNS request is.

At the end of the day you have to review the various DNS Server services offered and decide which are the ones you are going to believe in.

As mentioned in one of the DNS blog posts it is advisable to utilise several DNS servers.

Alternatively you could use the Recursor Mode that is the subject of this post. The benefits and downsides are mentioned in one of the following blog posts.