From my limited knowledge, DNSSEC & DNS-over-HTTPS/TLS (DoH / DoT) are 2 different technologies. Ideally both should be used.

Quoting from Reddit:

"DNSSEC and DoT/DoH are not substitutions for each other. The former verifies that the dns answer is valid, the latter encrypts the dns request between the requesting (client)/server and responding server (no listening). They can both be used separately or together."

Original link:
https://www.reddit.com/r/pihole/comments/ai...ps_with_dnssec/

I think most major public DNS servers support DoH/DoS. If you router support it, then great news for you.

Not all domains support DNSSEC. Browsing through my router's dnsmasq syslog entries, less than 10% domains we visited support DNSSEC. I guess most are not, if based on my home usage. Please correct me if I'm wrong.

This post has been edited by taqu: Oct 23 2019, 03:26 PM

Off-topic but still DNS-related

1. I'm using Clean Browsing DNS to block p0rn & malware sites.
2. Since Clean Browsing DNS doesn't block ads sites, I've enabled Adblock in my router to block most ads sites, on top of Clean Browsing DNS.
3. DNSSEC enabled. DoT not yet tried.
4. I've forced all DNS requests to go through Clean Browsing DNS. Even if hard-coded, they still get redirected.
5. Previously using Pi-Hole, but since moving to Clean Browsing DNS, I missed Pi-Hole's dashboard. Therefore I've made my own DNS dashboard using: a) syslog b) syslog-ng c) MariaDB d) Java e) Grafana. So far so good. Will add more features in future.



This post has been edited by taqu: Oct 23 2019, 05:33 PM