• @[email protected]
    link
    fedilink
    English
    46 days ago

    I do exactly this as well. Works great! Dynamic DNS is kind of a hilarious hack.

    Quick question: since I use wireguard, do I need to use DNS-over-HTTPS for security? My assumption is that my entire session is already encrypted with my wireguard keys, so it doesn’t matter. But I figured I should double check.

    • @[email protected]
      link
      fedilink
      English
      35 days ago

      Depends, do you have pihole/unbound setup to only recursively resolve? Or do you forward requests to an upstream (either as a fallback or just as a primary). If that’s the case, and depending on your threat model, you’ll want to set up DoH or DoT as your DNS requests will be forwarded in plaintext

      • @[email protected]
        link
        fedilink
        English
        15 days ago

        Fortunately I set up unbound ages ago, and disabled every other upstream option in my pi.hole. However, I imagine that still “leaks” some information about my DNS queries, just indirectly – it’s not like my pi.hole has every domain mapped all the time!

      • @[email protected]
        link
        fedilink
        English
        15 days ago

        Excellent to have confirmation, thanks. What about the VPN connection handshake? I always assumed it was OK over non-SSL, because the exchange should use signed keys. But that is quite an assumption on my part.

        • @[email protected]
          link
          fedilink
          English
          25 days ago

          Wireguard uses public and private keys which are designed from the ground up to be used over plain text to establish the handshake so it isn’t an issue. Same idea with ssh keys and ssl keys

          • @[email protected]
            link
            fedilink
            English
            15 days ago

            Thanks. Wild that folks build SSH and HTTP around the same time without realising that HTTP could benefit from some of that same tech!