All my DNS queries are anonymous, encrypted and verified for validity.
Firefox can also use encrypted SNI (ESNI) to further enhance HTTPS privacy.
On top of that, you can enable DNS-based ad blocking in either kresd or dnscrypt-proxy.
Enjoy!
Open question: does kresd verify unsigned DNSSEC queries like dnsmasq does?
--dnssec-check-unsigned[=no]
As a default, dnsmasq checks that unsigned DNS replies are legitimate: this entails possible extra queries even for the majority of DNS zones which are not, at the moment, signed. If --dnssec-check-unsigned=no appears in the configuration, then such replies are assumed to be valid and passed on (without the "authentic data" bit set, of course). This does not protect against an attacker forging unsigned replies for signed DNS zones, but it is fast.
Versions of dnsmasq prior to 2.80 defaulted to not checking unsigned replies, and used --dnssec-check-unsigned to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possibility of forged replies, but it allows everything to appear to be working even when the upstream nameservers do not support DNSSEC, and in this case no DNSSEC validation at all is occurring.
Does kresd offer similar checks? (Or does it fully trust DNS servers not to hide DNSSEC info?)
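The failure mode the dnsmasq man page describes (everything looks fine while nothing is actually validated) is easy to test from the outside, whichever resolver is in front. Below is an added example of my own, not code from the post or from kresd, dnsmasq or dnscrypt-proxy: it sends three probes with the DO bit set, one to a correctly signed zone, one to a zone whose signatures are deliberately broken, one to an unsigned zone, and interprets the rcodes and AD flags. The live probe needs dnspython; the zone names in the `__main__` block are my assumptions (dnssec-failed.org is published as a broken DNSSEC test zone; check the other two with `dig +dnssec` before relying on them).

```python
# Added example (not from the post or from kresd/dnsmasq/dnscrypt-proxy):
# probe a resolver to see whether it really validates DNSSEC or merely passes
# upstream answers through. The interpretation is pure and runs offline; the
# live probe needs dnspython (pip install dnspython).
from dataclasses import dataclass


@dataclass
class Probe:
    """Outcome of one A query sent with the DO bit set."""
    name: str
    rcode: str   # "NOERROR", "SERVFAIL", "NXDOMAIN", ...
    ad: bool     # Authenticated Data flag in the reply header


def classify(signed: Probe, bogus: Probe, unsigned: Probe) -> str:
    """Decide what a resolver is doing from three probes: a correctly signed
    zone, a zone with deliberately broken signatures, and an unsigned zone."""
    # The case the dnsmasq man page warns about: a broken signature is accepted,
    # so either nothing is validated or the upstream strips the DNSSEC data and
    # the resolver treats the zone as unsigned.
    if bogus.rcode == "NOERROR":
        return "not validating: bogus signature accepted"
    # AD on data that cannot have been validated means the resolver is relaying
    # a flag it did not earn (or is misconfigured).
    if unsigned.ad:
        return "broken: AD flag set on an unsigned zone"
    # Bogus data is rejected somewhere upstream, but this resolver does not
    # vouch for the signed zone itself.
    if signed.rcode == "NOERROR" and not signed.ad:
        return "not validating itself: no AD flag on a correctly signed zone"
    if signed.ad and bogus.rcode == "SERVFAIL" and unsigned.rcode == "NOERROR":
        return "validating"
    return "inconclusive"


def probe(resolver: str, name: str, timeout: float = 3.0) -> Probe:
    """Send one A query with DO set to `resolver` and record rcode and AD."""
    import dns.flags, dns.message, dns.query, dns.rcode, dns.rdatatype
    q = dns.message.make_query(name, dns.rdatatype.A, want_dnssec=True)
    q.flags |= dns.flags.AD  # also ask explicitly for the AD bit in the answer
    r = dns.query.udp(q, resolver, timeout=timeout)
    return Probe(name, dns.rcode.to_text(r.rcode()), bool(r.flags & dns.flags.AD))


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    # Zone choices are assumptions to adjust for your own check: dnssec-failed.org
    # is published as a deliberately broken DNSSEC test zone; the other two are
    # assumed signed and unsigned respectively at the time of writing.
    result = classify(probe(resolver, "cloudflare.com"),
                      probe(resolver, "dnssec-failed.org"),
                      probe(resolver, "google.com"))
    print(f"{resolver}: {result}")
```

Run it against 127.0.0.1 (where kresd or dnscrypt-proxy listens in the setup above) and again against the upstream the proxy forwards to. A forwarder that trusts unsigned replies behind an upstream that strips RRSIGs shows up as the bogus probe answering NOERROR, which is exactly the "everything appears to be working" situation from the man page.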
Maybe the listening address should be ‘127.0.0.1’ (and ‘::1’ for IPv6)? Because if I put 192.168.1.1 in the custom resolver configuration file, dnscrypt-proxy doesn’t communicate with anything (the address you indicate is a LAN address).