Unbound: Recursive DNS
This was done 2-3 months ago, so I have no idea why it took so long before it was documented. Most of it had already been forgotten, but after a brief revisit it came back to me. I will not go through the technical details of how a recursive DNS resolver works, but will briefly describe how it can improve security.
In a normal DNS setup, you as a client ask a DNS server about a domain. It replies with an IP address and you can connect to it. If the server does not know the answer, the protocol defines how it retrieves it from other servers, possibly even the domain's authoritative name servers themselves.
For a while now I have been using Pi-hole to run my own DNS server. This allows me to block a list of domains I would rather not visit, such as ad domains. It works like an ad-blocker, but at the DNS level. This server in turn connects to other DNS servers for information about domains.
What Unbound does instead is query the authoritative name servers for the information itself. This takes longer, as you first need to locate those name servers. But it is more secure, because there is no untrusted forwarding DNS server in the middle that can log a trace of the sites you visit.
There is currently no DoH (DNS over HTTPS), as it adds extra complexity, and since my DNS server is local, I trust my internal network.
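As an added illustration (not a config from the original post), this is what an Unbound `server:` block for such a local recursive resolver can look like, with Pi-hole on the same host pointed at it as its only upstream. The listening port (5335), the loopback-only interface and the private LAN ranges are assumptions for this example.

```conf
# Added example, not from the original post: unbound.conf for a local
# recursive resolver used as Pi-hole's upstream. Port, interface and
# the private address ranges below are assumptions for this illustration.
server:
    # Listen only on loopback; Pi-hole on this host uses 127.0.0.1#5335
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # IPv6 disabled here on the assumption the LAN does not route it
    do-ip6: no

    # Answer only the host itself and refuse everyone else, so the open
    # recursion is never reachable from outside the trusted network
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Start every lookup at the root servers instead of a forwarder
    root-hints: "/var/lib/unbound/root.hints"
    # Validate DNSSEC against the automatically maintained root trust anchor
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Send each authoritative server only the labels it needs to see
    qname-minimisation: yes
    # Drop out-of-bailiwick glue and answers with DNSSEC data stripped
    harden-glue: yes
    harden-dnssec-stripped: yes
    # Do not reveal resolver identity or version to queriers
    hide-identity: yes
    hide-version: yes
    # Refresh popular records before they expire to offset slower recursion
    prefetch: yes
    # Keep UDP responses small enough to avoid IP fragmentation
    edns-buffer-size: 1232
    # Internet answers pointing at private ranges are treated as rebinding
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
```

Check the syntax with `unbound-checkconf` and confirm recursion works with `dig example.com @127.0.0.1 -p 5335` before switching Pi-hole's upstream over to it.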