Comment by justsomehnguy
4 years ago
> My goal was not to convince you, but to provide explainers and pointers to your input.
The thing is, I should be convinced by your documentation alone. My shoe is unique (as in 0.001% at best), but the questions are valid not only for my setup. The typical situation would be some VPN provider installing a global route through the VPN service and configuring resolvers to internal company DNS servers (to be able to resolve internal names, duh). This is not /that/ unique a situation in the WFH world.
> but did not want to ping him in his vacation because of a HN response
Yep, you shouldn't!
> I come from a web development background.
Ah, that explains some things.
> Thankfully Safing does not rely on my skills in that area
Ahah, being humble and self-conscious. Gladly I already drank my coffee.
> If you are willing to contribute
Thanks, no, I have too many posts unread, too many comments not replied.
But overall:
You should have a clear and straight explanation on how P. uses DNS in [0] (right at the start, before anything else) and in [1].
Preferably in typical scenarios, eg:
1. I want to use only the secure DNS of P.? A: Configure your OS' DNS resolvers to point to 127.0.0.1/::1; configure P. to use secure DNS providers (or leave the defaults enabled).
2. I want to use my own resolvers; how would P. work with them? A: P. would intercept non-secure DNS requests (plain udp/53), perform the request itself and return the result back to the querier.
3. I use P. secure DNS, but my work resources (which I access with VPN) aren't working! A: Make the following configuration changes in the P. config to route queries for your work: ...bla.bla.bla.
For anyone else (who doesn't need typical scenarios, like me?) I need to understand how exactly you provide a secure DNS without changing my configuration. Because now it looks like this is exactly what happens - no changes, system configured with external plain UDP/53 resolvers... and P. magically makes them secure.
[0] https://docs.safing.io/portmaster/guides/dns-configuration
[1] https://docs.safing.io/portmaster/architecture/core-service/...
NB: looks like miekg/dns doesn't support QNAME minimisation. This isn't strictly required, but is preferred in some situations [2]
[2] https://www.nlnetlabs.nl/downloads/presentations/unbound_qna...
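As an added illustration (not from the comment above, and not Safing's own code) of what scenario 2 implies and of the QNAME minimisation mentioned in the NB: an interceptor on udp/53 must first decode the plain wire-format query it captured before it can re-issue it over a secure transport, and a minimising resolver would then walk the delegation chain one label at a time instead of sending the full name everywhere. The query bytes are constructed inline with `build_query`; no network access is needed.

```python
import struct

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a plain DNS query (RFC 1035 wire format), i.e. what a stub
    resolver sends over udp/53 before anything intercepts it. Constructed
    sample input for the parser below."""
    # txid, flags (RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_query(pkt: bytes) -> dict:
    """Decode the single question in a DNS packet: the name, type and class an
    interceptor needs before forwarding the query over DoT/DoH."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question section entry")
    pos, labels = 12, []
    while True:
        ln = pkt[pos]
        if ln == 0:            # root label terminates the name
            pos += 1
            break
        if ln & 0xC0:          # compression pointers are not valid here
            raise ValueError("compressed name in question section")
        labels.append(pkt[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"txid": txid, "rd": bool(flags & 0x0100),
            "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}

def minimised_qnames(qname: str) -> list:
    """QNAME minimisation (RFC 9156): a resolver asks each nameserver on the
    delegation chain only for the next label, so the root and TLD servers
    never see the full name. Returns the sequence of names it would query."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]

if __name__ == "__main__":
    captured = build_query("www.example.com.", txid=0xBEEF)  # constructed packet
    print(parse_query(captured))
    print(minimised_qnames("www.example.com."))
```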