Comment by toast0

1 day ago

> I think one way or another you will have to trust some entity with your DNS. Unless you are willing to use Tor all the way at the OS level. Even running your own recursive DNS resolver will leak your IP to root servers.

With modern recursive DNS, you don't leak much to the root servers, just the TLD you're trying to resolve. And you can AXFR the root zone, and then the root servers only know you're a resolver. The TLD servers know a lot, by necessity, though.

I think, though, for the purposes of this argument you can lump the TLD and root servers together. Lots of people are going to know who you are and what you're looking up if you run your own recursive resolver directly against the root servers.

  • What modern recursive DNS uses is called Query Name Minimisation, and it is enabled by default by some.

    If you include the TLD as part of "Lots of people are going to know who you are and what you're looking up", ignoring any mitigating effect of Query Name Minimisation, the number of people is identical to any other setup.

    For an ISP resolver it will be the ISP and the owner of the domain name, through web logs.

    For a public DNS resolver it will be the public resolver and the owner of the domain, through web logs.

    For a personal recursive resolver, it will be the TLD and the owner of the domain name, through DNS and web logs. The TLD's job in this case is to give you the authoritative name servers of the domain name that the owner of the domain has.

    With Query Name Minimisation, the TLD only gets the domain name without any subdomains. They can't see the distinction between a user reading Hacker News and a user going to the main page of ycombinator to read about YC invests.
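The query-name minimisation behaviour discussed in the thread, as an added simulation that is not part of either commenter's post and not the code of any real resolver: it walks a constructed delegation tree (root, TLDs, a second-level zone and one authoritative zone, all hypothetical data) and records which query name each server tier would see with and without minimisation, following RFC 7816 (including the case where an authoritative zone answers for several labels below its apex, so the resolver keeps adding labels but stays on the same server).

```python
"""Which DNS server tiers see the full query name, with and without
QNAME minimisation (RFC 7816). Constructed delegation data; the real
resolution path of these names may differ."""

# Constructed delegation tree: zone apex -> set of child zones it delegates.
# An empty set means the zone is authoritative for everything below it.
ZONES = {
    ".": {"com.", "uk."},
    "com.": {"ycombinator.com."},
    "ycombinator.com.": set(),
    "uk.": {"co.uk."},
    "co.uk.": {"example.co.uk."},
    "example.co.uk.": set(),
}


def labels(name):
    """Split 'a.b.c.' into ['a', 'b', 'c']; the root '.' has no labels."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def fqdn(name):
    """Canonical absolute form with a trailing dot."""
    lab = labels(name)
    return ".".join(lab) + "." if lab else "."


def is_subdomain(name, zone):
    """True if name is zone itself or lies below it (root contains all)."""
    nl, zl = labels(name), labels(zone)
    return len(nl) >= len(zl) and nl[len(nl) - len(zl):] == zl


def child_name(name, zone):
    """The ancestor of name that is exactly one label longer than zone,
    i.e. the minimised query a resolver sends to that zone's servers."""
    nl, k = labels(name), len(labels(zone)) + 1
    if k >= len(nl):
        return fqdn(name)
    return ".".join(nl[-k:]) + "."


def delegation_for(zone, qname):
    """Child zone that `zone` would refer us to for qname, or None if
    `zone` answers for qname itself."""
    for child in ZONES.get(zone, ()):
        if is_subdomain(qname, child):
            return child
    return None


def resolve(name, minimise=True):
    """Simulate iterative resolution from the root.

    Returns the list of (zone queried, query name sent) in order, so the
    second element of each pair is exactly what that tier's operator
    could log."""
    name = fqdn(name)
    zone = "."
    qname = child_name(name, zone) if minimise else name
    log = []
    while True:
        log.append((zone, qname))
        child = delegation_for(zone, qname)
        if child is not None:
            zone = child
            if minimise:
                qname = child_name(name, zone)
            continue
        if qname == name:
            return log
        # Zone is authoritative but the minimised name is still shorter
        # than the target: add one label and ask the same zone again.
        qname = child_name(name, qname)


def full_name_observers(name, minimise=True):
    """Set of zones whose servers saw the complete query name."""
    target = fqdn(name)
    return {zone for zone, q in resolve(name, minimise) if q == target}


if __name__ == "__main__":
    for target in ("news.ycombinator.com", "www.example.co.uk"):
        for mode in (False, True):
            print(f"{target}  minimise={mode}")
            for zone, q in resolve(target, mode):
                print(f"  {zone:20} <- {q}")
```

Running the block shows the asymmetry the reply describes: without minimisation every tier from the root down logs `news.ycombinator.com.`, while with it the root sees only `com.`, the `com.` servers only `ycombinator.com.`, and the full name reaches just the zone that is authoritative for it. The same walk over `www.example.co.uk` shows that "the TLD" can be two tiers deep (`uk.` and `co.uk.`) and that each of them is equally blind to the leaf under minimisation.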