Hello, Im trying to monitor & control my dns in my network. I like the idea & features of nextdns but all your traffic goes trough them right? I wanna host something simular. I currently have pi-hole installed but i feel like its not as advanced as something like nextdns. What service could i use for this? Thanks for your time!

  • friend_of_satan@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    ·
    1 year ago

    all your traffic goes through them right?

    Wrong. DNS just resolves hostnames to IP addresses and a few other small things. None of your web traffic will go through your DNS provider.

    • chiisana@lemmy.chiisana.net
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      It’s not so absolute; your DNS provider could resolve domains to their own server’s IP and MITM your traffic. This is how some of those DNS based region bypass work — by re-routing your traffic through their server in a supported region.

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        MITM your traffic

        How exactly would that work? You would have to accept broken certificates or even no TLS at all for that to work.

        • chiisana@lemmy.chiisana.net
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          As the person I replied to mentioned, these kind of providers would often also get you to install a cert that they’d use to sign with. Once it is installed, the certificates wouldn’t appear broken anymore.

          • lemmyvore@feddit.nl
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            You’d have to install a cert for each domain. It’s not likely to happen. The only provider where this works is Cloudflare but that’s because they force you to use them as registrar and DNS so they can issue duplicate certs for any domain.

            • chiisana@lemmy.chiisana.net
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              A CA cert is higher up can sign for any desired domain. Certificates are a chain of trust and as long as the entire chain can be validated (by the root level installed by the user), then the entire cert will appear valid. During installation, that’s what gets installed and then the provider signs for whatever domain you’re visiting that they’d need (or want) to MITM.

              Cloudflare uses LetsEncrypt, Google and a few other CAs to sign their certs. You’re not forced to use them as registrar, and they could (though they will lose accreditation very quickly) in theory sign any domain without you using them to host your domain’s DNS.