Default DNS Provider Discussion for Kicksecure (not Whonix!)

Kicksecure('s servers) would be the best candidate for a recursive resolver, similar to how the GrapheneOS team uses their own servers:

This proposal reuses the same trust already provided by Kicksecure users, so only the technical implementation remains unaddressed. Here are a few base suggestions:

  1. DNSSEC-validated cached queries
  2. DoT/DoH(3)/DoQ/DNSCrypt from stub resolver to recursive resolver

Here are a few technical stretch goals:

  1. QNAME minimization[1] and aggressive NSEC(3) records[2]
  2. Opportunistic DNS encryption (DoT and DoQ) from recursive resolver to authoritative servers[3]
  3. Tor onion service similar to Cloudflare’s deployment[4]

I will be going through a lot of documentation/references about DNS during April for my own security and privacy needs, so I can provide step-by-step deployment instructions for the base suggestions if necessary, assuming a Debian(-like) cloud image.


  1. RFC 9156 - DNS Query Name Minimisation to Improve Privacy

  2. RFC 9077 - NSEC and NSEC3: TTLs and Aggressive Use (obsoletes aggressive DNSSEC caching from RFC 8198)

  3. RFC 9539 - Unilateral Opportunistic Deployment of Encrypted Recursive-to-Authoritative DNS

  4. Introducing DNS Resolver for Tor

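As an added example (not part of the post above, and not Kicksecure's or GrapheneOS's own configuration), the following script generates an Unbound configuration that implements the proposal's two base suggestions (DNSSEC-validated caching; DoT from stub to recursive resolver) plus stretch goal 1 (QNAME minimisation per RFC 9156 and aggressive NSEC caching per RFC 9077) on a Debian-style host. It assumes Debian's `unbound` package with its `unbound.conf.d` include, the `unbound-anchor` root key at `/var/lib/unbound/root.key`, and Let's Encrypt certificate paths for a hypothetical hostname `dns.example.org`; all three are assumptions, overridable through environment variables. DoH/DoQ, opportunistic recursive-to-authoritative encryption (RFC 9539) and the onion service are not covered.

```shell
#!/bin/sh
# Added example (not from the forum post or the Kicksecure project): generate an
# Unbound configuration for a public recursive resolver on a Debian(-like) host,
# covering DNSSEC-validated caching, DoT from stub to recursive, QNAME
# minimisation and aggressive NSEC caching.
# Assumptions: Debian's unbound.conf.d include, the unbound-anchor root key path,
# and Let's Encrypt certificate paths for the hypothetical host dns.example.org.
set -eu

CONF_DIR="${CONF_DIR:-/etc/unbound/unbound.conf.d}"
TLS_CERT="${TLS_CERT:-/etc/letsencrypt/live/dns.example.org/fullchain.pem}"
TLS_KEY="${TLS_KEY:-/etc/letsencrypt/live/dns.example.org/privkey.pem}"

# Write the resolver configuration to the file named in $1.
write_resolver_conf() {
    cat > "$1" <<EOF
# Generated by the added example script; picked up through the Debian
# default include of /etc/unbound/unbound.conf.d/*.conf.
server:
    # Listen for Do53 (port 53) and DoT (port 853) on all interfaces.
    interface: 0.0.0.0
    interface: ::0
    interface: 0.0.0.0@853
    interface: ::0@853
    tls-port: 853
    tls-service-key: "${TLS_KEY}"
    tls-service-pem: "${TLS_CERT}"
    # DoH (RFC 8484) needs an Unbound build with nghttp2; uncomment to serve it on 443.
    # interface: 0.0.0.0@443
    # interface: ::0@443
    # https-port: 443
    # http-endpoint: "/dns-query"
    # Public resolver: answer everyone, but rate-limit to blunt reflection abuse.
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    ratelimit: 1000
    # Base suggestion 1: DNSSEC validation with an RFC 5011 managed root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-below-nxdomain: yes
    val-clean-additional: yes
    # Caching: keep a hot cache and refresh popular records before they expire.
    msg-cache-size: 64m
    rrset-cache-size: 128m
    prefetch: yes
    prefetch-key: yes
    # Stretch goal 1: QNAME minimisation (RFC 9156) and aggressive NSEC use (RFC 9077).
    qname-minimisation: yes
    aggressive-nsec: yes
    # Privacy: no per-query logging, and reveal nothing about the software.
    verbosity: 1
    log-queries: no
    log-replies: no
    hide-identity: yes
    hide-version: yes
    minimal-responses: yes
    edns-buffer-size: 1232
EOF
}

# Verify that the generated file carries every option the proposal asks for.
check_resolver_conf() {
    for opt in 'auto-trust-anchor-file:' 'harden-dnssec-stripped: yes' \
               'tls-service-key:' 'tls-service-pem:' 'interface: 0.0.0.0@853' \
               'qname-minimisation: yes' 'aggressive-nsec: yes' 'log-queries: no'; do
        grep -qF -- "$opt" "$1" || return 1
    done
}

# Deploy: write the file, validate it with Unbound's own checker, reload the daemon.
main() {
    target="$1"
    write_resolver_conf "$target"
    check_resolver_conf "$target"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload unbound
    fi
    echo "wrote $target"
}

# Deploy only when a target path is given, e.g.:
#   sudo sh resolver.sh /etc/unbound/unbound.conf.d/kicksecure-resolver.conf
# Without an argument the script merely defines the functions above.
[ "$#" -gt 0 ] && main "$@"
```

Run it as root with the target path once the TLS certificate exists; Unbound refuses to start when `tls-service-key`/`tls-service-pem` point at missing files. `unbound-anchor` (pulled in by Debian's `unbound` package) maintains `/var/lib/unbound/root.key`, so no trust anchor has to be pasted by hand. After reloading, `dig +dnssec @127.0.0.1 dnssec-failed.org` should return SERVFAIL and `kdig +tls @<host> example.org` should answer over port 853, which confirms validation and DoT respectively.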

Unlikely that we’ll start hosting more infrastructure anytime soon. Adds lots of extra maintenance effort (sysadmin, legal, etc.).

Comparison with GrapheneOS is unsuitable. They’ve got a multiple of more users/donations/paid staff.

Writing guides on how to accomplish that can be useful since anyone can feel free to start providing such infrastructure as their own independent project.
