YogaDNS now supports DNS-over-QUIC and soon DoH3!

OpenSource Ghost (Limp Gawd; joined Feb 14, 2022; 233 messages)
YogaDNS is one of the few programs for Windows that encrypts DNS traffic before it leaves your PC's NIC, avoiding plaintext DNS over LAN. It does so by intercepting DNS traffic at the driver level, unlike similar programs that act as DNS proxies. It allows assigning custom upstream DNS servers on a per-interface basis. That means you can select DNS encryption for your non-VPN interfaces and plaintext DNS for VPN interfaces to use your VPN providers' native DNS servers to blend in with the rest of VPN users. Unlike the Windows DNS Cache service (which you should disable), YogaDNS can support block lists with 250,000+ entries without any issues.

Supported are NextDNS ultra-low latency servers and most DNS encryption protocols, such as DoH, DoT, DNSCrypt, and DoQ. DoH/3 support is in internal testing. DoQ doesn't blend in with HTTPS traffic like DoH, but is probably the best protocol because it doesn't involve as much metadata as DoH, doesn't leave session cookies, and is very fast, but only a few specialized servers (such as AdGuard and NextDNS) support it.
 
To each their own. I block ALL that stuff. PiHole and such allow you to do blocklists for devices that cannot support a client.
So much this ^^^^

Pi-hole with Unbound means you're basically your own DNS resolver and Unbound uses DNSSEC to get new data from the root DNS servers. Self-hosted, filtered, signature verified DNS. Can't beat it.
 
Same, pfSense - outbound 53 / 853 blocked, the only DNS accessible is my pfSense, which I then have using DNSSEC up to external providers.

I guess if you don't have the option for PiHole or a pfSense system this could work. Some have noted it is a Russian-based company; it would be easy to monitor it for other traffic leaving it, I guess.
 
If you want queries to be encrypted on LAN, before they leave your device, then local DNS servers are not a good option. To keep queries encrypted over LAN, there are only a few options for Windows:
- DNSCrypt-Proxy (probably the most trusted, open-source solution, but doesn't support my preferred DNS-over-QUIC)
- AdGuard for Windows (extremely bloated and slow)
- YogaDNS (closed-source)
- NextDNS (limited only to NextDNS)

I've inspected YogaDNS traffic inside-out and never once had it make a connection to anywhere aside from the selected DNS servers and the YogaDNS website (to check for updates), which you can disable in options, block by IP in the firewall, and use the hosts file to block YogaDNS domains.
 
In a home environment that is almost certainly switched, wtf would you care if queries are encrypted on the LAN? You'd have to span a port to see the queries. Much easier to access the DNS server and get everything from the logs. The same applies to MOST commercial environments. In my home and any customer's network I manage, ALL DNS is internal and inspected, filtered and logged extensively. HTTP and HTTPS are transparently or in some cases explicitly proxied and inspected. All QUIC is blocked. Anything identified as DoH is blocked. Outbound DNS from the server is DoT. Otherwise, any DNS/HTTP/HTTPS not from the proxies is blocked. With very few trusted exceptions, if I can't inspect it, it does not leave my network. Anything that attempts to interfere with that gets removed.
 
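The egress policy described in this post and in the pfSense post above (outbound 53/853 only from the internal resolver, QUIC blocked, known DoH endpoints blocked) can be checked against flow records from the firewall. The following is an added example, not code from the thread or from any of the products mentioned; the LAN range, the resolver address, the flow-record format and the DoH endpoint list are all constructed assumptions.

```python
"""Audit outbound flow records against a DNS-egress policy.

Added example (not from the thread). Policy encoded: only the internal resolver
may reach external port 53/853 (DoT and DoQ both use 853), UDP/443 (QUIC) is
blocked, and TCP/443 to known public DoH endpoints is blocked. All addresses,
the flow-record format and the DoH endpoint list are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import List, Tuple, Union

Addr = Union[IPv4Address, IPv6Address]

LAN = ip_network("192.168.0.0/16")      # assumed internal network
RESOLVER = ip_address("192.168.1.1")    # assumed pfSense/Pi-hole resolver
# Constructed list of public DoH resolver addresses (documentation range);
# a real deployment would maintain its own list.
DOH_ENDPOINTS = {ip_address("198.51.100.10"), ip_address("198.51.100.11")}


@dataclass(frozen=True)
class Flow:
    src: Addr
    dst: Addr
    proto: str   # "tcp" or "udp"
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow record: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(ip_address(src), ip_address(dst), proto.lower(), int(dport))


def classify(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one outbound flow."""
    if flow.dst in LAN:
        return "allow", "internal traffic"
    if flow.dport in (53, 853):
        # Plain DNS, DoT (tcp/853) and DoQ (udp/853) all land here.
        if flow.src == RESOLVER:
            return "allow", "resolver upstream query"
        return "block", "client bypassing internal resolver on port %d" % flow.dport
    if flow.proto == "udp" and flow.dport == 443:
        return "block", "QUIC"
    if flow.proto == "tcp" and flow.dport == 443 and flow.dst in DOH_ENDPOINTS:
        return "block", "known DoH endpoint"
    return "allow", "not DNS"


def audit(records: str) -> List[Tuple[str, str, str]]:
    """Classify every non-empty record; returns [(line, verdict, reason), ...]."""
    out = []
    for line in records.splitlines():
        if not line.strip():
            continue
        verdict, reason = classify(parse_flow(line))
        out.append((line, verdict, reason))
    return out


# Constructed flow records using documentation-range addresses.
SAMPLE_FLOWS = """\
192.168.1.50 203.0.113.53 udp 53
192.168.1.1 203.0.113.53 tcp 853
192.168.1.50 198.51.100.10 tcp 443
192.168.1.60 203.0.113.7 udp 443
192.168.1.50 203.0.113.7 tcp 443
192.168.1.50 192.168.1.1 udp 53
"""

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {line:36} {reason}")
```

The DoH rule is the weak one in any such policy: DoH on TCP/443 is indistinguishable from ordinary HTTPS unless the destination is already known or the traffic is proxied, which is why the post relies on proxying rather than port rules for HTTPS.
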
Some people do not administer every network to which they connect and have to connect to untrusted networks. That is where tools like encrypted queries over LAN/WLAN help if VPN is blocked or you don't use one (stupid...). Public WiFi and cellular networks are a perfect example where you are unlikely to administer the network itself and have to rely on your client/device.
 
While this is true, during my travels, I've run into very few places that stop me from connecting back to my home network via my VPN. The places that do block me I don't bother connecting to because, well, if they're blocking VPNs you can't trust them.

Also when it comes to DNS queries you need to remember that if you're at a Starbucks using their WiFi with no VPN, even if you have encrypted DNS (DoH, DoT, etc) that doesn't stop them from seeing where you go. It just means they can't see your DNS query. They can still see the IP address you end up connecting to and can resolve that to the URL. This is one of the reasons why encrypted DNS is kinda meh. It doesn't really make anything more private, it just makes it slightly harder to figure out the destination.
 

Meh, IP address is largely irrelevant when trying to identify a destination. Odds are very high the address belongs to some data center, cloud provider, or other hosting service, and not the owner of the site. A PTR lookup typically will return a record for them, not the actual site accessed by the user. Chances are also very good there are multiple, completely unrelated sites running off the same address.
 