Which is more private: Pi-Hole and Unbound OR Cloudflare Tor resolver?

1 point

8 years ago

Alright, here's the deal: I've just finished modifying my Pi-Hole configuration to work with Unbound so it caches responses and recurses the TLDs which is fairly "private" in that it uses the root servers rather than an aggregator so there's that.

At the same time, I've just seen that Cloudflare has released a Tor onion service to resolve DNS requests which can ALSO be configured to work with Pi-Hole.

Thus far I have not quite been able to figure out how I may be able to combine them (so DNS queries go from my device > Pi-Hole > Unbound > Cloudflared daemon > Tor > Cloudflare resolver. Not to mention, that seems slightly ... pointless if the Cloudflare Tor onion service provides better privacy/anonymity/pseudoanonymity (whatever) than using Unbound to traverse the root authorities does.

The upshot I see with Unbound is that it's less likely anyone's going to hijack enough root servers that I'll have a reasonable chance of malicious DNS hijinks whereas if someone hijacks Cloudflare's resolver, they've got the keys to the kingdom as far as my ability to resolve hostnames correctly is concerned.

So my question is fairly simple: given the choice between having Pi-Hole resolve DNS queries through Unbound (which traverses root authorities) or Cloudflare's new Tor-based onion service resolver: what are the pros/cons of each and which provides, overall, the best security/privacy/anonymity/pseudoanonymity?

I realize this is a bit subjective and comes down to personal preference when choosing, but as far as the pros/cons go, I'd like to see what other people think and which they'd choose.

P.s. - here are the relevant announcements/explanations of the two services I'm talking about: https://pi-hole.net/2018/06/09/ftldns-and-unbound-combined-for-your-own-all-around-dns-solution/

https://blog.cloudflare.com/welcome-hidden-resolver/