relic4322

Interesting in learning more about that. I do a lot of dev work with AI, agentic and otherwise. Did a proof of concept for quick fact finding but of course you run into "where do you source the truth" and the more I looked the harder it was.

totally arbitrary, lol. Im used to DNSSEC, saw DoT and DoH about the same time, think I saw a write up that used DoT and just went for it. Havent even compared DoT vs DoH, but DoH reminds me of Homer Simpson cuz im old XD

In my particular setup, I have an additional constraint and that is that my network has to be designed for portability and travel. Not that it affects your design per say. Thank you for the response. Just something that occurred to me that I hadnt mentioned.

I am living a transient life at the moment. So lots of virtualization and lack of control concerning the WAP and such.

I do like your set up btw.

Yeah, I am pretty close to that, the pihole to unbound, unbound DoT to cloudflare. What I am doing at this point is bypassing the DNS to ISP, but as I stated in my response above, not yet blocking everything on the net from using the regular stuff. Just feasibility testing at the moment.

Love the dual setup for DNS. I set my primary to this and my secondary to just cloudflare at them moment for when I bork my primary DNS will fidgeting with it, haha.

"Dnsbl is only a small component of effective network security. Arguably the firewall is most important and so I have a default deny all for any device on my LAN trying to reach the Internet." 100%, I decided to break up my posts into sub components of the total stack, but to your point currently im enforcing a deny all inbound and outbound at the host level, as the network is shared with the fam and they are not ready for that level of learning (pain, lol)

I just learned about unbound, didnt realize it had a blocklist capability so thats great to know. Gotta dig into it.

I like that last bit, blocking DoT except for the one approved path. Much like TLS 1.3 it offers insider threat protection against inspection. So with that in mind when you said you are using unbound instead of using DoT forwarding, you mean instead of allowing clients to DoT forward, right? Thats what I am doing now as well, though I am not actively blocking it yet. Just currently enabling and testing feasibility on a single host to see the performance and operational impacts of privacy/security implementations.

Curious to your IDS solution, I gotta dig into opnsense. I know about it, its been around a long time, but havent touched it in so long I cant remember its capabilities.

good point. not a huge fan, but better than no option at all. Actually thats probably the best option for now.

I think if you are using any meta app on your phone yes. I would assume yes, if they put in the time to figure out the security bypasses then I cant see why they would limit it to one app. I removed all meta apps from my phone.

Brutalism and Art Deco, not together obviously, but +1000 points to Affordable Housing @supersquirrel@sopuli.xyz lol

Its funny to qualify and not go after it. After exploration I found the same things. Whats the point? Only thing I could find was hey you can hang out with smart people.

Its lonely being SMRT so this seems like it might be a good thing, but you know what... you put a bunch of smart people in a room and they are all used to being the smartest in a group and its insufferable.

Better to not bring it up, and just find people that share your hobbies tbh.

same for me, codeberg works quite well. no issues at all in comparison to github. slowly moving my code over.

nice. Im looking to make the transition to graphene OS. would go to linux daily driver if I can get away from MS Office. I do too much writing collaboration with others and it gets wonky going back and forth with office users. Though Denmark is saying they are ditching office so that might incentivize alternatives and such. exciting times.

Im currently working on a whole stack, so docker pi-hole with unbound using dns over tls, squid proxy with maximum privacy, FF fork with ublock, privacy badger, noscript. mullvad and/or tor depending on where and when im using it.

yeah, and extensions additionally work against you in fingerprinting. Though I'm totally interested in what extensions you are using.