I'm trying to achieve three simple goals (on our CentOS8 server)...
- local DNS resolution/caching
- DNSSEC
- DNSoverTLS
At first I went straight for dnsmasq because that seemed to be what most people were using in my research. It was a trivial install and I was able to get it up and running in no time. #1 - check
I then moved on to DNSSEC and eventually found that I just needed to add the following to my dnsmasq.conf...
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
All seemed well and good, #2 - check
Finally I got to DNSoverTLS, and started to understand the difference between a DNS forwarder and a full DNS server like BIND. It seemed that without installing yet another link in the chain, such as stubby, it was not something that was supported natively. #3 - soft fail
I want as simple/easily maintainable a solution as possible, i.e. fewer moving parts, so I started looking at BIND9 since it's the de facto standard, but in doing that I also found systemd-resolved, which is already installed and seemingly supports all three of my requirements. #1,2,3 - Check
My question is, in light of my three requirements, why would I not use systemd-resolved? What are the real-world differences or benefits of using one of the other two methods? I've seen some hate out there for systemd-resolved, but only because it wasn't truly secure due to a possible MITM vector, but that has since been dealt with from what I can see.
I've tried to find details comparing the three, but everything is all about BIND and dnsmasq; it's surprisingly hard to find anything other than a reference manual for systemd-resolved.
Thanks.
EDIT: So that you've got a better idea of the circumstances, the server will be low usage: mail services, some file syncing, light web duty, for < 5 users typically, maybe the occasional bot/idiot trying to randomly penetrate it, etc. The only caveat is that there will be many such instances, all running independently as standalone single-tenant systems orchestrated centrally... so I'm looking for a simple but capable DNS system that provides modern privacy and security features like DNSSEC and DoT.
I'm not against a solution that has more parts, but I'm just looking for a justification if there is one for doing that.
That said, I just realized that CentOS8 is stuck on systemd v239, and fully working DoT is not available until v245 according to the docs. So I'm looking at Fedora 32 as an option.
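As an added illustration of the systemd-resolved route the question settles on (this is not configuration from the original post; the resolver addresses, the drop-in file name and the helper functions are my own choices), the script below writes a resolved.conf drop-in that turns on caching, strict DNSSEC and strict DNS-over-TLS, then checks that neither privacy setting has been left in its opportunistic/allow-downgrade form, since those modes silently fall back to plaintext or unvalidated answers. The "#servername" suffix on DNS= is what resolved uses to validate the upstream's TLS certificate; I assume it needs the newer systemd (v245-era) the post refers to, so drop the suffix on v239.

```shell
#!/usr/bin/env bash
# Added example: generate and sanity-check a systemd-resolved drop-in
# that gives local caching + strict DNSSEC + strict DNS-over-TLS.
# Not from the original post; resolver choice and file names are assumptions.
set -e

# Write the drop-in into $1, which stands in for /etc/systemd/resolved.conf.d
# (a temp dir is used in the test so this runs offline). Prints the path.
write_resolved_dropin() {
    local dir="$1"
    mkdir -p "$dir"
    cat > "$dir/10-dot-dnssec.conf" <<'EOF'
[Resolve]
# Upstream resolvers that speak DNS-over-TLS on port 853. The "#name"
# suffix is the server name used for certificate validation
# (assumption: requires the newer systemd the post mentions).
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
# Strict DNSSEC: answers that fail validation are rejected outright.
# "allow-downgrade" would quietly disable validation for upstreams
# that do not support it.
DNSSEC=yes
# Strict DoT: never fall back to plaintext port 53.
# "opportunistic" would do exactly that if the TLS handshake fails.
DNSOverTLS=yes
# Keep the local cache and the 127.0.0.53 stub listener that
# /etc/resolv.conf points at.
Cache=yes
DNSStubListener=yes
EOF
    echo "$dir/10-dot-dnssec.conf"
}

# Return the value of a key from the drop-in. The last occurrence wins,
# which is how systemd treats a key repeated in a unit/config file.
resolved_setting() {
    awk -F= -v key="$2" '$1 == key { v = $2 } END { print v }' "$1"
}

# Succeed only if both privacy-relevant settings are strict ("yes").
check_strict() {
    local f="$1"
    [ "$(resolved_setting "$f" DNSSEC)" = "yes" ] || return 1
    [ "$(resolved_setting "$f" DNSOverTLS)" = "yes" ] || return 1
}

# After installing the drop-in for real:
#   systemctl restart systemd-resolved
#   resolvectl status          # shows "DNSSEC setting: yes" and "DNSOverTLS setting: yes"
#   resolvectl query example.com
#   dig +dnssec example.com @127.0.0.53   # look for the "ad" flag in the header
```

Run with a real directory only once you have confirmed your systemd version accepts DNSOverTLS=yes; on the v239 the post mentions, check_strict failing is the expected outcome and tells you the upgrade is needed.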