DNS DoT, DNSSEC with Rebind Protection - Sanity Check.

AStaUK

Occasional Visitor
For home use, is there any benefit to having DNSSEC enabled?

Although I currently have it enabled (along with Rebind protection), I feel that maybe it's overkill and has a detrimental effect on my home internet. As an example, both Reddit and Amazon can be slower to load, with Reddit quite often failing or being very slow to load images, which doesn't occur with DNSSEC off. I realise that having DNSSEC on is a good way to stop some man-in-the-middle attacks, which is great in the enterprise area, but on my home internet connection is this really a scenario I'm likely to face? If anything was happening at the ISP level I'd be in far bigger trouble.
 
With DoT enabled, keep DNSSEC disabled. Your upstream provider of choice does DNSSEC validation and you have encrypted communication with their servers. If you have a filtering DNS service upstream returning 0.0.0.0 and Rebind protection enabled, you will get possible rebind protection attack messages in logs.
 
Tech9 has it right. With DoT already encrypting your queries, having router-level DNSSEC validation on top is double work and the performance hit you are seeing is exactly what you would expect. DNSSEC validation requires the resolver to fetch and verify a chain of signatures from root to TLD to authoritative - that is multiple extra round trips per query. Sites like Reddit that use CDNs with frequent DNS TTL changes are particularly sensitive to this. The sensible setup for home use: keep DoT on, disable DNSSEC at the router level, and use a provider that does DNSSEC validation on their end before sending you the response. You get the security benefit without the overhead. If you want to compare providers on speed and security features, publicdns.info has a good comparison table - handy for seeing which DoT servers actually do DNSSEC validation server-side. Let me know how you get on.
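As an added example (not code from this thread or from any router firmware), a small Python parser for a DNS reply that checks the two things the replies above hinge on: whether the upstream resolver set the AD flag, which is how you tell it validated DNSSEC on your behalf, and whether an answer such as 0.0.0.0 from a filtering upstream falls in a range a dnsmasq-style rebind guard would reject. The blocked-range list and the sample reply are constructed assumptions, not captured traffic.

```python
import struct
import ipaddress
# Assumption: ranges modelled on dnsmasq's stop-dns-rebind guard; 0.0.0.0/8 is
# included, which is why a filtering upstream answering 0.0.0.0 trips it.
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def inspect_response(msg):
    """Report the AD bit (upstream validated) and A answers a rebind guard rejects."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                            # skip question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            addrs.append(ipaddress.ip_address(msg[off:off + 4]))
        off += rdlen
    blocked = [str(a) for a in addrs if any(a in n for n in REBIND_BLOCKED)]
    return {"ad": bool(flags & 0x0020), "answers": [str(a) for a in addrs], "rebind_blocked": blocked}

def build_sample(flags, addr):
    """Constructed wire-format reply to an 'ads.example A' query (not a real capture)."""
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = b"\x03ads\x07example\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(addr).packed
    return header + question + answer
```

Flags 0x81A0 (QR, RD, RA, AD) model a validating upstream that filtered the name to 0.0.0.0; 0x8180 models a non-validating one, so inspect_response reports no AD bit and nothing for the rebind guard to reject.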
 
