But you still need to trust the root servers, right? I’d say 1.1.1.1 adds an extra layer of protection from a compromised root (hijacked by China, for instance; the premise being that, between a rock and a hard place, a US corporation is more trustworthy than an adversarial government, or the US government for that matter).
The author states that pihole sending requests to 8.8.8.8 (Google) is worse than sending requests to your ISP. I disagree. I have always had terrible experiences with Comcost's DNS. I trust them less.
I'm pretty sure it is using pure DNS recursion, so if you ask for abc.google.com, the Pi itself will ask the .com TLD DNS server for google.com's DNS server, then go and ask Google what abc.google.com's IP address is.
So you're not asking the ISP for abc.google.com, but because they provide the internet, the ISP will see all your requests, including the UDP request to the .com TLD, google.com's DNS, etc.
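The delegation walk described in the two comments above, as an added example that is not part of the thread and not Pi-hole's or Unbound's code. The "servers" are an in-memory, constructed hierarchy (root, a .com TLD server, a google.com authoritative server) with invented hostnames and 192.0.2.x documentation addresses; the point is the trace it returns, which is every query that crosses the wire and is therefore visible to an on-path ISP even though the ISP's resolver is never asked.

```python
"""Iterative resolver over a constructed, in-memory DNS hierarchy.

Added example, not from the thread. Zone data, server names and addresses
below are made up for illustration; nothing here touches the network.
"""

# Each "server" knows only its own zone: the root delegates TLDs, the TLD
# delegates second-level domains, and the authoritative server holds A
# records. Names are fully qualified (trailing dot).
SERVERS = {
    "root": {
        "NS": {"com.": "a.gtld-servers.example"},   # hypothetical TLD server
        "A": {},
    },
    "a.gtld-servers.example": {
        "NS": {"google.com.": "ns1.google.example"},  # hypothetical auth server
        "A": {},
    },
    "ns1.google.example": {
        "NS": {},
        "A": {
            "abc.google.com.": "192.0.2.10",   # documentation-range addresses
            "www.google.com.": "192.0.2.11",
        },
    },
}


def _covers(zone_name: str, qname: str) -> bool:
    """True if qname is at or below zone_name (both fully qualified)."""
    return qname == zone_name or qname.endswith("." + zone_name)


def iterative_resolve(qname: str, servers=SERVERS, max_hops: int = 10):
    """Walk the delegation chain from the root, the way a recursive resolver
    (Unbound, Pi-hole's unbound backend) does when it has an empty cache.

    Returns (answer, trace). trace is the list of (server, question) pairs
    actually sent on the wire: a classic resolver sends the full qname to
    every server in the chain (QNAME minimisation, not modelled here, would
    trim it), so an on-path observer sees the whole name at every hop.
    answer is None when no server can delegate or answer the name.
    """
    if not qname.endswith("."):
        qname += "."
    server = "root"
    trace = []
    for _ in range(max_hops):
        trace.append((server, qname))
        zone = servers[server]
        if qname in zone["A"]:
            return zone["A"][qname], trace
        # Follow the most specific delegation that covers the name.
        matches = [z for z in zone["NS"] if _covers(z, qname)]
        if not matches:
            return None, trace            # nobody is authoritative: NXDOMAIN-ish
        next_server = zone["NS"][max(matches, key=len)]
        if next_server == server:
            return None, trace            # defensive: refuse to loop on itself
        server = next_server
    return None, trace                    # hop limit hit (lame/looping delegation)


if __name__ == "__main__":
    answer, trace = iterative_resolve("abc.google.com")
    print("answer:", answer)
    print("queries visible on the wire (what an ISP sees):")
    for srv, q in trace:
        print(f"  -> {srv}: {q}")
```

Running it shows three queries leaving the Pi, one per hop, each carrying the full name; none goes to the ISP's resolver, but all three transit the ISP's network in the clear (plain UDP/53 in the scenario the comment describes).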
DNSSEC and DoH (DNS over HTTPS) serve completely different purposes. There isn't a choice to be made between them. DNSSEC's sole purpose is to validate the integrity of DNS records. DoH protects DNS requests and responses in flight but does nothing to validate that the DNS record returned was actually created by the domain owner.
The author of the article states they don't care about tracking of requests by their ISP, so they don't bother to implement in-flight protection of DNS.
On the choice of DNS forwarder: Unbound is very configurable and reliable; however, I went down this rabbit hole recently and decided I wanted a DNS "shotgunner", as latency to a single upstream source had a wide distribution.
Simply, you issue multiple DNS requests and take the fastest one. I use 9 different DNS servers over TLS. This is a bit excessive; two is enough most of the time.
Calling it 'abuse' seems like a leap. It is redundant, sure, but the results get cached, usually for extended periods of time if the TTL isn't set to too short a duration.
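The "shotgun" forwarder discussed in the three comments above (race several upstreams, take the first answer, cache it for its TTL), as an added example that is not the commenter's setup and not any real forwarder's code. The upstreams are simulated with asyncio.sleep using invented latencies and a 192.0.2.1 documentation address, so it runs offline; one upstream is deliberately unreachable to show that the race must skip failures rather than crash on the first completion. The queries_sent counter makes the redundancy cost, and the cache's effect on it, measurable.

```python
"""Race multiple upstream resolvers, keep the fastest answer, cache by TTL.

Added example, not from the thread. Upstream names, latencies and the
answer below are constructed; real code would send DoT/DoH queries here.
"""

import asyncio
import time

# Constructed upstreams: name -> (simulated latency in seconds, answer).
# An answer of None models an upstream that errors out (unreachable).
UPSTREAMS = {
    "upstream-a": (0.30, "192.0.2.1"),
    "upstream-b": (0.05, "192.0.2.1"),
    "upstream-c": (0.15, "192.0.2.1"),
    "upstream-d": (0.01, None),          # fails fast; must not "win" the race
}
TTL_SECONDS = 60


async def _query(name: str, latency: float, answer, qname: str):
    """Stand-in for one upstream query (real code: a DoT/DoH exchange)."""
    await asyncio.sleep(latency)
    if answer is None:
        raise ConnectionError(f"{name} unreachable for {qname}")
    return name, answer


class ShotgunResolver:
    def __init__(self, upstreams=UPSTREAMS, ttl=TTL_SECONDS, clock=time.monotonic):
        self.upstreams = upstreams
        self.ttl = ttl
        self.clock = clock               # injectable so expiry can be tested
        self.cache = {}                  # qname -> (answer, expiry timestamp)
        self.queries_sent = 0            # total upstream queries issued

    async def resolve(self, qname: str):
        """Return (answer, source) where source is the winning upstream or
        'cache'. Losing queries are cancelled once a winner arrives."""
        now = self.clock()
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"

        tasks = [
            asyncio.create_task(_query(name, lat, ans, qname))
            for name, (lat, ans) in self.upstreams.items()
        ]
        self.queries_sent += len(tasks)
        try:
            # First *successful* completion wins; a fast failure is skipped.
            for fut in asyncio.as_completed(tasks):
                try:
                    winner, answer = await fut
                except Exception:
                    continue
                break
            else:
                raise RuntimeError(f"all upstreams failed for {qname}")
        finally:
            for t in tasks:
                if not t.done():
                    t.cancel()
            await asyncio.gather(*tasks, return_exceptions=True)

        self.cache[qname] = (answer, now + self.ttl)
        return answer, winner


def resolve_sync(resolver: ShotgunResolver, qname: str):
    """Convenience wrapper so the resolver can be driven from plain code."""
    return asyncio.run(resolver.resolve(qname))


if __name__ == "__main__":
    r = ShotgunResolver()
    print(resolve_sync(r, "example.com."), "queries so far:", r.queries_sent)
    print(resolve_sync(r, "example.com."), "queries so far:", r.queries_sent)
```

The second lookup is served from cache without any upstream traffic, which is the point made about redundancy: the N-fold cost is paid once per TTL, not once per client query. Note that racing upstreams trades a little privacy for latency, since every upstream in the list learns every uncached name you look up.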