Here's my current setup: I connect from my Windows laptop via OpenVPN AES256 tunnel to my own OpenVPN server (don't trust any "no logs" VPN provider) where Bind DNS server is handling the DNS stuff (don't trust my ISP DNS or Google's public DNS & this way DNS queries come from my VPN public IP) and Squid does some ad & malware site filtering for HTTP stuff. All the servers run in the same offshore VPS and working nicely. Uplink speed is decent 1 Gbps and harware not bad (Xeon 8 core, 2 GB RAM + 2 GB Swap,80 GB SAS) But now Im thinking of securing the DNS request that come out from VPN endpoit. What I have been able to figure (while at flu) is that: - CurveDNS is supposed to offer end-to-end encryption for DNS servers that support it, and normal DNS query for those that don't, right ? - DNSCrypt is OpenDNS encrption solution but it only protects the last mile, the connection between DNS client and first DNS server? So maybe this is not needed because my DNS queries already travel throught VPN tunnel to my DNS server? - DNSSEC. It's not really about ecryption but a way to manage authenticate DNS servers? So what is the best way to protect DNS? 1. CurveDNS ? 2. DNSCrypt ? 3. DNSSEC ? 4. Some combination of above?