What do you mean by "secure DNS box"? This is a DNSSEC-validating resolver, which means it will check DNSSEC signatures, for whatever that is worth to you. It won't encrypt your DNS traffic. It may accept DoH/DNS-TLS requests, but won't (AFAIK) make outgoing DoH requests, so all the requests you make will be visible from the server.
AFAICT This does not include like an ACME implementation or anything like that, so:
You will need to obtain a suitable TLS certificate (for which you will have generated a private key).
For this to be of practical use outside of a toy, you will probably need to obtain the certificate from a different CA since you would want an ipAddress SAN (a certificate for the IP address of your DNS server, not the hostname) so that remote systems can use this server without also needing DNS, since if they have perfectly good DNS why use this server?
For a toy you can self-sign a certificate and set your test systems to trust that self-signed cert or whatever.
Unbound is probably more featureful (especially when it comes to DNSSEC, which, I mean, again, for what that's worth to you), but sdns is written in Golang. Unbound is written in C and has had at least one memory corruption vulnerability reported.
I'm definitely a fan of go over C. I was really happy with unbound as a local resolver for a good long time, but then started having DNS issues that would be cleared up by restarting unbound.
I'm all for rewriting things into safe languages, but I do like the battle-tested nature of C things, like unbound. For example, I'm interested in replacing my smtpd daemon with something better. I'm most tempted to go with postfix, because it's very supported, does lots, is totally battle tested, and has a good security track record. However, the hip kid on the block is Haraka -- https://haraka.github.io/ . It's written by smart people with a long history in the problem space, and it does things in a new and modern way. I'm inclined to like it. But several things make me hesitant:
- Will a hipster javascript thing really be as reliable? Are these new runtimes really sufficient for totally essential things like email? What about filesystem stuff? I'd think a battletested thing like postfix will be much better off than this.
- Do I really want to deal with javascript or whatever other hipster language for deployment? With most essential utilities, it's packaged in my distro with minimal dependencies. With hipster stuff, it's usually a fast pace of development, which doesn't lend itself to packaging, and uses something awful like npm. Is this something I really want to depend on?
So I'd wonder the same thing about sdns. The "rewrite it in ${safelang}" trend tends to produce immature and unreliably deployable software and that makes me worried. How's sdns fare?
Not sure I see the justification replacing postfix (which with simple configurations can be configured with just a few lines in a config file) with haraka written in javascript.
Unbound seems generally respected, is nice and simple, written cleanly, and does MUCH less than bind. However it has had at least one memory corruption bug that plagues most c/c++ applications of non-trivial complexity. It also does seem to hang and I ask around and other people have seen similar. It's no longer what I consider reliable enough to be installed on every client. It's scary that it hangs, because if it gets that wrong there's likely other issues as well.
I'm hopeful that SDNS is more reliable and secure. I just want a local caching resolver that understands DNSSEC.
Would love to see some support for Prometheus compatible metrics.