-
-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Info] DNS Servers #590
Comments
@funilrys Nice to hear this! Can you please add some documentation regarding the upstream server, filters used, logging, etc? Also, I hope that you will also set up DNSCrypt and DNS-over-HTTPS on the same servers. |
Hey @DRSDavidSoft I had DoH on my DNS servers, but since FF DO NOT respect the You can read a more in-depth comment on this at https://mypdns.org/my-privacy-dns/issues/-/issues/607. There are also a bunch of links to among other FireBug etc. With this, even how good the intention originally was supposed to be, it can actually rather soon become the pure evil 😒 and my personal advice is, Don't put it up, unless you can and will provide a user account for using the DoH service. Update note: fixing some grammar for readability. |
@spirillen Good point. Since you brought this issue up, I'd like to also mention some of my opinions regarding this matter as well. Please click here to expand the comment.I agree that the way Mozilla is currently handling DoH on their browser is not optimal, however as they have stated, this is meant to be a temporary measure until a proper method to signal the browser is standardized:
Personally, I don't believe in each browser using a separate encrypted channel to relay the DNS requests, especially when they default to either Cloudflare or Google DNS. My personal reason being that I will lose control over the DNS responses, such as blocking Adware and Malware (e.g. However, in my opinion, the alternative should NOT be to simply disable DNS encryption, since now the ISP (or corporate) will be able to eavesdrop and/or spoof my DNS requests, especially those that are not hardened with DNSSEC. Please see what an unencrypted DNS is returning for `youtube.com` in my country: (click to expand)In this case, if I'd like to browse YouTube, I expect to get the IP address of Google servers, not the private-range address
What I personally prefer to use is a system-wide DNS resolver (such as Unbound or DNSCrypt-proxy) that upstreams to an encrypted server, preferably one that I run with my custom blacklists and whitelists. That way, my ISP, corporate, coffeeshop, etc, will NOT be able to see or modify my DNS requests. which is important to me. In most cases, using an anonymized Cloudflare's 1.1.1.1 DoH resolver is fine, and I trust it more than Google. Of course, Quad9's 9.9.9.9 is also a good choice. With that being said, not many people are well-versed in running a technical setup like this, or they simply just do not care. I believe Mozilla and Google's efforts to implement a built-in encrypted resolver are in the right place, in order to prevent unwanted DNS hijacking and governmental censorship, for those type of people. With that being said, I also do NOT appreciate Firefox defaulting to another DNS server -- whether encrypted or not -- when I have explicitly implied that I intend to resolve the DNS through localhost ( Moreover, If I'd like to disable this "feature", I do not trust FF to adhere to their signaling method in the long run, and I only see this domain being useful in situations where you can't manually disable the behavior as outlined here https://www.mypdns.org/T607#6866. (e.g. for other computers running in my network which are managed by other users than me). I will always turn off this "feature" in my machine, and just set Firefox to use the localhost resolver. I'd also like to mention that I believe Google's approach is more logical and thus better, as it only upgrades the DNS resolver if there exists an encrypted equivalent to the currently set DNS resolver (e.g.
Thus, if any other DNS server is set by the user that doesn't support encryption, Chrome will not automatically try to use an alternative DNS resolver. This makes more sense to me than Mozilla's default approach. Since I do not use Firefox as my main browser (for other reasons), I either use a De-Googled version of Chromium (such as Bromite), or I use Google Chrome when I'm feeling comfortable sharing my data with Google and would like to use Google services. In both cases, I have built-in telemetry disabled, and I use extensions such as uBlock Origin, HTTP Everywhere, Privacy Badger, Disconnect, and Nano Defender. In cases where I'm not using DuckDuckGo, I additionally use an extension called "Don't track me Google" to further reduce Google search tracking. In any case, I'd still like to use an encrypted upstream DNS resolver, whenever possible. |
Hey @DRSDavidSoft A couple of replies on that long thread. (Why didn't you add it to T607 now you signed up anyway 😃 That site is protected against all kind of tracking 👍 ) It would also help this thread from becoming de-routed as now.
This can actually be you are routed to a proxy here it's evil from a privacy issue, but again.. all google is one big privacy issue, and here a proxy can actually help obfuscating who is doing what on yt. So this is a 50/50 change for the better.
Cloudflare = all activity tracking
Try to as @DaniV5 if this was difficult even he never tried anything like this before!!! He was up and running in a few hours, with help from this starter script: https://mypdns.org/rpz/dns-rpz-integration/-/tree/master/PowerDNS-Recursor
If bastards like google would/is doing this, trust me it isn't for your sake, it is purely for there own for getting even more data about you for brainwashing you.
Could you post more about this in the T607, as I have completely blocked google here. That's include the spyware chromium.
You should try to watch your log when you lunch any
A SSL certificate based on IP addresses, is first and foremost extremely expensive and you can only obtain it through a limited number of providers. Next you need to be assigned the IP by RIPE, with all organization data etc. You shall then have those IP addresses setup by a hosting company, then find some papers with the RIPE letterhead to forward to the SSL application etc etc.... it's a jungle and it cost the the bucks of a big country's BNP. Setting it up takes what 5 to 10 minutes ⏳
To not loose any of the control of contents being blacklisted and whitelisted and have other deciding this to you, there is only one solution..... Install your own resolver PowerDNS's recursor or ICS Bind9 on you own machine (My personal flavor is by far the PowerDNS recursor) and then use the RPZ and maintain your own whitelist, it should always rely on a personal choice, rather than other. And by a local resolver using RPZ you have the keys, nobody else. Another noteNice to see more people trying to do something good and setting up other open DNS servers 👍 |
@spirillen If it's alright with you, I don't mind posting to mypdns.org -- although maybe on a new document, since my reply is already getting kind of off-topic. I'd like to apologize for the long reply beforehand, but since the topic is already posted here, I'll just reply here. (Click to expand)
I see your point, and I agree that if the IP address was being used as a reverse proxy, it would actually benefit the user privacy-wise, by anonymizing the source IP address. (Not that it'd be helpful in case the user is logged in.) However, just to be clear -- this is NOT a proxy, it's simply a page hosted that displays "Access to this website has been denied". I was just using YouTube as an example, but this DNS hijacking also occurs for DuckDuckGo and also Telegram.org, a privacy-oriented messenger. Even in case, this IP was being used to proxy my requests (and not to display an "access denied" page), I wouldn't want my ISP to perform DNS hijacking since this server could definitely be used as an MITM (Man-in-the-middle) attack vector. On unsecured port 80, they could see the plain requests and modify them. On secured port 443 (TLS/HTTPS), they could extract the domain name that I'm connecting to. In both cases, they can see what domains my devices are trying to connect to, and they can modify or block the DNS response. For this reason, I'm never using an unencrypted DNS server for my main devices and network.
Good to know, Quad9 is actually the preferable upstream server that I'd use. I'd still use Cloudflare, but only for anonymized incoming DNS requests. Regarding Google and Cloudflare running DoH, I 100% agree with you on the fact that they run the service mostly for their own sake, and not the users. In either case, at some point, we should choose how much data we're willing to share with the Big 5 Companies (FAAMG). Personally, I'm comfortable to share some of my public data, and only that.
This is indeed a great solution, but as I said, provided the user is willing to set it up. I know many people that don't have the time or the budget to set it up on a server of their own, but are willing to use another people's servers.
I see, and I completely agree with your points. However, as a web developer and a user, I really dislike the Gecko engine, and parts of the Firefox interface. Webkit (and Blink) in Safari and Chrome are doing a better job, but as you said, they usually come bundled with trackers and spyware from Google and Apple. With that being said, browsers like Bromite and Iridium completely take out the telemetry and spying stuff out of Chromium, which otherwise is my opinion is an excellent browser. https://www.privacytools.io/browsers/ Microsoft Edge and Opera also build on the Chromium code base, with their own telemetry baked in. I always monitor the traffic that my browsers generate, and I see that that's the case. However, I do not believe in their license agreement to collect my data, without my consent. i.e., I don't care about what they're asking, and will always block as much as unwanted traffic as I can. In Mozilla's case, it's better since you're not bound to such agreements, although Firefox still contains telemetry code. I think it's common sense to block any telemetry that you are aware of, regarding which piece of software you use.
I see, and again, I agree with your point on the SSL certificate. I wouldn't want to waste money to acquire a certificate from a third party that has to be renewed each year. However, I'd like to propose two suggestions:
If you're interested in running a DNSCrypt protocol server, please have a look at this: The DNSCrypt server (which is powered with Unbound) then can be set to use the local PowerDNS instance.
PowerDNS is indeed a great solution, however, I'm personally using a combination of DNSCrypt-proxy + Unbound on my server, in order to provide encryption. Instead of running my own recursive resolver, I've chosen to upstream to OpenNIC, which is an independent resolver not governed by IANA. They also resolve many non-standard TLDs, such as Additionally, the DNSCrypt-proxy resovler has the added benefit of wildcard blocking and CNAME blocking, in addition to cloaking and forwarding. For example, I can block I'm currently hoarding about ~70MBs of blacklist 😅 with about 2000 hand-picked whitelisted domains. My server is used at both my home network, and where I work (I have the role of sysadmin there). |
I think that would be a good idea, as I see yet more de-reouted comments to your last reply. Anyway a single note to your
What script language do you write in? You might be a VW people!!! |
@spirillen For web development, I write in ES8+ Javascript. I primarily use a Node.js stack for the back-end too, although I'm also well versed in PHP/7. What does VW stand for? |
VW Is VolksWagen 😋 (That's a German car factory cheating with there test software 🤣 ) VW = VeryWanted 👍 I'll hit you up on mypdns about the php => |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Side note: @funilrys @Somebodyisnobody Side storyIt happens as internal talk between me and funilrys on keybase about the performance between Bind vs (dnsdist + recursor) for how big blacklist the diff system can handle as I found this in my OPNSense firewall about Bind
As this is no issue with the recursor I use 😏 Then there was some issues with the UFW firewall on our cdb about letting simple DNS queries through, even the udp 53 ports was wide open. Turned out to again being the fucked up While I was investigating the DNS queries this came to me Then I would try these DNS and this happens... drill p57b8b9a5.dip.t-ipconnect.de @88.198.70.38
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 40754
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; p57b8b9a5.dip.t-ipconnect.de. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
t-ipconnect.de. 3600 IN SOA dns00.btx.dtag.de. hostmaster.t-ipnet.net. 2020120100 1800 900 7257600 3600
;; ADDITIONAL SECTION:
;; Query time: 849 msec A little second test to the Local bind lookup Local dnsdist + recursor
All queries to the root servers But fun aside, there are lacking information's on the above questions!! |
@Somebodyisnobody I'm sure it was @mitchellkrogza's dog 😄 But I fixed it so that it redirects here (correctly) 😸 To answer your questions, there is no logging behind |
About the missing WHOIS information, it's pretty common in Germany to have no personal information in the WHOIS record. My family for example has domains for more than 10 years now, and there is no information about us in there. Keep in mind that the equivalent of the "GPDR" existed and evolved in Germany since 1977 as the "Bundesdatenschutzgesetz (BDSG)". But I still have to document myself about the law in South Africa. @mitchellkrogza may clarify that for you. But it's really not surprising for me to have some information retracted in there. |
It depends on the country of the registrar. For example for .de TLDs you go to the german denic. They do redact but you can query this information with reason on https://www.denic.de/webwhois/. The whois record looked above like https://www.instra.com/en/whois/whois-result/burton_email. So for me personally better write nothing in the whois-record than this "REDACTED" thing... I talked multiple times with [email protected]. They really care about abusing their domains. |
Yes indeed, you you can ask for detail but only if you have the right for it. It's really up to the registrars anyway… |
Hello, about firefox doh dns over https : "I also do NOT appreciate Firefox defaulting to another DNS server -- whether encrypted or not -- when I have explicitly implied that I intend to resolve the DNS through localhost it seems firefox in recent update has changed mechanism of dns over https and it can be set to strict and can't be overridden and there is even whitelist for dns.... so we hope there will be dns servers doh dns over https for our beloved Ultimate Hosts Blacklist ! Thank you for these awesome lists ans dns ! |
We are now reachable through the |
Great ! 💯 🥇 |
Hello, World!
Hello, @Ultimate-Hosts-Blacklist/contributors!
Hello, @Ultimate-Hosts-Blacklist/blacklister!
Hello, @Ultimate-Hosts-Blacklist/whitelister!
I hope that everything goes well for you and your beloved one.
It's been a long time (cf. #293) since we had this idea of providing a DNS server and today think that we are that far.
It took us (@mitchellkrogza and I) some time (in our free time) to imagine, develop, stabilize and even get the resources for this.
But, here we are 😄
I'm glad to announce our Public DNS Server:
88.198.70.38
88.198.70.39
2a01:4f8:140:5021::38
2a01:4f8:140:5021::39
Give it a try and let us know if something is disturbing you or if you have questions!
Have a nice day/night.
Stay safe and healthy.
Nissar
The text was updated successfully, but these errors were encountered: