DNS thread

Easton Peterson
Easton Peterson

G'day Zig Forums, recently I've been searching for good DNS providers and would like to gather some opinions on which one to choose. Currently I'm torn between open-DNS and Cloudflare-DNS but I'd appreciate alternate options.

Attached: Screenshot-from-2019-04-13-14-09-12.png (4.42 KB, 118x45)

Other urls found in this thread:

servers.opennic.org/
github.com/opennic/ldapServerEditor
digitalcourage.de/support/zensurfreier-dns-server
dismail.de/info.html#dns
blog.uncensoreddns.org/dns-servers/
securedns.eu/
dnscrypt.info/protocol/
de.wikipedia.org/wiki/DNS_over_TLS
dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/
developers.cloudflare.com/1.1.1.1/fun-stuff/dns-over-tor/
ctrl.blog/entry/unbound-tls-forwarding
en.wikipedia.org/wiki/OpenNIC
freedns.afraid.org

Mason Edwards
Mason Edwards

OpenDNS is Cisco Jewery (since it was bought out, at least). Cuckflare? Are you serious. Just use OpenNIC.

Justin Jackson
Justin Jackson

cloudflare
Not even as a shitpost.
Also, this is your daily reminder that DNS is a completely superfluous thing that has no technical right to be so deeply entrenched in the system. Remember to put your most commonly used sites in your hostfile.

Evan Anderson
Evan Anderson

Don't use cuckflare dns.
Opendns is fine but i personally would recommend opennic

Noah Young
Noah Young

Just download a hosts file and be your own DNS.

Easton Jones
Easton Jones

But how will I get all these JS libraries from CDNs?

Blake Wilson
Blake Wilson

opennicproject but their website turned to shit a few years ago.

Ethan Richardson
Ethan Richardson

i just use whatever comes from dhcp. too lazy to care and i want to die anyway so it's only good if the cops come and shoot me.

Levi Bell
Levi Bell

run unbound as an upstream to pihole

Jose Wilson
Jose Wilson

Unbound.
kikeflare
Yeah if you want to make sure the glows in the dark always know which sites you access.

Evan Ramirez
Evan Ramirez

cloudflare dns
Haha yes let's give cloudflare even more of a stranglehold on the internet.
This, grab yourself a no-log server and use dnscrypt. I've used dnsmasq's built-in dnscrypt support, but it seems that for dnscryptv2 you should run dnsmasq->dnscrypt-proxy->opennic server

servers.opennic.org/

Camden Hall
Camden Hall

I've used dns.watch for a while and it seems fairly solid.

Brayden Sullivan
Brayden Sullivan

Use Tor for sensitive stuff, mate. The remaining clear stuff will make you look normal to the glowing eyes.

Jaxon Rivera
Jaxon Rivera

opennic
now some totally trustworthy stranger has your dns records instead of some corp
Neither is good but you gotta pick one. At least cuckflare is fast

Attached: 123713465273.png (253.92 KB, 2396x1616)

Christopher Butler
Christopher Butler

I've been using OpenNIC for years with no issues. It's community-based so you gotta trust in some random guy online to keep his server online and keeping his promise to not log activity, but other than that it's been great.

In theory you could use GNUnet's GNS as an alternative to regular DNS, but I don't think there are tutorials for it.

Attached: 1551781434202.jpg (157.45 KB, 1080x1204)

Sebastian Young
Sebastian Young

OpenNIC has had a number of severe security flaws which remained unpatched for years, and other issues which remain unaddressed. There's not much in the way of active development toward improving their systems. If someone cared to disrupt OpenNIC, it wouldn't take much.

Tyler Evans
Tyler Evans

Only if you are trying to advertise what you are doing and get correlated.

Sebastian Walker
Sebastian Walker

OpenNIC has had a number of severe security flaws
I think you're confusing it with something else.
Google yields no results and to me it's just a website that tells me how to set things up.

Nathan Turner
Nathan Turner

No, I know quite well there are many issues because I'm the one who discovered them.

Luke Barnes
Luke Barnes

You don't know what opennicproject is and never discovered anything in your life.
Pics or didn't happen, gtfo failtroll.

Thomas Taylor
Thomas Taylor

Join their IRC and ask if you'd like to confirm it. I don't think they'd try to hide the fact that there have been issues. To be more specific, the most severe of which involved (multiple methods of) complete domain takeovers and DoS via inserting invalid DNS entries.

Kayden Howard
Kayden Howard

As long as you talk cryptic shit like that you might as well not say anything :-/
People who talk like you usually try to hide the fact that some mundane standard glitch was used, in this case a DNS one, that has nothing to do with the topic of discussion, in this case OpenNIC.

Tyler Parker
Tyler Parker

...so either link to a website or explain one of the issues you found :-/

Christian Evans
Christian Evans

why are you even here

Joseph Martin
Joseph Martin

Are you serious?
You can't just go around and claim OpenNIC is insecure (more insecure than other DNS providers) and not back it up.
Do you even science?

Wyatt Adams
Wyatt Adams

OpenNIC lacks the resources and drive necessary to actively develop and improve their systems.
The vulnerabilities I discovered weren't anything complex, just standard cases of naively trusting user input. This led to deleting/editing domains without ownership, inserting invalid DNS entries (DoS), and also editing the T1/T2 nameservers. I believe they've fixed the issues I've reported, but I had done penetration testing on them years prior and found similar issues at the time.
The unpatched T1/T2 code is available on Github, the issue is there's no authentication between edit.php's POST request to _edit.php: github.com/opennic/ldapServerEditor

Blake Turner
Blake Turner

bump3

William Mitchell
William Mitchell

Moot thread tbh in the days of more and more ISPs hijacking UDP port 53

Jose Roberts
Jose Roberts

Use dnscrypt-proxy as it forces you the user encrypted dns and the server operator to configure basic security/ssl as to encrypt the dns. OpenNIC and openDNS are just kike controlled opposition as poster above found out by their insecurity. It's a joke. Most dnscrypt-proxy servers are controlled by five eyes or the kikes in fake israel though.

Julian Rogers
Julian Rogers

HAPAS ARE SUPERIOR TO WHITES


Kayden Bailey
Kayden Bailey

Using the mainstream ones (Google, Cloudflare, ...) or your ISP's default one is a bad idea if you care about privacy. Imo a DNS should be uncensored, free, and it shouldn't log anything.
Here are some that I like:
digitalcourage.de/support/zensurfreier-dns-server (located in Germany)
dismail.de/info.html#dns (located in Germany)
blog.uncensoreddns.org/dns-servers/ (located in Denmark and USA)
securedns.eu/ (probably located in the Netherlands)

Note that DNS is always unencrypted by default. If you really want to prevent anyone from looking at your internet traffic by collecting your dns requests, you can check out DNSCrypt dnscrypt.info/protocol/ or DNS over TLS de.wikipedia.org/wiki/DNS_over_TLS
Not all servers support DNSCrypt though and even fewer support DNS over TLS. However, digitalcourage and dismail do, for example.

Lucas Moore
Lucas Moore

I smell some satanic fuckery here.

Isaiah Miller
Isaiah Miller

Looks like some Soros-funded controlled opposition to me.

Michael Murphy
Michael Murphy

Why is there so much racism in this thread?

Cameron Martinez
Cameron Martinez

I smell rats.

Michael Richardson
Michael Richardson

Fuck off moshe.

Brayden Sanchez
Brayden Sanchez

This isn't going to work. Try again.

Colton Russell
Colton Russell

I agree, you should use Tor for sensitive stuff.
Here is a DNS provider over Tor:
dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/
More on: developers.cloudflare.com/1.1.1.1/fun-stuff/dns-over-tor/

Aiden Bell
Aiden Bell

JS libraries
You don't need anything other than hosts.txt

Adrian Jenkins
Adrian Jenkins

decentraleyes

William Carter
William Carter

You can set `DNSPort` in `/etc/tor/torrc` and use it as resolver.

or install unbound for local resolving

If you really need one:

censurfridns.dk over TLS (use unbound as client)

ctrl.blog/entry/unbound-tls-forwarding

Connor Campbell
Connor Campbell

Tor only forwards the DNS request to an exit node which does the name resolution. It can still be fucked with either by the exit node or anything in-between the exit node and the DNS server. Using Tor on its own is not a solution. DoH, DoT, or dnscrypt over Tor is much better.

William Jenkins
William Jenkins

reddit spacing

Charles Cooper
Charles Cooper

do you by any chance have an idea how to contact the dot chan host/admin?

Aaron Roberts
Aaron Roberts

only good one is your own. everything else is datamining botnet.

Justin Gonzalez
Justin Gonzalez

Shamelessly shilling for OpenNIC. It's an alternative DNS root that mirrors ICANN's horseshit. Set up your own DNS server for this.
en.wikipedia.org/wiki/OpenNIC

Levi Torres
Levi Torres

Install dnscrypt-proxy, configure it to not use DoH and avoid servers which claim to log you. Encrypted DNS with the best servers possible.
If you want to get a little more complicated disable the built in caching, install unbound, and use that to cache (and forward uncached requests to dnscrypt-proxy). You can also proxy DNS requests to add anonymity to security.

Attached: vacuum.jpg (63.02 KB, 1024x768)

Lucas Edwards
Lucas Edwards

Is OpenNIC another DNS provider, or are they different than that?

Dylan Robinson
Dylan Robinson

How do I change my default DNS server on OpenWRT?

Jonathan Turner
Jonathan Turner

The documentation is shit so I'll spoonfeed you

Run the command
uci add_list dhcp.@dnsmasq[0].dhcp_option='6,$DNSSERVER,$DNSSERVER'
Where $DNSSERVER is a DNS server; you can specify as many as you want, just separate them with commas. The leading 6 (also comma-separated) is needed, read more about it on the dnsmasq man page.
You may also want to run this:
uci set dhcp.@dnsmasq[0].noresolv='1'
dnsmasq adds your ISP's dns servers to your list of servers by default, this disables that.
If you're satisfied, run uci commit and reload the dnsmasq configuration. Now you have custom DNS for plain old dhcp.

For dhcpv6 OpenWRT uses a different daemon, called odhcpd. To set the dns servers it suggests run:
uci add_list dhcp.odhcpd.dns='$DNSSERVER $DNSSERVER'
This overrides any ISP-suggested servers by default.
$DNSSERVER is any dns server, the list is separated by spaces. Do the usual uci commit and reload the config file once you're satisfied.

Note that you can set an ipv4 server for dhcpv6 and an ipv6 server for dhcp, the dns protocol is the same, but if you serve an ipv6 dns on a dhcp network with no ipv6 then your dhcp server is serving a broken config, the same applies for ipv4 on a dhcpv6 network assuming we do one day drop ipv4. So I recommend you stick to ipv6 dns servers on dhcpv6 and ipv4 dns servers on dhcp to avoid trouble.

By the way I personally recommend you use dnscrypt-proxy on your router and run the router as a DNS server, or if your router is too low end for that then run the dnscrypt-proxy right on your computer. Though if you have normalfags in your network and a weak router you can at the very least do this to give them opennic servers instead of NSA ones.
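The uci procedure above, as an added example that is not from the thread or from OpenWRT: it builds the option values the post describes and enforces the address-family rule it ends with (IPv4 resolvers in the dnsmasq DHCPv4 option, IPv6 resolvers in the odhcpd DHCPv6 list), then emits the uci lines to run on the router. The addresses are constructed documentation-range samples; the init-script restarts after `uci commit` are assumed to be how you reload the two daemons.

```python
# Added example, not from the thread: build the values the uci commands above
# take, with the address-family check the post recommends (IPv4 servers for
# the dnsmasq DHCPv4 option, IPv6 servers for the odhcpd DHCPv6 list).
# Addresses below are constructed documentation-range samples.
import ipaddress
from typing import Iterable, List


def _checked(servers: Iterable[str], version: int) -> List[str]:
    """Validate every address and require the given IP version."""
    out = []
    for s in servers:
        ip = ipaddress.ip_address(s)  # ValueError on anything that is not an IP
        if ip.version != version:
            raise ValueError(f"{s} is IPv{ip.version}; this list needs IPv{version}")
        out.append(str(ip))
    if not out:
        raise ValueError("at least one DNS server is required")
    return out


def dnsmasq_dhcp_option(servers: Iterable[str]) -> str:
    """Value for dhcp.@dnsmasq[0].dhcp_option: DHCP option 6 (DNS servers), IPv4 only."""
    return "6," + ",".join(_checked(servers, 4))


def odhcpd_dns(servers: Iterable[str]) -> str:
    """Value for dhcp.odhcpd.dns: space-separated IPv6 resolvers."""
    return " ".join(_checked(servers, 6))


def uci_commands(v4_servers: Iterable[str], v6_servers: Iterable[str] = ()) -> List[str]:
    """The uci session from the post, as a list of shell lines to run on the router."""
    v6_servers = list(v6_servers)
    cmds = [
        f"uci add_list dhcp.@dnsmasq[0].dhcp_option='{dnsmasq_dhcp_option(v4_servers)}'",
        "uci set dhcp.@dnsmasq[0].noresolv='1'",  # drop the ISP resolvers dnsmasq adds
    ]
    if v6_servers:
        cmds.append(f"uci add_list dhcp.odhcpd.dns='{odhcpd_dns(v6_servers)}'")
    cmds.append("uci commit dhcp")
    cmds.append("/etc/init.d/dnsmasq restart")  # assumed reload method
    if v6_servers:
        cmds.append("/etc/init.d/odhcpd restart")  # assumed reload method
    return cmds


if __name__ == "__main__":
    # Constructed sample resolvers (RFC 5737 / RFC 3849 documentation ranges).
    print("\n".join(uci_commands(["192.0.2.53", "192.0.2.54"], ["2001:db8::53"])))
```

Passing an IPv6 resolver to `dnsmasq_dhcp_option` raises instead of producing the broken DHCPv4 config the post warns about.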

Hunter Adams
Hunter Adams

Don't do that.
Instead use tor as a SOCKS5 proxy for dnscrypt-proxy and give it some generous caching.
That way you have non-cianigger client-encrypted DNS over an anonymous transport.

Attached: 1558449365-100800282-scrot.png (48.08 KB, 956x526)

John Bell
John Bell

What is the point of running DNS over the Tor network if the browsing you do is not through Tor as well? Your ISP can tell which IPs you connect to and it is trivial to do reverse DNS lookups. What is the benefit of adding Tor instead of only using dnscrypt? Only reason I can think of is anonymity from the person(s) running the DNS server.

Lincoln Perry
Lincoln Perry

my government/isp has banned all chans and lewd sites so i have to use a vpn every time.

i've tried dnscrypt-proxy with my gentoo and lfs install exactly like how the repo's wiki says but no dice. it doesn't unblock anything, it just resolves the sites i'm able to access with the botnet nameservers anyways.

anything else i can try other than being stuck with vpn?

Attached: terry2.jpg (186.92 KB, 600x900)

Gavin Wright
Gavin Wright

You need to disable the SNI header of your TLS handshakes. To do that install libressl and remove SNI in the source code of the library.

SNI is an unencrypted handshake with the URL you are trying to access and that's how they block you even though your dns is encrypted. South Korea was famous for this. Don't use encrypted SNI because it has the same issues as regular SNI.

SNI was originally so you would trust a domain with a single certificate for subdomains. So say you wanted to access google.myporn.net, with SNI you only need to trust googles certificate for that subdomain. But without SNI you have to have two certificates, one for google.net and one for google.myporn.net.

SNI is just a shitty backdoor and needs to be removed. Don't use websites using said technology because they intentionally make all their subdomains use the same certificate thereby making it easier to decrypt the traffic. Instead of finding multiple private keys to decrypt all you need is a single key for all subdomains to decrypt.

TLDR; Don't use SNI in any form and remove it at the source code level.

Andrew Thomas
Andrew Thomas

The reason you can access it with VPN is because all your ISP/government sees is the SNI for the VPN, the SNI for the website you access is encrypted using the VPN tunnel. But why let the government/ISP block your VPN based on SNI too? Just remove SNI altogether.

Alexander Torres
Alexander Torres

An important thing is that you need to be able to trust the DNS provider to provide the actual IP addresses corresponding to the domain names you query. Why would you trust some random entities with that? Would you install root certificates from random entities just based on their claims to be trustworthy?

Gabriel Wood
Gabriel Wood

It's a nice thought, but what do you propose to get away from dns? Someone's gotta map those names to ip addresses. Is it stored locally? What happens when an entry that's stored is old or out of date?

Nathaniel Brooks
Nathaniel Brooks

I run my own unbound DNS server in forwarding mode.
I use a number of DNS-over-TLS providers with a random access to them (unbound does this by default).

Here's my forward section:
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: [email protected]#cloudflare-dns.com
forward-addr: [email protected]#cloudflare-dns.com
forward-addr: [email protected]#dns.quad9.net
forward-addr: [email protected]#dns.quad9.net
forward-addr: [email protected]#dns.google
forward-addr: [email protected]#dns.google
forward-addr: [email protected]#anycast.censurfridns.dk
forward-addr: [email protected]#unicast.censurfridns.dk
forward-addr: [email protected]#dot.securedns.eu
forward-addr: [email protected]#fdns1.dismail.de
forward-addr: [email protected]#dns2.digitalcourage.de

#hostname combined with a fact that you have latest openssl (maybe libressl too, idk) after the address enables a secure TLS session.

Though I find that putting Tor as a default proxy for everything is surprisingly painless as far as my Web usage is concerned.

Grayson White
Grayson White

What kind of hosts file does that? All I know of is Steven Black, and that one just filters domains, not provides them. Isn't that, in essence, what a DNS is?

Matthew Clark
Matthew Clark

I used to use Tor really frequently, but it made clearnet usage hard, especially when paying bills and stuff. Google's captcha straight-up blacklisted me because my "ISP flagged this IP as suspicious". God, fuck that.

Alexander Cook
Alexander Cook

I think it makes little to no sense to use Tor when paying RL-tied bills and do other essentially non-anonymous.
Google Captcha is just shit and I avoid it as much as I can. I literally can fail it 10 times over, this is no fucking joke.

Kevin Reed
Kevin Reed

and do other essentially non-anonymous
*and doing other essentially non-anonymous stuff

Dominic Martinez
Dominic Martinez

10 times
Oh, those are rookie numbers. I've literally spent dozens of minutes solving captchas only to be rejected at the end. I'd show proof, but I don't feel like wasting my evening. In the end, I have to pay my bills online. If not out of practical necessity then simply out of principle for the fact that not everyone can go to a brick and mortar place for every service; thus, captcha is a horrible necessity that I have to confront every time I manage my insurance, banking, services. It's fucking awful, and no one should have to tolerate ISPs strong-arming you into capitulating simple liberties. It's fucked. It's so fucked.

Isaac Moore
Isaac Moore

Try unbound+dnscrypt-proxy

unbound.conf configuration:
forward-zone:
name: "."
forward-addr: 127.0.0.1@5353

dnscrypt-proxy.toml configuration:
listen_addresses = ['127.0.0.1:5353', '[::1]:5353']
doh_servers = false
require_dnssec = true
require_nolog = true
cache = false

I've tried proxying this setup through Tor and even if you disable UDP and max out timeouts it doesn't work, though.

Josiah Butler
Josiah Butler

I don't like the idea of using Dnscrypt because using it doesn't hide the fact you have a Dnscrypt session and thus it's more easily intercepted. Now, having a DoT over a standard port 853 also does us not much good, but I think it's just stronger hiding. Unfortunately, in general TLS connection is probably more prone to attacks, but the hope is the TLS implementation on both sides is secure, and I really LIKE the idea of a single-point reliable encryption, since that would mean I should care only about one point of failure. I wouldn't mind to nest Dnscrypt session inside a TLS session though.
I've tried proxying this setup through Tor and even if you disable UDP and max out timeouts it doesn't work, though.
I don't know how DNS over Tor is supposed to work exactly. Like, you could proxy any requests through it, I guess, but that's not how applications request it if they use Tor as a SOCKS proxy with DNS enabled. The DNS over SOCKS is a separate protocol entirely. Right now I don't have any web requests in my unbound log because it all gets fed to Tor client.

Chase Bailey
Chase Bailey

Use dnscrypt through a meek tor bridge. Problem solved.
Block all UDP at the firewall level and put this in unbound.conf

server:
interface: 127.0.0.1
interface: ::1
port: 53
num-threads: 4
logfile: "/etc/unbound/unbound.log"
domain-insecure: "onion"
private-domain: "onion"
do-not-query-localhost: no
local-zone: "onion." nodefault

forward-zone:
name: "onion"
forward-addr: [email protected]
forward-zone:
name: "."
# 127.0.0.1 is DNSCrypt's --local-address; 40 is the port DNSCrypt is using, which is probably either 40 or 53
forward-addr: 127.0.0.1@40

dnscrypt-proxy.toml

proxy = "socks5://127.0.0.1:9050"
listen_addresses = ['127.0.0.1:40', '[::1]:40']

And like that you can dnscrypt-proxy through tor. Unbound forwards onion addresses to tor's normal dns port and sends everything else to dnscrypt-proxy. dnscrypt-proxy then sends everything over a socks5 proxy port which is just tor and just werkz. Remember to put in your torrc
SocksPort 9050

Hudson Gray
Hudson Gray

It should go without saying that resolv.conf should point to 127.0.0.1:53 as to send everything to unbound for sorting.

Christopher Kelly
Christopher Kelly

That's because glowniggers nodes filter dnscrypt traffic on port 53 by default. Stop using glownigger nodes and stop sending your dns over tor over port 53 you stupid fuck.

Alexander Williams
Alexander Williams

im using cuckflare rn. I had to change my dns.

Christian Morris
Christian Morris

freedns.afraid.org
Website looks old, so that means it's either good because it's K.I.S.S. or that it's old unmaintained crap.

Matthew Garcia
Matthew Garcia

Thanks for this. I've been deciding whether to set up unbound on my laptop, and initially decided against it since I only knew about Google and Cloudflare's servers for DoT. I'm now using securedns.eu's server, which is fast enough that I barely notice any slowdown. Just to add for anyone considering it, you must also include:

tls-cert-bundle: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

This requires installing the 'ca-certificates' package on GNU/Linux, which is most likely installed already.

Brayden Ramirez
Brayden Ramirez

Oh, yeah, totally forgot, pointing at your trusted cert bundle is a must for TLS to work at all. It's just it's not in the forward section, whoops.
That path is distro specific BTW.
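The two unbound setups discussed above (Nathaniel Brooks's DoT forwarding with `#authname` and `tls-cert-bundle`, and Chase Bailey's split of `.onion` to Tor and everything else to dnscrypt-proxy on loopback) each have a handful of settings that silently weaken the setup when forgotten. This added example, which is not from the thread or from the unbound project, is a small linter for unbound.conf-style text that flags those cases: a TLS upstream with no cert bundle, a `forward-addr` without an auth name (the TLS session is then unauthenticated), a loopback forwarder without `do-not-query-localhost: no`, and an onion zone missing `domain-insecure` or the `nodefault` local-zone. The two sample configs are constructed; the Tor DNSPort 5300 in them is an assumed value.

```python
# Added example, not from the thread: a small linter for unbound.conf-style
# text that checks the points raised in the posts above. The sample configs at
# the bottom are constructed; the Tor DNSPort 5300 is an assumed value.
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Section = Tuple[str, Dict[str, List[str]]]

# A '#' inside forward-addr is an auth name, not a comment, so only strip a '#'
# that starts the line or follows whitespace.
_COMMENT = re.compile(r"(^|\s)#.*$")
_ADDR = re.compile(r"^([0-9A-Fa-f:.]+)(?:@(\d+))?(?:#([^\s#]+))?$")


def parse_unbound(text: str) -> List[Section]:
    """Parse into [(section_name, {key: [values...]}), ...], keeping repeated keys."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # "server:", "forward-zone:"
            sections.append((line[:-1], {}))
            continue
        if not sections:
            raise ValueError(f"option outside any section: {line!r}")
        key, _, value = line.partition(":")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip().replace('"', ""))
    return sections


def lint_unbound(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was spotted."""
    sections = parse_unbound(text)
    server: Dict[str, List[str]] = {}
    for name, opts in sections:
        if name == "server":
            for k, vs in opts.items():
                server.setdefault(k, []).extend(vs)

    def server_has(key: str, value: Optional[str] = None) -> bool:
        vals = server.get(key, [])
        return bool(vals) if value is None else value in vals

    findings: List[str] = []
    for name, o in sections:
        if name != "forward-zone":
            continue
        zone = o.get("name", ["?"])[0]
        tls = "yes" in o.get("forward-tls-upstream", [])
        if tls and not (server_has("tls-cert-bundle") or server_has("tls-system-cert", "yes")):
            findings.append(f"zone {zone}: forward-tls-upstream without tls-cert-bundle or "
                            "tls-system-cert, so upstream certificates cannot be verified")
        for addr in o.get("forward-addr", []):
            m = _ADDR.match(addr)
            if not m:
                findings.append(f"zone {zone}: cannot parse forward-addr {addr!r}")
                continue
            ip, port, auth = m.groups()
            try:
                loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:
                findings.append(f"zone {zone}: {ip!r} is not an IP address")
                continue
            if tls and not auth:
                findings.append(f"zone {zone}: {addr} has no #authname, so the TLS session is unauthenticated")
            if tls and port != "853":
                findings.append(f"zone {zone}: {addr} uses port {port or '53'} for a TLS upstream (DoT is 853)")
            if loopback and not server_has("do-not-query-localhost", "no"):
                findings.append(f"zone {zone}: forwards to {ip} but do-not-query-localhost is not set to no")
        if zone.rstrip(".") == "onion":
            if not server_has("domain-insecure", "onion"):
                findings.append("zone onion: missing domain-insecure, DNSSEC validation would reject answers")
            if not server_has("local-zone", "onion. nodefault"):
                findings.append("zone onion: missing local-zone onion. nodefault, the built-in onion zone "
                                "short-circuits the forward")
    return findings


GOOD = """\
server:
    interface: 127.0.0.1
    do-not-query-localhost: no
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    domain-insecure: "onion"
    private-domain: "onion"
    local-zone: "onion." nodefault
forward-zone:
    name: "onion"
    forward-addr: 127.0.0.1@5300   # assumed Tor DNSPort
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
"""

WEAK = """\
server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853
"""

if __name__ == "__main__":
    print("good:", lint_unbound(GOOD) or "no findings")
    print("weak:", *lint_unbound(WEAK), sep="\n  ")
```

Run it against your own unbound.conf text; the cert-bundle path in `GOOD` is only a sample and, as the post above says, is distro specific.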

Henry Brooks
Henry Brooks

OpenNIC
p
e
n
N
I
C

Jacob Sanchez
Jacob Sanchez

or Quad Nine

Jayden Morgan
Jayden Morgan

cisco
ibm
BIG yikes

Samuel Ramirez
Samuel Ramirez

filters domains, not provides them.
It doesn't. Hosts translates domain names into IPs. And that's literally what DNS does. Hosts file is just your local DNS, similar to DNS cache.
Steven Black
Adblocking hosts files just translate ad domains into 0.0.0.0. You're not forced to do so. You can translate a domain into whatever IP you want.
You can log your network's DNS requests for a month on your router, phone or rPi and just use that as your hosts file. Look into how to make an rPi your DNS.
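The "log your network's DNS for a month and use that as your hosts file" idea above, as an added example that is not from the thread: it reads resolver log lines in dnsmasq's `reply <name> is <address>` style, keeps only answers that carry an address (CNAME and NXDOMAIN replies carry none), maps any blocklisted names to 0.0.0.0 the way the ad-blocking hosts files do, and renders hosts(5) lines. The log lines, domains and addresses are constructed samples.

```python
# Added example, not from the thread: turn a resolver log into a hosts file,
# the way the post above suggests. The log lines below are constructed in
# dnsmasq's log style; the domains and addresses are sample values.
import ipaddress
import re
from typing import Dict, Iterable, List

# dnsmasq logs each answer as "reply <name> is <address|<CNAME>|NXDOMAIN>"
_REPLY = re.compile(r"reply (\S+) is (\S+)$")

# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = """\
Apr 13 14:09:12 dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
Apr 13 14:09:12 dnsmasq[1234]: reply www.example.com is 198.51.100.10
Apr 13 14:09:13 dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.20
Apr 13 14:09:13 dnsmasq[1234]: reply www.example.com is 2001:db8::10
Apr 13 14:09:20 dnsmasq[1234]: query[A] cdn.example.org from 192.168.1.21
Apr 13 14:09:20 dnsmasq[1234]: reply cdn.example.org is <CNAME>
Apr 13 14:09:20 dnsmasq[1234]: reply edge.example.net is 198.51.100.7
Apr 13 14:09:31 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.20
Apr 13 14:09:31 dnsmasq[1234]: reply ads.example.net is 203.0.113.9
Apr 13 14:09:40 dnsmasq[1234]: query[A] nope.example.com from 192.168.1.20
Apr 13 14:09:40 dnsmasq[1234]: reply nope.example.com is NXDOMAIN
"""


def hosts_from_log(lines: Iterable[str], blocklist: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Map each resolved name to the addresses seen for it; blocklisted names map to 0.0.0.0."""
    blocked = {b.lower().rstrip(".") for b in blocklist}
    mapping: Dict[str, List[str]] = {}
    for line in lines:
        m = _REPLY.search(line)
        if not m:
            continue
        name, target = m.group(1).lower().rstrip("."), m.group(2)
        try:
            addr = str(ipaddress.ip_address(target))
        except ValueError:
            continue  # <CNAME>, NXDOMAIN and similar replies carry no address
        if name in blocked:
            mapping[name] = ["0.0.0.0"]
            continue
        addrs = mapping.setdefault(name, [])
        if addr not in addrs:
            addrs.append(addr)
    for b in blocked:
        mapping.setdefault(b, ["0.0.0.0"])  # block names that never appeared, too
    return mapping


def render_hosts(mapping: Dict[str, List[str]]) -> str:
    """Emit hosts(5) lines, one address per line, names sorted for stable diffs."""
    out = ["# generated from resolver log; entries go stale when a site moves"]
    for name in sorted(mapping):
        for addr in mapping[name]:
            out.append(f"{addr}\t{name}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_hosts(hosts_from_log(SAMPLE_LOG.splitlines(), ["ads.example.net"])), end="")
```

Two limits worth keeping in mind, both raised earlier in the thread: a hosts file cannot express a CNAME, so only the final target name gets an entry, and nothing here notices when a recorded address stops being correct, which is the staleness problem asked about above.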
