DNS thread

G'day Zig Forums, recently I've been searching for good DNS providers and would like to gather some opinions on which one to choose. Currently I'm torn between OpenDNS and Cloudflare DNS, but I'd appreciate alternate options.

OpenDNS is Cisco Jewery (since it was bought out, at least). Cuckflare? Are you serious. Just use OpenNIC.

Not even as a shitpost.
Also, this is your daily reminder that DNS is a completely superfluous thing that has no technical right to be so deeply entrenched in the system. Remember to put your most commonly used sites in your hostfile.

Don't use cuckflare dns.
Opendns is fine but i personally would recommend opennic

Just download a hosts file and be your own DNS.

But how will I get all these JS libraries from CDNs?

opennicproject but their website turned to shit a few years ago.

i just use whatever comes from dhcp. too lazy to care and i want to die anyway so its only good if the cops come and shoot me.

run unbound as an upstream to pihole

Yeah if you want to make sure the glows in the dark always know which sites you access.

Haha yes let's give Cloudflare even more of a stranglehold on the internet.

This, grab yourself a no-log server and use dnscrypt. I've used dnsmasq's built-in dnscrypt support, but it seems that for dnscryptv2 you should run dnsmasq->dnscrypt-proxy->opennic server


I've used dns.watch for a while and it seems fairly solid.

Use Tor for sensitive stuff, mate. The remaining clear stuff will make you look normal to the glowing eyes.

Neither is good but you gotta pick one. At least cuckflare is fast

I've been using OpenNIC for years with no issues. It's community-based so you gotta trust in some random guy online to keep his server online and keeping his promise to not log activity, but other than that it's been great.

In theory you could use GNUnet's GNS as an alternative to regular DNS, but I don't think there are tutorials for it.

OpenNIC has had a number of severe security flaws which remained unpatched for years, and other issues which remain unaddressed. There's not much in the way of active development toward improving their systems. If someone cared to disrupt OpenNIC, it wouldn't take much.

Only if you are trying to advertise what you are doing and get correlated.

I think you're confusing it with something else.
Google yields no results and to me it's just a website that tells me how to set things up.

No, I know quite well there are many issues because I'm the one who discovered them.

You don't know what opennicproject is and never discovered anything in your life.
Pics or didn't happen, gtfo failtroll.

Join their IRC and ask if you'd like to confirm it. I don't think they'd try to hide the fact that there have been issues. To be more specific, the most severe of which involved (multiple methods of) complete domain takeovers and DoS via inserting invalid DNS entries.

As long as you talk cryptic shit like that you might as well not say anything :-/
People who talk like you usually try to hide the fact that some mundane standard glitch was used, in this case a DNS one, that has nothing to do with the topic of discussion, in this case OpenNIC.

...so either link to a website or explain one of the issues you found :-/

why are you even here

Are you serious?
You can't just go around and claim OpenNIC is insecure (more insecure than other DNS providers) and not back it up.
Do you even science?

OpenNIC lacks the resources and drive necessary to actively develop and improve their systems.
The vulnerabilities I discovered weren't anything complex, just standard cases of naively trusting user input. This led to deleting/editing domains without ownership, inserting invalid DNS entries (DoS), and also editing the T1/T2 nameservers. I believe they've fixed the issues I've reported, but I had done penetration testing on them years prior and found similar issues at the time.
The unpatched T1/T2 code is available on Github, the issue is there's no authentication between edit.php's POST request to _edit.php: github.com/opennic/ldapServerEditor


Moot thread tbh in the days of more and more ISPs hijacking UDP port 53

Use dnscrypt-proxy as it forces you the user encrypted dns and the server operator to configure basic security/ssl as to encrypt the dns. OpenNIC and openDNS are just kike controlled opposition as poster above found out by their insecurity. It's a joke. Most dnscrypt-proxy servers are controlled by five eyes or the kikes in fake israel though.

Using the mainstream ones (Google, Cloudflare, ...) or your ISP's default one is a bad idea if you care about privacy. Imo a DNS should be uncensored, free, and it shouldn't log anything.
Here are some that I like:
digitalcourage.de/support/zensurfreier-dns-server (located in Germany)
dismail.de/info.html#dns (located in Germany)
blog.uncensoreddns.org/dns-servers/ (located in Denmark and USA)
securedns.eu/ (probably located in the Netherlands)

Note that DNS is always unencrypted by default. If you really want to prevent anyone from looking at your internet traffic by collecting your dns requests, you can check out DNSCrypt dnscrypt.info/protocol/ or DNS over TLS de.wikipedia.org/wiki/DNS_over_TLS
Not all servers support DNSCrypt though and even fewer support DNS over TLS. However, digitalcourage and dismail do, for example.

I smell some satanic fuckery here.

Looks like some Soros-funded controlled opposition to me.

Why is there so much racism in this thread?

I smell rats.

Fuck off moshe.

This isn't going to work. Try again.

I agree, you should use Tor for sensitive stuff.
Here is a DNS provider over Tor:
More on: developers.cloudflare.com/

You don't need anything other than hosts.txt


You can set `DNSPort` in `/etc/tor/torrc` and use it as resolver.

or install unbound for local resolving

If you really need one:

censurfridns.dk over TLS (use unbound as client)


Tor only forwards the DNS request to an exit node which does the name resolution. It can still be fucked with either by the exit node or anything in-between the exit node and the DNS server. Using Tor on its own is not a solution. DoH, DoT, or dnscrypt over Tor is much better.


do you by any chance have an idea how to contact the dot chan host/admin?

only good one is your own. everything else is datamining botnet.

Shamelessly shilling for OpenNIC. It's an alternative DNS root that mirrors ICANN's horseshit. Set up your own DNS server for this.

Install dnscrypt-proxy, configure it to not use DoH and avoid servers which claim to log you. Encrypted DNS with the best servers possible.
If you want to get a little more complicated, disable the built-in caching, install unbound, and use that to cache (and forward uncached requests to dnscrypt-proxy). You can also proxy DNS requests to add anonymity to security.

Is OpenNIC another DNS provider, or are they different than that?

How do I change my default DNS server on OpenWRT?

The documentation is shit so I'll spoonfeed you

Run the command
uci add_list dhcp.@dnsmasq[0].dhcp_option='6,$DNSSERVER,$DNSSERVER'
Where $DNSSERVER is a DNS server; you can specify as many as you want, just separate them with commas. The 6 at the start (also comma-separated) is needed; read more about it on the dnsmasq man page.
You may also want to run this:
uci set dhcp.@dnsmasq[0].noresolv='1'
dnsmasq adds your ISP's dns servers to your list of servers by default, this disables that.
If you're satisfied, run uci commit and reload the dnsmasq configuration. Now you have custom DNS for plain old dhcp.

For DHCPv6 OpenWRT uses a different daemon, called odhcpd. To set the DNS servers it suggests, run:
uci add_list dhcp.odhcpd.dns='$DNSSERVER $DNSSERVER'
This overrides any ISP-suggested servers by default.
$DNSSERVER is any dns server, the list is separated by spaces. Do the usual uci commit and reload the config file once you're satisfied.

Note that you can set an IPv4 server for DHCPv6 and an IPv6 server for DHCP, since the DNS protocol is the same. But if you serve an IPv6 DNS on a DHCP network with no IPv6, then your DHCP server is serving a broken config; the same applies to IPv4 on a DHCPv6 network, assuming we do one day drop IPv4. So I recommend you stick to IPv6 DNS servers on DHCPv6 and IPv4 DNS servers on DHCP to avoid trouble.

By the way I personally recommend you use dnscrypt-proxy on your router and run the router as a DNS server, or if your router is too low end for that then run the dnscrypt-proxy right on your computer. Though if you have normalfags in your network and a weak router you can at the very least do this to give them opennic servers instead of NSA ones.
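As an added example (not code from the thread), a small POSIX sh helper that builds the two values the post above feeds to uci and refuses a server of the wrong address family, which is the broken-config case the post warns about. The addresses are constructed documentation ranges, and uci is only invoked when APPLY=1; otherwise the commands are printed.

```shell
# Added example: builds the uci values from the post above, rejecting servers of
# the wrong address family (IPv6 in the DHCPv4 option 6 list, or IPv4 in the
# odhcpd list). The checks are syntactic only; run under ash/POSIX sh.

# Exactly four dotted-decimal octets, each 0-255, nothing else.
is_ipv4() {
    case "$1" in *[!0-9.]*|''|.*|*.|*..*) return 1 ;; esac
    rest=$1 n=0
    while :; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$octet" ] && break
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# Cheap IPv6 check: hex digits and colons only, with at least two colons.
is_ipv6() {
    case "$1" in *[!0-9a-fA-F:]*) return 1 ;; *:*:*) return 0 ;; esac
    return 1
}

# Runs check $1 on every server, then joins them with separator $2 after prefix $3.
join_checked() {
    chk=$1 sep=$2 out=$3; shift 3
    for s in "$@"; do
        "$chk" "$s" || { echo "$s rejected by $chk" >&2; return 1; }
        out="${out:+$out$sep}$s"
    done
    printf '%s\n' "$out"
}
dhcp_option6() { join_checked is_ipv4 , 6 "$@"; }   # "6,<v4>,<v4>..." for dnsmasq
odhcpd_dns()   { join_checked is_ipv6 ' ' '' "$@"; } # "<v6> <v6>..." for odhcpd

# $1: space-separated IPv4 servers, $2: space-separated IPv6 servers.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }
push_dns() {
    v4=$(dhcp_option6 $1) || return 1
    v6=$(odhcpd_dns $2) || return 1
    run uci add_list "dhcp.@dnsmasq[0].dhcp_option=$v4"
    run uci set "dhcp.@dnsmasq[0].noresolv=1"
    run uci add_list "dhcp.odhcpd.dns=$v6"   # option path as given in the post
    run uci commit dhcp
}

# Constructed documentation addresses; APPLY is unset, so this only prints.
push_dns '192.0.2.53 198.51.100.53' '2001:db8::53'
```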

Don't do that.
Instead use tor as a SOCKS5 proxy for dnscrypt-proxy and give it some generous caching.
That way you have non-cianigger client-encrypted DNS over an anonymous transport.

What is the point of running DNS over the Tor network if the browsing you do is not through Tor as well? Your ISP can tell which IPs you connect to and it is trivial to do reverse DNS lookups. What is the benefit of adding Tor instead of only using dnscrypt? Only reason I can think of is anonymity from the person(s) running the DNS server.

my government/isp has banned all chans and lewd sites so i have to use a vpn every time.

i've tried dnscrypt-proxy with my gentoo and lfs install exactly like how the repo's wiki says but no dice. it doesn't unblock anything, it just resolves the sites i'm able to access with the botnet nameservers anyways.

anything else i can try other than being stuck with vpn?

You need to disable the SNI header of your TLS handshakes. To do that install libressl and remove SNI in the source code of the library.

SNI is an unencrypted handshake with the URL you are trying to access and that's how they block you even though your dns is encrypted. South Korea was famous for this. Don't use encrypted SNI because it has the same issues as regular SNI.

SNI was originally so you would trust a domain with a single certificate for subdomains. So say you wanted to access google.myporn.net, with SNI you only need to trust Google's certificate for that subdomain. But without SNI you have to have two certificates, one for google.net and one for google.myporn.net.

SNI is just a shitty backdoor and needs to be removed. Don't use websites using said technology because they intentionally make all their subdomains use the same certificate thereby making it easier to decrypt the traffic. Instead of finding multiple private keys to decrypt all you need is a single key for all subdomains to decrypt.

TLDR; Don't use SNI in any form and remove it at the source code level.

The reason you can access it with VPN is because all your ISP/government sees is the SNI for the VPN; the SNI for the website you access is encrypted using the VPN tunnel. But why let the government/ISP block your VPN based on SNI too? Just remove SNI altogether.

An important thing is that you need to be able to trust the DNS provider to provide the actual IP addresses corresponding to the domain names you query. Why would you trust some random entities with that? Would you install root certificates from random entities just based on their claims to be trustworthy?

It's a nice thought, but what do you propose to get away from DNS? Someone's gotta map those names to IP addresses. Is it stored locally? What happens when an entry that's stored is old or out of date?

I run my own unbound DNS server in forwarding mode.
I use a number of DNS-over-TLS providers with a random access to them (unbound does this by default).

Here's my forward section:

#hostname combined with a fact that you have latest openssl (maybe libressl too, idk) after the address enables a secure TLS session.

Though I find that putting Tor as a default proxy for everything is surprisingly painless as far as my Web usage is concerned.

What kind of hosts file does that? All I know of is Steven Black, and that one just filters domains, not provides them. Isn't that, in essence, what a DNS is?

I used to use Tor really frequently, but it made clearnet usage hard, especially when paying bills and stuff. Google's captcha straight-up blacklisted me because my "ISP flagged this IP as suspicious". God, fuck that.

I think it makes little to no sense to use Tor when paying RL-tied bills and do other essentially non-anonymous.
Google Captcha is just shit and I avoid it as much as I can. I literally can fail it 10 times over, this is no fucking joke.

*and doing other essentially non-anonymous stuff

Oh, those are rookie numbers. I've literally spent dozens of minutes solving captchas only to be rejected at the end. I'd show proof, but I don't feel like wasting my evening. In the end, I have to pay my bills online. If not out of practical necessity then simply out of principle for the fact that not everyone can go to a brick and mortar place for every service; thus, captcha is a horrible necessity that I have to confront every time I manage my insurance, banking, services. It's fucking awful, and no one should have to tolerate ISPs strong-arming you into capitulating simple liberties. It's fucked. It's so fucked.

Try unbound+dnscrypt-proxy

unbound.conf configuration:
forward-zone:
  name: "."
  forward-addr: [email protected]
dnscrypt-proxy.toml configuration:
listen_addresses = ['', '[::1]:5353']
doh_servers = false
require_dnssec = true
require_nolog = true
cache = false

I've tried proxying this setup through Tor and even if you disable UDP and max out timeouts it doesn't work, though.

I don't like the idea of using Dnscrypt because using it doesn't hide the fact you have a Dnscrypt session and thus it's more easily intercepted. Now, having a DoT over a standard port 853 also does us not much good, but I think it's just stronger hiding. Unfortunately, in general TLS connection is probably more prone to attacks, but the hope is the TLS implementation on both sides is secure, and I really LIKE the idea of a single-point reliable encryption, since that would mean I should care only about one point of failure. I wouldn't mind to nest Dnscrypt session inside a TLS session though.
I don't know how DNS over Tor is supposed to work exactly. Like, you could proxy any requests through it, I guess, but that's not how applications request it if they use Tor as a SOCKS proxy with DNS enabled. The DNS over SOCKS is a separate protocol entirely. Right now I don't have any web requests in my unbound log because it all gets fed to Tor client.

Use dnscrypt through a meek tor bridge. Problem solved.

Block all UDP at the firewall level and put this in unbound.conf
server:
  interface:
  interface: ::1
  port: 53
  num-threads: 4
  logfile: "/etc/unbound/unbound.log"
  domain-insecure: "onion"
  private-domain: "onion"
  do-not-query-localhost: no
  local-zone: "onion." nodefault
forward-zone:
  name: "onion"
  forward-addr: [email protected]
forward-zone:
  name: "."
  # is DNSCrypt's --local-address; 40 is the port DNSCrypt is using, which is probably either 40 or 53
  forward-addr: [email protected]

dnscrypt-proxy.toml:
proxy = "socks5://"
listen_addresses = ['', '[::1]:40']
And like that you can dnscrypt-proxy through tor. Unbound forwards onion addresses to tor's normal dns port and sends everything else to dnscrypt-proxy. dnscrypt-proxy then sends everything over a socks5 proxy port which is just tor and just werkz. Remember to put in your torrc

It should go without saying that resolv.conf should point to as to send everything to unbound for sorting.

That's because glowniggers nodes filter dnscrypt traffic on port 53 by default. Stop using glownigger nodes and stop sending your dns over tor over port 53 you stupid fuck.

im using cuckflare rn. I had to change my dns.

Website looks old, so that means it's either good because it's K.I.S.S. or that it's old unmaintained crap.

Thanks for this. I've been deciding whether to set up unbound on my laptop, and initially decided against it since I only knew about Google's and Cloudflare's servers for DoT. I'm now using securedns.eu's server, which is fast enough that I barely notice any slowdown. Just to add for anyone considering it, you must also include:

This requires installing the 'ca-certificates' package on GNU/Linux, which is most likely installed already.

Oh, yeah, totally forgot, pointing at your trusted cert bundle is a must for TLS to work at all. It's just it's not in the forward section, whoops.
That path is distro specific BTW.


or Quad Nine

BIG yikes

It doesn't. Hosts translates domain names into IPs. And that's literally what DNS does. Hosts file is just your local DNS, similar to DNS cache.
Adblocking hosts files just translate ad domains into You're not forced to do so. You can translate a domain into whatever IP you want.
You can log your network's DNS requests for a month on your router, phone or rPi and just use that as your hosts file. Look into how to make an rPi your DNS.