DNS thread

Easton Peterson

G'day Zig Forums, recently I've been searching for good DNS providers and would like to gather some opinions on which one to choose. Currently I'm torn between open-DNS and Cloudflare-DNS but I'd appreciate alternate options.

Attached: Screenshot-from-2019-04-13-14-09-12.png (4.42 KB, 118x45)

Other urls found in this thread:

servers.opennic.org/
github.com/opennic/ldapServerEditor
digitalcourage.de/support/zensurfreier-dns-server
dismail.de/info.html#dns
blog.uncensoreddns.org/dns-servers/
securedns.eu/
dnscrypt.info/protocol/
de.wikipedia.org/wiki/DNS_over_TLS
dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/
developers.cloudflare.com/1.1.1.1/fun-stuff/dns-over-tor/
ctrl.blog/entry/unbound-tls-forwarding
en.wikipedia.org/wiki/OpenNIC

Mason Edwards

OpenDNS is Cisco Jewery (since it was bought out, at least). Cuckflare? Are you serious. Just use OpenNIC.

Justin Jackson

cloudflare
Not even as a shitpost.
Also, this is your daily reminder that DNS is a completely superfluous thing that has no technical right to be so deeply entrenched in the system. Remember to put your most commonly used sites in your hostfile.

Evan Anderson

Don't use cuckflare dns.
Opendns is fine but i personally would recommend opennic

Noah Young

Just download a hosts file and be your own DNS.

Easton Jones

But how will I get all these JS libraries from CDNs?

Blake Wilson

opennicproject but their website turned to shit a few years ago.

Ethan Richardson

i just use whatever comes from dhcp. too lazy to care and i want to die anyway so its only good if the cops come and shoot me.

Levi Bell

run unbound as an upstream to pihole

Jose Wilson

Unbound.
kikeflare
Yeah if you want to make sure the glows in the dark always know which sites you access.

Evan Ramirez

cloudflare dns
Haha yes let's give cloudflare even more of a stranglehold on the internet.
This, grab yourself a no-log server and use dnscrypt. I've used dnsmasq's built-in dnscrypt support, but it seems that for dnscryptv2 you should run dnsmasq->dnscrypt-proxy->opennic server

servers.opennic.org/

Camden Hall

I've used dns.watch for a while and it seems fairly solid.

Brayden Sullivan

Use Tor for sensitive stuff, mate. The remaining clear stuff will make you look normal to the glowing eyes.

Jaxon Rivera

opennic
now some totally trustworthy stranger has your dns records instead of some corp
Neither is good but you gotta pick one. At least cuckflare is fast

Attached: 123713465273.png (253.92 KB, 2396x1616)

Christopher Butler

I've been using OpenNIC for years with no issues. It's community-based so you gotta trust in some random guy online to keep his server online and keep his promise to not log activity, but other than that it's been great.

In theory you could use GNUnet's GNS as an alternative to regular DNS, but I don't think there are tutorials for it.

Attached: 1551781434202.jpg (157.45 KB, 1080x1204)

Sebastian Young

OpenNIC has had a number of severe security flaws which remained unpatched for years, and other issues which remain unaddressed. There's not much in the way of active development toward improving their systems. If someone cared to disrupt OpenNIC, it wouldn't take much.

Tyler Evans

Only if you are trying to advertise what you are doing and get correlated.

Sebastian Walker

OpenNIC has had a number of severe security flaws
I think you're confusing it with something else.
Google yields no results and to me it's just a website that tells me how to set things up.

Nathan Turner

No, I know quite well there are many issues because I'm the one who discovered them.

Luke Barnes

You don't know what opennicproject is and never discovered anything in your life.
Pics or didn't happen, gtfo failtroll.

Thomas Taylor

Join their IRC and ask if you'd like to confirm it. I don't think they'd try to hide the fact that there have been issues. To be more specific, the most severe of which involved (multiple methods of) complete domain takeovers and DoS via inserting invalid DNS entries.

Kayden Howard

As long as you talk cryptic shit like that you might as well not say anything :-/
People who talk like you usually try to hide the fact that some mundane standard glitch was used, in this case a DNS one, that has nothing to do with the topic of discussion, in this case OpenNIC.

Tyler Parker

...so either link to a website or explain one of the issues you found :-/

Christian Evans

why are you even here

Joseph Martin

Are you serious?
You can't just go around and claim OpenNIC is insecure (more insecure than other DNS providers) and not back it up.
Do you even science?

Wyatt Adams

OpenNIC lacks the resources and drive necessary to actively develop and improve their systems.
The vulnerabilities I discovered weren't anything complex, just standard cases of naively trusting user input. This led to deleting/editing domains without ownership, inserting invalid DNS entries (DoS), and also editing the T1/T2 nameservers. I believe they've fixed the issues I've reported, but I had done penetration testing on them years prior and found similar issues at the time.
The unpatched T1/T2 code is available on Github, the issue is there's no authentication between edit.php's POST request to _edit.php: github.com/opennic/ldapServerEditor
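
The flaw class described in the post above (a processing endpoint that accepts the edit form's POST without authenticating it, plus unvalidated input), shown beside a hardened handler. This is an added example, not OpenNIC's code and not from the post; it is written in Python rather than the project's PHP, and every name, record and address in it is constructed or hypothetical.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed stand-ins for the session store and zone data (hypothetical names).
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-alice": "alice"}  # session id -> authenticated user

def make_records() -> dict:
    return {"ns1.example": {"owner": "alice", "ip": "192.0.2.10"},
            "ns2.example": {"owner": "bob", "ip": "192.0.2.20"}}

def csrf_token(session_id: str) -> str:
    """Token the form page embeds; keyed to the session so a third party cannot mint it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def apply_edit_unsafe(records: dict, post: dict) -> str:
    """Flawed pattern: the processing endpoint trusts whatever POST body reaches it."""
    records[post["name"]]["ip"] = post["ip"]
    return "200 ok"

def apply_edit(records: dict, session_id, post: dict) -> str:
    """Hardened endpoint: identity, token, ownership and value are checked per request."""
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    supplied = str(post.get("csrf", "")).encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return "403 bad token"
    record = records.get(post.get("name"))
    if record is None or record["owner"] != user:
        return "403 not owner"  # same answer for unknown and foreign records
    try:
        address = ipaddress.ip_address(post.get("ip", ""))
    except ValueError:
        return "400 invalid address"
    record["ip"] = str(address)
    return "200 ok"

if __name__ == "__main__":
    records = make_records()
    forged = {"name": "ns2.example", "ip": "not-an-address"}
    print(apply_edit_unsafe(records, forged), records["ns2.example"])
    print(apply_edit(make_records(), None, forged))
```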

Blake Turner

bump3

William Mitchell

Moot thread tbh in the days of more and more ISPs hijacking UDP port 53

Jose Roberts

Use dnscrypt-proxy as it forces you the user encrypted dns and the server operator to configure basic security/ssl as to encrypt the dns. OpenNIC and openDNS are just kike controlled opposition as poster above found out by their insecurity. Its a joke. Most dnscrypt-proxy servers are controlled by five eyes or the kikes in fake israel though.

Julian Rogers

HAPAS ARE SUPERIOR TO WHITES

Kayden Bailey

Using the mainstream ones (Google, Cloudflare, ...) or your ISP's default one is a bad idea if you care about privacy. Imo a DNS should be uncensored, free, and it shouldn't log anything.
Here are some that I like:
digitalcourage.de/support/zensurfreier-dns-server (located in Germany)
dismail.de/info.html#dns (located in Germany)
blog.uncensoreddns.org/dns-servers/ (located in Denmark and USA)
securedns.eu/ (probably located in the Netherlands)

Note that DNS is always unencrypted by default. If you really want to prevent anyone from looking at your internet traffic by collecting your dns requests, you can check out DNSCrypt dnscrypt.info/protocol/ or DNS over TLS de.wikipedia.org/wiki/DNS_over_TLS
Not all servers support DNSCrypt though and even fewer support DNS over TLS. However, digitalcourage and dismail do for example.

Lucas Moore

I smell some satanic fuckery here.

Isaiah Miller

Looks like some Soros-funded controlled opposition to me.

Michael Murphy

Why is there so much racism in this thread?

Cameron Martinez

I smell rats.

Michael Richardson

Fuck off moshe.

Brayden Sanchez

This isn't going to work. Try again.

Colton Russell

I agree, you should use Tor for sensitive stuff.
Here is a DNS provider over Tor:
dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/
More on: developers.cloudflare.com/1.1.1.1/fun-stuff/dns-over-tor/

Aiden Bell

JS libraries
You don't need anything other than hosts.txt

Adrian Jenkins

decentraleyes

William Carter

You can set `DNSPort` in `/etc/tor/torrc` and use it as resolver.

or install unbound for local resolving

If you really need one:

censurfridns.dk over TLS (use unbound as client)

ctrl.blog/entry/unbound-tls-forwarding

Connor Campbell

Tor only forwards the DNS request to an exit node which does the name resolution. It can still be fucked with either by the exit node or anything in-between the exit node and the DNS server. Using Tor on its own is not a solution. DoH, DoT, or dnscrypt over Tor is much better.

William Jenkins

reddit spacing

Charles Cooper

do you by any chance have an idea how to contact the dot chan host/admin?

Aaron Roberts

only good one is your own. everything else is datamining botnet.

Justin Gonzalez

Shamelessly shilling for OpenNIC. It's an alternative DNS root that mirrors ICANN's horseshit. Set up your own DNS server for this.
en.wikipedia.org/wiki/OpenNIC

Levi Torres

Install dnscrypt-proxy, configure it to not use DoH and avoid servers which claim to log you. Encrypted DNS with the best servers possible.
If you want to get a little more complicated disable the built-in caching, install unbound, and use that to cache (and forward uncached requests to dnscrypt-proxy). You can also proxy DNS requests to add anonymity to security.

Attached: vacuum.jpg (63.02 KB, 1024x768)

Lucas Edwards

Is OpenNIC another DNS provider, or are they different than that?

Dylan Robinson

How do I change my default DNS server on OpenWRT?

Jonathan Turner

The documentation is shit so I'll spoonfeed you

Run the command
uci add_list dhcp.@dnsmasq[0].dhcp_option='6,$DNSSERVER,$DNSSERVER'
Where $DNSSERVER is a DNS server, you can specify as many as you want, just separate them with commas. The also comma-separated 6 at the start is needed, read more about it on the dnsmasq man page.
You may also want to run this:
uci set dhcp.@dnsmasq[0].noresolv='1'
dnsmasq adds your ISP's dns servers to your list of servers by default, this disables that.
If you're satisfied, run uci commit and reload the dnsmasq configuration. Now you have custom DNS for plain old dhcp.

For dhcpv6 OpenWRT uses a different daemon, called odhcpd. To set the dns servers it suggests run:
uci add_list dhcp.odhcpd.dns='$DNSSERVER $DNSSERVER'
This overrides any ISP-suggested servers by default.
$DNSSERVER is any dns server, the list is separated by spaces. Do the usual uci commit and reload the config file once you're satisfied.

Note that you can set an ipv4 server for dhcpv6 and an ipv6 server for dhcp, the dns protocol is the same, but if you serve an ipv6 dns on a dhcp network with no ipv6 then your dhcp server is serving a broken config, the same applies for ipv4 on a dhcpv6 network assuming we do one day drop ipv4. So I recommend you stick to ipv6 dns servers on dhcpv6 and ipv4 dns servers on dhcp to avoid trouble.

By the way I personally recommend you use dnscrypt-proxy on your router and run the router as a DNS server, or if your router is too low end for that then run the dnscrypt-proxy right on your computer. Though if you have normalfags in your network and a weak router you can at the very least do this to give them opennic servers instead of NSA ones.

Hunter Adams

Don't do that.
Instead use tor as a SOCKS5 proxy for dnscrypt-proxy and give it some generous caching.
That way you have non-cianigger client-encrypted DNS over an anonymous transport.

Attached: 1558449365-100800282-scrot.png (48.08 KB, 956x526)

John Bell

What is the point of running DNS over the Tor network if the browsing you do is not through Tor as well? Your ISP can tell which IPs you connect to and it is trivial to do reverse DNS lookups. What is the benefit of adding Tor instead of only using dnscrypt? Only reason I can think of is anonymity from the person(s) running the DNS server.

Lincoln Perry

my government/isp has banned all chans and lewd sites so i have to use a vpn every time.

i've tried dnscrypt-proxy with my gentoo and lfs install exactly like how the repo's wiki says but no dice. it doesn't unblock anything, it just resolves the sites i'm able to access with the botnet nameservers anyways.

anything else i can try other than being stuck with vpn?

Attached: terry2.jpg (186.92 KB, 600x900)

Gavin Wright

You need to disable the SNI header of your TLS handshakes. To do that install libressl and remove SNI in the source code of the library.

SNI is an unencrypted handshake with the URL you are trying to access and that's how they block you even though your dns is encrypted. South Korea was famous for this. Don't use encrypted SNI because it has the same issues as regular SNI.

SNI was originally so you would trust a domain with a single certificate for subdomains. So say you wanted to access google.myporn.net, with SNI you only need to trust Google's certificate for that subdomain. But without SNI you have to have two certificates, one for google.net and one for google.myporn.net.

SNI is just a shitty backdoor and needs to be removed. Don't use websites using said technology because they intentionally make all their subdomains use the same certificate thereby making it easier to decrypt the traffic. Instead of finding multiple private keys to decrypt all you need is a single key for all subdomains to decrypt.

TLDR; Don't use SNI in any form and remove it at the source code level.

Andrew Thomas

The reason you can access it with VPN is because all your ISP/government sees is the SNI for the VPN, the SNI for the website you access is encrypted using the VPN tunnel. But why let the government/ISP block your VPN based on SNI too? Just remove SNI altogether.
