Cloudflare and Mozilla are teaming up to push DNS over HTTPS (DoH). For your privacy, right? This one will really make you think.
Your DNS query before (((DoH))):
ID: 1234
Q/R: Query, Standard, No-recursion
1 question
www.example123.tld A IN

Your DNS query after (((DoH))):
GET /dns-query?dns=xxxxxxxxxx HTTP/1.1
Host: www.example123.tld
Accept: application/dns-message
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
(blank line)

Ah, I see. So it divulges even more information than before. Wait - wasn't this supposed to protect my privacy? And because this is HTTP it follows that the DNS server gets to set and read cookies in my browser. Hmm... now who could possibly be behind something like this?
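The before/after contrast in the post above, as an added example that is not part of the original post: it builds the RFC 1035 wire query for www.example123.tld (ID 1234, one question, A IN), wraps it the way RFC 8484 specifies for a GET request (base64url in the dns= parameter with padding stripped), and lists the HTTP headers that travel with it. The resolver name doh.example.invalid and the User-Agent string are assumed placeholders. One point worth keeping straight against the sketch above: per RFC 8484 the Host header names the resolver, and the queried name travels only inside the dns parameter. The extra exposure is the HTTP-layer metadata (User-Agent, Accept-Language, and any cookies the resolver chooses to set), not the domain leaking into headers.

```python
import base64
import struct

# Constructed sample: the name from the thread's example query.
SAMPLE_QNAME = "www.example123.tld"
# Assumed resolver hostname; a placeholder, not a real DoH service.
ASSUMED_RESOLVER = "doh.example.invalid"
# Assumed browser User-Agent, copied from the shape of the post above.
SAMPLE_UA = "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0"


def build_dns_query(qname, qtype=1, qclass=1, txid=1234, rd=0):
    """Build a minimal DNS query in RFC 1035 wire format (ID, flags, one question)."""
    flags = rd << 8  # QR=0 (query), OPCODE=0 (standard); RD bit as requested
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", qtype, qclass)
    return header + question


def parse_question(msg):
    """Decode header fields and the single question of a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": txid, "qr": flags >> 15, "rd": (flags >> 8) & 1,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def doh_get_request(msg, resolver_host=ASSUMED_RESOLVER, user_agent=SAMPLE_UA):
    """Wrap a wire-format query as an RFC 8484 GET: base64url, padding stripped."""
    dns_param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    lines = [
        "GET /dns-query?dns=%s HTTP/1.1" % dns_param,
        "Host: %s" % resolver_host,      # names the resolver, not the queried domain
        "Accept: application/dns-message",
        "User-Agent: %s" % user_agent,   # browser metadata a UDP query never carries
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def decode_doh_param(request_text):
    """Recover the wire-format query from the dns= parameter of a DoH GET."""
    request_line = request_text.split("\r\n", 1)[0]
    target = request_line.split(" ")[1]
    query_string = target.partition("?")[2]
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        if key == "dns":
            padding = "=" * (-len(value) % 4)  # restore the padding RFC 8484 strips
            return base64.urlsafe_b64decode(value + padding)
    raise ValueError("no dns parameter in request")


def extra_metadata(request_text):
    """Header names in the DoH request that have no counterpart in a plain DNS query."""
    head = request_text.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if line]


if __name__ == "__main__":
    query = build_dns_query(SAMPLE_QNAME)
    request = doh_get_request(query)
    print(request)
    print("resolver decodes:", parse_question(decode_doh_param(request)))
    print("headers beyond the DNS payload:", extra_metadata(request))
```

Running it prints the GET request and shows that the resolver decodes exactly the same 36-byte question a UDP client would have sent; the difference is the header list, which is where the fingerprinting surface (and the cookie channel the post mentions) lives.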
Let me rephrase that. Cloudflare never logs personally identifiable information including your IP address. The rest of their logs are purged within 24 hours. Cloudflare is annually audited in order to prove that they are indeed doing this. I have talked to Cloudflare employees and they have confirmed that they do not log IPs. If you are extra paranoid you can use their hidden service dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion instead of 126.96.36.199.
Thanks for your reassurance Mr. Schlomo, I don't know what I would do without you.
With DoH, you're shifting your trust from local network owner and ISP to the DoH provider. If you trust your ISP more than Mozilla/CF don't use DoH. If you trust Mozilla/CF more, use their DoH service. If you trust neither, use a completely different DoH service like doh.captnemo.in/dns-query but then you're trusting some guy from India more than ISP or Moz/CF. Or if you don't trust DoH, you could use a service with DNS-over-TLS or DNSCrypt.
That's a trap, because many sites use cloudflare. Imagine you're using their DNS server - they know that someone using TOR is at a certain time checking what's the IP address of let me say 8ch.net, then because 8ch.net is a website using cloudflare they know your IP and they can easily connect these two events. So now they know you use TOR, your IP address and what websites you visit, when you don't want to be followed.
How the fuck would they backtrace someone's tor traffic you fucking schizo? They have no way of telling where that traffic is coming from, with or without their DNS
I'm talking about a case, where someone only uses cloudflare's DNS over TOR, while browsing clearnet. But actually I don't know why would someone even do such a stupid setup.
So your source for CF being safe is the word of CF. All these scumbag Silicon Valley companies are in bed with the US intelligence agencies. You are the product not the customer.
Hahaha. It's all about control over goyim, there is no "we play nice", it's just a PR lie.
It's not that far-fetched. It is standard practice when using tor to never access personally identifying information over tor (e.g. your bank account). If a user configures his DNS resolver to use Cloudflare's onion service by default, the correlation attack you described becomes a reality the first time he switches to clearnet to access a personal faceberg or bank account. Using the onion service for DNS is a bad idea. Don't do it.
What exactly are you worried about? With or without 188.8.131.52 they know the ip you used to visit the site.
CloudFlare has now identified you as a tor user, and can correlate that with your personal accounts.
What's wrong with being a Tor user? I'm even open in giving anyone free darknet hosting.
This isn't Uplink you stupid nigger
Harm? What's harm? Harm to who or what? Nice try, cia
what is dnscrypt? chopped liver?
How easy is to setup own DNS mirror, so I can set DNS server to localhost and instead of downloading specific records I would just download the whole database, giving no specific informations about websites I visit. Anyone here doing this?
Isn't that a pretty massive database?
It's obvious Cloudflare is a honeypot but there are other DNS providers with DoH you know. Like Quad9, Cleanbrowsing, Adguard etc.
I use some OpenNIC server with DoH support personally.
In OpenBSD and NetBSD, unbound is already installed, you just have to enable it in /etc/rc.conf.local. On other BSD and Linux you might have to install the package. Then you simply point your /etc/resolv.conf to 127.0.0.1 and you're in business. But there's no entire database to download from any single place. DNS is distributed, with records spread out on thousands of servers everywhere. And I'm getting the impression that nowadays AXFR queries are mostly blocked, because pretty much every time I try it, I get denied. It used to be the other way around, not sure when or why they changed this. But I had another idea, which was to simply cache the local domain-to-IP mappings forever, completely ignoring the TTL values. But this will probably require a source code change, the configuration doesn't appear to support this (only some cases when it will serve expired data when it can't connect to remote DNS to get fresh values). Anyway this basically means you'll only look up hostnames once while unbound is running. The other, more extreme option is /etc/hosts. I've used this method on really bad wifi networks that usually timed out my http requests (but I had Links set to retry forever, so eventually it would download the page...)
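A minimal unbound.conf for the local caching resolver described above, added here as an example (not the poster's configuration). The long-lived cache the post asks for is available from stock options without a source change: cache-min-ttl sets a floor on cached TTLs, so repeat lookups stay local for at least that long, and serve-expired answers from stale entries while a refresh runs. The forward-zone to 127.0.0.1 port 5353 is an assumption (a local dnscrypt-proxy listener, as in the unbound + dnscrypt-proxy setup mentioned later in the thread); drop that stanza to have unbound recurse on its own. Check the file with unbound-checkconf before enabling the service.

```conf
# Added example unbound.conf; paths and the forward port are assumptions.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Floor and ceiling on cached TTLs (seconds). A one-day floor means a
    # name is looked up at most once a day; the trade-off is that a record
    # that changes upstream stays stale locally until the floor expires.
    cache-min-ttl: 86400
    cache-max-ttl: 604800
    # Answer from stale cache entries while refreshing them in the background.
    serve-expired: yes

    # Send only the labels each upstream needs, and do not advertise the software.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

# Assumed: forward everything to a dnscrypt-proxy listening locally on 5353.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
```

With this in place /etc/resolv.conf can point at 127.0.0.1 as the post says, and the only outbound DNS traffic is the forwarder's own, which carries no per-client headers or cookies.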
ok >Alternate gets DDOSed to fuck every day by (((pure coincidence))) Life is so much better with companies like CF and Google in charge now.
i used to do it years ago. should probably get it set up again.
also isn't unbound mostly some soy toy? i keep hearing it in combination with the rpi and those aren't for any high performance things. all the serious stuff used bind the last time i checked.
Bind is bloated and performs poorly, but it's the standard so everyone uses it. You'll be getting equivalent if not better performance by using powerdns or unbound, although unbound doesn't support authoritative dns.
Unbound is simpler to set up and doesn't have the decades of crust BIND has. Both OpenBSD and NetBSD ship it in their base. ripi fags use it not because it is soy but because it is easy to config and won't drag down the low powered pi.
What makes it worse than DNS over TLS (DoT)?
But it has a big weakness which is getting intercepted by a rogue intelligence agency somewhere in the cluster-of-fuck data centers and acting like they don't know anything. At this day and age, it's not a crime unless we've been found is the LEA/3LA motto. How reassuring, but the agencies are covertly up and running all day that it won't matter anyway. So? Audits internally? They can just turn a blind eye to known 3LAs. So? Salting the IP doesn't mean it's "not logged" and unidentifiable. Zig Forums does that too but we had the s u n s h i n e incident before which decrypted the supposed unidentifiable IPs from boards and sent them to LEA in plain text. Also a preprocessor debug 'bug' or an unpatched CVE can be their friend for plaintext extraction. And here you are suggesting a broken warrant-canary project who kicked devs off so the glows can freely move with Soros' oncoming commands. If you're using tbb after the big leap to ESR you're fucked (or just tbb alone is a disasterware).
Unbound is popular on limited-performance embedded devices like OpenWrt. But you can also use bind. Well it doesn't matter, the former is just easier to toy with.
They just salted your IP with some shit to make it unreadable for humans. Now this makes the statement specific and much limited. It says companies but to intelligence agencies == maybe. Big corp just makes it even more unnerving. cia nigger project for cloaking MIL under foreign soil was not supposed to be for normie-use but if you enjoy taking it in the assad and mossad then go. What I'd like to hear is never collect. There's no point to "sellout" something if there's nothing to collect. If any, the intelligence agencies would be paying you. Just how innocent you are? Most governments around the world are corrupt and companies profit by being lying fucks and commit a public apology in case the beans spill, oh they can also control the flow of news now, how convenient that people will never remember any of that. Debug logs are red light. You think you had to say something about it because it is crucial but in turn just makes you even more suspicious. You mean your ray ID? You just salted the fuck and call it "no longer identifiable". Not retain = you delete them and still sit in the drives ready for testdisk recovery lmao. Operational? That's a broad word. ???? So you're saying you only use it for yourself but if you partake in this "Operations" that doesn't make the people who are asking it use your user data but it's you who use it correct? Irrelevant.
You really do. Transposing it with hexdec alphanum clearly makes it invalid as an IP address.
You do realize how much it would cost to store this ungodly amount of data, right?
I'm 100% sure you're a federal agent. You agents really use the same arguments over and over, don't you? The NSA isn't just some dude with a P4 in his basement doing it for hobby. No, the NSA receives trillions of dollars per year of federal budgets (both public and classified), more than the net worth of Google, Amazon, Microsoft and Facebook combined. I'm pretty sure they can afford some extra hard drives for their datacenters. Logging which domains each user requested isn't much more data intensive than phone records, which were being logged already in the fucking 70s.
So the only bit of privacy I lose if CF is lying about not logging personal information is that they know I use Tor for at least DNS. I do not really care about that.
Yes, and I've also talked to an engineer there who confirms they do not log IPs or any other personal data.
Sounds doable, must try it.
This is hilarious, you're either incredibly naive or simply a shill. It's not like "SSL added and removed here ;^)" didn't happen at google, while their engineers were blissfully unaware. And that only affected google! With CF who are proxying a large portion of the web, tons of sites are affected. And now they want to take over DNS too? This should be sending you all kinds of red flags.
I already knew about cloudflare but not to this extent. Thank you.
unbound + dnscrypt-proxy with an OpenNIC server that doesn't keep logs is the only way to fly.
Do you also think an undercover cop has to admit they are a cop if asked "are you a cop"?
Look at their web proxy service. It is a straight up MiTM attack that breaks SSL. Cloudflare is literally the NSA.
OpenNIC is top level. That means it's still going to send queries to resolve individual domains. Unbound will give you caching, that's true, but operating systems generally have some form of caching built in. So it doesn't really sound worth it at all. After all your ISP will still see the connections to the individual IPs, and then it can run reverse DNS to get the domain(s) for the site (and who are we kidding, they probably will).
That isn't all that useful with VHOSTing. There could be 9000 domains on a single IP or in the case of (((cloudflare))) over 6 million.
If it's going to a cloudflare datacenter or any other big provider then they'll de-anonymize it for the government.
Your hate should be directed inwards
so i was using a different dns for nothing, and my isp was just intercepting it the entire time? stupid technology