Cloudflare and Mozilla are teaming up to push DNS over HTTPS (DoH). For your privacy, right? This one will really make you think.
Your DNS query before (((DoH))):
ID: 1234
Q/R: Query, Standard, No-recursion
1 question
www.example123.tld A IN

Your DNS query after (((DoH))):
GET /dns-query?dns=xxxxxxxxxx HTTP/1.1
Host: www.example123.tld
Accept: application/dns-message
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0)
(blank line)

Ah, I see. So it divulges even more information than before. Wait - wasn't this supposed to protect my privacy? And because this is HTTP it follows that the DNS server gets to set and read cookies in my browser. Hmm... now who could possibly be behind something like this?
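For reference, an added example (not from the thread) of how RFC 8484 packs a DNS query into the "dns=" parameter of a DoH GET: the wire-format message is built, base64url-encoded without padding, and can be decoded back to recover the queried name. The resolver hostname and path are assumed placeholders; the query sets RD because a stub talks to a recursive resolver.

```python
import base64
import struct

# Assumed placeholder resolver, not a real DoH endpoint.
RESOLVER_HOST = "doh.example.invalid"
DOH_PATH = "/dns-query"

def build_query(name: str, qid: int = 1234, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035): 12-byte header + one question.
    Flags 0x0100 = standard query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_param(query: bytes) -> str:
    """RFC 8484: base64url encoding with the '=' padding stripped."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def doh_get_request(name: str) -> str:
    """The HTTP/1.1 GET a DoH client sends; Host is the resolver, the
    queried name travels only inside the dns= parameter."""
    param = doh_get_param(build_query(name))
    return (f"GET {DOH_PATH}?dns={param} HTTP/1.1\r\n"
            f"Host: {RESOLVER_HOST}\r\n"
            "Accept: application/dns-message\r\n\r\n")

def decode_qname(param: str) -> str:
    """Restore padding, decode, and walk the labels of the first question."""
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    labels, pos = [], 12
    while raw[pos]:
        n = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

if __name__ == "__main__":
    print(doh_get_request("www.example123.tld"))
```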
Nice to focus on the coffee shop and not the ISP, school, workplace.
Grayson Cox
Cloudflare isn't the only DNS server that supports DNS over HTTPS. Additionally, 1.1.1.1 doesn't keep any logs.
Connor Barnes
None of those can track you once you leave their network.
With this CF scam they will be able to capture every domain you query no matter what network you are on. They tricked plenty of dumb goyim into using (((1.1.1.1))) so why not push this?
Let me rephrase that. Cloudflare never logs personally identifiable information including your IP address. The rest of their logs are purged within 24 hours. Cloudflare is annually audited in order to prove that they are indeed doing this. I have talked to Cloudflare employees and they have confirmed that they do not log IPs. If you are extra paranoid you can use their hidden service dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion instead of 1.1.1.1.
Ethan Collins
Thanks for your reassurance Mr. Schlomo, I don't know what I would do without you.
I am genuinely curious if OPs like this are trolling or genuinely stupid. One of the downsides of a smaller board is that one dedicated shitter can completely set the mood on it.
Juan Collins
Fuck off
Jace Howard
Oh, look, the resident agents have arrived to the thread.
Nathaniel Carter
Why? Is it because what Cloudflare is doing doesn't match up with your schizophrenic narrative?
With DoH, you're shifting your trust from the local network owner and ISP to the DoH provider. If you trust your ISP more than Mozilla/CF, don't use DoH. If you trust Mozilla/CF more, use their DoH service. If you trust neither, use a completely different DoH service like doh.captnemo.in/dns-query, but then you're trusting some guy from India more than your ISP or Moz/CF. Or if you don't trust DoH, you could use a service with DNS-over-TLS or DNSCrypt.
Carson Ward
That's a trap, because many sites use Cloudflare. Imagine you're using their DNS server - they know that someone using Tor is at a certain time checking what the IP address of, let's say, 8ch.net is, then because 8ch.net is a website using Cloudflare they know your IP and they can easily connect these two events. So now they know you use Tor, your IP address and what websites you visit, when you don't want to be followed.
Noah Adams
How the fuck would they backtrace someone's Tor traffic, you fucking schizo? They have no way of telling where that traffic is coming from, with or without their DNS.
I'm talking about a case where someone only uses Cloudflare's DNS over Tor while browsing clearnet. But actually I don't know why someone would even do such a stupid setup.
Jaxon Mitchell
So your source for CF being safe is the word of CF. All these scumbag Silicon Valley companies are in bed with the US intelligence agencies. You are the product, not the customer.
Joseph Davis
Hahaha. It's all about control over goyim, there is no "we play nice", it's just a PR lie.
Daniel Hill
It's not that far-fetched. It is standard practice when using Tor to never access personally identifying information over Tor (e.g. your bank account). If a user configures his DNS resolver to use Cloudflare's onion service by default, the correlation attack you described becomes a reality the first time he switches to clearnet to access a personal faceberg or bank account. Using the onion service for DNS is a bad idea. Don't do it.
Samuel Reed
What exactly are you worried about? With or without 1.1.1.1 they know the IP you used to visit the site.
Samuel Stewart
Cloudflare has now identified you as a Tor user, and can correlate that with your personal accounts.
Hunter Carter
What's wrong with being a Tor user? I'm even open to giving anyone free darknet hosting.
Owen Thomas
This isn't Uplink you stupid nigger
Henry Morales
Harm? What's harm? Harm to who or what? Nice try, cia
Carter Smith
what is dnscrypt? chopped liver?
Connor Brown
How easy is it to set up your own DNS mirror, so I can set the DNS server to localhost and instead of downloading specific records I would just download the whole database, giving no specific information about websites I visit? Anyone here doing this?
Gabriel Harris
Isn't that a pretty massive database?
Chase Powell
It's obvious Cloudflare is a honeypot, but there are other DNS providers with DoH, you know. Like Quad9, CleanBrowsing, AdGuard etc.
I use some OpenNIC server with DoH support personally.
Samuel Ortiz
In OpenBSD and NetBSD, unbound is already installed, you just have to enable it in /etc/rc.conf.local. On other BSDs and Linux you might have to install the package. Then you simply point your /etc/resolv.conf to 127.0.0.1 and you're in business. But there's no entire database to download from any single place. DNS is distributed, with records spread out on thousands of servers everywhere. And I'm getting the impression that nowadays AXFR queries are mostly blocked, because pretty much every time I try it, I get denied. It used to be the other way around, not sure when or why they changed this. But I had another idea, which was to simply cache the local domain-to-IP mappings forever, completely ignoring the TTL values. But this will probably require a source code change, the configuration doesn't appear to support this (only some cases when it will serve expired data when it can't connect to remote DNS to get fresh values). Anyway this basically means you'll only look up hostnames once while unbound is running. The other, more extreme option is /etc/hosts. I've used this method on really bad wifi networks that usually timed out my HTTP requests (but I had Links set to retry forever, so eventually it would download the page...)
Elijah Morales
ok
>Alternate gets DDoSed to fuck every day by (((pure coincidence)))
Life is so much better with companies like CF and Google in charge now.
Camden Harris
I used to do it years ago. Should probably get it set up again.
Noah Brown
Also, isn't unbound mostly some soy toy? I keep hearing it in combination with the RPi and those aren't for any high performance things. All the serious stuff used BIND the last time I checked.
William Hughes
BIND is bloated and performs poorly, but it's the standard so everyone uses it. You'll be getting equivalent if not better performance by using PowerDNS or unbound, although unbound doesn't support authoritative DNS.
Isaac Bennett
Unbound is simpler to set up and doesn't have the decades of crust BIND has. Both OpenBSD and NetBSD ship it in their base. RPi fags use it not because it is soy but because it is easy to config and won't drag down the low-powered Pi.
Nathaniel Bell
What makes it worse than DNS over TLS (DoT)?
But it has a big weakness, which is getting intercepted by a rogue intelligence agency somewhere in the cluster-of-fuck data centers that acts like they don't know anything. In this day and age, "it's not a crime unless we've been found" is the LEA/3LA motto. How reassuring, but the agencies are covertly up and running all day so it won't matter anyway. So? Audits internally? They can just turn a blind eye to known 3LAs. So? Salting the IP doesn't mean it's "not logged" and unidentifiable. Zig Forums does that too but we had the s u n s h i n e incident before, which decrypted the supposed unidentifiable IPs from boards and sent them to LEA in plain text. Also a preprocessor debug 'bug' or an unpatched CVE can be their friend for plaintext extraction. And here you are suggesting a broken warrant-canary project who kicked devs off so the glows can freely move with Soros' oncoming commands. If you're using TBB after the big leap to ESR you're fucked (or just TBB alone is a disasterware).
Logan Robinson
Unbased
Adam Ortiz
Unbound is popular on limited-performance embedded devices like OpenWrt. But you can also use BIND. Well, it doesn't matter, the former is just easier to toy with.
Owen Bennett
They just salted your IP with some shit to make it unreadable for humans. Now this makes the statement specific and much more limited. It says companies, but to intelligence agencies == maybe. Big corp just makes it even more unnerving. CIA nigger project for cloaking MIL under foreign soil was not supposed to be for normie use, but if you enjoy taking it in the assad and mossad then go. What I'd like to hear is never collect. There's no point to "sellout" something if there's nothing to collect. If anything, the intelligence agencies would be paying you. Just how innocent are you? Most governments around the world are corrupt and companies profit by being lying fucks and commit a public apology in case the beans spill, oh, they can also control the flow of news now, how convenient that people will never remember any of that. Debug logs are a red light. You think you had to say something about it because it is crucial, but in turn it just makes you even more suspicious. You mean your Ray ID? You just salted the fuck out of it and call it "no longer identifiable". Not retain = you delete them and they still sit on the drives ready for testdisk recovery lmao. Operational? That's a broad word. ???? So you're saying you only use it for yourself, but if you partake in this "Operations" that doesn't make the people who are asking for it use your user data, but it's you who use it, correct? Irrelevant.
Andrew Hernandez
You really do. Transposing it with hex/decimal alphanumerics clearly makes it invalid as an IP address.
Hunter Cruz
You do realize how much it would cost to store this ungodly amount of data, right?
Ryder Bennett
I'm 100% sure you're a federal agent. You agents really use the same arguments over and over, don't you? The NSA isn't just some dude with a P4 in his basement doing it for a hobby. No, the NSA receives trillions of dollars per year of federal budgets (both public and classified), more than the net worth of Google, Amazon, Microsoft and Facebook combined. I'm pretty sure they can afford some extra hard drives for their datacenters. Logging which domains each user requested isn't much more data intensive than phone records, which were being logged already in the fucking 70s.
Angel Cruz
So the only bit of privacy I lose if CF is lying about not logging personal information is that they know I use Tor for at least DNS. I do not really care about that.
Yes, and I've also talked to an engineer there who confirms they do not log IPs or any other personal data.
Daniel Perez
Sounds doable, must try it.
Julian Smith
This is hilarious, you're either incredibly naive or simply a shill. It's not like "SSL added and removed here ;^)" didn't happen at Google, while their engineers were blissfully unaware. And that only affected Google! With CF, who are proxying a large portion of the web, tons of sites are affected. And now they want to take over DNS too? This should be sending you all kinds of red flags.
James Diaz
I already knew about Cloudflare but not to this extent. Thank you.
Thomas Fisher
unbound + dnscrypt-proxy with an OpenNIC server that doesn't keep logs is the only way to fly.
Justin Miller
Do you also think an undercover cop has to admit they are a cop if asked "are you a cop"?
Look at their web proxy service. It is a straight-up MITM attack that breaks SSL. Cloudflare is literally the NSA.
OpenNIC is top level. That means it's still going to send queries to resolve individual domains. Unbound will give you caching, that's true, but operating systems generally have some form of caching built in. So it doesn't really sound worth it at all. After all, your ISP will still see the connections to the individual IPs, and then it can run reverse DNS to get the domain(s) for the site (and who are we kidding, they probably will).
Cameron Myers
That isn't all that useful with vhosting. There could be 9000 domains on a single IP, or in the case of (((cloudflare))) over 6 million.
Gabriel King
If it's going to a Cloudflare datacenter or any other big provider then they'll de-anonymize it for the government.
Zachary Gray
Your hate should be directed inwards
Aaron Jackson
STFU FAGGOT
Asher Martinez
So I was using a different DNS for nothing, and my ISP was just intercepting it the entire time? Stupid technology.
Jeremiah James
Code(((berg)))