(((DNS over HTTPS)))

Eli Fisher

Cloudflare and Mozilla are teaming up to push DNS over HTTPS (DoH). For your privacy, right? This one will really make you think.

Your DNS query before (((DoH))):

ID: 1234
Q/R: Query, Standard, No-recursion
1 question
www.example123.tld
A
IN

Your DNS query after (((DoH))):

GET /dns-query?dns=xxxxxxxxxx HTTP/1.1
Host: www.example123.tld
Accept: application/dns-message
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
(blank line)

Ah, I see. So it divulges even more information than before. Wait - wasn't this supposed to protect my privacy? And because this is HTTP, it follows that the DNS server gets to set and read cookies in my browser. Hmm... now who could possibly be behind something like this?

Don't fall for jewish tricks.

Attached: doh.png (116.18 KB, 1024x250)

Other urls found in this thread:

codeberg.org/crimeflare/cloudflare-tor
1.1.1.1/dns/
developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
developers.cloudflare.com/1.1.1.1/commitment-to-privacy/
doh.captnemo.in/dns-query
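The `dns=xxxxxxxxxx` in the request above is the base64url encoding of the same wire-format DNS message that previously went over UDP; under RFC 8484 the request is sent to the resolver's URI template (so the Host header names the resolver, placeholder `doh.example` here), and the only header DoH itself needs besides Host is `Accept: application/dns-message`. The following is an added example, not code from the thread, that builds such a query with the Python standard library, produces the GET path, and decodes the parameter back to show what the resolver (and nobody on the path, since it travels inside TLS) gets to see.

```python
import base64
import struct


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal wire-format DNS query (RFC 1035) for qname, class IN.

    RFC 8484 recommends transaction ID 0 for DoH so that identical
    questions produce identical (and therefore HTTP-cacheable) requests.
    """
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def doh_get_path(query: bytes, template: str = "/dns-query") -> str:
    """Encode the query as the base64url 'dns' parameter, padding stripped
    as RFC 8484 section 6 requires."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def decode_doh_param(param: str) -> str:
    """Recover the queried name from a 'dns=' parameter, as the resolver does.

    Re-adds the padding the client stripped, then walks the QNAME labels
    that follow the 12-byte header.
    """
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    offset = 12
    labels = []
    while True:
        length = raw[offset]
        offset += 1
        if length == 0:
            break
        labels.append(raw[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def doh_request_lines(resolver_host: str, qname: str) -> list:
    """The request lines a DoH client sends inside its TLS session to the
    resolver. Browser extras such as Accept-Language and User-Agent are the
    client's own choice, not part of the DoH protocol."""
    path = doh_get_path(build_dns_query(qname))
    return [
        f"GET {path} HTTP/1.1",
        f"Host: {resolver_host}",
        "Accept: application/dns-message",
        "",
    ]


if __name__ == "__main__":
    # Constructed sample: the same name the thread uses, against a placeholder resolver.
    for line in doh_request_lines("doh.example", "www.example123.tld"):
        print(line)
    param = doh_get_path(build_dns_query("www.example123.tld")).split("dns=")[1]
    print("resolver decodes:", decode_doh_param(param))
```

The round trip makes the privacy trade-off concrete: the resolver still learns every name you ask for, exactly as a plain UDP resolver would, while an on-path observer sees only a TLS connection to the resolver host.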

Ryder Nelson

even more information
you forgot the part where your coffee shop, ISP, school, etc, cannot tell what domains you are querying for anymore.

Matthew Kelly

But now CF glowers will know every domain you query. Even if you go to a non-CF hosted site that has zero trackers they will know.

The coffee shop owner isn't much a threat. CF is.

Attached: Prime-Minister-Julia-Gillard-DMZ-600x800.jpg (59.38 KB, 600x800)

Nathaniel Davis

Nice to focus on the coffee shop and not the ISP, school, workplace.

Grayson Cox

Cloudflare isn't the only dns server that supports DNS over HTTPS.
Additionally, 1.1.1.1 doesn't keep any logs

Connor Barnes

None of those can track you once you leave their network.

With this CF scam they will be able to capture every domain you query no matter what network you are on. They tricked plenty of dumb goyim in to using (((1.1.1.1))) so why not push this?

Aiden Perry

Additionally, 1.1.1.1 doesn't keep any logs

Attached: lolwat.gif (2.31 MB, 498x214)

Jason Wood

Let me rephrase that. Cloudflare never logs personally identifiable information including your IP address. The rest of their logs are purged within 24 hours. Cloudflare is annually audited in order to prove that they are indeed doing this. I have talked to Cloudflare employees and they have confirmed that they do not log IPs. If you are extra paranoid you can use their hidden service
dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion instead of 1.1.1.1.

Ethan Collins

Thanks for your reassurance, Mr. Schlomo, I don't know what I would do without you.

Attached: 88659d7ee178795dd12696e87d1946ffb8febebf6b2284db7b40decba484fe50.gif (1.83 MB, 333x358)

Jason Ross

I am genuinely curious if OPs like this are trolling or genuinely stupid. One of the downsides of a smaller board is that one dedicated shitter can completely set the mood on it.

Juan Collins

Fuck off

Jace Howard

Oh, look, the resident agents have arrived to the thread.

Nathaniel Carter

Why? Is it because what Cloudflare is doing doesn't match up with your schizophrenic narrative?

Easton Reyes

dumbfuck
codeberg.org/crimeflare/cloudflare-tor

Jaxson Nguyen

We are exclusively talking about the privacy respecting DNS server 1.1.1.1 retard.

Carson Torres

muh schizo
Tell your handlers to add some mew tricks to your shilling manual, they're getting old. What's next, "take your pills"?

Parker Bennett

and after that they will start sending your passwords to google

Owen Rodriguez

prove it's privacy respecting or fuck off

Jaxon Young

empty demands for 'proof'
He can't 'prove' it is privacy respecting any more than you can 'prove' it isn't, fucktard. God I hate people like you.

Michael Bell

bunch of NEETs are upset people are spying on their chinese cartoon images
Why?

Alexander Baker

he has made the claim, he has to provide the proof or shut the fuck up

Christopher Murphy

faggot #1 makes assertion he can't prove
<faggot #2 contradicts faggot #1 with an assertion he has no hope of proving either
faggot #1 doubles down
<faggot #2 demands proof of faggot #1's unprovable assertion
<hurr checkmate faggot #1
I hate the internet and all its stupidity.

Owen Murphy

1.1.1.1/dns/
We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.
developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
Moreover, you can access 1.1.1.1 as a Tor hidden service at this address:
dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
developers.cloudflare.com/1.1.1.1/commitment-to-privacy/
Cloudflare commits that 1.1.1.1 was designed for privacy first, and as a result:
Cloudflare will never sell your data or use it to target ads. Period.
All debug logs, which we keep just long enough to ensure no one is using the service to cause harm, are purged within 24 hours.
Cloudflare will not retain any personal data / personally identifiable information, including information about the client IP and client port.
Cloudflare will retain only limited transaction data for legitimate operational and research purposes, but in no case will such transaction data be retained by Cloudflare for more than 24 hours.
Cloudflare will only retain or use what is being asked, not who is asking it. Unless otherwise notified to users, that information may be used for the following limited purposes:
Under the terms of a cooperative agreement, APNIC will have limited access to query the transaction data for the purpose of conducting research related to the operation of the DNS system.

Colton Richardson

With DoH, you're shifting your trust from local network owner and ISP to the DoH provider. If you trust your ISP more than Mozilla/CF don't use DoH. If you trust Mozilla/CF more, use their DoH service. If you trust neither, use a completely different DoH service like doh.captnemo.in/dns-query but then you're trusting some guy from India more than ISP or Moz/CF. Or if you don't trust DoH, you could use a service with DNS-over-TLS or DNSCrypt.

Carson Ward

Moreover, you can access 1.1.1.1 as a Tor hidden service at this address:
dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
That's a trap, because many sites use cloudflare. Imagine you're using their DNS server - they know that someone using TOR is at a certain time checking what the IP address of, let's say, 8ch.net is, then because 8ch.net is a website using cloudflare they know your IP and they can easily connect these two events. So now they know you use TOR, your IP address and what websites you visit, when you don't want to be followed.

Noah Adams

Imagine you're using their DNS server - they know that someone using TOR is at a certain time checking what's the IP address of let me say 8ch.net, then because 8ch.net is a website using cloudflare they know your IP and they can easily connect these two events.
How the fuck would they backtrace someone's tor traffic you fucking schizo? They have no way of telling where that traffic is coming from, with or without their DNS

Luis Gutierrez

mew tricks
????

Attached: 1411850110066.gif (604.26 KB, 400x300)

Easton Bell

How the fuck would they backtrace someone's tor traffic you fucking schizo? They have no way of telling where that traffic is coming from, with or without their DNS
I'm talking about a case where someone only uses cloudflare's DNS over TOR while browsing clearnet. But actually I don't know why someone would even do such a stupid setup.

Jaxon Mitchell

So your source for CF being safe is the word of CF.
All these scumbag Silicon Valley companies are in bed with the US intelligence agencies. You are the product, not the customer.

Joseph Davis

Hahaha. It's all about control over goyim, there is no "we play nice", it's just a PR lie.

Daniel Hill

But actually I don't know why would someone even do such a stupid setup.
It's not that far-fetched. It is standard practice when using tor to never access personally identifying information over tor (e.g. your bank account). If a user configures his DNS resolver to use Cloudflare's onion service by default, the correlation attack you described becomes a reality the first time he switches to clearnet to access a personal faceberg or bank account.
Using the onion service for DNS is a bad idea. Don't do it.

Samuel Reed

What exactly are you worried about? With or without 1.1.1.1 they know the ip you used to visit the site.

Samuel Stewart

CloudFlare has now identified you as a tor user, and can correlate that with your personal accounts.

Hunter Carter

What's wrong with being a Tor user? I'm even open in giving anyone free darknet hosting.

Owen Thomas

1.1.1.1 doesn't keep any logs
This isn't Uplink you stupid nigger

Henry Morales

"All debug logs, which we keep just long enough to ensure no one is using the service to cause harm"
Harm? What's harm? Harm to who or what?
Nice try, cia

Carter Smith

what is dnscrypt? chopped liver?

Connor Brown

How easy is it to set up my own DNS mirror, so I can set the DNS server to localhost and, instead of downloading specific records, just download the whole database, giving no specific information about websites I visit? Anyone here doing this?

Gabriel Harris

Isn't that a pretty massive database?

Chase Powell

It's obvious Cloudflare is a honeypot, but there are other DNS providers with DoH, you know. Like Quad9, Cleanbrowsing, Adguard etc.

I use some OpenNIC server with DoH support personally.

Samuel Ortiz

In OpenBSD and NetBSD, unbound is already installed; you just have to enable it in /etc/rc.conf.local. On other BSDs and Linux you might have to install the package. Then you simply point your /etc/resolv.conf to 127.0.0.1 and you're in business.
But there's no entire database to download from any single place. DNS is distributed, with records spread out on thousands of servers everywhere. And I'm getting the impression that nowadays AXFR queries are mostly blocked, because pretty much every time I try it, I get denied. It used to be the other way around, not sure when or why they changed this.
But I had another idea, which was to simply cache the local domain<->IP mappings forever, completely ignoring the TTL values. But this will probably require a source code change; the configuration doesn't appear to support this (only some cases where it will serve expired data when it can't connect to a remote DNS to get fresh values). Anyway, this basically means you'll only look up hostnames once while unbound is running.
The other, more extreme option is /etc/hosts. I've used this method on really bad wifi networks that usually timed out my http requests (but I had Links set to retry forever, so eventually it would download the page...)

Elijah Morales

If you trust neither, use a completely different DoH service
ok
Don't trust CF DoH/1.1.1.1 botnet
I'll just use alternate DoH!
Alternate gets DDOSed to fuck every day by (((pure coincidence)))
Oh well, they better get CF DDOS protection service!
Life is so much better with companies like CF and Google in charge now.

Camden Harris

i used to do it years ago. should probably get it set up again.

Noah Brown

also isn't unbound mostly some soy toy? i keep hearing it in combination with the rpi and those aren't for any high performance things. all the serious stuff used bind the last time i checked.

William Hughes

Bind is bloated and performs poorly, but it's the standard so everyone uses it. You'll be getting equivalent if not better performance by using powerdns or unbound, although unbound doesn't support authoritative dns.

Isaac Bennett

Unbound is simpler to set up and doesn't have the decades of crust BIND has. Both Open and NetBSD ship it in their base.
rpi fags use it not because it is soy but because it is easy to config and won't drag down the low powered pi.

Nathaniel Bell

What makes it worse than DNS over TLS (DoT)?

Let me rephrase that. Cloudflare never logs personally identifiable information including your IP address.
But it has a big weakness, which is getting intercepted by a rogue intelligence agency somewhere in the cluster-of-fuck data centers and acting like they don't know anything. In this day and age, "it's not a crime unless we've been found" is the LEA/3LA motto.
The rest of their logs are purged within 24 hours.
How reassuring, but the agencies are covertly up and running all day that it won't matter anyway.
Cloudflare is annually audited in order to prove that they are indeed doing this.
So? Audits internally? They can just turn blind eye to known 3LAs.
I have talked to Cloudflare employees and they have confirmed that they do not log IPs.
So?
Salting the IP doesn't mean it's "not logged" and unidentifiable. Zig Forums does that too, but we had the s u n s h i n e incident before, which decrypted the supposedly unidentifiable IPs from boards and sent them to LEA in plain text. Also a preprocessor debug 'bug' or an unpatched CVE can be their friend for plaintext extraction.
If you are extra paranoid you can use their hidden service
dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion instead of 1.1.1.1.
And here you are suggesting a broken warrant-canary project that kicked devs off so the glows can freely move with Soros' oncoming commands. If you're using tbb after the big leap to ESR you're fucked (or just tbb alone is disasterware).

Logan Robinson

not using chinese firewall that blocks all the problematic-kike ASN
Unbased
<hiding your internets under pooland (india) or poohland (china) because there's like 3 billion people way beyond the threshold of what glows/nose/dickpic agencies can manage.

Adam Ortiz

Unbound is popular on limited-performance embedded devices like OpenWrt. But you can also use bind. Well, it doesn't matter, the former is just easier to toy with.

Owen Bennett

We will never log your IP address
They just salted your IP with some shit to make it unreadable for humans.
(the way other companies identify you).
Now this makes the statement specific and much more limited. It says companies, but intelligence agencies == maybe.
And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.
Big corp just makes it even more unnerving.
Moreover, you can access 1.1.1.1 as a Tor hidden service at this address:
dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
cia nigger project for cloaking MIL under foreign soil was not supposed to be for normie-use but if you enjoy taking it in the assad and mossad then go.
Cloudflare commits that 1.1.1.1 was designed for privacy first, and as a result:
Cloudflare will never sell your data or use it to target ads. Period.
What I'd like to hear is never collect. There's no point to "sellout" something if there's nothing to collect. If any, the intelligence agencies would be paying you. Just how innocent you are? Most governments around the world are corrupt and companies profit by being lying fucks and commit a public apology in case the beans spill, oh they can also control the flow of news now, how convenient that people will never remember any of that.
All debug logs, which we keep just long enough to ensure no one is using the service to cause harm, are purged within 24 hours.
Debug logs are red light. You think you had to say something about it because it is crucial but in turn just makes you even more suspicious.
Cloudflare will not retain any personal data / personally identifiable information, including information about the client IP and client port.
You mean your ray ID? You just salted the fuck out of it and call it "no longer identifiable". Not retain = you delete them and they still sit on the drives ready for testdisk recovery lmao.
Cloudflare will retain only limited transaction data for legitimate operational and research purposes, but in no case will such transaction data be retained by Cloudflare for more than 24 hours.
Operational? That's a broad word.
Cloudflare will only retain or use what is being asked, not who is asking it.
???? So you're saying you only use it for yourself but if you partake in this "Operations" that doesn't make the people who are asking it use your user data but it's you who use it correct?
Unless otherwise notified to users, that information may be used for the following limited purposes:
Under the terms of a cooperative agreement, APNIC will have limited access to query the transaction data for the purpose of conducting research related to the operation of the DNS system.
Irrelevant.

Andrew Hernandez

We will never log your IP address.
You really do. Transposing it with hexdec alphanum clearly makes it invalid as an IP address.

Hunter Cruz

You do realize how much it would cost to store this ungodly amount of data right.

Ryder Bennett

I'm 100% sure you're a federal agent. You agents really use the same arguments over and over, don't you?
muh nothing to hide
muh just use a VPN
muh "we don't store no logs lol ;-)"
muh "ungodly amounts of data" (even though Google logs every search and physical location of logged in users, and gives away like 20GB of storage to anyone who's willing to let them spy on him, which is nothing compared to storing a few domains per user per day).
The NSA isn't just some dude with a P4 in his basement doing it for hobby. No, the NSA receives trillions of dollars per year of federal budgets (both public and classified), more than the net worth of Google, Amazon, Microsoft and Facebook combined. I'm pretty sure they can afford some extra hard drives for their datacenters.
Logging which domains each user requested isn't much more data intensive than phone records, which were being logged already in the fucking 70s.

Angel Cruz

So the only bit of privacy I lose if CF is lying about not logging personal information is that they know I use Tor for at least DNS. I do not really care about that.
So your source for CF being safe is the word of CF.
Yes, and I've also talked to engineer there who confirms they do not log IPs or any other personal data.

<they are logging an encrypted version of your IP
No, they are not. If it's possible to reverse it, it legally counts as personal information, which they are not storing.
Sorry about the late response. This site's hidden service has been broken.

Daniel Perez

Sounds doable, must try it.

Julian Smith

This is hilarious, you're either incredibly naive or simply a shill. It's not like "SSL added and removed here ;^)" didn't happen at google, while their engineers were blissfully unaware. And that only affected google! With CF, who are proxying a large portion of the web, tons of sites are affected. And now they want to take over DNS too? This should be sending you all kinds of red flags.

James Diaz

I already knew about cloudflare but not to this extent. Thank you.

Thomas Fisher

unbound + dnscrypt-proxy with an OpenNIC server that doesn't keep logs is the only way to fly.

Justin Miller

Yes, and I've also talked to engineer there who confirms they do not log IPs or any other personal data.
Do you also think an undercover cop has to admit they are a cop if asked "are you a cop"?

Look at their web proxy service. It is a straight up MiTM attack that breaks SSL.
Cloudflare is literally the NSA.

Attached: IMG-9313.PNG (53.41 KB, 956x455)

Anthony Watson

OpenNIC server that doesn't keep log
Prove it.

Elijah Howard

you should know if your server logs.

Robert Martin

OpenNIC is top level. That means it's still going to send queries to resolve individual domains. Unbound will give you caching, that's true, but operating systems generally have some form of caching built in.
So it doesn't really sound worth it at all. After all, your ISP will still see the connections to the individual IPs, and then it can run reverse DNS to get the domain(s) for the site (and who are we kidding, they probably will).

Cameron Myers

then it can run reverse DNS to get the domain(s) for the site
That isn't all that useful with VHOSTing. There could be 9000 domains on a single IP or in the case of (((cloudflare))) over 6 million.

Gabriel King

If it's going to a cloudflare datacenter or any other big provider then they'll de-anonymize it for the government.

Zachary Gray

there's no way they would keep logs / spy on me
Your hate should be directed inwards

Aaron Jackson

Yes, and I've also talked to engineer there who confirms
STFU FAGGOT

Asher Martinez

so i was using a different dns for nothing, and my isp was just intercepting it the entire time? stupid technology

Jeremiah James

Code(((berg)))
