Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Info] DNS Servers #590

Open
funilrys opened this issue Sep 6, 2020 · 18 comments
Open

[Info] DNS Servers #590

funilrys opened this issue Sep 6, 2020 · 18 comments
Assignees

Comments

@funilrys
Copy link
Member

funilrys commented Sep 6, 2020

Hello, World!
Hello, @Ultimate-Hosts-Blacklist/contributors!
Hello, @Ultimate-Hosts-Blacklist/blacklister!
Hello, @Ultimate-Hosts-Blacklist/whitelister!

I hope that everything goes well for you and your beloved one.

It's been a long time (cf. #293) since we had this idea of providing a DNS server and today think that we are that far.
It took us (@mitchellkrogza and I) some time (in our free time) to imagine, develop, stabilize and even get the resources for this.
But, here we are 😄

I'm glad to announce our Public DNS Server:

DNS Name safedns.allover.co.za safedns2.allover.co.za
IPv4 88.198.70.38 88.198.70.39
IPv6 2a01:4f8:140:5021::38 2a01:4f8:140:5021::39

Give it a try and let us know if something is disturbing you or if you have questions!

Have a nice day/night.
Stay safe and healthy.
Nissar

@DRSDavidSoft
Copy link

@funilrys Nice to hear this! Can you please add some documentation regarding the upstream server, filters used, logging, etc?

Also, I hope that you will also set up DNSCrypt and DNS-over-HTTPS on the same servers.

@spirillen
Copy link
Contributor

spirillen commented Sep 6, 2020

Hey @DRSDavidSoft I had DoH on my DNS servers, but since FF DO NOT respect the use-application-dns.net for disabling DoH support on clients I have disabled it, for not becoming part of Network hacking....

You can read a more in-depth comment on this at https://mypdns.org/my-privacy-dns/issues/-/issues/607. There are also a bunch of links to among other FireBug etc.

With this, even how good the intention originally was supposed to be, it can actually rather soon become the pure evil 😒 and my personal advice is, Don't put it up, unless you can and will provide a user account for using the DoH service.

Update note: fixing some grammar for readability.

@DRSDavidSoft
Copy link

@spirillen Good point. Since you brought this issue up, I'd like to also mention some of my opinions regarding this matter as well.

Please click here to expand the comment.

I agree that the way Mozilla is currently handling DoH on their browser is not optimal, however as they have stated, this is meant to be a temporary measure until a proper method to signal the browser is standardized:

The use of this domain is specified by Mozilla, as a limited-time measure until a method for signaling the presence of DNS-based content filtering is defined and adopted by an Internet standards body.

Personally, I don't believe in each browser using a separate encrypted channel to relay the DNS requests, especially when they default to either Cloudflare or Google DNS. My personal reason being that I will lose control over the DNS responses, such as blocking Adware and Malware (e.g. doubleclick.com, which is one of the domains Google uses to serve advertising).

However, in my opinion, the alternative should NOT be to simply disable DNS encryption, since now the ISP (or corporate) will be able to eavesdrop and/or spoof my DNS requests, especially those that are not hardened with DNSSEC.

Please see what an unencrypted DNS is returning for `youtube.com` in my country: (click to expand)

In this case, if I'd like to browse YouTube, I expect to get the IP address of Google servers, not the private-range address 10.10.34.35, which is simply returned by my ISP! :(

$ dig youtube.com @8.8.8.8

; <<>> DiG 9.11.9 <<>> youtube.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46609
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;youtube.com.                   IN      A

;; ANSWER SECTION:
youtube.com.            1       IN      A       10.10.34.35

;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 07 00:38:37 IDT 2020
;; MSG SIZE  rcvd: 45

What I personally prefer to use is a system-wide DNS resolver (such as Unbound or DNSCrypt-proxy) that upstreams to an encrypted server, preferably one that I run with my custom blacklists and whitelists. That way, my ISP, corporate, coffeeshop, etc, will NOT be able to see or modify my DNS requests. which is important to me.

In most cases, using an anonymized Cloudflare's 1.1.1.1 DoH resolver is fine, and I trust it more than Google. Of course, Quad9's 9.9.9.9 is also a good choice.

With that being said, not many people are well-versed in running a technical setup like this, or they simply just do not care. I believe Mozilla and Google's efforts to implement a built-in encrypted resolver are in the right place, in order to prevent unwanted DNS hijacking and governmental censorship, for those type of people.

With that being said, I also do NOT appreciate Firefox defaulting to another DNS server -- whether encrypted or not -- when I have explicitly implied that I intend to resolve the DNS through localhost (127.0.0.1). In DNSCrypt-proxy, the use-application-dns.net method is already used in a plugin (DNSCrypt/dnscrypt-proxy#964) to signal the plugin not to automatically upgrade the DNS resolver to an encrypted, alternative one.

Moreover, If I'd like to disable this "feature", I do not trust FF to adhere to their signaling method in the long run, and I only see this domain being useful in situations where you can't manually disable the behavior as outlined here https://www.mypdns.org/T607#6866. (e.g. for other computers running in my network which are managed by other users than me). I will always turn off this "feature" in my machine, and just set Firefox to use the localhost resolver.

I'd also like to mention that I believe Google's approach is more logical and thus better, as it only upgrades the DNS resolver if there exists an encrypted equivalent to the currently set DNS resolver (e.g. 8.8.8.8 or 1.1.1.1):

More concretely, Chrome will automatically switch to DNS-over-HTTPS if your current DNS provider supports it, and provide manual configuration options for users who wish to use a specific provider.

Thus, if any other DNS server is set by the user that doesn't support encryption, Chrome will not automatically try to use an alternative DNS resolver. This makes more sense to me than Mozilla's default approach.

Since I do not use Firefox as my main browser (for other reasons), I either use a De-Googled version of Chromium (such as Bromite), or I use Google Chrome when I'm feeling comfortable sharing my data with Google and would like to use Google services. In both cases, I have built-in telemetry disabled, and I use extensions such as uBlock Origin, HTTP Everywhere, Privacy Badger, Disconnect, and Nano Defender. In cases where I'm not using DuckDuckGo, I additionally use an extension called "Don't track me Google" to further reduce Google search tracking.

In any case, I'd still like to use an encrypted upstream DNS resolver, whenever possible.

@spirillen
Copy link
Contributor

spirillen commented Sep 6, 2020

Hey @DRSDavidSoft A couple of replies on that long thread. (Why didn't you add it to T607 now you signed up anyway 😃 That site is protected against all kind of tracking 👍 )

It would also help this thread from becoming de-routed as now.

I expect to get the IP address of Google servers, not the private-range address 10.10.34.35

This can actually be you are routed to a proxy here it's evil from a privacy issue, but again.. all google is one big privacy issue, and here a proxy can actually help obfuscating who is doing what on yt. So this is a 50/50 change for the better.

Cloudflare's 1.1.1.1 DoH resolver is fine, and I trust it more than Google. Of course, Quad9's 9.9.9.9 is also a good choice.

Cloudflare = all activity tracking
Quad9 = Despite it's financed by the British government and the politicians of NY, they DO NOT TRACK your activities and they also offers some protection by using various filter from ex. Bamber Consult, Z-CERN etc.

With that being said, not many people are well-versed in running a technical setup like this, or they simply just do not care.

Try to as @daniv5 if this was difficult even he never tried anything like this before!!! He was up and running in a few hours, with help from this starter script: https://mypdns.org/rpz/dns-rpz-integration/-/tree/master/PowerDNS-Recursor

I believe Mozilla and Google's efforts to implement a built-in encrypted resolver are in the right place, in order to prevent unwanted DNS hijacking and governmental censorship, for those type of people.

If bastards like google would/is doing this, trust me it isn't for your sake, it is purely for there own for getting even more data about you for brainwashing you.

I believe Google's approach is more

Could you post more about this in the T607, as I have completely blocked google here. That's include the spyware chromium.

De-Googled version of Chromium (such as Bromite), or I use Google Chrome

You should try to watch your log when you lunch any chrome variation 😒 You will purge them right away 😄 It's g license that say, in short, you can do as you like as long we get the tracking data.

I'd still like to use an encrypted upstream DNS resolver, whenever possible.

  1. Note
    Trust me, we are a lot of DNS (providers) that would like to offer this, sadly we hit a reality in limitations for doing this.

A SSL certificate based on IP addresses, is first and foremost extremely expensive and you can only obtain it through a limited number of providers. Next you need to be assigned the IP by RIPE, with all organization data etc. You shall then have those IP addresses setup by a hosting company, then find some papers with the RIPE letterhead to forward to the SSL application etc etc.... it's a jungle and it cost the the bucks of a big country's BNP.

Setting it up takes what 5 to 10 minutes ⏳

  1. Note

To not loose any of the control of contents being blacklisted and whitelisted and have other deciding this to you, there is only one solution..... Install your own resolver PowerDNS's recursor or ICS Bind9 on you own machine (My personal flavor is by far the PowerDNS recursor) and then use the RPZ and maintain your own whitelist, it should always rely on a personal choice, rather than other. And by a local resolver using RPZ you have the keys, nobody else.

Another note

Nice to see more people trying to do something good and setting up other open DNS servers 👍

@DRSDavidSoft
Copy link

@spirillen If it's alright with you, I don't mind posting to mypdns.org -- although maybe on a new document, since my reply is already getting kind of off-topic.

I'd like to apologize for the long reply beforehand, but since the topic is already posted here, I'll just reply here.

(Click to expand)

This can actually be you are routed to a proxy here it's evil from a privacy issue, but again.. all google is one big privacy issue, and here a proxy can actually help obfuscating who is doing what on yt. So this is a 50/50 change for the better.

I see your point, and I agree that if the IP address was being used as a reverse proxy, it would actually benefit the user privacy-wise, by anonymizing the source IP address. (Not that it'd be helpful in case the user is logged in.)

However, just to be clear -- this is NOT a proxy, it's simply a page hosted that displays "Access to this website has been denied". I was just using YouTube as an example, but this DNS hijacking also occurs for DuckDuckGo and also Telegram.org, a privacy-oriented messenger.

Even in case, this IP was being used to proxy my requests (and not to display an "access denied" page), I wouldn't want my ISP to perform DNS hijacking since this server could definitely be used as an MITM (Man-in-the-middle) attack vector. On unsecured port 80, they could see the plain requests and modify them. On secured port 443 (TLS/HTTPS), they could extract the domain name that I'm connecting to.

In both cases, they can see what domains my devices are trying to connect to, and they can modify or block the DNS response.

For this reason, I'm never using an unencrypted DNS server for my main devices and network.

Cloudflare = all activity tracking
Quad9 = Despite it's financed by the British government and the politicians of NY, they DO NOT TRACK your activities and they also offers some protection by using various filter from ex. Bamber Consult, Z-CERN etc.

Good to know, Quad9 is actually the preferable upstream server that I'd use. I'd still use Cloudflare, but only for anonymized incoming DNS requests.

Regarding Google and Cloudflare running DoH, I 100% agree with you on the fact that they run the service mostly for their own sake, and not the users. In either case, at some point, we should choose how much data we're willing to share with the Big 5 Companies (FAAMG). Personally, I'm comfortable to share some of my public data, and only that.

[...] He was up and running in a few hours, with help from this starter script: https://www.mypdns.org/source/pdns-recursor/

This is indeed a great solution, but as I said, provided the user is willing to set it up. I know many people that don't have the time or the budget to set it up on a server of their own, but are willing to use another people's servers.

You should try to watch your log when you lunch any chrome variation 😒 You will purge them right away 😄 It's g license that say, in short, you can do as you like as long we get the tracking data.

I see, and I completely agree with your points. However, as a web developer and a user, I really dislike the Gecko engine, and parts of the Firefox interface. Webkit (and Blink) in Safari and Chrome are doing a better job, but as you said, they usually come bundled with trackers and spyware from Google and Apple. With that being said, browsers like Bromite and Iridium completely take out the telemetry and spying stuff out of Chromium, which otherwise is my opinion is an excellent browser.

https://www.privacytools.io/browsers/

Microsoft Edge and Opera also build on the Chromium code base, with their own telemetry baked in. I always monitor the traffic that my browsers generate, and I see that that's the case.

However, I do not believe in their license agreement to collect my data, without my consent. i.e., I don't care about what they're asking, and will always block as much as unwanted traffic as I can.

In Mozilla's case, it's better since you're not bound to such agreements, although Firefox still contains telemetry code.

I think it's common sense to block any telemetry that you are aware of, regarding which piece of software you use.

Trust me, we are a lot of DNS (providers) that would like to offer this, sadly we hit a reality in limitations for doing this.

I see, and again, I agree with your point on the SSL certificate. I wouldn't want to waste money to acquire a certificate from a third party that has to be renewed each year.

However, I'd like to propose two suggestions:

  1. Let's Encrypt is a non-profit certificate authority that provides SSL certificates for free, that can be used to run a DoH server.

  2. DNSCrypt is an alternative protocol to DNS-over-HTTPS, with the added benefit of using pre-shared public keys, instead of a peer-verified trusted certificate:

Instead of relying on trusted certificate authorities commonly found in web browsers, the client has to explicitly trust the public signing key of the chosen provider. This public key is used to verify a set of certificates, retrieved using conventional DNS queries. These certificates contain short-term public keys used for key exchange, as well as an identifier of the cipher suite to use. Clients are encouraged to generate a new key for every query, while servers are encouraged to rotate short-term key pairs every 24 hours.

If you're interested in running a DNSCrypt protocol server, please have a look at this:

https://github.com/DNSCrypt/dnscrypt-proxy/wiki/How-to-setup-your-own-DNSCrypt-server-in-less-than-10-minutes

The DNSCrypt server (which is powered with Unbound) then can be set to use the local PowerDNS instance.

To not loose any of the control of contents being blacklisted and whitelisted and have other deciding this to you, there is only one solution..... Install your own resolver PowerDNS's recursor or ICS Bind9 on you own machine

PowerDNS is indeed a great solution, however, I'm personally using a combination of DNSCrypt-proxy + Unbound on my server, in order to provide encryption.

Instead of running my own recursive resolver, I've chosen to upstream to OpenNIC, which is an independent resolver not governed by IANA. They also resolve many non-standard TLDs, such as .null, .libre, and etc.

Additionally, the DNSCrypt-proxy resovler has the added benefit of wildcard blocking and CNAME blocking, in addition to cloaking and forwarding.

For example, I can block *.baddomain.com, and if a domain like example-test.com points to something.baddomain.com, it will also be blocked in this setup.

I'm currently hoarding about ~70MBs of blacklist 😅 with about 2000 hand-picked whitelisted domains. My server is used at both my home network, and where I work (I have the role of sysadmin there).

@spirillen
Copy link
Contributor

@DRSDavidSoft

If it's alright with you, I don't mind posting to mypdns.org -- although maybe on a new document, since my reply is already getting kind of off-topic.

I think that would be a good idea, as I see yet more de-reouted comments to your last reply.

Anyway a single note to your

However, as a web developer and a user

What script language do you write in? You might be a VW people!!!

@DRSDavidSoft
Copy link

@spirillen For web development, I write in ES8+ Javascript. I primarily use a Node.js stack for the back-end too, although I'm also well versed in PHP/7. What does VW stand for?

@spirillen
Copy link
Contributor

spirillen commented Sep 7, 2020

@spirillen For web development, I write in ES8+ Javascript. I primarily use a Node.js stack for the back-end too, although I'm also well versed in PHP/7. What does VW stand for?

VW Is VolksWagen 😋 (That's a German car factory cheating with there test software 🤣 )

VW = VeryWanted 👍 I'll hit you up on mypdns about the php =>

@spirillen

This comment has been minimized.

@Somebodyisnobody

This comment has been minimized.

@spirillen
Copy link
Contributor

spirillen commented Jan 6, 2021

Side note: @funilrys @Somebodyisnobody

Side story

It happens as internal talk between me and funilrys on keybase about the performance between Bind vs (dnsdist + recursor) for how big blacklist the diff system can handle as I found this in my OPNSense firewall about Bind

1.2

  • Add Log Viewer
  • Removed too big PornAll list

As this is no issue with the recursor I use 😏

Then there was some issues with the UFW firewall on our cdb about letting simple DNS queries through, even the udp 53 ports was wide open. Turned out to again being the fucked up systemd-resolverd + dnsmasq (which they would soon stop distribute that shit by default)

While I was investigating the DNS queries this came to me

image

Then I would try these DNS and this happens...

drill p57b8b9a5.dip.t-ipconnect.de @88.198.70.38
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 40754
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 
;; QUESTION SECTION:
;; p57b8b9a5.dip.t-ipconnect.de.        IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
t-ipconnect.de. 3600    IN      SOA     dns00.btx.dtag.de. hostmaster.t-ipnet.net. 2020120100 1800 900 7257600 3600

;; ADDITIONAL SECTION:

;; Query time: 849 msec

A little second test to the get upgraded to recursor religion 😉

Local bind lookup
;; Query time: 2914 msec

Local dnsdist + recursor
;; Query time: 555 msec

  • dnsdist
    ;; Query time: 253 msec

All queries to the root servers

But fun aside, there are lacking information's on the above questions!!

@funilrys
Copy link
Member Author

funilrys commented Jan 24, 2021

@Somebodyisnobody I'm sure it was @mitchellkrogza's dog 😄

But I fixed it so that it redirects here (correctly) 😸

To answer your questions, there is no logging behind safedns and safedns2 DNS server. I'll document those things in the README later.

@funilrys
Copy link
Member Author

funilrys commented Jan 24, 2021

About the missing WHOIS information, it's pretty common in Germany to have no personal information in the WHOIS record. My family for example has domains for more than 10 years now, and there is no information about us in there.

Keep in mind that the equivalent of the "GPDR" existed and evolved in Germany since 1977 as the "Bundesdatenschutzgesetz (BDSG)".

But I still have to document myself about the law in South Africa. @mitchellkrogza may clarify that for you. But it's really not surprising for me to have some information retracted in there.

@Somebodyisnobody
Copy link
Member

About the missing WHOIS information, it's pretty common in Germany to have no personal information in the WHOIS record. My family for example has domains for more than 10 years now, and there is no information about us in there.

It depends on the country of the registrar. For example for .de TLDs you go to the german denic. They do redact but you can query this information with reason on https://www.denic.de/webwhois/. The whois record looked above like https://www.instra.com/en/whois/whois-result/burton_email. So for me personally better write nothing in the whois-record than this "REDACTED" thing... I talked multiple times with [email protected]. They really care about abusing their domains.

@funilrys
Copy link
Member Author

Yes indeed, you you can ask for detail but only if you have the right for it.

It's really up to the registrars anyway…
That shouldn't change one thing: we - as a natural person - should have the right to refuse that our personal data ends in there.

@trimechee
Copy link

trimechee commented Jun 17, 2023

Hello, about firefox doh dns over https :

"I also do NOT appreciate Firefox defaulting to another DNS server -- whether encrypted or not -- when I have explicitly implied that I intend to resolve the DNS through localhost

it seems firefox in recent update has changed mechanism of dns over https and it can be set to strict and can't be overridden and there is even whitelist for dns....

so we hope there will be dns servers doh dns over https for our beloved Ultimate Hosts Blacklist ! Thank you for these awesome lists ans dns !

@funilrys
Copy link
Member Author

We are now reachable through the 5353 port.

@trimechee
Copy link

Great ! 💯 🥇

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Development

No branches or pull requests

8 participants