
/tech/ - Technology


 No.1052054 >>1052135 >>1052136 >>1055415 >>1060515 >>1064501 >>1064808

G'day /tech/, recently I've been searching for good DNS providers and would like to gather some opinions on which one to choose. Currently I'm torn between open-DNS and Cloudflare-DNS but I'd appreciate alternate options.

____________________________
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.

 No.1052077>>1052135 >>1064970

OpenDNS is Cisco Jewery (since it was bought out, at least). Cuckflare? Are you serious. Just use OpenNIC.


 No.1052078

>cloudflare

Not even as a shitpost.

Also, this is your daily reminder that DNS is a completely superfluous thing that has no technical right to be so deeply entrenched in the system. Remember to put your most commonly used sites in your hostfile.


 No.1052079

Don't use cuckflare dns.

Opendns is fine but i personally would recommend opennic


 No.1052081>>1052082 >>1072269

Just download a hosts file and be your own DNS.


 No.1052082>>1060260 >>1060336

>>1052081

But how will I get all these JS libraries from CDNs?


 No.1052084

opennicproject but their website turned to shit a few years ago.


 No.1052091

i just use whatever comes from dhcp. too lazy to care and i want to die anyway so its only good if the cops come and shoot me.


 No.1052106

run unbound as an upstream to pihole


 No.1052122

Unbound.

>kikeflare

Yeah if you want to make sure the glows in the dark always know which sites you access.


 No.1052135

>>1052054 (OP)

>cloudflare dns

Haha yes let's give cloudflare even more of a stranglehold on the internet.

>>1052077

This, grab yourself a no-log server and use dnscrypt. I've used dnsmasq's built-in dnscrypt support, but it seems that for dnscryptv2 you should run dnsmasq->dnscrypt-proxy->opennic server

https://servers.opennic.org/


 No.1052136

>>1052054 (OP)

I've used dns.watch for a while and it seems fairly solid.


 No.1052227>>1052272 >>1060207

Use Tor for sensitive stuff, mate. The remaining clear stuff will make you look normal to the glowing eyes.


 No.1052244


>opennic

>now some totally trustworthy stranger has your dns records instead of some corp

Neither is good but you gotta pick one. At least cuckflare is fast


 No.1052252


I've been using OpenNIC for years with no issues. It's community-based so you gotta trust in some random guy online to keep his server online and keeping his promise to not log activity, but other than that it's been great.

In theory you could use GNUnet's GNS as an alternative to regular DNS, but I don't think there are tutorials for it.


 No.1052259>>1052292

OpenNIC has had a number of severe security flaws which remained unpatched for years, and other issues which remain unaddressed. There's not much in the way of active development toward improving their systems. If someone cared to disrupt OpenNIC, it wouldn't take much.


 No.1052272

>>1052227

Only if you are trying to advertise what you are doing and get correlated.


 No.1052292>>1052299

>>1052259

>OpenNIC has had a number of severe security flaws

I think you're confusing it with something else.

Google yields no results and to me it's just a website that tells me how to set things up.


 No.1052299>>1052302 >>1064423

>>1052292

No, I know quite well there are many issues because I'm the one who discovered them.


 No.1052302>>1052303

>>1052299

You don't know what opennicproject is and never discovered anything in your life.

Pics or didn't happen, gtfo failtroll.


 No.1052303>>1052317

>>1052302

Join their IRC and ask if you'd like to confirm it. I don't think they'd try to hide the fact that there have been issues. To be more specific, the most severe of which involved (multiple methods of) complete domain takeovers and DoS via inserting invalid DNS entries.


 No.1052317>>1052355

>>1052303

As long as you talk cryptic shit like that you might as well not say anything :-/

People who talk like you usually try to hide the fact that some mundane standard glitch was used, in this case a DNS one, that has nothing to do with the topic of discussion, in this case OpenNIC.


 No.1052328>>1052507

...so either link to a website or explain one of the issues you found :-/


 No.1052355>>1052389

>>1052317

why are you even here


 No.1052389>>1052507

>>1052355

Are you serious?

You can't just go around and claim OpenNIC is insecure (more insecure than other DNS providers) and not back it up.

Do you even science?


 No.1052507

>>1052389

>>1052328

OpenNIC lacks the resources and drive necessary to actively develop and improve their systems.

The vulnerabilities I discovered weren't anything complex, just standard cases of naively trusting user input. This led to deleting/editing domains without ownership, inserting invalid DNS entries (DoS), and also editing the T1/T2 nameservers. I believe they've fixed the issues I've reported, but I had done penetration testing on them years prior and found similar issues at the time.

The unpatched T1/T2 code is available on Github, the issue is there's no authentication between edit.php's POST request to _edit.php: https://github.com/opennic/ldapServerEditor


 No.1052761

bump3


 No.1052874

Moot thread tbh in the days of more and more ISPs hijacking UDP port 53


 No.1052892

Use dnscrypt-proxy as it forces you the user encrypted dns and the server operator to configure basic security/ssl as to encrypt the dns. OpenNIC and openDNS are just kike controlled opposition as poster above found out by their insecurity. Its a joke. Most dnscrypt-proxy servers are controlled by five eyes or the kikes in fake israel though.


 No.1055415>>1072230

>>1052054 (OP)

Using the mainstream ones (Google, Cloudflare, ...) or your ISP's default one is a bad idea if you care about privacy. Imo a DNS should be uncensored, free, and it shouldn't log anything.

Here are some that I like:

https://digitalcourage.de/support/zensurfreier-dns-server (located in Germany)

https://dismail.de/info.html#dns (located in Germany)

https://blog.uncensoreddns.org/dns-servers/ (located in Denmark and USA)

https://securedns.eu/ (probably located in the Netherlands)

Note that DNS is always unencrypted by default. If you really want to prevent anyone from looking at your internet traffic by collecting your dns requests, you can check out DNSCrypt https://dnscrypt.info/protocol/ or DNS over TLS https://de.wikipedia.org/wiki/DNS_over_TLS

Not all servers support DNScrypt though and even fewer support DNS over TLS. However, digitalcourage and dismail do for example.


 No.1060207>>1064988


 No.1060260

>>1052082

>JS libraries

You don't need anything other than hosts.txt


 No.1060336

>>1052082

decentraleyes


 No.1060515>>1060677 >>1060679

>>1052054 (OP)

You can set `DNSPort` in `/etc/tor/torrc` and use it as resolver.

or install unbound for local resolving

If you really need one:

censurfridns.dk over TLS (use unbound as client)

https://www.ctrl.blog/entry/unbound-tls-forwarding


 No.1060677

>>1060515

Tor only forwards the DNS request to an exit node which does the name resolution. It can still be fucked with either by the exit node or anything in-between the exit node and the DNS server. Using Tor on its own is not a solution. DoH, DoT, or dnscrypt over Tor is much better.


 No.1060679

>>1060515

>reddit spacing


 No.1064423

>>1052299

do you by any chance have an idea how to contact the dot chan host/admin?


 No.1064470

only good one is your own. everything else is datamining botnet.


 No.1064501

>>1052054 (OP)

Shamelessly shilling for OpenNIC. It's an alternative DNS root that mirrors ICANN's horseshit. Set up your own DNS server for this.

https://en.wikipedia.org/wiki/OpenNIC


 No.1064808


>>1052054 (OP)

Install dnscrypt-proxy, configure it to not use DoH and avoid servers which claim to log you. Encrypted DNS with the best servers possible.

If you want to get a little more complicated disable the built in caching, install unbound, and use that to cache (and forward uncached requests to dnscrypt-proxy). You can also proxy DNS requests to add anonymity to security.


 No.1064970

>>1052077

Is OpenNIC another DNS provider, or are they different than that?


 No.1064971>>1064981

How do I change my default DNS server on OpenWRT?


 No.1064981

>>1064971

The documentation is shit so I'll spoonfeed you

Run the command

uci add_list dhcp.@dnsmasq[0].dhcp_option='6,$DNSSERVER,$DNSSERVER'

Where $DNSSERVER is a DNS server, you can specify as many as you want, just separate them with commas. The also comma-separated 6 at the start is needed, read more about it on the dnsmasq man page.

You may also want to run this:

uci set dhcp.@dnsmasq[0].noresolv='1'

dnsmasq adds your ISP's dns servers to your list of servers by default, this disables that.

If you're satisfied, run uci commit and reload the dnsmasq configuration. Now you have custom DNS for plain old dhcp.

For dhcpv6 OpenWRT uses a different daemon, called odhcpd. To set the dns servers it suggests run:

uci add_list dhcp.odhcpd.dns='$DNSSERVER $DNSSERVER'

This overrides any ISP-suggested servers by default.

$DNSSERVER is any dns server, the list is separated by spaces. Do the usual uci commit and reload the config file once you're satisfied.

Note that you can set an ipv4 server for dhcpv6 and an ipv6 server for dhcp, the dns protocol is the same, but if you serve an ipv6 dns on a dhcp network with no ipv6 then your dhcp server is serving a broken config, the same applies for ipv4 on a dhcpv6 network assuming we do one day drop ipv4. So I recommend you stick to ipv6 dns servers on dhcpv6 and ipv4 dns servers on dhcp to avoid trouble.

By the way I personally recommend you use dnscrypt-proxy on your router and run the router as a DNS server, or if your router is too low end for that then run the dnscrypt-proxy right on your computer. Though if you have normalfags in your network and a weak router you can at the very least do this to give them opennic servers instead of NSA ones.


 No.1064988


>>1060207

Don't do that.

Instead use tor as a SOCKS5 proxy for dnscrypt-proxy and give it some generous caching.

That way you have non-cianigger client-encrypted DNS over an anonymous transport.


 No.1065441

What is the point of running DNS over the Tor network if the browsing you do is not through Tor as well? Your ISP can tell which IPs you connect to and it is trivial to do reverse DNS lookups. What is the benefit of adding Tor instead of only using dnscrypt? Only reason I can think of is anonymity from the person(s) running the DNS server.


 No.1065576>>1065598


my government/isp has banned all chans and lewd sites so i have to use a vpn every time.

i've tried dnscrypt-proxy with my gentoo and lfs install exactly like how the repo's wiki says but no dice. it doesn't unblock anything, it just resolves the sites i'm able to access with the botnet nameservers anyways.

anything else i can try other than being stuck with vpn?


 No.1065598>>1065599

>>1065576

You need to disable the SNI header of your TLS handshakes. To do that install libressl and remove SNI in the source code of the library.

SNI is an unencrypted handshake with the URL you are trying to access and that's how they block you even though your dns is encrypted. South Korea was famous for this. Don't use encrypted SNI because it has the same issues as regular SNI.

SNI was originally so you would trust a domain with a single certificate for subdomains. So say you wanted to access google.myporn.net, with SNI you only need to trust Google's certificate for that subdomain. But without SNI you have to have two certificates, one for google.net and one for google.myporn.net.

SNI is just a shitty backdoor and needs to be removed. Don't use websites using said technology because they intentionally make all their subdomains use the same certificate thereby making it easier to decrypt the traffic. Instead of finding multiple private keys to decrypt all you need is a single key for all subdomains to decrypt.

TLDR; Don't use SNI in any form and remove it at the source code level.


 No.1065599

>>1065598

The reason you can access it with VPN is because all your ISP/government sees is the SNI for the VPN, the SNI for the website you access is encrypted using the VPN tunnel. But why let the government/ISP block your VPN based on SNI too? Just remove SNI altogether.


 No.1072230>>1072258

>>1055415

An important thing is that you need to be able to trust the DNS provider to provide the actual IP addresses corresponding to the domain names you query. Why would you trust some random entities with that? Would you install root certificates from random entities just based on their claims to be trustworthy?


 No.1072258

>>1072230

It's a nice thought, but what do you propose to get away from dns? Someone's gotta map those names to ip addresses. Is it stored locally? What happens when an that's stored is old or out of date?


 No.1072267>>1072270 >>1072283 >>1072484

I run my own unbound DNS server in forwarding mode.

I use a number of DNS-over-TLS providers with a random access to them (unbound does this by default).

Here's my forward section:

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-addr: 8.8.8.8@853#dns.google
forward-addr: 8.8.4.4@853#dns.google
forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
forward-addr: 146.185.167.43@853#dot.securedns.eu
forward-addr: 80.241.218.68@853#fdns1.dismail.de
forward-addr: 46.182.19.48@853#dns2.digitalcourage.de

#hostname combined with a fact that you have latest openssl (maybe libressl too, idk) after the address enables a secure TLS session.

Though I find that putting Tor as a default proxy for everything is surprisingly painless as far as my Web usage is concerned.


 No.1072269>>1073431

>>1052081

What kind of hosts file does that? All I know of is Steven Black, and that one just filters domains, not provides them. Isn't that, in essence, what a DNS is?


 No.1072270>>1072272

>>1072267

I used to use Tor really frequently, but it made clearnet usage hard, especially when paying bills and stuff. Google's captcha straight-up blacklisted me because my "ISP flagged this IP as suspicious". God, fuck that.


 No.1072272>>1072273 >>1072282

>>1072270

I think it makes little to no sense to use Tor when paying RL-tied bills and do other essentially non-anonymous.

Google Captcha is just shit and I avoid it as much as I can. I literally can fail it 10 times over, this is no fucking joke.


 No.1072273

>>1072272

>and do other essentially non-anonymous

*and doing other essentially non-anonymous stuff


 No.1072282

>>1072272

>10 times

Oh, those are rookie numbers. I've literally spent dozens of minutes solving captchas only to be rejected at the end. I'd show proof, but I don't feel like wasting my evening. In the end, I have to pay my bills online. If not out of practical necessity then simply out of principle for the fact that not everyone can go to a brick and mortar place for every service; thus, captcha is a horrible necessity that I have to confront every time I manage my insurance, banking, services. It's fucking awful, and no one should have to tolerate ISPs strong-arming you into capitulating simple liberties. It's fucked. It's so fucked.


 No.1072283>>1072287 >>1072290 >>1072292

>>1072267

Try unbound+dnscrypt-proxy

unbound.conf configuration:

forward-zone:
name: "."
forward-addr: 127.0.0.1@5353

dnscrypt-proxy.toml configuration:

listen_addresses = ['127.0.0.1:5353', '[::1]:5353']
doh_servers = false
require_dnssec = true
require_nolog = true
cache = false

I've tried proxying this setup through Tor and even if you disable UDP and max out timeouts it doesn't work, though.


 No.1072287>>1072290

>>1072283

I don't like the idea of using Dnscrypt because using it doesn't hide the fact you have a Dnscrypt session and thus it's more easily intercepted. Now, having a DoT over a standard port 853 also does us not much good, but I think it's just stronger hiding. Unfortunately, in general TLS connection is probably more prone to attacks, but the hope is the TLS implementation on both sides is secure, and I really LIKE the idea of a single-point reliable encryption, since that would mean I should care only about one point of failure. I wouldn't mind to nest Dnscrypt session inside a TLS session though.

>I've tried proxying this setup through Tor and even if you disable UDP and max out timeouts it doesn't work, though.

I don't know how DNS over Tor is supposed to work exactly. Like, you could proxy any requests through it, I guess, but that's not how applications request it if they use Tor as a SOCKS proxy with DNS enabled. The DNS over SOCKS is a separate protocol entirely. Right now I don't have any web requests in my unbound log because it all gets fed to Tor client.


 No.1072290>>1072291

>>1072287

Use dnscrypt through a meek tor bridge. Problem solved.

>>1072283

Block all UDP at the firewall level and put this in unbound.conf


server:
interface: 127.0.0.1
interface: ::1
port: 53
num-threads: 4
logfile: "/etc/unbound/unbound.log"
domain-insecure: "onion"
private-domain: "onion"
do-not-query-localhost: no
local-zone: "onion." nodefault

forward-zone:
name: "onion"
forward-addr: 127.0.0.1@5353
forward-zone:
name: "."
# 127.0.0.1 is DNSCrypt's --local-address; 40 is the port DNSCrypt is using, which is probably either 40 or 53
forward-addr: 127.0.0.1@40

dnscrypt-proxy.toml


proxy = "socks5://127.0.0.1:9050"
listen_addresses = ['127.0.0.1:40', '[::1]:40']

And like that you can dnscrypt-proxy through tor. Unbound forwards onion addresses to tor's normal dns port and sends everything else to dnscrypt-proxy. dnscrypt-proxy then sends everything over a socks5 proxy port which is just tor and just werkz. Remember to put in your torrc

>SocksPort 9050


 No.1072291

>>1072290

It should go without saying that resolv.conf should point to 127.0.0.1:53 as to send everything to unbound for sorting.


 No.1072292

>>1072283

That's because glowniggers nodes filter dnscrypt traffic on port 53 by default. Stop using glownigger nodes and stop sending your dns over tor over port 53 you stupid fuck.


 No.1072450

im using cuckflare rn. I had to change my dns.


 No.1072453

https://freedns.afraid.org

Website looks old, so that means it's either good because it's K.I.S.S. or that it's old unmaintained crap.


 No.1072484>>1072498

>>1072267

Thanks for this. I've been deciding whether to set up unbound on my laptop, and initially decided against it since I only knew about google and cloudflare's servers for DoT. I'm now using securedns.eu's server, which is fast enough that I barely notice any slowdown. Just to add for anyone considering it, you must also include:

>tls-cert-bundle: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

This requires installing the 'ca-certificates' package on GNU/Linux, which is most likely installed already.


 No.1072498

>>1072484

Oh, yeah, totally forgot, pointing at your trusted cert bundle is a must for TLS to work at all. It's just it's not in the forward section, whoops.

That path is distro specific BTW.

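A check for the two settings the unbound posts above call out (the `#hostname` after each forward address and a configured certificate bundle), as an added example that no poster wrote: it parses an unbound.conf and reports forward zones whose DNS-over-TLS upstreams cannot be authenticated. The addresses and the bundle path are taken from the thread; the weak config with its omissions is constructed, and the function names and finding labels are hypothetical.

```python
import re


def parse_unbound(text):
    """Parse unbound.conf text into (server options, list of forward zones)."""
    server, zones, section, zone = {}, [], None, None
    for raw in text.splitlines():
        # '#' starts a comment only at the start of a token; inside
        # "addr@port#name" it is part of the value and must be kept.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                            # section header such as "server:"
            section, zone = key, None
            if key == "forward-zone":
                zone = {"name": "", "tls": False, "addrs": []}
                zones.append(zone)
        elif section == "server":
            server[key] = value
        elif zone is not None:
            if key == "name":
                zone["name"] = value
            elif key in ("forward-tls-upstream", "forward-ssl-upstream"):
                zone["tls"] = value == "yes"
            elif key == "forward-addr":
                zone["addrs"].append(value)
    return server, zones


def audit_dot(text):
    """Return (zone, upstream, finding) tuples for weak DoT forwarding settings."""
    server, zones = parse_unbound(text)
    has_trust = (bool(server.get("tls-cert-bundle"))
                 or server.get("tls-system-cert") == "yes"
                 or server.get("tls-win-cert") == "yes")
    global_tls = "yes" in (server.get("tls-upstream"), server.get("ssl-upstream"))
    findings = []
    for z in zones:
        if not (z["tls"] or global_tls):
            findings.append((z["name"], "*", "plaintext"))       # queries leave unencrypted
            continue
        if not has_trust:
            findings.append((z["name"], "*", "no-trust-store"))  # no CA certs to verify with
        for addr in z["addrs"]:
            host, _, auth_name = addr.partition("#")
            if not auth_name:
                findings.append((z["name"], host, "no-auth-name"))  # cert name not checked
    return findings


# Constructed weak config: no certificate bundle, one upstream without '#name'.
WEAK = """
server:
interface: 127.0.0.1
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 91.239.100.100@853   # auth name left out on purpose
"""

# Corrected config: bundle path as given in the thread (distro specific).
FIXED = """
server:
interface: 127.0.0.1
tls-cert-bundle: "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_dot(conf))
```
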

 No.1072990>>1073000

OpenNIC

p

e

n

N

I

C


 No.1073000>>1073101

>>1072990

or Quad Nine


 No.1073101

>>1073000

>cisco

>ibm

BIG yikes


 No.1073431

>>1072269

>filters domains, not provides them.

It doesn't. Hosts translates domain names into IPs. And that's literally what DNS does. Hosts file is just your local DNS, similar to DNS cache.

>Steven Black

Adblocking hosts files just translate ad domains into 0.0.0.0. You're not forced to do so. You can translate a domain into whatever IP you want.

You can log your network's DNS requests for a month on your router, phone or rPi and just use that as your hosts file. Look into how to make an rPi your DNS.



