Hello,
I'm a student, so I lack many networking notions.
Which are the most privacy-reliable public DNS servers? I don't exactly know how to choose a third-party DNS server. I read that Cloudflare's servers are audited by third parties, but I'm not sure that I can trust that. Do you think that audit is trustworthy?
Thanks
The best option for DNS is doing DNS resolution yourself; the Tor relay guide wiki talks about how to do this on common Linux distros and FreeBSD:
https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#DNSonExitRelays
On 22/01/19 4:43 PM, dns1983@riseup.net wrote:
Sent from my Android device with K-9 Mail. Please excuse my brevity.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
OK. I think that I'll buy a new virtual server in an anonymous way, set up my DNS server and then use that server for my exit relays and my devices too. I just have to think about how to anonymize queries from my home network.
Thanks
On 22 January 2019 10:05:41 CET, Rose rosethorn@riseup.net wrote:
If you run Tor on your devices in your home network, you can use the option 'DNSPort <port>'. So, for example, if you set 'DNSPort 53' (the default port for DNS) and set your DNS to 127.0.0.1, you can make it so all your DNS queries go over Tor anonymously.
On 22/01/19 5:13 PM, dns1983@riseup.net wrote:
*the option should go in your torrc
On 22/01/19 5:26 PM, Rose wrote:
Ah, I didn't know it, obviously ;).
Thanks
On 22 January 2019 10:29:39 CET, Rose rosethorn@riseup.net wrote:
This is what I do:
My Tor exit node runs on its own, but I have a full caching bind server on a different VM. This services some domains I run, with ACLs to do regular DNS.
I use the following DNS servers:
2606:4700:4700::1111 -- Cloudflare
2001:1608:10:25::1c04:b12f -- https://dns.watch/
2600::1 -- Sprint
No individual DNS provider inspires me with amazing confidence; however, the caching server turns my bind instance into a pretty solidly constructed one.
1) I don't really think v6 snooping/monitoring is "there yet". Thin gruel, but still.
2) DNS doesn't go out the same stack in the case of v4 requests and doesn't go out the same IP for v6. Sure, you can associate to within the same /64, but that's just more effort any attacker would have to do.
3) I cache a LOT.
Check out these nameserver cache statistics:
services /var/log/named # grep -i cache stats
++ Cache Statistics ++
[View: internal (Cache: internal)]
251588520 cache hits
452018 cache misses
50306019 cache hits (from query)
63441802 cache misses (from query)
I cache a LOT.
Think of your threat model - what are you worried about? Is DNS really your concern?
On Tue, Jan 22, 2019 at 2:53 AM dns1983@riseup.net wrote:
In the threat model that I worry about, DNS is part of the problem. If a malicious entity can put DNS data together with other big data, it can increase its power and become a more dangerous threat.
But as I said, I lack many networking notions.
Anyway, I find the solutions you proposed to me very satisfying. Thank you very much.
Cheers
Ale
On 23/01/19 00:42, eric gisse wrote:
Adversaries can already see what IP addresses you are connecting to. Even though they can't see your DNS queries, they can easily just do a reverse DNS lookup on the IP addresses you connect to, to find out what you were doing.
On 23/01/19 2:32 PM, dns1983@riseup.net wrote:
Of course. But, as far as I know, you can host multiple domains on the same IP. So, in that case, if you only know the IP, you can't tell what domain I visit.
It's just that I don't understand why public DNS providers claim to improve privacy.
On 23/01/19 09:01, Rose wrote:
On Wed, 23 Jan 2019 11:23:50 +0100 dns1983@riseup.net wrote:
Of course. But, as far as I know, you can host multiple domains on the same IP. So, in that case, if you only know the IP, you can't tell what domain I visit.
If your adversary is able to catch your packets, then he's able to see packet headers, like source and destination IP addresses, and also the content of the packets. Although modern HTTPS traffic is encrypted, the very start of the TLS handshake isn't, so such an adversary can see the domain (the SNI[1] field in the ClientHello[2]) you connect to.
[1] https://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake
OK, I understood. So, for my purposes it's not useful to change DNS servers. I'll continue to use my ISP's DNS servers or those of my virtual server provider.
Thanks
On 23 January 2019 15:54:34 CET, Dmitrii Tcvetkov demfloro@demfloro.ru wrote: