ORSN DNS servers vs OpenNic

What are the best DNS servers to use for privacy? I have been using OpenNic Project servers, which don't do logging, but recently found out about the Open Root Server Network (ORSN) and have been considering using them as well. Does anyone have any thoughts, positive or negative, about either of these? Are there better public DNS servers to use?

Thanks
Chuck

-- 
The Right-To-Know Law provides that most e-mail communications, to or from Lebanon Public Libraries employees regarding the business of the library, are government records available to the public upon request. Therefore, this e-mail communication may be subject to public disclosure.

I use:

nameserver 204.152.184.76
nameserver 194.150.168.168
nameserver 213.73.91.35
nameserver 8.8.8.8

works fine. Google as gateway of last resort :)

niftybunny

Where ignorance is bliss, 'Tis folly to be wise.
Thomas Gray

On Fri, 4 Aug 2017 16:18:23 +0200 niftybunny <abuse@to-surf-and-protect.net> wrote:
I use:
nameserver 204.152.184.76
nameserver 194.150.168.168
nameserver 213.73.91.35
nameserver 8.8.8.8
works fine. Google as gateway of last resort :)
A common gotcha: only the first three will be used, the rest are apparently ignored. `man resolv.conf`:

    Up to MAXNS (currently 3, see <resolv.h>) name servers may be listed, one per keyword.

-- 
With respect,
Roman

On Fri, Aug 4, 2017 at 3:18 PM, niftybunny <abuse@to-surf-and-protect.net> wrote:
I use:
nameserver 204.152.184.76
nameserver 194.150.168.168
nameserver 213.73.91.35
nameserver 8.8.8.8
works fine. Google as gateway of last resort :)
I'd also add 77.88.8.8 (https://dns.yandex.ru) and 80.80.80.80 (http://freenom.world) to the list.

What do you think about the following configuration?

Tor -> DNS cache -> 1. Your own recursive DNS resolver
                    2. (if it fails) Your ISP's DNS resolver
                    3. (if it fails) Open DNS servers (maybe a random one of them?)
-- 
Best regards,
Boris Nagaev

On 4. Aug 2017, at 18:43, Nagaev Boris <bnagaev@gmail.com> wrote:
What do you think about the following configuration?
Tor -> DNS cache -> 1. Your own recursive DNS resolver
                    2. (if it fails) Your ISP's DNS resolver
                    3. (if it fails) Open DNS servers (maybe a random one of them?)
Try it out and please tell us in a few weeks how it is going.

Btw, there are a lot of big ISPs that use Google DNS by default ... I am looking at you, DigitalOcean, OVH and resellers etc. ... As a German subject I trust the CCC and their DNS servers. They are a pain in the ass to our government ....

niftybunny

“Cheery was aware that Commander Vimes didn't like the phrase 'The innocent have nothing to fear', believing the innocent had everything to fear, mostly from the guilty but in the longer term even more from those who say things like 'The innocent have nothing to fear'.”
― Terry Pratchett, Snuff

If I remember the following paper correctly, the best case scenario would be for each exit to run its own DNS resolver. You should read it and make sure I remember correctly ;)

https://freedom-to-tinker.com/2016/09/29/the-effect-of-dns-on-tors-anonymity...
https://nymity.ch/tor-dns/tor-dns.pdf

Matt

I got lots of "[WARN] eventdns: All nameservers have failed" with my own DNS server. With the 4 DNS servers I posted here a few minutes ago, I never saw this warning again.

niftybunny

“Cheery was aware that Commander Vimes didn't like the phrase 'The innocent have nothing to fear', believing the innocent had everything to fear, mostly from the guilty but in the longer term even more from those who say things like 'The innocent have nothing to fear'.”
― Terry Pratchett, Snuff

Check this list and choose the ones with the lowest ping from your node: https://www.lifewire.com/free-and-public-dns-servers-2626062

Make sure to avoid DNS servers marketed as "secure" (for example, do NOT use "Comodo Secure DNS") since they perform arbitrary censorship/redirection. Also, do not use Google as it already sees 30% of all Tor exit traffic.

On your node, run dnsmasq with a large (10000) cache as a fast and secure alternative to running a full DNS server. That can prevent some DNS-based timing attacks.

On Fri, Aug 4, 2017 at 7:29 AM, niftybunny <abuse@to-surf-and-protect.net> wrote:
I got lots of "[WARN] eventdns: All nameservers have failed" with my own DNS server. With the 4 DNS servers I posted here a few minutes ago, I never saw this warning again.
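A way to test the "redirection" point from Igor's message before trusting an upstream resolver, as an added example that is not from the thread: ask the server for a name that cannot exist and see whether it answers NXDOMAIN honestly or hands back an address. The classifier below works on the text `dig +noall +comments +answer` prints, so it can be exercised offline on a constructed reply; `probe_resolver` is the network wrapper and needs `dig`. The random label under `.com` and the address 198.51.100.7 in the constructed reply are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): detect resolvers that rewrite NXDOMAIN
# into an answer. An honest resolver replies NXDOMAIN with no answer records for
# a name that does not exist; a rewriting one replies NOERROR plus an A record.

# classify_dig_output
#   reads "dig +noall +comments +answer" output on stdin and prints one of:
#     clean                NXDOMAIN, no answer records
#     redirected           NOERROR with one or more A/AAAA answers for a bogus name
#     unexpected:<status>  anything else (SERVFAIL, no reply at all, ...)
classify_dig_output() {
    awk '
        /^;; ->>HEADER<<-/ {
            # the header line carries "status: NXDOMAIN," (note the trailing comma)
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        # answer-section lines: <name> <ttl> IN <type> <rdata>; comments start with ";"
        !/^;/ && NF >= 5 && ($4 == "A" || $4 == "AAAA") { answers++ }
        END {
            if (status == "NXDOMAIN" && answers == 0) print "clean"
            else if (status == "NOERROR" && answers > 0) print "redirected"
            else print "unexpected:" (status == "" ? "no-reply" : status)
        }'
}

# probe_resolver SERVER
#   asks SERVER for a random 16-hex-char label under .com (a TLD without a
#   wildcard, so the name is as good as guaranteed not to exist) and classifies
#   the reply. Needs dig and network access; not exercised by the demo below.
probe_resolver() {
    label=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    dig @"$1" +noall +comments +answer +time=3 +tries=1 "nx-$label.com" A 2>/dev/null |
        classify_dig_output
}

# Constructed dig output (no network): what a rewriting resolver hands back
constructed_reply=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
nx-0badc0de.com.    60    IN    A    198.51.100.7'
printf '%s\n' "$constructed_reply" | classify_dig_output   # redirected

# To probe every upstream in /etc/resolv.conf (network required):
#   awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf |
#       while read -r ns; do printf '%s: %s\n' "$ns" "$(probe_resolver "$ns")"; done
```

A resolver that reports `redirected` here will also rewrite typos and blocked names for every Tor client behind the exit, which is why the thread warns against the "secure" offerings; `unexpected:SERVFAIL` from a validating resolver is the normal result for a name whose zone fails DNSSEC, not a sign of rewriting.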

On 5 Aug 2017, at 00:29, niftybunny <abuse@to-surf-and-protect.net> wrote:
I got lots of "[WARN] eventdns: All nameservers have failed" with my own DNS server. With the 4 DNS servers I posted here a few minutes ago, I never saw this warning again.
Apparently this warning happens when you have one DNS server in response to malformed requests (like ".foo.bar").

I would not be too concerned about it if it's followed by:
"[notice] eventdns: Nameserver IP:53 is back up"

We'll try to work out what's happening and downgrade the warning in these cases:
https://trac.torproject.org/projects/tor/ticket/23113

For client privacy and performance, it's best to have a local cache or caching resolver first in the list.

For reliability, it's best to have another two entries in the list on unrelated infrastructure (for example, one at the ISP, and one elsewhere).

T

-- 
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
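A check that covers both Roman's MAXNS gotcha and teor's ordering advice above, as an added example that is not from the thread: a POSIX shell script that reads a resolv.conf-style file, prints the nameservers glibc will actually honour (at most MAXNS = 3, as in the `man resolv.conf` text Roman quotes; the cap is glibc's, and the example checks the file as glibc reads it), and reports entries beyond that cap, a first entry that is not a loopback address (no local cache or caching resolver in front), or fewer than three entries (no fallback). The sample file is constructed here from the four addresses in niftybunny's list; treating only 127.0.0.0/8 and ::1 as "local" is this example's own simplification.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a resolv.conf-style file
# against two points made in the discussion:
#  - glibc honours at most MAXNS (3) "nameserver" lines; the rest are ignored
#  - a local cache/caching resolver should be first, with two more entries
#    on unrelated infrastructure behind it
MAXNS=3

# effective_nameservers FILE
#   prints the nameserver addresses glibc will actually use, in file order
effective_nameservers() {
    awk -v maxns="$MAXNS" '
        $1 == "nameserver" && NF >= 2 { if (++n <= maxns) print $2 }
    ' "$1"
}

# resolv_conf_findings FILE
#   prints one finding per line, or "ok" when there is nothing to report:
#     ignored:<addr>          entry beyond MAXNS, silently dropped by glibc
#     first-not-local:<addr>  first entry is not a loopback address
#     too-few:<n>             fewer than MAXNS entries (nothing to fall back to)
#   exit status 0 when ok, 1 otherwise
resolv_conf_findings() {
    awk -v maxns="$MAXNS" '
        $1 == "nameserver" && NF >= 2 {
            n++
            if (n == 1) first = $2
            if (n > maxns) { print "ignored:" $2; bad = 1 }
        }
        END {
            # loopback only: 127.0.0.0/8 or ::1 (where a local cache listens);
            # simplification for this example
            if (n > 0 && first !~ /^127\./ && first != "::1") {
                print "first-not-local:" first; bad = 1
            }
            if (n < maxns) { print "too-few:" n+0; bad = 1 }
            if (!bad) print "ok"
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: the four-entry list from the thread, no local resolver first
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed resolv.conf for the example
nameserver 204.152.184.76
nameserver 194.150.168.168
nameserver 213.73.91.35
nameserver 8.8.8.8
EOF
echo "used by glibc:"; effective_nameservers "$sample"
echo "findings:";      resolv_conf_findings "$sample" || true
rm -f "$sample"
```

On the sample the script reports `ignored:8.8.8.8` (the "gateway of last resort" is never consulted by glibc) and `first-not-local:204.152.184.76`; a file reading `127.0.0.1`, then an ISP resolver, then one elsewhere comes back `ok`.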

I use pure IPv6 on a bind caching nameserver:

2001:4860:4860::8844;
2001:1608:10:25::1c04:b12f;
2600::1;

Considering the throughput of my exit node and the amount of DNS cached, I'm not leaking as much as you might expect.

On Fri, Aug 4, 2017 at 2:38 PM, teor <teor2345@gmail.com> wrote:
On 5 Aug 2017, at 00:29, niftybunny <abuse@to-surf-and-protect.net> wrote:
I got lots of "[WARN] eventdns: All nameservers have failed" with my own DNS server. With the 4 DNS servers I posted here a few minutes ago, I never saw this warning again.
Apparently this warning happens when you have one DNS server in response to malformed requests (like ".foo.bar").
I would not be too concerned about it if it's followed by: "[notice] eventdns: Nameserver IP:53 is back up"
We'll try to work out whats happening and downgrade the warning in these cases: https://trac.torproject.org/projects/tor/ticket/23113
For client privacy and performance, it's best to have a local cache or caching resolver first in the list.
For reliability, it's best to have another two entries in the list on unrelated infrastructure (for example, one at the ISP, and one elsewhere).

On 08/04/2017 04:11 PM, Chuck McAndrew wrote:
What are the best DNS servers to use for Privacy? I have been using
Look into [1]. Therefore I decided to use the DNS of my AS. Because the AS does already see my IP, there's no need to involve a third party in getting IP info too. And I used dnsmasq to use DNSSEC; my configuration notes are in [2].

[1] https://nymity.ch/tor-dns/
[2] https://zwiebeltoralf.de/torserver.html

-- 
Toralf
PGP C4EACDDE 0076E94E

On my LAN I'm using Unbound, forwarding all requests to "root servers". I've read it's not really cool for a high traffic server, to preserve those root servers...? But for home, I think it's perfect.

For an exit, why not also use a DNS cache as Igor said, maybe less aggressive for the root servers?:

    On your node, run dnsmasq with a large (10000) cache as a fast and secure alternative to running a full DNS server. That can prevent some DNS-based timing attacks.

Is it a good idea to use those root servers? I'm not 100% sure about requests because of MITM attack, but better than GoogleDNS?

On 6 Aug 2017, at 02:57, Petrusko <petrusko@riseup.net> wrote:
On my LAN I'm using Unbound, forwarding all requests to "root servers".
I've read it's not really cool for a high traffic server, to preserve those root servers...? But for home, I think it's perfect.
For an exit, why not also use a DNS cache as Igor said, maybe less aggressive for the root servers?:
On your node, run dnsmasq with a large (10000) cache as a fast and secure alternative to running a full DNS server. That can prevent some DNS-based timing attacks.
Is it a good idea to use those root servers? I'm not 100% sure about requests because of MITM attack, but better than GoogleDNS?
Using a caching, recursive resolver should be fine. (Then the root servers only answer queries for top-level domains.)

T

-- 
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org

So Unbound looks nice for these features ;) Easy to set up on a Linux/Windows box as a server, it can be used on localhost when connecting to unknown wifi... low memory/cpu usage. It's been used every day for home/work since a long time ago... surf, etc...

teor:
Using a caching, recursive resolver should be fine. (Then the root servers only answer queries for top-level domains.)
-- Petrusko C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
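The two resolver setups the thread ends up recommending, written out as an added example that is not from the thread or from any of the participants' own configurations: a caching recursive Unbound on loopback (teor's and Petrusko's approach, iterating from the root hints itself with no forwarder, so no third-party resolver sees the exit's queries) and, as the alternative Igor and Toralf describe, a dnsmasq forwarding cache with a 10000-entry cache and DNSSEC validation in front of upstreams you choose, plus the resolv.conf that puts the local resolver first. The trust-anchor file paths are Debian's and are an assumption; the upstream addresses 192.0.2.53 and 198.51.100.53 are RFC 5737 documentation addresses standing in for an ISP resolver and one elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): write the resolver configurations the
# discussion recommends for a Tor exit.
#   write_unbound_conf FILE              caching *recursive* resolver: iterates from
#                                        the root hints, no forwarder
#   write_dnsmasq_conf FILE UPSTREAM...  caching *forwarder* with a large cache,
#                                        forwards misses to UPSTREAM, validates DNSSEC
#   write_resolv_conf  FILE ISP OTHER    local cache first, then two unrelated fallbacks
# Trust-anchor paths below are Debian's (assumption); adjust for your distribution.

write_unbound_conf() {
    cat > "$1" <<'EOF'
server:
    # only Tor on this box may ask; eventdns talks to 127.0.0.1:53
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    do-ip6: yes
    # no forwarder: resolve from the root hints, so only the authoritative
    # servers for each name see the query; qname minimisation limits even that
    qname-minimisation: yes
    # assumption: Debian path, maintained by unbound-anchor
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    use-caps-for-id: yes
    # cache sizing for an exit: keep hot names resident and refresh them early
    msg-cache-size: 128m
    rrset-cache-size: 256m
    prefetch: yes
    prefetch-key: yes
    num-threads: 2
    outgoing-range: 4096
    num-queries-per-thread: 2048
    # privacy: no query logging, no identity/version leaks
    log-queries: no
    hide-identity: yes
    hide-version: yes
EOF
}

write_dnsmasq_conf() {
    file="$1"; shift
    {
        printf '%s\n' \
            'listen-address=127.0.0.1' \
            'bind-interfaces' \
            'no-resolv' \
            'strict-order' \
            'cache-size=10000' \
            'dnssec' \
            'conf-file=/usr/share/dnsmasq-base/trust-anchors.conf' \
            'dnssec-check-unsigned'
        # one server= line per upstream; strict-order makes dnsmasq try them
        # in the order given instead of whichever answered fastest
        for up in "$@"; do printf 'server=%s\n' "$up"; done
    } > "$file"
}

write_resolv_conf() {
    printf 'nameserver 127.0.0.1\nnameserver %s\nnameserver %s\n' "$2" "$3" > "$1"
}

# demo into a scratch directory with constructed (RFC 5737) upstream addresses
out=$(mktemp -d)
write_unbound_conf "$out/unbound.conf"
write_dnsmasq_conf "$out/dnsmasq.conf" 192.0.2.53 198.51.100.53
write_resolv_conf  "$out/resolv.conf"  192.0.2.53 198.51.100.53
echo "wrote configs to $out"
```

Pick one of the two caches to listen on 127.0.0.1:53, not both. Run `unbound-checkconf` on the generated file before installing it, since the anchor path and the cache sizes are the parts most likely to need adjusting for your system; with the resolv.conf above, the two fallbacks only get queries when the local resolver is down, which is the ordering teor recommends.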
participants (10)
- Chuck McAndrew
- eric gisse
- Igor Mitrofanov
- Matt Traudt
- Nagaev Boris
- niftybunny
- Petrusko
- Roman Mamedov
- teor
- Toralf Förster