quad9 is privacy focused and supports both DNS-over-HTTPS and DNS-over-TLS.
this post was submitted on 15 Mar 2021
32 points (100.0% liked)
Privacy
33462 readers
484 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
I just set up Pi-hole / unbound on a raspberry pi zero w:
https://docs.pi-hole.net/guides/dns/unbound/
It’s not too difficult. All you need is the raspberry Pi zero W and a microSD card. You can power it via USB. You don’t even need to connect a monitor / keyboard for set up.
Does it not depend on other DNS provider or does it itself?
No, it doesn’t depend on another DNS provider.
Unbound requests DNS from authoritative root DNS providers so it doesn't depend on third party provider like Cloudflare, Google, Quad9.
So Unbound skips the conventional DNS provider and goes straight to the TLD servers? Do the TLD servers themselves all have DoH or will anyone listening upstream of the network still be able to sniff the queries for what domains you're accessing? In fact wouldn't you stick out like a sore thumb as someone who isn't a DNS provider querying TLD servers?
Yes that's how DNS resolution works. Any DNS resolver can either query another resolver (most commercial internet routers will query your ISP's resolver), or resolve the domain name themselves by querying DNS servers from right to left in the domain name.
For example, querying lemmy.ml involves:
- querying ICANN root servers for
mlDNS servers - querying
mlDNS servers forlemmy - querying
lemmyDNS servers for an IP address to connect to
Recursive resolution is a feature of the DNS system which ensures distribution of power among actors, so a single bad actors, even when very high in the hierarchy, can't have too much negative impact further down the chain. For example, if root servers are compromised, they couldn't stop lemmy.ml from resolving: they could stop the whole of ml from resolving (because ml is part of the zone they have authority for) but nothing more. This aspect of DNS limits temptation of censorship.
Wouldn't it still be plaintext though? Someone upstream the network (namely your ISP) datamining your network traffic would still be able to tell which domains you're requesting, right?
Short answer, yes. But Authoritative DNS over TLS (ADoT) is being standardized for encrypting resolver-to-authority queries.
Does Unbound support this already?
I've been using NextDNS for the past few months, and it's pretty great. It's listed on privacytools.io, is affordable, and has a plethora of options/filters. They've got great guides for using their DNS on quite literally any platform.
https://servers.opennicproject.org
Check there some.
I was wondering. Does opennic support icann root servers?
OpenNIC is an alternative root, so besides what @[email protected] said, you can configure any DNS resolver to serve both ICANN and OpenNIC roots. That's because they don't have conflicting top-level domains. If for example both claimed they were responsible for .lemmy then your resolver would have to choose who to consider responsible for it.
OpenNIC Tier 2 servers (the common ones used) are slave servers of OpenNIC Tier 1 servers (the root servers of OpenNIC) for the OpenNIC zones and these Tier 2 and Tier 1 servers make direct requests to ICANN root servers on theirselves.
There's a lot more than that, but here's a quick list compiled from filtering suspicious actors (for-profit etc..) from privacytools:
- applied-privacy.net (DoH, DoT)
- libredns.gr (DoH, DoT)
- nixnet.services (DoH, DoT)
- snopyta.org (DoH, DoT)
- uncensoreddns.org (DoH, DoT)
- blahdns.com (DoH, DoT, DoQ)
Not sure about PowerDNS and Quad9 because they appear shady from the outside but they may be options as well.
AdGuard, Quad9, Uncensored DNS, Tenta
This is controversial because they are "big bad" companies. But in some cases I think that is a plus because they have some responsibility to do as they say.
- Use a resolver that is a part of Mozilla's Trusted Recursive Resolver Program. Mozilla makes them agree to a solid privacy policy: https://wiki.mozilla.org/Security/DOH-resolver-policy#Conforming_Resolvers
- Google DNS. Obviously controversial but their privacy policy is very good. They keep "full" logs for at most 48 hours and only for debugging purposes.
The major concern for all of these is that they are allowed the keep anonymized logs forever. This means that if the hostname itself it sensitive then it can be recorded forever. (For example if you have "secret" subdomains).
The other option is running your own recursive resolver, this mostly nullifies the private subdomain issue as only the authoritative server will see it (other than network snoopers) however this has very real downsides.
- It exposes your IP address to many authoritative servers with no guarantees about the logs they keep.
- It can be slow as there is no shared cache.
- Requests from your resolver to the internet are not encrypted.
Disclaimer: I used to work at Google (but not on Google Public DNS) and have no affiliation with other named or referenced companies.
Telling people on privacy communities to use Google products is closest to the worst advice you can give, atleast as far as this century timeline is concerned.
Just because it is not the advice that is expected does not make it bad advice. Obviously these names have some questionable behaviours but in this case they often have separate privacy policies for their DNS services (or the Mozilla endpoint for their DNS services) which makes it much better than the other Google products which are lumped behind a single privacy policy which isn't very privacy friendly.
Unfortunately it is impossible to know for sure they are complying with the privacy policy, but this applies to all providers, no matter how large or what businesses they have other than providing DNS. So while you shouldn't blindly follow some random post on the internet you should may give these providers a second look-over and consider that these large companies have some privacy benefits if their privacy policy is accurate.
Hello, i'm sorry you had to personally be downvoted for Google's misbehavior. I may have disagreements with your (past?) ethics/politics (i genuinely hope you can sleep at night after working for Google/Instacart) but i checked out your blog and there's some cool stuff on there so i'm taking a minute to answer :)
Unfortunately it is impossible to know for sure they are complying with the privacy policy, but this applies to all providers
That is precisely why we should evaluate the trust we place in a given actor who provides us with services. In the case of Google, i give it exactly 0/20. But to be honest, it's not just Google, any for-profit entity gets 0/20 because our interests are fundamentally opposed: making money to survive in this capitalist hell is something we all have to do (and we all get our hands dirty to some extent, i'm not here to judge), but making money as a collective goal is guaranteed to have bad outcomes for everyone (except the shareholders, because these vampires always find a way to survive).
When money is made in a non-profit settings with equal pay for everyone and full transparency on goals and funds, then the interests of the association/cooperative don't have to be opposed to ours as end-users. I'd rather donate for services from a non-profit who'll still be around for at least a decade (like Framasoft) than place my trust blindly in a commercial actor who's part of the system ruining everyone's lives and destroying the environment, and i think the same goes for a lot of people here.
Google is pretty much part of the military industrial complex by now, and has been acting against the interest of users/humanity for well over a decade. They're also collaborating with governments and copyright holders across the globe to take down content and imprison people (i'm NOT talking about child pornography here). Also, the centralized model of Internet and surveillance they promote is directly responsible for ecological damage: Internet without trackers wouldn't require so much resources both client and server side.
Google do not deserve a new chance, ever again. All that's left to do with Google (or any private company for that matter) is to burn it down in opposition (as people in Berlin's Kreuzberg neighborhood have done) and/or walkout (as Google employees themselves have done). We're better off building alternatives on our own, and you're welcome to help! :)
Feel free to check out libreho.st, chatons.org and tildeverse.org for example lists of non-profit service providers who may need help developing/integration/deploying services. Take care
I am not sure you will understand, so I will just excuse myself. You clearly know everything.
Edit: seems you are a true redditor, downvoting as revenge for disagreement
He was making a good point. Huge multinationals often have departments with wildly different behaviors/policies. These departments are often in conflict with one another, or don't know so much about one another. I agree with you trusting anything remotely associated to Google is utterly stupid when it comes to privacy, but the argument exposed was not stupid.
It was in fact solid insider's advice, to know to exploit differences between branches of a given tentacular company in some circumstances. For example, Debian's cooperation with Lenovo for better hardware support is in fact a collaboration with a specific department within Lenovo, and has a lot of blocking points from other departments.
EDIT: Also another good point was that selfhosting services (eg. services just for "me") often leaks more metadata than using shared services which other folks connect to as well.
You have no idea what you are dealing with, with these CIA/DARPA shell entities. These are not multinationals randomly built out of a drive for capitalism, but meant to bring upon us a dystopia worse than any nightmares you have seen or heard.
He thinks the laws made up for these shell entities via lobbying and governmental hgemonic interests are actual laws and protocols that are made to protect our interests. They are not. He is too realistic and obedient to believe all this crap.
I may sound delusional, perhaps conspiratorial, but everything continues to unfold before us and so many people like him keep denying it. I have no idea why I am doing what I am doing, and yet I can tell there is more than just a world domination goal. They want to render us hopeless.
I can tell there is more than just a world domination goal
You do sound slightly conspirational and delusional. Of course people are gonna fuck up other people, because that's precisely what capitalism is about, and we're conditioned from a very young age to feed into this narrative.
However, a lot of people try to avoid such dynamic, even in big evil corporations. Spitting on the face of these precise people is not gonna help anyone :)
Condemnation is the essential sign of resistance against status quo. I am not a capitalist.
If I read between the lines and see conspiracies, then others are too obedient realists.