DNS Services - Can We Get A List Going And Feedback?

Discussion in 'privacy technology' started by DasFox, Feb 6, 2012.

Thread Status:
Not open for further replies.
  1. addi6584
    Offline

    addi6584 Registered Member

    not sure what you're looking for specifically
    http://www.dnssec.net/
    http://www.opendns.com/technology/dnscrypt/
    http://unbound.net/

    all are documented quite well no?

    if you are concerned about your DNS queries being spoofed/hijacked, run your own dns servers. they will naturally wind up being faster and more secure that any 3rd party dns server which is why unbound was recommended. a recursive validating server that caches does a pretty great job of ensuring you are not being returned bs data. the more you use it (ie the more it caches) the faster it gets. unbound since it runs 100% from memory returns results from its cache faster than its possible for you to send it requests. its by far the fastest and one of the most secure dns servers you can run
    Last edited: Feb 19, 2012
  2. DasFox
    Offline

    DasFox Registered Member


    Sorry I wasn't clear, I'm just saying it would be nice to get a simplified break down explaining things to people..

    1. Why anyone would need a caching DNS resolver?
    2. Why should anyone even use these DNS, when their ISP provides?
    3. Why should we want DNSSEC?
    4. Do we need to be careful using any of them, because many are run by small organizations and individuals, so then trust possibly becomes an issue as well...

    And anything else I might of missed...

    I got the feeling when I posted this, everyone assumed everyone knows what this is all about...
  3. DasFox
    Offline

    DasFox Registered Member

    Well I just had someone tell me this recently;

    DNScrypt is a nice addition to DNS already secured by DNSSEC. DNSSEC solves more important security issues than DNScrypt.

    If you want to make your DNS more secure, I recommend using a DNSSEC validating DNS server first. Unbound for a static DNS server, or Unbound + DNSSEC-Triggerd for a mobile workstation, are very good solutions in this space. And you are not bound to DNS servers run by a single entity (OpenDNS).

    In case of DNScrypt and OpenDNS, ask "Cui Bono (http://en.wikipedia.org/wiki/Cui_bono)". Why is OpenDNS pushing this? Even though it is free, there might be a business reason behind it. Be careful about your data. Same reason why I would be careful using Google DNS server - 8.8.8.8.


    This really makes me sit up and think, about not using dnscrypt...

    But with these other choices being recommended above, does anyone know if these are solutions that can be applied on the single end-user for desktops and laptops?

    THANKS
  4. linuxforall
    Offline

    linuxforall Registered Member

    In my region Google DNS consistently beat others and thats why its my default.
  5. happyyarou666
    Offline

    happyyarou666 Registered Member

    ummm one question i got here , do i need this if i have a vpn?

    p.s: i use norton dns as my default dns as recommended by some wilders members by it being the safest dns?, on my router and os or should i go with something else?
    Last edited: Feb 28, 2012
  6. PaulyDefran
    Offline

    PaulyDefran Registered Member

  7. happyyarou666
    Offline

    happyyarou666 Registered Member

    i see so i should remove norton dns then or leave it set on my router ?

    btw dont get nothing with the dns leaktest and with dns oars everythings green , aka my ip is set to static in windows , hence why i dont have no leaks in the first place ;)
  8. DasFox
    Offline

    DasFox Registered Member


    I've never used a VPNs DNS...

    By the way found another DNS;

    http://proxydns.co/

    Also this is a great link;

    http://www.nlnetlabs.nl/

    I've been told by an expert in the field that Dnssec-Trigger is a good way to go for the personal computer user;

    http://www.nlnetlabs.nl/projects/dnssec-trigger/

    I'm really surprised there is not a lot more talk going on Wilders about DNS security, there's really a lot more to it then people realize and how DNS can also compromise your safety...
    Last edited: Mar 5, 2012
  9. popcorn
    Offline

    popcorn Registered Member

    Hi
    Forgive me if I misunderstand but I fought that if you use a VPN all DNS is routed through the tunnel to the VPN's providers DNS server.
  10. CasperFace
    Offline

    CasperFace Registered Member

    It depends. If you keep the virtual network adapter on its default setting (to configure DNS automatically) then your DNS requests will be resolved by whichever server(s) your VPN provider has delegated for you. The other option is to manually configure the settings in the virtual network adapter, which enables you to use a different set of DNS addresses of your choosing. Either way, all DNS requests will be routed through the tunnel.
  11. mirimir
    Offline

    mirimir Registered Member

    That's what you should expect, by default. But you can use any public DNS server, with everything rounted through the tunnel.

    Edit: What CasperFace said ;) In Linux, you just edit /etc/resolv.conf .
  12. popcorn
    Offline

    popcorn Registered Member

    ok thanks for clearing that up for me.
  13. DasFox
    Offline

    DasFox Registered Member

    This post going by the road and dying shows me people on Wilders do not understand the dangers and risks of using their own DNS or having DNS leaks in VPN situations where they are more concerned over privacy and many other matters to DNS hijacking and I'm not talking about Web Servers but on your computer...

    So people, we really need to keep this bumped and if you just don't know it yet then I highly recommend you start Googling around and looking into all this, then we might see a change in attitude towards DNS!

    This should also be at the TOP of your PRIVACY/SECURITY LIST! :)
  14. marktor
    Offline

    marktor Registered Member

  15. Snowden
    Offline

    Snowden Registered Member

  16. mirimir
    Offline

    mirimir Registered Member

    I get your point. But DNS is a huge and complicated issue, and few users (even privacy freaks) will likely get into it seriously.

    All reputable VPN providers push DNS servers, which should replace those specified for your regular network connection. Although VPN providers typically push DNS servers with private IP addresses, I suspect that they're usually just redirects to OpenDNS or whatever.

    But sometimes things don't work out as planned (especially on Mac, Linux and BSD machines). It's easy to check which DNS servers your machine is configured to use. On Windows, just run "ipconfig /all". On Linux, run "cat /etc/resolv.conf". On any OS, you can run the DNS nameserver spoofability test at -https://www.grc.com/dns/dns.htm . That will reveal which DNS servers you're using (and how vulnerable they are to Kaminsky-style spoofing).

    Whether you're using VPNs or not, some malware can reconfigure your machine to use its own DNS servers. Your web traffic would then get redirected to the attacker's servers. See -https://www.wilderssecurity.com/showthread.php?t=322523 for a timely example. You can check for that as described above.

    There's also the risk of leaking traffic (including DNS queries) when your VPN connection fails. You can prevent such leaks through routing and firewall rules. There's lots on Wilders about how to do that.

    A related issue is censorship. For example, the US DHS took down the hip-hop blog DaJaz1.com for over a year. They replaced its authoritative name servers with their own, which redirected traffic to the boilerplate "seized by ICE" page. Using custom DNS servers, it's possible to evade such takedowns. Indeed, there are custom DNS servers which are devoted to evading all sorts of Internet censorship. But you need to trust them ;)
Thread Status:
Not open for further replies.