New DNS Service Launched by IBM Vows to Keep Your Browsing Habits Secret

Discussion in 'privacy technology' started by IvoShoen, Nov 16, 2017.

  1. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    849
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    No secondary DNS. No idea where their servers are located. It's a big jump from here to the US.
     
  3. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,540
    Location:
    Triassic
    I just set it up in DNSjumper and switched over to it. Will test it out for a few days to see how it goes.
     
  4. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
  5. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    It works! The DNS-over-TLS really works :eek:

    upload_2017-11-17_3-8-13.png

    Here's how to reproduce under Linux.

    Step 1.
    Get file called digit-1.4.3.tar.gz from https://ant.isi.edu/software/tdns/digit/index.html
    For some reason, for me there were problem uncompressing that file under Linux but no problem with Windows. I have recompressed it just in case if someone else has this strange problem too.
    Can be downloaded from:

    Code:
    https://www.orwell1984.today/digit-1.4.3.tar.xz
    http://ukp5un24mpxbqcpu.onion/digit-1.4.3.tar.xz
    
    Step 2.
    Uncompress & build with:

    tar -xaf digit-1.4.3.tar.xz && cd digit-1.4.3 && ./configure --without-gnutls && make


    You have to make sure that you have the following packages installed:
    gcc, binutils, make, tar and xz (called also xz-utils in some Linux distros)
    And also openssl development files (*.h header and *.so files) usually those you get from openssl-dev or openssl-development or something similar, depending of your distro.

    Step 3.
    Temporarily add the following firewall rules, just in case, so that it *really* is using port 853 and not 53.

    iptables -P OUTPUT DROP
    iptables -I OUTPUT 1 -p tcp --dport 853 -j ACCEPT

    That will block all outgoing, except those that use TCP protocol and destination port 853 (default port for DNS-over-TLS).

    Step 4.
    Create file that has few domains you want to lookup. For example list.txt
    Code:
    www.google.com
    www.facebook.com
    www.wilderssecurity.com
    etc.....
    
    Step 5.
    Run it!

    ./digit -f list.txt -r 9.9.9.9 -V -t ssl

    You should see something like the following if it works
    Code:
    https://www.orwell1984.today/DNS_over_TLS_results.txt
    
    For more great stuff about DNS privacy:

    https://dnsprivacy.org/wiki/display/DP/DNS Privacy Clients
    https://dnsprivacy.org/wiki/display/DP/Using Unbound as a DNS Privacy server
     
  6. compleo

    compleo Registered Member

    Joined:
    May 3, 2016
    Posts:
    134
    In the instructional vid in the link provided in the OP. It shows preferred DNS server & place the number 9 in all boxes.

    But, in the boxes below, alternate DNS server it's left blank?



    Also on my computer in DNS Management the preferred DNS numbers are different than the internet protocol version 4 tcp/ipv4 preferred numbers. But, the alternate numbers are the same.
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    https://www.prnewswire.com/news-releases/ibm-packet-clearing-house-and-global-cyber-alliance-collaborate-to-protect-businesses-and-consumers-from-internet-threats-300557424.html
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Sadly, Steve Gibson's DNS Benchmark tells me there are 43 faster public alternatives, as I feared being in Australia.

    Interestingly, I used Norton ConnectSafe level 1 as secondary DNS and it was 'unreliable'.
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    I trust everyone has checked out the founding members of this service. And that they are checking against various blacklists.

    The browsing habits may be "secret" from marketeers, but not from others. I guess that's always a problem with DNS though.
     
  10. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    I prefer UDP over TCP, it seems to me to be less exploitable. Dnscrypt does not meet IETF specification, otherwise it is pretty much the same thing.

    Code:
    https://browserleaks.com/ip/66.185.117.242
    The same for Europe. Average ms is around 680, Google and OpenDNS are 500% faster, but we will see a few months later.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    What about IPv6 settings? :)
     
  12. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    UDP less exploitable? How so? It is more restricted (single UDP packet size less than 64k if counting IPv4 headers) and less reliable (packet's get lost and in early days it was widely known as "Useless Data Protocol" before they changed name to "User Datagram Protocol")

    Yeah, DnsCrypt has been unofficial "standard" for long time (and before it there was a thing called DnsCurve) but these things really
    need standard. Otherwise they will never get used in the core of the Dns, like for example, DNSSEC has been used for several years now in the root DNS servers.

    The things is, when you use Google DNS, OpenDNS, this new DNS or any other 3rd party DNS you found from net, you always have to
    trust the person/company/organization running it. That's why my own DNS servers talk directly to root DNS servers without middle-men because if you can't trust root DNS then .... well .... pack to hostfiles you go like in early days :D
    (Or to DNSless system after it's ready ....)
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
    Exactly, I will rather allow UDP than TCP in the firewall, for various reasons. UDP is connectionless, that is the way I like it.
    As for reliability, I have not seen a single packet lost, not in the last few years, otherwise it would not be used for DNS requests.
     

    Attached Files:

  14. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
  15. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    UDP was orginally choosen for DNS because it was lightweight. That's the only reason. Otherwise it's just as unreliable, unordered and restricted as it was in day zero.

    And I see DNS UDP packets get lost all the time with my monitoring software.

    EDIT: Also, usually DNS uses TCP lookup as a fallback method if UDP lookup fails for some reason (and it *does* fail from time to time). So you could very well be using TCP actually without you knowing it.

    Also, Windows systems (at least up to 7) are stupid in that way that they:
    A) don't have a concept of system-wide DNS settings (a la resolv.conf in Linux-world)
    B) they can't be forced to use TCP-only for lookups that can be done in Linux-world
    with the help of not very well know option "use-vc" in resolv.conf

    http://man7.org/linux/man-pages/man5/resolv.conf.5.html
     
    Last edited: Nov 17, 2017
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    https://quad9.net/#/faq
     
  17. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I am in contact with Quad9. They do have "a few POPs" in Australia. They are investigating performance issues.

    POP = Point Of Presence?
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    For some reason, instead of using an Aussie server I'm routed through Burbank, CA US. :eek:

    ... More to come.
     
  20. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Hmmm... All this talk about DNS made me check my local caching & recursive DNS server configuration and see if disabling UDP completely and using just TCP made any difference.
    And the results? The TCP-only setup feeled actually little bit (but not much) faster! Even with previously unvisited sites. Maybe because I use fastopen in both client & server connections ....

    Using encrypted 9.9.9.9 was also good speed but I will still probably setup my own encrypted DNS server and use that instead ....

    Maybe I write tutorial later howto really lock your DNS settings ... with or without encryption
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Last edited: Dec 20, 2017
  22. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
    It shows both the primary and secondary are unreliable for me and they are both at the bottom of the speed list the only thing they beat in speed was a dead server.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    This is a much shortened version.

    It turns out after chatting for over a month with Quad9 Support that my ISP is not playing the game and will not allow connection to the Australian POPs, (Point Of Presences) meaning I am connecting to California instead. This will affect anyone in Australia who has Telstra / Bigpond as their service provider.

    Choices?
    1. Use Quad9 knowing their service is slow.
    2. Use a different DNS provider.
    3. Change service providers.
    4. I don't know of a 4th option but am open to suggestions.
     
  24. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Option 4: Take control and setup your own DNS and encrypt the traffic.

    https://www.wilderssecurity.com/threads/taking-control-of-dns-for-linux-users-part-2.399021/
     
  25. Socio

    Socio Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    362
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.