Q: Simple DNSCrypt, Cloudflare, Quad9, YouTube & more?

Discussion in 'privacy technology' started by zapjb, Apr 2, 2018.

  1. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    I don't know, searched here & elsewhere so I'm asking.


    W7P64.

    Is using Simple DNSCrypt really beneficial or more of a pita?

    Can the Cloudflare & the Quad9 DNS servers be trusted?

    Will using this setup mess with YouTube, Yahoo Sports NHL game of the day, YAHOO! VIEW, GMail & other sites that deliver services based on my location?


    Thanks.
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I don't think that it should have any effect on it. AFAIK only the domain name resolution request is performed by those servers. The connection to those services is the same as before.
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    I use DNSCrypt with Unbound on OpenBSD, and have used it on GNU/Linux, and everything has been fine.
    Location is recognized by your IP address and/or browser's headers sent to server.

    BTW, you can change the automatically recognized location in YouTube settings, even without signing in.
    https://screenshots.firefox.com/N4T4Vz5MNMWFxrG5/www.youtube.com
    This will generate a URL with the location setting, which you can bookmark.
     
    Last edited: Apr 2, 2018
  4. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    Installed it.

    Running DNS leak test at dnsleaktest.com the Standard test is taking forever.

    How can I tell it's working?
     
  5. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    What does
    Code:
    nslookup www.wilderssecurity.com
    print in cmd.exe?
     
  6. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
  7. IvoShoen

    IvoShoen Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    849
    You can also use Cloudflare as a Simple DNSCrypt resolver. It is fast for me.
     
  8. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
  9. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
  10. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Does anyone know anything about Quad9? Was using Norton DNS until it ended in November. Want to try Quad9, but looked up their corporate address on their website and it is a mail drop called "You Send Me." They have a very professional website and get good reviews. I am just hesitant when they have no real address/building.
     


  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I googled quad9 and everything I found was positive, but you probably saw the same stuff. I've been using 1.1.1.1 (Cloudflare aka Quad1) on Firefox and getting good performance. I may set Quad9 (9.9.9.9) on my Ethernet adapter and see how it performs. Cloudflare and Quad9 appear to have similar features, e.g. queries over DoH and DoT. I'm not aware of a reason to prefer one over the other at the moment :)
     
  12. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Quad9 offers malicious domain blocking where Cloudflare does not. Otherwise similar in privacy.
     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    :thumb:

    FYI there are apps for Android for easily switching to 1.1.1.1 or 9.9.9.9. I've tried both and so far 9.9.9.9 is faster and more consistent; I sometimes get site unreachable errors when using 1.1.1.1. I'm going to experiment on my PC as well.
     
  14. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Thanks Victek. I am trying Quad9 on my desktop since I haven't found anything negative about them.
     
  15. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    Cisco's OpenDNS is better at blocking malicious domains than Quad9, at least that was the case in 2017.
    hxxps://medium . com/@nykolas.z/dns-security-filters-compared-quad9-x-opendns-x-comodo-secure-x-norton-connectsafe-x-yandex-safe-a00ace3bf21f

    Cloudflare does not block malicious domains, but when it comes to privacy it is more trustworthy, as they have a more privacy-friendly privacy policy and are audited by an external company.
     
  16. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
  17. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    This looks like a good spot...

    I've been using DoH in Firefox 64.0.x and 60esr for some time in Windows 7 and 10.

    In the latest FF releases, you can toggle DoH realtime to play with it via:
    Options > General > Network Settings
    Check Enable DNS over HTTPS
    That sets the safe & simple mode 2 and mozilla.cloudflare-dns prefs

    But getting fancy requires manual tweaks in about:config.

    Last month I went from mode 2 to 3 to bootstrap the address.

    network.trr.mode = 3
    network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
    network.trr.bootstrapAddress = 1.1.1.1

    (For mode 2, the bootstrapAddress pref is blank.)

    For sites outside of the "mainstream," there's an occasional, rare actually, "Hmm. We’re having trouble finding that site." page but a click on Try again will bring up the page.

    I tried Quad9's https://dns.quad9.net/dns-query in mode 2 with success, but 9.9.9.9 mode 3 returned too many of that "trouble finding" indicating a dependence on System DNS.

    Open about:networking, select DNS, TRR will report true. As will any competent TCP/IP utility, shown here for mode 3:

    FFox-DoH.jpg

    In mode 2, the IP address will be for mozilla.cloudflare-dns.com/dns-query, whatever that might be at any given point in time or place.

    FWIW at this stage of the game, in 64.0.x you can set network.security.esni.enabled to true.

    Useful:
    https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/
    https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
    https://www.cloudflare.com/ssl/encrypted-sni/
    https://whoismydns.com/
    https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https
     
    Last edited: Jan 29, 2019
  18. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,554
    Location:
    USA still the best. But barely.
    How's that different than HTTPS Everywhere & Simple DNSCrypt?
     
  19. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    Simple DNSCrypt, for the Windows platform, uses the local proxy for system DNS. DNSCrypt-Proxy and DoH-proxy for Linux work in the same way, but I can't say 100% for sure since I stopped using Linux way back with Ubuntu v6 and some version of Knoppix and now I'm burning in Hell where I've arranged with The Big Guy for you to work in my division when you get here. :D

    Firefox's DoH is internal to itself, ignoring system DNS in trr mode 3, using system DNS as fallback in mode 2. So if your system is set up to use Quad9 or Google or whatever, in mode 2, Firefox will use that if Cloudflare fails. IMHO, mode 2 is obsolete. Mode 3 with Mozilla's uri and bootstrap 1.1.1.1 rocks. All other network facing apps will continue to use the system DNS as they don't care what Firefox is doing for DNS lookups.

    HTTPS Everywhere is an extension which "consists of a large number of rules for switching sites from HTTP to HTTPS" by "using clever technology to rewrite requests." Source: eff.org. The clever tech is Perl.
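
An added example, not part of the thread and not Firefox code: a small Python audit of the network.trr.* prefs discussed in Surt's two posts above, reporting whether a profile's lookups can still fall back to system DNS. The sample prefs text is constructed from the values in the posts, the function names are this example's own, and an absent network.trr.mode is assumed to mean off.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in prefs.js / user.js syntax, using the values from the post.
SAMPLE_PREFS = '''
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("network.trr.bootstrapAddress", "1.1.1.1");
'''
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; a later line overrides."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw.startswith('"'):
            prefs[name] = raw.strip('"')
        elif raw.lstrip("-").isdigit():  # only string and integer prefs are needed
            prefs[name] = int(raw)
    return prefs

def host_is_ip(uri):
    """True when the DoH URL names the resolver by IP, so no lookup is needed."""
    try:
        ipaddress.ip_address(urlsplit(uri).hostname or "")
        return True
    except ValueError:
        return False

def audit_trr(prefs):
    """Report whether DoH is tried first and whether system DNS can still be used."""
    mode = prefs.get("network.trr.mode", 0)  # assumption: absent pref means off
    uri = prefs.get("network.trr.uri", "")
    findings = []
    if mode not in (2, 3):
        return {"doh_first": False, "system_dns_fallback": True,
                "findings": [f"TRR mode {mode}: not DoH-first, system DNS in use"]}
    if not uri.startswith("https://"):
        findings.append("network.trr.uri is not an https:// URL")
    if mode == 2:
        findings.append("mode 2: failed DoH lookups fall back to system DNS")
    elif not prefs.get("network.trr.bootstrapAddress") and not host_is_ip(uri):
        findings.append("mode 3: no bootstrapAddress for the resolver hostname")
    return {"doh_first": True, "system_dns_fallback": mode == 2, "findings": findings}
```

Calling audit_trr(parse_prefs(text)) on the contents of a profile's prefs.js or user.js returns the same dictionary shape as for the sample.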
     
  20. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Sounds like you have a wireless or otherwise weak connection.

    Firefox has quite a strict timeout for responses before it gives up.
    In about:config change:
    Increase it to 10000 or 20000.
    This should resolve your issue.
     
  21. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    471
    Location:
    USA
    @ elapsed - Thanks for the tip.

    I show 1500 and Stenberg's site cites a default 3000. I did not catch that when I was setting up FF 64 last month. I just verified 1500 as its default by building a fresh profile. It's 3000 in 60esr which is what I was working with (but only mozilla.cloudflare-dns). Hmmmmm...

    I'm going to give Quad9 another try with higher settings. I prefer them though I'd be giving up Cloudflare's experimental ESNI; not giving up much at this point in time.

    BTW: Cox Cable 100 Mbps, DOCSIS 3.0, Gigabit LAN, quality CAT6.

    UPDATE: 3000 helped; 10000 did the trick.
     
    Last edited: Jan 31, 2019
  22. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Okay, thanks.
     