The Fight Over Encrypted DNS: Explained https://spectrum.ieee.org/tech-talk/telecom/security/the-fight-over-encrypted-dns-boils-over
Most people can't even Google stuff. How are they supposed to know what a DNS even is? Anyway, I'm happy to use CloudFlare as the default on Firefox, even if I would prefer to use Cloud9 Quad9 as the default as that's a non-profit. However, they are both much better than my ISP getting it.
There are more than 2 ways to encrypt your DNS. All have pros and cons. You can see a handy comparison chart here: https://dnscrypt.info/faq

The issue of software taking over and not respecting the OS is going to be a non-issue. What we currently have is a stopgap until the OS vendors have rolled encryption and authentication into the OS DNS service. Microsoft have thankfully taken the lead and are going to put it where it should be. In-app solutions will just lead us into a mess of security problems if every dev is doing it their way. They also bypass your HOSTS file, which is not good.

I have been a happy user of DNSCrypt for a while and when DoH became the new messiah they simply added support for that. People can have DoH in the OS where it is supposed to be already. You get a huge list of resolvers to pick from and it automatically uses the fastest responding (including Quad9 and Cloudflare). I have DoH even if I use Opera 12 or IE, because it is just there.

Ultimately it is not a choice the ISPs have in it. They can sing and dance to their hearts' content. Notice that the small ISPs that don't sell user data, or are under the threshold required by Gov to collect your data, are very happy with the idea of encrypted DNS. If you don't like what Google and Mozilla are doing at the moment, I can understand, but you can have your cake and eat it if you use DNSCrypt instead. Ignore what they put in browsers and use a system that gives you a lot more control, and importantly you can use blocklists again.
I prefer DNSCrypt, but Simple DNSCrypt is basically abandonware which is really unfortunate. Edit: YogaDNS looks really interesting!
While I certainly don't want apps, particularly browsers making that call by default, nor do I want the OS to do so - my boundary router can do that, thank you very much. The issue for me is certainly one of defaults and ease of control, and whether the user gets to do so. But without the overhead of corporate style lockdown.
https://www.quad9.net/doh-quad9-dns-servers/

Cox Communications is jumping into the ring, DoH and DoT...
http://lists.encrypted-dns.org/scripts/wa-ENCDNS.exe?A2=ENCRYPTED-DNS;e879d721.1910&FT=&P=277415&H=&S=b
174.68.248.77
https://dohdot.coxlab.net/dns-query
I know. But I was thinking of having it as a default option in Firefox. Currently, I'm using Quad9 with YogaDNS.
I don't know why you say abandonware. I would use this page as a better gauge of that: https://github.com/bitbeans/SimpleDnsCrypt/releases

The issue in that old bug report is not a bug in Simple DNSCrypt, but because of people trying to load the service while there is no network connection. If you change the service to run delayed it usually solves it. This is an issue with the DNSCrypt proxy service, not the GUI software.

Note: Simple DNSCrypt is a GUI for the proxy. It comes with the same binaries as you will find in the main repo. If the GUI software has not been updated there is nothing stopping you simply fetching the latest copy of DNSCrypt and updating it yourself. Disable the service, copy the new one over and re-enable the service. I do this often as the GUI package is not updated as often as the core.

You miss the point then. Once the OS deals with it just as it currently does on automatic, it will use your router just as it does now because that will be the responding DNS up the chain. If it lacks encryption and authentication it will just go without. You also have the option to flash DNSCrypt to most programmable routers, so you can have your cake and eat it.
The app is called "Simple DNSCrypt" which implies it should be, well, simple, to use. Changing a service manually is madness if you want to reach the masses. I have no clue why the creator doesn't care about fixing it. Also, a keyword here is "usually". Judging by the GitHub, it's no guarantee. I haven't bothered with the program for over a year now, simply because I don't want to manually have to start a service.
If you have an ASUS router you can install the custom Asuswrt-merlin firmware which supports DNS over TLS: https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy Furthermore, the team behind NextDNS has announced they will release a beta of a native DNS over HTTPS solution for the same firmware: https://www.snbforums.com/threads/asuswrt-merlin-and-nextdns-issue.58282/page-5#post-536114
I just started using YogaDNS and I'm curious how you've set it up? For Cloudflare I entered Cloudflare DOH in the servers list, entered 1.1.1.1 in the IP address field, selected DNS over HTTPS and entered https://cloudflare-dns.com/dns-query. I also defined the default rule to process via Ethernet. Does that look right? Thanks!
I'm using Quad9 and not CloudFlare, and this is how I did it:

Option 1:
Download this configuration
File->Autostart
File->Import configuration->Choose the file you downloaded->Done!

Option 2:
File->Autostart
Configuration->DNS Servers->Add->DNSCrypt->sdns:// then enter
Code:
sdns://AQEAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
Enter a friendly name
Click OK
Click OK
Configuration->Rules->Add:
Name: Quad9
Hostnames: *
Action: Process
DNS Server: Quad9

Pictures of what everything should look like when you're done (DNSCrypt):
https://i.imgur.com/9LZaSC7.png
https://i.imgur.com/8QfUbcz.png
https://i.imgur.com/K4Erk3Y.png
https://i.imgur.com/8SfaXdm.png

YogaDNS should say something like
Code:
[01.02 00:40:04] tracing.spotify.net - process : server=Quad9 (DNSCrypt), rule=Quad9
when it's working properly.

Decided to try getting DoH to work with YogaDNS too. Here are the pictures of what you should write (DoH):
https://i.imgur.com/nW01Qch.png
https://i.imgur.com/Ok9kvJp.png
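The sdns:// string pasted into YogaDNS above is a DNS stamp, and it is worth being able to read one before trusting it: it encodes the resolver address, the provider's public key and the provider name that the client will verify certificates against. Here is an added Python decoder (not code from this thread, YogaDNS or the DNSCrypt project) that follows the DNS Stamps specification for DNSCrypt (0x01) stamps and also DoH (0x02) stamps, so it goes beyond the single Quad9 stamp quoted; the QUAD9_STAMP constant is that stamp copied from the post.

```python
import base64
PROPS = {1: "DNSSEC", 2: "No logs", 4: "No filters"}  # property bits, DNS Stamps spec
# The Quad9 DNSCrypt stamp quoted in the post above
QUAD9_STAMP = "sdns://AQEAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0"

def _lp(buf, pos):
    # One length-prefixed field: returns (bytes, position after it)
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n

def _vlp(buf, pos):
    # Length-prefixed list: bit 0x80 of a length byte means another item follows
    items = []
    while True:
        n = buf[pos]
        items.append(buf[pos + 1:pos + 1 + (n & 0x7F)])
        pos += 1 + (n & 0x7F)
        if not n & 0x80:
            return [i for i in items if i], pos

def parse_stamp(stamp):
    # Decode an sdns:// stamp (DNSCrypt = 0x01, DoH = 0x02) into a dict
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = stamp[len("sdns://"):]
    buf = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    proto = buf[0]
    props = int.from_bytes(buf[1:9], "little")
    out = {"protocol": proto, "props": [v for k, v in PROPS.items() if props & k]}
    addr, pos = _lp(buf, 9)
    out["addr"] = addr.decode()
    if proto == 0x01:  # DNSCrypt: address, provider public key, provider name
        pk, pos = _lp(buf, pos)
        name, pos = _lp(buf, pos)
        out["provider_pk"] = pk.hex()
        out["provider_name"] = name.decode()
    elif proto == 0x02:  # DoH: address, cert hashes, hostname, path, bootstrap IPs
        hashes, pos = _vlp(buf, pos)
        host, pos = _lp(buf, pos)
        path, pos = _lp(buf, pos)
        out["hashes"] = [h.hex() for h in hashes]
        out["url"] = "https://" + host.decode() + path.decode()
        if pos < len(buf):
            ips, pos = _vlp(buf, pos)
            out["bootstrap_ips"] = [ip.decode() for ip in ips]
    else:
        raise ValueError(f"unsupported stamp type {proto:#x}")
    if pos != len(buf):
        raise ValueError("trailing bytes in stamp")
    return out
```

Decoding the quoted stamp yields the address 9.9.9.9:8443, the provider name 2.dnscrypt-cert.quad9.net and a 32-byte provider key, which you can compare against what Quad9 publishes before importing a stamp someone else posted.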
Thanks for the details. I set up DoH for Quad9 and it works fine. I noticed that Quad9 has slower ping times for me, so I went back to CloudFlare DoH, but I don't know if the difference is significant overall - they both work well.
The CEO of Quad9 has stated that for most people, the difference in speed is negligible if you live in the USA or Europe. Besides, Quad9 is a nonprofit while CloudFlare seemingly mines your data.
I've chosen to use DNSCrypt mostly "because". Don't really have a reason for it. The CEO of Quad9 seems to suggest that DNSCrypt is superior, unless you want to hide the fact that you're using an encrypted DNS. The official DNSCrypt website claims that they are all equally secure.
Cloudflare's privacy policy states that they delete all data after 24 hours. Some data do not even hit persistent storage (SSDs, HDDs etc). Actually Quad9 gathers data, aggregates it, anonymizes it (that is why they state they do not collect PII) and sends to trusted threat intelligence partners.
For me, Cloudflare has slightly quicker DNS responses, but due to being privacy-oriented they disabled geographic-location-oriented optimization features such as EDNS Client Subnet. Cloudflare responses sometimes point me to servers that respond to my location a lot slower than Quad9 or the ISP's DNS.
@Beyonder Yes, "usually", just like usual applies anywhere in computing. How can we know how long it takes for someone else's connection to be available before the service runs? This is why I suggest changing the service to delayed start, which will fix the problem for anyone that does not have some other issue (hence "usually"). No manual starting of the service is needed. You just seem to prefer to do that instead, which there is no need to.

Griping about software that actually has a bug is fine, but as I said, this is nothing to do with the GUI or the author, or for them to fix. If you want to point the finger of blame then it is at the author of the core service.

As for thinking Simple DNSCrypt to be the widest used option, that is a non-issue as there is no other option. You either use it via CLI as it was intended, or use the only free GUI in development, and any other GUI will still have the same issues. Compared to CLI, yes, Simple DNSCrypt is simple. It is so simple my 70 year old Mum can use it with me on the other end of the phone. It has a very obvious switch which changes your connection very obviously to green if the service is running. What is not simple about that? Try dealing with that compared to the Windows service panel, and a 70 year old on the phone. As this problem happens to so few people, I would also suggest you are making a mountain from a mole-hill.
@A_mouse I'm not saying this is the end of the world. What I'm saying is that something should be done about the issue, seeing as Simple DNSCrypt is otherwise a great program. Instead of acknowledging it, or reaching out to the creator of DNSCrypt-proxy itself for some kind of collaboration, the creator of SDNSCrypt (and the creator of DNSCrypt-proxy) seemingly just ignore it.

I wouldn't say this is affecting just a few people. Very few people actually use DNSCrypt tools in the first place, as you need knowledge to even seek it out, and this issue seems to affect absolutely everyone, some time. There are 34 participants in the issue I posted. I'd say that's significant. Some people, like this guy, seem to have gone above and beyond in trying to make it work properly by setting it to a delayed start, etc. But it doesn't seem to work all the time, according to this person. I'm also not sure if this is actually caused by the proxy itself, and not Simple DNSCrypt, as it worked properly before. Interestingly enough, I found an attempt to fix it by bitbeans. Evidently, the fix did not take.

So while this might be easier than running the CLI, it's still got a long way to go if it wants to compete with the simplicity of enabling DoH in Firefox. Also, I'd argue YogaDNS is an option. It doesn't have this issue at all and you can easily import a configuration (like the one I posted) and be up and running in seconds.
Yeah, everyone's gonna want to have their fav DNS as in there. (I'd like to see a check box to enable bootstrapping.) Anyhow, is there a problem with selecting Custom in the Network Settings and entering the URL?
Thanks. I have been trying out YogaDNS. A little something I have noticed in Brave (and most likely every other Chromium browser): I have Adguard DoH with YogaDNS and on DNS leak sites it works fine. But if I enable the Chrome flag for secure DNS lookup the DNS starts to leak. For those with Chromium browsers, try to make sure the flag for secure DNS lookup isn't enabled.
Yes, I'm using YogaDNS at the moment and setting it up was really easy. It's nice having the option to open the window and observe the DNS queries in real-time.