Discussion in 'other software & services' started by Hadron, Aug 27, 2016.
I use my ISP's DNS.
I use my own caching server service, Acrylic. It's easy to set up. I used MaraDNS' Deadwood core before that, until he stopped updating it as much as before. There is an August 2018 version I will have to try.
Point is, you still need to get the IP addresses for the corresponding URLs in your request from an authoritative ICANN root server, and it requires them to send the info to you somehow.
You gotta trust somebody in the routing chain of the request to get your reply. I use Acrylic to use Cloudflare's DNS server; I welcome any info that their statements on security are lies. Sometimes you CAN set a thief to catch a thief...
I have exactly the same feeling. I'm a little bothered by sharing that data with a 3rd party, but at the same time I'm not willing to set up something similar myself.
Exactly. I understand why some folks dislike certain providers, but I wonder who they do feel they can trust?
"server" is wrong - its a resolver with cache like windows dns service.
if you speak about "server" you need to hold a copy of ALL entries like google dns or cf dns - thats not possible because you are a not part of this trusted group. so at least you only resolve addresses and keep its entries you had used.
This is not how DNS works. CF and Google don't hold a copy of all DNS entries. Nobody holds all entries. This system is distributed. They only cache queried domains for some time to speed things up, but after some time they query authoritative DNS servers like all other recursive DNS providers.
You have set up your own caching DNS stub server, but some people set up their own recursive (which can usually also cache) DNS server.
Mozilla announces Firefox will block trackers by default
August 30, 2018
I tend to think of Mrkvonic like a clown. When he's not trying to make you laugh with stupidity he's busy promoting something (his websites/articles). Sometimes I wish Wilders would have a "post of the year" because that clearly was it.
Also the earth is flat.
Yes, this is what I've done. More details here.
I think this DoH idea sounds cool, but you do raise an interesting point.
I second lolnothank you. There are many problems with this idea.
Like if your browser is hijacked, then your DNS queries are also compromised at the same time.
Or if you use a different browser, you get different DNS results (your ISP versus cloud provider).
And then there's latency. And privacy implications. And more.
Can you please actually learn how things work before posting false assertions and confusing future readers, thanks!
Be specific. Where does it say in the internet model (however many stacks) that an application should act as a DNS server?
I know how things work, and this is why I find 99% of all technology fads and buzzwords and ideas to be nothing but gimmicks.
Firefox acts as a DNS client with a cache.
When it comes to privacy: do you really trust your ISP at home? Or maybe somebody is sometimes in a shopping mall or on a train with a laptop, using publicly open WiFi? Should this user trust the ISP on the train?
Well said. Nevertheless I hope that this feature - once it arrives in FF stable - will not be opt-out but rather opt-in.
Firefox has had its own DNS cache for a decade!
Not sure what you are talking about, but if you meant DoH, this has been available since v60 but has no dialog to fill out; that is coming with v63.
There is no problem as long as you can change the resolver easily in your router or operating system. Until DoH, Firefox filled its cache this way; with DoH you have an alternative.
Source for this assumption?
There exists only a master which is heavily protected, and this master distributes its information to CF/G or anyone. Those are real DNS servers because they don't need to cache anything.
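Since the posts above argue about what DoH in Firefox actually changes, here is the exchange at the byte level, as an added example that is not code from Firefox, Cloudflare or this thread. A DoH client is still a plain DNS client: it builds the same wire-format query it would send on UDP port 53 and ships it inside HTTPS, either as a POST body or as a base64url `dns=` parameter on a GET (RFC 8484). The endpoint name below is an assumed placeholder, and the response bytes are constructed for the example, not captured from any real resolver.

```python
"""Added example: the wire exchange behind DNS-over-HTTPS (RFC 8484).

Not code from Firefox, Cloudflare or the forum thread. The endpoint is an
assumed placeholder and CONSTRUCTED_RESPONSE is built by hand, not captured."""
import base64
import struct

DOH_ENDPOINT = "https://doh.example/dns-query"   # assumed placeholder, not a real provider
TYPE_A, TYPE_CNAME = 1, 5

def encode_name(name: str) -> bytes:
    """'www.example.com.' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Same 12-byte header + question that a UDP/53 client would send."""
    # RFC 8484 s4.1: ID 0 so identical questions yield identical URLs (HTTP caching)
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)          # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(query: bytes) -> str:
    """GET form: base64url without '=' padding (RFC 8484 s6)."""
    return DOH_ENDPOINT + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def decode_dns_param(param: str) -> bytes:
    """Server side: restore the stripped padding and decode the dns= parameter."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer into an earlier name
            end = end if end is not None else off + 2   # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the echoed question, return rcode and answer RRs."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == TYPE_CNAME:
            value, _ = read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0x000F, "answers": answers}

# Constructed response: QR=1 RD=1 RA=1, NOERROR, one A record whose owner name is
# a compression pointer (0xC00C) back to the question name at offset 12.
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com.") + struct.pack("!HH", TYPE_A, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com.")
    print("GET", doh_get_url(q))               # what the browser puts on the wire, inside TLS
    print(parse_response(CONSTRUCTED_RESPONSE))
```

Two things worth noticing: with ID 0 and no padding, the same question always yields the same URL, which is what lets HTTP caches in front of the resolver work; and the resolver at the other end sees exactly the question it would see over port 53, so the trust question in this thread is about who that resolver is, not about the transport.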
It is not an assumption. It is knowledge. There is no one master server that holds all entries. There are tens of thousands of authoritative DNS servers (or more). Google/Cloudflare/your ISP connect only to the authoritative DNS servers that are required to resolve the desired domain to an IP.
I think you did not read any of my links, in particular not Wikipedia, which explains the opposite of your assumption.
I read the Wikipedia article (parts of it) and I generally agree with it. I just think you don't understand it correctly. There is no DNS server in the whole DNS that stores all entries. Each authoritative DNS server has only a small part of the data. Actually, I am preparing to configure and maintain an authoritative DNS server for my own domain.
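To make the point above concrete, here is a toy iterative resolver over a constructed zone tree, as an added example (not code from this thread or from any real resolver). Each authoritative server answers only from its own zone or hands back a referral to the next zone cut; the recursive resolver walks root, TLD and zone servers and then caches both the answer and the delegations for their TTL, which is all that a recursive resolver at Google, Cloudflare or your ISP does. All names, addresses and TTLs are constructed; glue-record handling is elided.

```python
"""Added example: a toy iterative resolver over constructed zone data.

Not code from the forum thread or from any real resolver. The root server only
knows where .com is delegated, the .com server only knows where example.com is
delegated, and only example.com's own server knows www.example.com. All names,
addresses and TTLs are constructed for this example."""
import time

# Record = (type, value, ttl). Keys are owner names with a trailing dot.
AUTHORITATIVE = {
    "root": {
        "com.": ("NS", "a.gtld.example.", 172800),
    },
    "a.gtld.example.": {                     # a .com TLD server (constructed name)
        "example.com.": ("NS", "ns1.example.com.", 172800),
    },
    "ns1.example.com.": {                    # the zone owner's own server
        "www.example.com.": ("A", "192.0.2.10", 300),
        "mail.example.com.": ("A", "192.0.2.25", 300),
    },
}

def _enclosing_zones(qname):
    """Yield zone cuts above qname, deepest first: 'example.com.', 'com.', '' (root)."""
    parts = qname.split(".")
    for i in range(1, len(parts)):
        yield ".".join(parts[i:])

def authoritative_lookup(server, qname):
    """What one authoritative server does: answer from its own zone, or refer the
    client to the closest delegation it knows. It never asks anyone else."""
    zone = AUTHORITATIVE[server]
    if qname in zone:
        return ("answer", qname, zone[qname])
    for cut in _enclosing_zones(qname):
        rr = zone.get(cut)
        if rr and rr[0] == "NS":
            return ("referral", cut, rr)
    return ("nxdomain", qname, None)

class RecursiveResolver:
    """Caching recursive resolver: the role Google, Cloudflare or an ISP resolver plays."""

    def __init__(self, root_servers, max_hops=8):
        self.root_servers = root_servers
        self.max_hops = max_hops
        self.rr_cache = {}    # qname -> (expires_at, value)
        self.ns_cache = {}    # zone  -> (expires_at, server)
        self.queries_sent = 0

    def _start_server(self, qname, now):
        # Start from the deepest delegation still in cache, otherwise a root server.
        for cut in _enclosing_zones(qname):
            hit = self.ns_cache.get(cut)
            if hit and hit[0] > now:
                return hit[1]
        return self.root_servers[0]

    def resolve(self, qname, now=None):
        """Return (value_or_None, servers_asked). An empty list means a cache hit."""
        now = time.monotonic() if now is None else now
        hit = self.rr_cache.get(qname)
        if hit and hit[0] > now:
            return hit[1], []
        server = self._start_server(qname, now)
        asked = []
        for _ in range(self.max_hops):          # bound the chain: referral loops exist
            self.queries_sent += 1
            asked.append(server)
            kind, name, rr = authoritative_lookup(server, qname)
            if kind == "answer":
                _, value, ttl = rr
                self.rr_cache[qname] = (now + ttl, value)
                return value, asked
            if kind == "referral":
                _, ns_host, ttl = rr
                self.ns_cache[name] = (now + ttl, ns_host)   # remember the delegation
                server = ns_host                              # glue address lookup elided
                continue
            return None, asked                                # NXDOMAIN from the authority
        raise RuntimeError(f"referral chain too long for {qname}")

if __name__ == "__main__":
    r = RecursiveResolver(["root"])
    print(r.resolve("www.example.com.", now=0))     # walks root -> .com -> ns1
    print(r.resolve("www.example.com.", now=10))    # answered from cache, nobody asked
    print(r.resolve("mail.example.com.", now=20))   # delegation cached: asks ns1 only
    print(r.resolve("www.example.com.", now=400))   # A record expired, NS still cached
```

Running it shows the first lookup asking three servers, the repeat lookup asking none, and a second name under the same zone going straight to ns1 because the delegation is cached. The cache is what makes a resolver look like it "holds" the internet; it only ever holds what its users recently asked for, and only until the TTL runs out.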
To answer the questions on trust - yes, I trust my ISP.
Do I trust the ISP on the train - as long as there are no invalid certificates, yes.
Do I trust my browser (which is a commercial entity) to forward queries to yet another commercial entity? Perhaps, but I don't want to.
DNS is DNS. Web is Web. Those two are unrelated. For that matter, you can encapsulate anything and send it over http/https. That's not the point.
Talking about open wifi complicates the question IMHO. It's best to enable a VPN when using open wifi, and then everything is encrypted not just DNS requests.
As for who to trust, I think you have to define expectations. People regularly have this conversation when discussing VPNs, i.e. what do they share, do they keep logs, etc. It seems to me we mostly have to rely on the published privacy policies of providers. It makes sense to try to minimize exposure, but for those who want to be anonymous on the internet, well, good luck with that.
Since when is Firefox a commercial entity?
Since when is your ISP NOT a commercial entity?
Lol. ISPs that don't implement DNS censorship are few and far between. Any remaining won't be for long.
When I think of DNS, I like to prioritize it like this:
1. I trust root DNS servers (but only because I have to!)
2. I trust my own encrypted DNS server(s) that run on some VPS(es) somewhere around the world.
3. I trust (for now) Quad9 and Cloudflare.
4. I will never, ever, trust Google DNS, OpenDNS or especially my own ISP DNS!
Of course, if one had up-to-date, realtime domain-to-IP mapped records for the whole internet, one would not need the DNS at all and this whole trust issue would be solved.
Like a giant hosts file that people used in the old days before DNS, and now use mostly for adblocking.
But there is no such place or app to my knowledge (except my own experimental app, but it's nowhere near ready and still has unsolved issues...).