We are still actively working on the spam issue.

Difference between revisions of "DNS"

From InstallGentoo Wiki
Jump to: navigation, search
m
(turn into stub)
 
(24 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{cleanup|Horrible formatting.}}
+
{{Stub}}
  
DNS (Domain Name System)
+
'''Domain Name Systems''' convert domain names (e.g. wiki.installgentoo.com) into ip addresses (e.g. 176.9.127.115). By default, you're probably using your ISP's DNS.
  
An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 93.184.216.119 (IPv4) and 2606:2800:220:6d:26bf:1447:1097:aa7 (IPv6). Unlike a phone book, the DNS can be quickly updated, allowing a service's location on the network to change without affecting the end users, who continue to use the same host name. Users take advantage of this when they use meaningful Uniform Resource Locators (URLs), and e-mail addresses without having to know how the computer actually locates the services.
+
== Alternative DNS servers ==
 +
If you're unhappy with your ISP's DNS services, consider the following:
  
Default ISP provided ones are usually shit, prone to being overloaded. In addition, it makes it easier to for your ISP to put a face to a IP address as your requests are traveling through them.
+
; OpenNIC
 +
: The [https://www.opennicproject.org/ OpenNIC Project] relies on volunteers to provide censorship free DNS servers.
 +
: Click [https://www.opennicproject.org/nearest-servers/ here] to find the nearest OpenNIC servers.
  
/tech/ recomend DNS
+
; Google DNS
 +
: 8.8.8.8
 +
: 8.8.4.4
  
Local (Libre only)
+
{{warning|[[Google]]'s DNS will, amongst other things, assign your IP to every site you visit and log it permanently! For more information click [https://developers.google.com/speed/public-dns/privacy here].}}
Dnsmasq,Djbdns,gdnsd,Knot,MaraDNS,BIND, NSD,Pdnsd,Posadis,PowerDNS,Unbound,Domain Name Relay Daemon (dnrd),YADIFA
 
  
Remote
+
== Problems with DNS ==
 +
* DNS can be used for censorship.
 +
[[File:dnsboobs.jpg|thumb|200px|right|Arab Spring protestor advising [[Google]]'s DNS to circumvent government censorship.]]
 +
: The DNS owner can redirect any domain name to any IP address. This can happen due to siteblocking legislation (e.g. [[Wikipedia:Web_blocking_in_the_United_Kingdom |U.K.]]) or totalitarian governments (e.g. [[Wikipedia:Arab_Spring |Arab Spring]]).
 +
: DNS is the simplest way to block a website from a tech illiterate user, and also the easiest site blocking method to circumvent.
  
https://www.opennicproject.org/
+
* DNS can be used for Man in the Middle attacks.
 +
: If an attacker controls your DNS (e.g. poisoned WiFi), they can redirect your requests to malicious servers. HTTPS with valid certificates, DNSCrypt and servers that support the DNSSEC spec can protect against this, but tech illiterate users generally click through the security warnings.
  
http://www.orsn.org/en/tech/pubdns/
+
== Securing DNS ==
 +
*[[DNSCrypt]]
 +
*[[Unbound]]
 +
Main Article: [[Anonymizing_Yourself#DNS | Anonymising Yourself | DNS]]
  
ns0.freeinfosociety.org
+
== Running a DNS ==
FR
+
While running a publicly available DNS is a bad idea (as with [[NTP]] servers, users will attempt to connect to you for years after you lose interest in hosting), you can easily run a DNS via [http://www.thekelleys.org.uk/dnsmasq/doc.html dnsmasq], [[Unbound]] and so on.
188.165.175.115
 
2001:41d0:2:5a70::1
 
99.51%
 
OK
 
  
ns01.ch.orsn.it-schwerin.de
+
== Redirect Everything to a Single Server ==
CH
+
Redirecting all domain requests to a single server is easy with dnsmasq. Assuming your server is located at 192.168.1.1, your /etc/dnsmasq.conf file can be modified to:
178.209.50.232
+
listen-address=192.168.1.1
2a02:418:6a04:178:209:50:232:cafe
+
address=/#/192.168.1.1
98.92%
+
This is useful if you're running a [https://piratebox.cc/ PirateBox]esque server, where you only want users to see a single website.
OK
+
Any HTTPS website the user attempts to connect to will not work (that's HTTPS/CAs/Certs doing their job), but all HTTP servers will be redirected.
  
orsn.dnscache.cyborg-connect.de
+
[[Category:Terms]]
DE
+
[[Category:Networking]]
84.200.55.4
+
[[Category:DNS]]
2001:1608:10:167:366::5c87
 
97.79%
 
OK
 
 
 
orsn-ns4.godau.eu
 
DE
 
103.25.56.16
 
2401:1400:1:1201:216:3cff:fe38:5f6b
 
94.15%
 
OK
 
 
 
orsn-ns2.godau.eu
 
DE
 
87.118.126.225
 
2001:1b60:3:267:3436:21:0:1
 
99.09%
 
OK
 
 
 
orsn-ns01.first-colo.de
 
DE
 
212.224.71.71
 
2a01:7e0::212:224:71:71
 
99.69%
 
OK
 
 
 
orsn-ns02.first-colo.nl
 
NL
 
79.133.62.62
 
--
 
99.25%
 
OK
 
 
 
orsn-ns.godau.eu
 
DE
 
109.230.224.42
 
2a02:d40:3:1:ac11:71ff:feee:41b3
 
98.71%
 
OK
 
 
 
orsn-ns3.godau.eu
 
AT
 
158.255.212.115
 
2a03:f80:ed15:158:255:212:115:1
 
83.10%
 
OK
 
 
 
ns1.freeinfosociety.org
 
FR
 
37.187.23.23
 
2001:41d0:a:1717::1
 
99.30%
 
OK
 
 
 
ns2.freeinfosociety.org
 
FR
 
37.187.99.178
 
2001:41d0:a:23b2::1
 
 
 
Swiss Privacy Foundation DNS http://www.privacyfoundation.ch/de/service/server.html#dns-server
 
    77.109.138.45
 
    77.109.139.29
 
 
 
Censurfridns Denmark http://blog.censurfridns.dk/
 
    91.239.100.100
 
    89.233.43.71
 
 
 
freedns http://freedns.zone/de/
 
    37.235.1.174
 
    37.235.1.177
 
 
 
Digitalcourage e.V. https://digitalcourage.de/support/zensurfreier-dns-server
 
85.214.20.141
 
 
 
Chaos Computer Club https://www.ccc.de/de/censorship/dns-howto
 
213.73.91.35
 
 
 
Alternative's to ICANN.
 
http://www.orsn.org/en/tech/
 
 
 
Implementing ORSN locally.
 
For BIND, this would mean just replacing roots.hint
 
http://www.orsn.org/roothint/root-hint.txt
 
 
 
DNS encryption
 
 
 
DNScrypt
 
 
 
Comparsion of DNScrypt and regular DNS
 
 
 
With a regular DNS query, the DNS server is aware of your request (duh, how else would they serve it?). Any observer between you and the DNS server can see the request because it is unencrypted.
 
 
 
With a DNS query through dnscrypt, the DNS server is aware of your request (duh, how else would they serve it?). Observers between you and the server cannot see the request, only that some encrypted traffic is being transmitted.
 
 
 
One Anon's setup
 
I use dnscrypt-proxy with the following server
 
 
 
https://dnscrypt.pl/
 
 
 
Then pass that to unbound.
 
 
 
https://unbound.net/
 
 
 
"I'd recommend the Polish DNScrypt server over the OpenDNS dnscurve/dnscrypt servers. For several reasons that should be obvious,
 
 
 
Latency is not a big issue from North America to Poland, at least from my experience. Consider that it passes on to Unbound which can cache, that alleviates much of the issue."
 
 
 
/tech/ suggested DNS to avoid.
 
 
 
The case against OpenDNS
 
 
 
">"When you use our Services, OpenDNS stores certain DNS, IP address and related information about you to improve the quality of our Service, to provide you with Services and for internal business and analysis purposes. For example, OpenDNS runs a Domain Name System (DNS) service. DNS translates a domain name (e.g., http://www.example.com) into the corresponding numerical address (e.g., 192.0.34.166) that allows your system to access the domain over the network."
 
 
 
 
 
 
 
 
 
Google DNS
 
This should obvious. ^:)
 
 
 
Sources:  
 
https://archive.is/rXAUn >> My ISP's DNS is shit. What are some DNS servers that respect muh freedom/privacy. Currently using Google's because I don't know any other ones. >> http://8ch.net/tech/res/383193.html
 
https://archive.is/zHqRd >> DNS servers >> http://8ch.net/tech/res/377832.html
 
https://archive.is/eRCyA >> https://anonymous-proxy-servers.net/wiki/index.php/Censorship-free_DNS_servers
 
https://archive.is/xrv1f >> https://en.wikipedia.org/wiki/Domain_Name_System
 
https://archive.is/Y4R2H >> https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
 

Latest revision as of 18:11, 24 August 2019

Domain Name Systems convert domain names (e.g. wiki.installgentoo.com) into ip addresses (e.g. 176.9.127.115). By default, you're probably using your ISP's DNS.

Alternative DNS servers

If you're unhappy with your ISP's DNS services, consider the following:

OpenNIC
The OpenNIC Project relies on volunteers to provide censorship free DNS servers.
Click here to find the nearest OpenNIC servers.
Google DNS
8.8.8.8
8.8.4.4
Warning: Google's DNS will, amongst other things, assign your IP to every site you visit and log it permanently! For more information click here.

Problems with DNS

  • DNS can be used for censorship.
Arab Spring protestor advising Google's DNS to circumvent government censorship.
The DNS owner can redirect any domain name to any IP address. This can happen due to siteblocking legislation (e.g. U.K.) or totalitarian governments (e.g. Arab Spring).
DNS is the simplest way to block a website from a tech illiterate user, and also the easiest site blocking method to circumvent.
  • DNS can be used for Man in the Middle attacks.
If an attacker controls your DNS (e.g. poisoned WiFi), they can redirect your requests to malicious servers. HTTPS with valid certificates, DNSCrypt and servers that support the DNSSEC spec can protect against this, but tech illiterate users generally click through the security warnings.

Securing DNS

Main Article: Anonymising Yourself | DNS

Running a DNS

While running a publicly available DNS is a bad idea (as with NTP servers, users will attempt to connect to you for years after you lose interest in hosting), you can easily run a DNS via dnsmasq, Unbound and so on.

Redirect Everything to a Single Server

Redirecting all domain requests to a single server is easy with dnsmasq. Assuming your server is located at 192.168.1.1, your /etc/dnsmasq.conf file can be modified to:

listen-address=192.168.1.1
address=/#/192.168.1.1

This is useful if you're running a PirateBoxesque server, where you only want users to see a single website. Any HTTPS website the user attempts to connect to will not work (that's HTTPS/CAs/Certs doing their job), but all HTTP servers will be redirected.