Difference between revisions of "DNS"

Latest revision as of 19:11, 24 August 2019

This dongle is a stub. You can help the InstallGentoo Wiki by adding more freedoms.

Domain Name Systems convert domain names (e.g. wiki.installgentoo.com) into ip addresses (e.g. 176.9.127.115). By default, you're probably using your ISP's DNS.

Alternative DNS servers

If you're unhappy with your ISP's DNS services, consider the following:

OpenNIC: The OpenNIC Project relies on volunteers to provide censorship free DNS servers.; Click here to find the nearest OpenNIC servers.

Google DNS: 8.8.8.8; 8.8.4.4

Warning: Google's DNS will, amongst other things, assign your IP to every site you visit and log it permanently! For more information click here.

Problems with DNS

DNS can be used for censorship.

Arab Spring protestor advising Google's DNS to circumvent government censorship.

The DNS owner can redirect any domain name to any IP address. This can happen due to siteblocking legislation (e.g. U.K.) or totalitarian governments (e.g. Arab Spring).

DNS is the simplest way to block a website from a tech illiterate user, and also the easiest site blocking method to circumvent.

DNS can be used for Man in the Middle attacks.

If an attacker controls your DNS (e.g. poisoned WiFi), they can redirect your requests to malicious servers. HTTPS with valid certificates, DNSCrypt and servers that support the DNSSEC spec can protect against this, but tech illiterate users generally click through the security warnings.

Securing DNS

Main Article: Anonymising Yourself | DNS

Running a DNS

While running a publicly available DNS is a bad idea (as with NTP servers, users will attempt to connect to you for years after you lose interest in hosting), you can easily run a DNS via dnsmasq, Unbound and so on.

Redirect Everything to a Single Server

Redirecting all domain requests to a single server is easy with dnsmasq. Assuming your server is located at 192.168.1.1, your /etc/dnsmasq.conf file can be modified to:

listen-address=192.168.1.1
address=/#/192.168.1.1

This is useful if you're running a PirateBoxesque server, where you only want users to see a single website. Any HTTPS website the user attempts to connect to will not work (that's HTTPS/CAs/Certs doing their job), but all HTTP servers will be redirected.

@@ Line 1: / Line 1: @@
-{{cleanup|Horrible formatting.}}
+{{Stub}}
-DNS (Domain Name System)
+'''Domain Name Systems''' convert domain names (e.g. wiki.installgentoo.com) into ip addresses (e.g. 176.9.127.115). By default, you're probably using your ISP's DNS.
-An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 93.184.216.119 (IPv4) and 2606:2800:220:6d:26bf:1447:1097:aa7 (IPv6). Unlike a phone book, the DNS can be quickly updated, allowing a service's location on the network to change without affecting the end users, who continue to use the same host name. Users take advantage of this when they use meaningful Uniform Resource Locators (URLs), and e-mail addresses without having to know how the computer actually locates the services.
+== Alternative DNS servers ==
+If you're unhappy with your ISP's DNS services, consider the following:
-Default ISP provided ones are usually shit, prone to being overloaded. In addition, it makes it easier to for your ISP to put a face to a IP address as your requests are traveling through them.
+; OpenNIC
+: The [https://www.opennicproject.org/ OpenNIC Project] relies on volunteers to provide censorship free DNS servers.
+: Click [https://www.opennicproject.org/nearest-servers/ here] to find the nearest OpenNIC servers.
-/tech/ recomend DNS
+; Google DNS
+: 8.8.8.8
+: 8.8.4.4
-Local (Libre only)
+{{warning|[[Google]]'s DNS will, amongst other things, assign your IP to every site you visit and log it permanently! For more information click [https://developers.google.com/speed/public-dns/privacy here].}}
-Dnsmasq,Djbdns,gdnsd,Knot,MaraDNS,BIND, NSD,Pdnsd,Posadis,PowerDNS,Unbound,Domain Name Relay Daemon (dnrd),YADIFA
-Remote
+== Problems with DNS ==
+* DNS can be used for censorship.
+[[File:dnsboobs.jpg|thumb|200px|right|Arab Spring protestor advising [[Google]]'s DNS to circumvent government censorship.]]
+: The DNS owner can redirect any domain name to any IP address. This can happen due to siteblocking legislation (e.g. [[Wikipedia:Web_blocking_in_the_United_Kingdom |U.K.]]) or totalitarian governments (e.g. [[Wikipedia:Arab_Spring |Arab Spring]]).
+: DNS is the simplest way to block a website from a tech illiterate user, and also the easiest site blocking method to circumvent.
-https://www.opennicproject.org/
+* DNS can be used for Man in the Middle attacks.
+: If an attacker controls your DNS (e.g. poisoned WiFi), they can redirect your requests to malicious servers. HTTPS with valid certificates, DNSCrypt and servers that support the DNSSEC spec can protect against this, but tech illiterate users generally click through the security warnings.
-http://www.orsn.org/en/tech/pubdns/
+== Securing DNS ==
+*[[DNSCrypt]]
+*[[Unbound]]
+Main Article: [[Anonymizing_Yourself#DNS | Anonymising Yourself | DNS]]
-ns0.freeinfosociety.org
+== Running a DNS ==
-	 FR
+While running a publicly available DNS is a bad idea (as with [[NTP]] servers, users will attempt to connect to you for years after you lose interest in hosting), you can easily run a DNS via [http://www.thekelleys.org.uk/dnsmasq/doc.html dnsmasq], [[Unbound]] and so on.
-.165.175.115
-:41d0:2:5a70::1
-.51%
-	OK
-ns01.ch.orsn.it-schwerin.de
+== Redirect Everything to a Single Server ==
-	 CH
+Redirecting all domain requests to a single server is easy with dnsmasq. Assuming your server is located at 192.168.1.1, your /etc/dnsmasq.conf file can be modified to:
-.209.50.232
+ listen-address=192.168.1.1
-a02:418:6a04:178:209:50:232:cafe
+ address=/#/192.168.1.1
-.92%
+This is useful if you're running a [https://piratebox.cc/ PirateBox]esque server, where you only want users to see a single website.
-	OK
+Any HTTPS website the user attempts to connect to will not work (that's HTTPS/CAs/Certs doing their job), but all HTTP servers will be redirected.
-orsn.dnscache.cyborg-connect.de
+[[Category:Terms]]
-	 DE
+[[Category:Networking]]
-.200.55.4
+[[Category:DNS]]
-:1608:10:167:366::5c87
-.79%
-	OK
-orsn-ns4.godau.eu
-	 DE
-.25.56.16
-:1400:1:1201:216:3cff:fe38:5f6b
-.15%
-	OK
-orsn-ns2.godau.eu
-	 DE
-.118.126.225
-:1b60:3:267:3436:21:0:1
-.09%
-	OK
-orsn-ns01.first-colo.de
-	 DE
-.224.71.71
-a01:7e0::212:224:71:71
-.69%
-	OK
-orsn-ns02.first-colo.nl
-	 NL
-.133.62.62
-	--
-.25%
-	OK
-orsn-ns.godau.eu
-	 DE
-.230.224.42
-a02:d40:3:1:ac11:71ff:feee:41b3
-.71%
-	OK
-orsn-ns3.godau.eu
-	 AT
-.255.212.115
-a03:f80:ed15:158:255:212:115:1
-.10%
-	OK
-ns1.freeinfosociety.org
-	 FR
-.187.23.23
-:41d0:a:1717::1
-.30%
-	OK
-ns2.freeinfosociety.org
-	 FR
-.187.99.178
-:41d0:a:23b2::1
-Swiss Privacy Foundation DNS http://www.privacyfoundation.ch/de/service/server.html#dns-server
-.109.138.45
-.109.139.29
-Censurfridns Denmark http://blog.censurfridns.dk/
-.239.100.100
-.233.43.71
-freedns http://freedns.zone/de/
-.235.1.174
-.235.1.177
-Digitalcourage e.V. https://digitalcourage.de/support/zensurfreier-dns-server
-.214.20.141
-Chaos Computer Club https://www.ccc.de/de/censorship/dns-howto
-.73.91.35
-Alternative's to ICANN.
-http://www.orsn.org/en/tech/
-Implementing ORSN locally.
-For BIND, this would mean just replacing roots.hint
-http://www.orsn.org/roothint/root-hint.txt
-DNS encryption
-DNScrypt
-Comparsion of DNScrypt and regular DNS
-With a regular DNS query, the DNS server is aware of your request (duh, how else would they serve it?). Any observer between you and the DNS server can see the request because it is unencrypted.
-With a DNS query through dnscrypt, the DNS server is aware of your request (duh, how else would they serve it?). Observers between you and the server cannot see the request, only that some encrypted traffic is being transmitted.
-One Anon's setup
-I use dnscrypt-proxy with the following server
-https://dnscrypt.pl/
-Then pass that to unbound.
-https://unbound.net/
-"I'd recommend the Polish DNScrypt server over the OpenDNS dnscurve/dnscrypt servers. For several reasons that should be obvious,
-Latency is not a big issue from North America to Poland, at least from my experience. Consider that it passes on to Unbound which can cache, that alleviates much of the issue."
-/tech/ suggested DNS to avoid.
-The case against OpenDNS
-">"When you use our Services, OpenDNS stores certain DNS, IP address and related information about you to improve the quality of our Service, to provide you with Services and for internal business and analysis purposes. For example, OpenDNS runs a Domain Name System (DNS) service. DNS translates a domain name (e.g., http://www.example.com) into the corresponding numerical address (e.g., 192.0.34.166) that allows your system to access the domain over the network."
-Google DNS
-This should obvious. ^:)
-Sources:
-https://archive.is/rXAUn >> My ISP's DNS is shit. What are some DNS servers that respect muh freedom/privacy. Currently using Google's because I don't know any other ones. >> http://8ch.net/tech/res/383193.html
-https://archive.is/zHqRd >> DNS servers >> http://8ch.net/tech/res/377832.html
-https://archive.is/eRCyA >> https://anonymous-proxy-servers.net/wiki/index.php/Censorship-free_DNS_servers
-https://archive.is/xrv1f >> https://en.wikipedia.org/wiki/Domain_Name_System
-https://archive.is/Y4R2H >> https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software

Difference between revisions of "DNS"

Latest revision as of 19:11, 24 August 2019

Contents

Alternative DNS servers

Problems with DNS

Securing DNS

Running a DNS

Redirect Everything to a Single Server

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools