What's your dns provider, /g?
>>51244498
>>51244749
>botnet
Pretty sure everyone just uses their ISP's
Does googel dns diplay ads?
I changed my home routers dns to google dns and my complained about ads.
>>51244782
it's pretty lame cause in case of using VPN you can be exposed by DNS leak.
OpenNIC
There is no bikini/lingerie board but there should be.
No reason not to use your own.
8.8.8.8
8.8.4.4
>>51244498
Dnscrypt in the netherlands
>>51244873
Enjoy everything you do being logged.
>>51244498
opennic
>>51244498
I don't get that screen and I'm using OpenDNS, what's going on.
>>51244883
Those uptimes are ridiculous. At least they're open and honest about their shittiness.
I query the NS myself.
>>51244498
https://community.opendns.com/domaintagging/search/?q=4chan.org
eight chin is also tagged. change the url on the end of the string to your favorite site to see the domain. for why it's was tagged, click through to see which reasons were considered valid by mods or whatever shills they pay to tag sites, etc, etc.
>>51244498
Google cause I'm not the network admin
I have my own dns server.
>>51245011
Who cares, domain blocking is opt-in.
>>51244751
>>51244873
>>51244877
I shy away from Google Public DNS and use DNSJumper for obscure choices.
>>51244833
This. Everything else is a botnet.
>>51244498
>inb4 hurr durr I don't like xkcd >>>/reddit/
>>51244873
>>51245572
>using 8.8.8.8
>literally heil hitler heil hitler or heil heil hitler hitler
>being a nazi
bad goy
unbound on 127.0.0.1
>>51244829
Regular DNS is unencrypted anyways, your provider can easily sniff it unless you're using DNSCrypt.
>>51245958
Where do you download your initial list?
>>51246068
https://wiki.archlinux.org/index.php/Unbound
>>51246019
You still have to trust your DNS provider.
>>51244498
Myself.
>>51246093
Nice, I tried to figure out root db for named for months. The unbound instructions fixed it for me.
What's a good way to tell if you're using the ISP's DNS instead of your own? It seems that putting only 127.0.0.1 in my resolv.conf points to the ISP DNS for some reason.
>>51245680
its h-h-h-hitler you fucking ableist
>>51246204
Something else is controlling resolve.conf. I have localhost defined in systemd-networkd. I also have that configuration ignore any DNS servers DHCP offers.
Berlin's Khaos Komputer Klub.
>>51244833
They have servers close to me so I chose it, thankfully it looks like they value your privacy as well.
>>51246343
Oh, you were right.
>named still doesn't work right
T-thanks!
>>51246363
Or run your own, and trust nobody. You can enforce DNSSEC too.
>>51246420
If only a self-hosted DNS would ever resolve any name...
>>51246539
What are you on about? See >>51246093
openDNS is literally a botnet, just thought i'd tell ya
https://code.google.com/p/namebench/
>>51246610
Doesn't end up working in the end.
>>51246675
It works just fine. There's a reason it ships with OpenBSD.
>>51244498
>>51246675
You probably forgot to download the root hints and point your .conf to them.
>>51244751
>>51245364
Is there a legit reason why not to use google's dns?
8.8.8.8
8.8.4.4
that or my ISPs
on my *nix box, it's some OpenNIC one and dnscrypt
>>51246715
Tracking and privacy concerns
>>51246715
Autism mostly.
>>51246732
I mean, how exactly does that help them when I already use gmail and android?
>>51244782
Pretty sure we don't.
>>51244903
OP is underaged, and being restricted from "naughty" websites.
>>51244498
google because it's easy to remember
>>51246750
shit wrong board
8.8.8.8
>>51246688
openbsd ships with named instead.
>>51246942
Unbound 1.5.4
http://www.openbsd.org/faq/faq1.html#Included
https://simplednscrypt.org/
> 2020 - 5, not using DNSCRYPT
>>51244498
Unbound on a local server resolving to the IANA root.
>>51247504
>2010+5
>not running your own local, recursive, caching DNS resolver.
>>51247536
This, I really don;t know why more people don't do it. It's easy as fuck to set up.
>>51247584
teach me
>>51247592
Sure, what kind of system do you have? What do you want your server to be capable of? Here's a good starting point: https://calomel.org/unbound_dns.html
>>51246715
Google is well known for logging just about everything everyone does. Even though I don't do anything illegal online, I still don't like google having a record of everything I do.
Google DNS.
I prefer reliability over tinfoil-cred
Is there any use of DNScrypt after configuring Unbound?
>>51247652
You can use Unbound to cache DNSCrypt's answers.
>>51247637
GNU/Debian. Already installed Unbound and DNSCRYPT-proxy, if that's for any use.
>>51247584
Because people are morons and half the time they have their server open to the wild and a prime candidate to participate in DNS amplification attacks.
>>51244498
Hardened unbound + dnscrypt
>>51247652
Yes, dnscrypt complements unbound by encrypting the last mile (you -> dns). Unbound doesn't encrypt dns queries.
>>51247686
Here's my unbound.conf, for reference.
http://hastebin.com/runonupowe.sm
>>51247723
That's why I restrict mine to local access only.
OpenNIC, but I'm considering unbound. Also, does changing your DNS prevent ISP logging?
>>51247782
It shouldn't really matter though, should it? In principle you'll do all queries to unbound instead of a root after the first time you make a request.
>>51247857
They're still going to see the IP addresses of sites you visit, unless you use a VPN.
>>51247857
no, your ISP still gets your request to connect to a foreign IP.
>>51247875
This desu senpai
>>51247875
>>51247882
Then what's the reason to change it from my ISPs? Couldn't they just connect to the IP and see what site it redirects to?
>>51244498
Is there any benefit to running your own DNS instead of your ISP's?
I mean, don't they see the IPs anyway?
What's the point?
>>51246715
Google will literally log every single domain name you ever visit. Combine that with their Analytics shit on 95% of every website, they will know everything about you.
>>51247962
You stack it with a VPN.
>>51244498
My provider's as that has the lowest ping. You should check with DNS benchmark or what it's called.
>>51245572
For some reason I can never open xkcd images from clover. Just the xkcd ones! Wtf tbqh senpaitachi
Opennic as first
Google as secondary
>>51247987
It still doesn't matter desu.
If you use a VPN that (theoretically) masks your identity, there's no reason to care.
>>51247987
>>51247637
>>51247630
>>51247584
>>51247783
After installing unbound, no command found on Arch's man starts the service.
>unbound.service" or "unbound-control"...
dnscrypt.eu
I've been using dnscrypt for ages now, feels naked without it.
>>51246420
any guides or places to start with this? I only know networking fundamentals
Any tips or advice would be greatly appreciated
>>51244903
gee, I wonder if things could ever be blocked at the DNS level?
I wonder if OP would do this to make a joke about 4chan's various categories
>>51246420
You'd still be trusting the root servers.
when opennic says a server is up for 85% of the time, how long is generally down for in that other 15%? Seconds, minutes, days?
>>51248501
Of fucking course. There's no way to *not* trust the root servers.
>>51248514
thanks
>>51247959
in my country, The Pirate Bay and other sites are "banned". This is done by forcing by law the ISPs DNSs to lie to the clients.
So one easy way to circumvent that is to go through a DNS which is not from the ISP.
For example I can use OpenNic with a server in my country and still access anything.
>>51248571
what's the point of that?
If you're using file sharing, chances are you know how to configure DNS...
>>51248656
>If you're using file sharing, chances are you know how to configure DNS...
That's simply not true. File sharing is done by a lot of retards.
>>51248656
our government and the previous ones have been pretty consistent at proving that they are absolutely clueless about what they are writing laws about when it comes to technical subjects.
>>51248103
sudo service unbound start
:^)
>>51248081
>what is dns leak
>>51248722
Not sure why they would bother wasting resources to write a law that has a clearly visible loophole in it... Maybe they were c'u'c'k'e'd by the US into doing it kind of like what happened to Sweden
Either pay for your own DNS service, build your own DNS server or just use your ISP DNS Server.
Free DNS Servers like OpenDNS and Google Public DNS are literal botnets.
Is it correctly defined as local DNS? Pages load without any perceived difference.
[source];; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14520
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4chan.org. IN A
;; ANSWER SECTION:
4chan.org. 137 IN A 104.16.64.203
4chan.org. 137 IN A 104.16.66.203
4chan.org. 137 IN A 104.16.67.203
4chan.org. 137 IN A 104.16.68.203
4chan.org. 137 IN A 104.16.65.203
;; Query time: 100 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sun Nov 08 17:32:50 BRST 2015
;; MSG SIZE rcvd: 118
[/source]
>>51248812
>Free DNS Servers like OpenDNS and Google Public DNS are literal
I'm not doubting it but are there any good sources you know of that speak about DNS related privacy issues (whether general or specific to certain providers)?
>>51248994
You're using your isp's DNS.
What's the benefit of using a non isp dns server and what's the best one to get started ?
>>51249161
How can you know?
>>51249179
my isp's DNS server goes down all the time, so there's that. combined with a tunneling service, your ISP can no longer tell what site you're visiting, so there's that too. Also, it's less delay in name resolution which can improve the performance of loading pages.
>>51244498
unbound with the open root server network (orsn.org)
>>51249230
>;; SERVER: 192.168.0.1#53(192.168.0.1)
>>51246359
Chaos communication convention soon
>>51249263
What a correct output should inform?
>[NOTICE] Proxying from 127.0.0.1:53 to 95.85.9.86:54
server:
port: 53
interface: 127.0.0.1
access-control: 0.0.0.0/0 refuse # negando redes externas
access-control: 192.168.0.1/24 allow # ranger hostpot
verbosity: 1
num-threads: 2
outgoing-range: 8192
num-queries-per-thread: 4096
so-rcvbuf: 4m
so-sndbuf: 4m
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
rrset-cache-size: 50m
msg-cache-size: 100m
do-ip4: yes
do-ip6: no
module-config: "iterator"
logfile: ""
local-data: "localhost A 127.0.0.1"
local-data-ptr: "127.0.0.1 localhost"
do-not-query-localhost: no
remote-control:
control-enable: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@40
forward-addr: 127.0.0.1@41
>>51249244
Thanks for the info, I will use google for more !So which one do you recommend ?
>>51245559
>85.15% uptime
wtf
>>51245572
So the joke is that the DNS erver provides them with so much user data it dwarfs what the other services can get them combined?
Or is it just another le wacky absurd statement but it's funny because it's nerdy stuff joke?nerd references comi?
>>51249247
That's a good idea. Do I just grab their root hints?
>>51249576
yeah I was curious about that as well
>>51247962
faster resolution, ability to blackhole unwanted domains (serves as a one size fits all solution to adblocking)
>>51246343
>systemd-networkd
BotNet
>>51247865
Of course it matters. Why wouldn't it? Not using dnscrypt leaves you open to MiTM. Furthermore, I really like the dnscrypt servers in Europe.
No logs, DNSSEC, dnscrypt-compatible, free, and low latency. Very nice.
>>51249230
>SERVER: 192.168.0.1#53(192.168.0.1)
This. If you are not running a DNS server at your gateway then it is pulling data from somewhere else, likely from your ISP.
>>51247959
>Couldn't they just connect to the IP and see what site it redirects to?
If the IP is dynamic, it's not that simple. Regardless, they would have to query the IP using a proper DNS server and even then, it's still safer as it wouldn't leave you prone to a MiTM attack by your ISP (a disgruntled employee) or someone with direct access to your network (so this is particularly nice for public wifi browsing).
>>51246715
Good goy, it's the defaul NWO resolver.
Why even bother changing it?
You can scare friends and family:
Look 8 and 8 and 8 and 8 is Hitler Hitler Two Times!
Good goy, trust Alphabet.
>>51249677
Is it better?;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30483
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4chan.org. IN A
;; ANSWER SECTION:
4chan.org. 44 IN A 104.16.65.203
4chan.org. 44 IN A 104.16.66.203
4chan.org. 44 IN A 104.16.67.203
4chan.org. 44 IN A 104.16.68.203
4chan.org. 44 IN A 104.16.64.203
;; AUTHORITY SECTION:
4chan.org. 43875 IN NS rita.ns.cloudflare.com.
4chan.org. 43875 IN NS rick.ns.cloudflare.com.
;; ADDITIONAL SECTION:
rick.ns.cloudflare.com. 47566 IN A 173.245.59.139
rick.ns.cloudflare.com. 74722 IN AAAA 2400:cb00:2049:1::adf5:3b8b
rita.ns.cloudflare.com. 171584 IN A 173.245.58.140
rita.ns.cloudflare.com. 106816 IN AAAA 2400:cb00:2049:1::adf5:3a8c
;; Query time: 263 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 08 18:18 BRST 2015
;; MSG SIZE rcvd: 261
https://dnsleaktest.com/
Test here.
Hardened unbound + 2 instances of dnscrypt running in parallel, for fallback purposes.server:
interface: 127.0.0.1
interface: ::1
verbosity: 1
num-threads: 4
port: 53
outgoing-range: 950
so-rcvbuf: 4m
so-sndbuf: 4m
so-reuseport: yes
msg-cache-size: 50m
msg-cache-slabs: 4
num-queries-per-thread: 512
rrset-cache-size: 100m
rrset-cache-slabs: 4
infra-cache-slabs: 4
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
hide-identity: yes
hide-version: yes
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
use-caps-for-id: yes
do-not-query-localhost: no
logfile: "/etc/unbound/unbound.log"
prefetch: yes
auto-trust-anchor-file: "/etc/unbound/root.key"
python:
remote-control:
forward-zone:
name: "."
forward-addr: 127.0.0.1@40DNSCRYPT_LOCALIP=127.0.0.1
DNSCRYPT_LOCALPORT=40
DNSCRYPT_USER=dnscrypt
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.resolver1.dnscrypt.eu
DNSCRYPT_PROVIDER_KEY=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66
DNSCRYPT_RESOLVERIP=176.56.237.171
DNSCRYPT_PROVIDER_NAME=2.dnscrypt-cert.fr.dnscrypt.org
DNSCRYPT_PROVIDER_KEY=E801:B84E:A606:BFB0:BAC0:CE43:445B:B15E:BA64:B02F:A3C4:AA31:AE10:636A:0790:324D
DNSCRYPT_RESOLVERIP=212.47.228.136
DNSCRYPT_RESOLVERPORT=443
>>51249805
Ever since I hardened Unbound, the test has refused to complete. Back then it only said 1, and listed the dnscrypt server of my choosing.
>>51244879
>implying other dns provider don't
>>51246343
networkd is a piece of shit. I have to check my resolve.conf all the time because it keeps fucking it up even though I configured to leave it untouched.
>>51249829
>>implying other dns provider don't
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
Some don't.
inb4 'you can't prove it'
>>51249847
sudo chattr +i /etc/resolv.conf
-i to undo it.
>>51245572
le smart funny stick figure comic
>>51249864
>chattr +i
Nice one! Didn't think of that.
>>51244498
I use OpenDNS, but I should move to either dnscrypt NL or set up my raspi as local dns.
>>51244833
This
>>51248571
Stoemen belgischen juge die geen hol verstand heeft van alles wa na de 19 de eeuw uitgevonden is.
>>51250167
I'm not from Belgium. I'm from France. But sad to hear other EU fellows are in the same retarded train.
>>51246755
Well, your computer uses DNS to resolve the IP address of literally every single website you visit. So now they have that too, and if you use Google services it's trivial for them to correlate it with your account.
If you don't care then it's not really a big deal, but it is a valid privacy concern for others.
>>51249864
There is no guarantee those don't log. At the end of the day you have to trust someone with your data when it comes to DNS.
>>51249676
How would you get mitm'd between yourself and yourself?
>>51249726
Yeah, looks good. But make sure that services are actually using e.g. resolv.conf (put a dummy address as the only nameserver and ensure everything fails to resolve).
>>51249829
I don't log myself. Don't see your point though.
>>51251078
Are you stupid? Serious question.
Results aren't cached forever.
>>51251408
>Results aren't cached forever.
>having a 2bit cache size
>having automatic refresh
>>51251525
>implying results don't expire
OR
>go to site for the first time, or first time since cache expiration
Stop shitposting.
How bad is opennic when using a local caching DNS server? Can the local DNS make up for the entirety of the 15% downtime?
>>51251980
>How bad is opennic when using a local caching DNS server? Can the local DNS make up for the entirety of the 15% downtime?
As bad as you want it to be, just add a second nameserver to resolv.conf and it will fall back to it whenever the former isn't available.
Alternatively, run two instances of dnscrypt, as highlighted here: https://github.com/jedisct1/dnscrypt-proxy/issues/228
DNScrypt requires a public third-party even with a running local resolver, and you don't know if the software does shit about its claims.
BOTNET
I fixed dnscrypt's guide on install gentoo https://wiki.installgentoo.com/index.php/DNSCrypt
To use with unbound, simply add this to unbound.conf:do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@40
>>51252730
>DNScrypt requires a public third-party even with a running local resolver, and you don't know if the software does shit about its claims.
>BOTNET
But you do, it's open source.
>>51251525
>I was just pretending
>>51244498
8.8.8.8
>>51252967
>>8.8.8.8
>goes out of his way to change his nameserver
>picks google's
Kill yourself, you dumb fuck CIA-nigger.
>>51252730
You always need a 3rd party resolver even if you're running one locally.
>>51253093
>Unbound is p2p
... What? Unbound is NOT a dns forwarder.
>doesn't prevent "DNS leaks", or third-party DNS resolvers from logging your activity.
>Unbound is NOT a dns forwarder.
So, exacly why should anyone use any of this shit?
>>51253570
>So, exacly why should anyone use any of this shit?
It doesn't PREVENT that, but it does MITIGATE it. If you want to prevent it, use dnscrypt.
>why should anyone use any of this shit?
It's a DNS cache and can enforce DNSSEC. So, on top of making everything more secure when it comes to sites that are using DNSSEC, it makes everything low latency, if the results have already been cached.
>>51253064
False
>>51253570
It is a local, caching, recursive DNS resolver. Do your research before you start sounding stupid.
>>51253930
[citation needed]
>>51254020
It is a full recursive resolver, not a stub resolver. Why the fuck would you need to rely on another resolver? All you need are the root hints.
Google DNS is best DNS. Fast, well funded, and with a clear privacy policy: https://developers.google.com/speed/public-dns/privacy?hl=en
>>51254283
Which are themselves resolvers, though, when you use dnscrypt along with e.g. unbound, you're using whatever resolver you select for dnscrypt when you're trying to reach your root.
>>51254834
You use DNSSEC and the root authoritative nameservers, not DNSCRYPT and another resolver.
>>51255480
DNSSEC verifies that you're receiving a name that hasn't been tempered with. Dnscrypt connects via an encrypted tunnel to the root.
>>51255547
And?
i run a server 2012 machine for local dns/wins and dns caching, and it just forwards requests to googles.
>>51256164
>windows server
>NSA DNS
tip top kek
>>51256164
>googles
googles.
googles
googles.
googles
googles.
googles
googles.
googles
googles.
>implying more then one
do you use Unbound on your machine or on a server in your network? (do you pair it up with a DNS server or is it standalone)
>>51256765
It IS a DNS server.
>>51245011
https://community.opendns.com/user/613783
>>51256573
what goes your brain when you make a fucking retarded post like that? how do you even solve the captcha by yourself?
>>51256615
google's, sorry i didnt put in the fucking apostrophe
>>51256773
ahh alright thanks man , so you would set this up and make all your devices use that as the DNS
>Using anything other than ISP DNS for muh privacy
ISP already has logs, so why give logs to a 2nd organization? Why give logs to 2 organization instead of just 1?
>>51256782
>>51256838
But what if the other DNS doesn't have logs and you can stop logging on your ISP?
google, I already use their services for my fetishes and shitposting so why not?
https://dnscrypt.pl
Openic and myself
