What are the best DNS servers to use for Privacy? I have been using OpenNic Project servers which don't do logging, but recently found out about the Open Root Server Network (ORSN) and have been considering using them as well. Does anyone have any thoughts, positive or negative, about either of these? Are there better public DNS servers to use? Thanks Chuck
I use:
nameserver 204.152.184.76
nameserver 194.150.168.168
nameserver 213.73.91.35
nameserver 8.8.8.8
works fine. Google as gateway of last resort :)
niftybunny
Where ignorance is bliss, 'Tis folly to be wise.
Thomas Gray
On 4. Aug 2017, at 16:11, Chuck McAndrew chuck.mcandrew@leblibrary.com wrote:
What are the best DNS servers to use for Privacy? I have been using OpenNic Project servers which don't do logging, but recently found out about the Open Root Server Network (ORSN) and have been considering using them as well. Does anyone have any thoughts, positive or negative, about either of these? Are there better public DNS servers to use? Thanks Chuck
-- The Right-To-Know Law provides that most e-mail communications, to or from Lebanon Public Libraries employees regarding the business of the library, are government records available to the public upon request. Therefore, this e-mail communication may be subject to public disclosure. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Fri, 4 Aug 2017 16:18:23 +0200 niftybunny abuse@to-surf-and-protect.net wrote:
I use:
nameserver 204.152.184.76
nameserver 194.150.168.168
nameserver 213.73.91.35
nameserver 8.8.8.8
works fine. Google as gateway of last resort :)
A common gotcha: only the first three will be used; the rest are apparently ignored. `man resolv.conf`:
Up to MAXNS (currently 3, see <resolv.h>) name servers may be listed, one per keyword.
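A small audit script for the MAXNS gotcha above, added here as an example and not something posted in the thread: it reads a resolv.conf-style file, reports which nameserver entries glibc will actually use (the first three) and which are silently ignored, and also flags a first entry that is not a local caching resolver, the ordering teor recommends further down the thread. The file path is whatever you pass in; the sample contents in the comments are constructed.

```shell
# check_resolv FILE
# Audits a resolv.conf-style file (path passed in; sample below is constructed):
#   - glibc honours only the first MAXNS (3) "nameserver" lines, so a fourth
#     or later entry is dead configuration and is reported as ignored;
#   - the first entry should be a local caching resolver (127.0.0.1 or ::1),
#     so upstream servers only ever see cache misses.
# Prints one line per finding and returns 0 only when both conditions hold.
MAXNS=3

check_resolv() {
    file="$1"
    n=0
    first=""
    ignored=""
    # Only lines whose first keyword is "nameserver" count; comments,
    # "search", "options" and blank lines are skipped.
    while read -r key addr _rest; do
        [ "$key" = "nameserver" ] || continue
        n=$((n + 1))
        [ "$n" -eq 1 ] && first="$addr"
        [ "$n" -gt "$MAXNS" ] && ignored="$ignored $addr"
    done < "$file"

    rc=0
    case "$first" in
        "")        echo "warn: no nameserver entries found"; rc=1 ;;
        127.*|::1) echo "ok: first resolver $first is a local cache" ;;
        *)         echo "warn: first resolver $first is not local; put a caching resolver at 127.0.0.1 first"
                   rc=1 ;;
    esac
    if [ -n "$ignored" ]; then
        echo "warn: $n nameserver entries but MAXNS=$MAXNS; ignored:$ignored"
        rc=1
    else
        echo "ok: $n nameserver entries, all within MAXNS=$MAXNS"
    fi
    return "$rc"
}

# Example run on a constructed file mirroring the four-entry list above:
#   printf 'nameserver 204.152.184.76\nnameserver 194.150.168.168\n' > /tmp/r.conf
#   printf 'nameserver 213.73.91.35\nnameserver 8.8.8.8\n' >> /tmp/r.conf
#   check_resolv /tmp/r.conf
```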
On Fri, Aug 4, 2017 at 3:18 PM, niftybunny abuse@to-surf-and-protect.net wrote:
I use:
nameserver 204.152.184.76
nameserver 194.150.168.168
nameserver 213.73.91.35
nameserver 8.8.8.8
works fine. Google as gateway of last resort :)
I'd add also 77.88.8.8 (https://dns.yandex.ru) and 80.80.80.80 (http://freenom.world) to the list.
What do you think about the following configuration?
Tor -> DNS cache ->
- Your own recursive DNS resolver
- (if it fails) Your ISP's DNS resolver
- (if it fails) Open DNS servers (maybe random of them?)
On 4. Aug 2017, at 18:43, Nagaev Boris bnagaev@gmail.com wrote:
What do you think about the following configuration?
Tor -> DNS cache ->
- Your own recursive DNS resolver
- (if it fails) Your ISP's DNS resolver
- (if it fails) Open DNS servers (maybe random of them?)
Try it out and please tell us in a few weeks how it is going. Btw, there are a lot of big ISPs that use Google DNS by default … I am looking at you DigitalOcean, OVH and resellers etc … As a German subject I trust the CCC and their DNS servers. They are a pain in the ass to our government ….
niftybunny
“Cheery was aware that Commander Vimes didn't like the phrase 'The innocent have nothing to fear', believing the innocent had everything to fear, mostly from the guilty but in the longer term even more from those who say things like 'The innocent have nothing to fear'.”
― Terry Pratchett, Snuff
On 8/4/17 10:11, Chuck McAndrew wrote:
If I remember the following paper correctly, the best case scenario would be for each exit to run its own DNS resolver. You should read it and make sure I remember correctly ;)
https://freedom-to-tinker.com/2016/09/29/the-effect-of-dns-on-tors-anonymity...
https://nymity.ch/tor-dns/tor-dns.pdf
Matt
I got lots of "[WARN] eventdns: All nameservers have failed" with my own DNS server. With the 4 DNS servers I posted here a few minutes ago, I never saw this warning again.
niftybunny
On 4. Aug 2017, at 16:23, Matt Traudt sirmatt@ksu.edu wrote:
If I remember the following paper correctly, the best case scenario would be for each exit to run its own DNS resolver. You should read it and make sure I remember correctly ;)
Check this list and choose the ones with the lowest ping from your node: https://www.lifewire.com/free-and-public-dns-servers-2626062
Make sure to avoid DNS servers marketed as "secure" (for example, do NOT use "Comodo Secure DNS") since they perform arbitrary censorship/redirection. Also, do not use Google as it already sees 30% of all Tor exit traffic.
On your node, run dnsmasq with a large (10000) cache as a fast and secure alternative to running a full DNS server. That can prevent some DNS-based timing attacks.
On Fri, Aug 4, 2017 at 7:29 AM, niftybunny abuse@to-surf-and-protect.net wrote:
I got lots of "[WARN] eventdns: All nameservers have failed" with my own DNS server. With the 4 DNS servers I posted here a few minutes ago, I never saw this warning again.
On 5 Aug 2017, at 00:29, niftybunny abuse@to-surf-and-protect.net wrote:
I got lots of "[WARN] eventdns: All nameservers have failed" with my own DNS server. With the 4 DNS servers I posted here a few minutes ago, I never saw this warning again.
Apparently this warning happens when you have one DNS server in response to malformed requests (like ".foo.bar").
I would not be too concerned about it if it's followed by: "[notice] eventdns: Nameserver IP:53 is back up"
We'll try to work out what's happening and downgrade the warning in these cases: https://trac.torproject.org/projects/tor/ticket/23113
For client privacy and performance, it's best to have a local cache or caching resolver first in the list.
For reliability, it's best to have another two entries in the list on unrelated infrastructure (for example, one at the ISP, and one elsewhere).
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
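A triage helper for the eventdns warning teor describes above, added here as an example and not part of the thread: it walks a Tor notice log and counts how many "All nameservers have failed" warnings were followed by a "Nameserver ...:53 is back up" notice (transient, per teor) versus a failure still outstanding at the end of the log. The log lines in the comments are constructed; the log path is whatever you pass in.

```shell
# triage_eventdns LOGFILE
# Walks a Tor notice log and classifies eventdns failures:
#   recovered  - "All nameservers have failed" later followed by a
#                "Nameserver <ip>:53 is back up" notice (teor: not a concern);
#   still_down - the most recent failure has no recovery notice yet, which is
#                the case worth investigating (resolver really unreachable).
# Prints a one-line summary and returns 1 if a failure is still outstanding.
triage_eventdns() {
    awk '
        /eventdns: All nameservers have failed/ {
            failed++; pending = 1; last_fail = $1 " " $2 " " $3; next
        }
        /eventdns: Nameserver .* is back up/ {
            # Only the first "back up" after a failure counts as recovery;
            # with several upstreams each one reports separately.
            if (pending) { recovered++; pending = 0 }
        }
        END {
            printf "failed=%d recovered=%d still_down=%d", failed + 0, recovered + 0, pending + 0
            if (pending) printf " since=%s", last_fail
            printf "\n"
            exit (pending ? 1 : 0)
        }' "$1"
}

# Constructed sample in Tor's log format (one recovered failure, one still
# outstanding), e.g. written to /tmp/notices.log before calling the function:
#   Aug 04 14:29:01.000 [warn] eventdns: All nameservers have failed
#   Aug 04 14:29:03.000 [notice] eventdns: Nameserver 127.0.0.1:53 is back up
#   Aug 04 14:35:10.000 [warn] eventdns: All nameservers have failed
# triage_eventdns /tmp/notices.log
#   -> failed=2 recovered=1 still_down=1 since=Aug 04 14:35:10.000
```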
I use pure IPv6 on a bind caching nameserver:
2001:4860:4860::8844; 2001:1608:10:25::1c04:b12f; 2600::1;
Considering the throughput of my exit node and the amount of DNS cached, I'm not leaking as much as you might expect.
On Fri, Aug 4, 2017 at 2:38 PM, teor teor2345@gmail.com wrote:
On 08/04/2017 04:11 PM, Chuck McAndrew wrote:
Look into [1]
Therefore I decided to use the DNS of my AS. Because the AS already sees my IP, there's no need to involve a third party in getting IP info too.
And I used dnsmasq to enable DNSSEC; my configuration notes are in [2].
[1] https://nymity.ch/tor-dns/
[2] https://zwiebeltoralf.de/torserver.html
-- Toralf PGP C4EACDDE 0076E94E
On my LAN I'm using Unbound, forwarding all requests to "root servers".
I've read it's not really cool for a high traffic server, to preserve those root servers...? But for home, I think it's perfect.
For an exit, why not also use a DNS cache as Igor said? It may be less aggressive towards the root servers:
On your node, run dnsmasq with a large (10000) cache as a fast and secure alternative to running a full DNS server. That can prevent some DNS-based timing attacks.
Is it a good idea to use those root servers? I'm not 100% sure about requests because of MITM attacks, but better than Google DNS?
On 6 Aug 2017, at 02:57, Petrusko petrusko@riseup.net wrote:
Is it a good idea to use those root servers? I'm not 100% sure about requests because of MITM attacks, but better than Google DNS?
Using a caching, recursive resolver should be fine. (Then the root servers only answer queries for top-level domains.)
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
So Unbound looks nice for these features ;) Easy to set up on a Linux/Windows box as a server, it can be used on localhost when connecting to unknown wifi... low memory/CPU usage.
It has been used every day for home/work since a long time ago... surfing, etc...
teor :
Using a caching, recursive resolver should be fine. (Then the root servers only answer queries for top-level domains.)