celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0
2.67k stars 138 forks

DoH and DNSCrypt suggestions #419

Open Horizonbli opened 2 years ago

Horizonbli commented 2 years ago

There are a few suggestions that I'd like to make.

Regarding DNSCrypt, it would be more than welcome if we could have RethinkDNS retrieve a remote list of known public servers and relays, rather than having to manually add them, which is a very time consuming task if one wants quite a few more options. It could also give options to use only servers that keep no logs and provide DNSSEC support, and to choose whether or not we'd like to use those that provide filtering. I'm aware that known public lists include both DNSCrypt and DoH servers, so the RethinkDNS app has to separate the DNSCrypt and DoH entries into their right place.

Now, unlike the DoH setting, where we can select a given server and it just waits for a connection to be available, the same doesn't happen with DNSCrypt: it just mentions that it cannot connect to the server and falls back to the RethinkDNS basic DoH server. Can't we have it work the same way the DoH setting works (I suppose it stays in standby mode until it detects a connection)? By the way, when DoH is set, shouldn't it show "Enabled" rather than "Connected"? (The same for DNSCrypt.) After all, if there is no connectivity, then it doesn't make much sense to have it display "Connected". Please note that it is just a humble opinion, and nothing more than that.

In both settings, we should be able to edit entries (those added by us, at least). RethinkDNS should remove duplicate entries as well. Currently, it doesn't.

Unlike what happens with DNSCrypt custom entries, custom DoH entries don't allow us to add a brief description about them. If custom DNSCrypt entries allow us, why not the same with DoH... just a minor detail, that's all.

Thanks!
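As an added example (not code from this issue thread or from the rethink-app/firestack projects), the Go sketch below shows how an app could take a fetched public-resolvers list that mixes DNSCrypt servers, DNSCrypt relays and DoH servers, separate them by decoding each entry's DNS stamp (the sdns:// format published by dnscrypt.info), read the DNSSEC / no-logs / no-filter bits from the stamp's props field, drop exact duplicates, and keep only servers matching the user's preferences. The function names, the three-boolean preference interface and the sample entries (documentation IP ranges and example.test names) are this example's own constructions, not real servers or project APIs.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Protocol bytes and property bits from the DNS stamps specification (https://dnscrypt.info/stamps-specifications/).
const (
	protoDNSCrypt, protoDoH, protoDNSCryptRelay = 0x01, 0x02, 0x81
	propDNSSEC, propNoLogs, propNoFilter        = uint64(1), uint64(2), uint64(4)
)

// Stamp holds the fields needed to classify a server and match it against user preferences.
type Stamp struct {
	Proto                          byte
	DNSSEC, NoLogs, NoFilter       bool
	Addr, Provider, Hostname, Path string
}

// ParseStamp decodes an sdns:// stamp: all fields for DNSCrypt servers, DNSCrypt relays and DoH servers; only the common header (protocol, props, address) for other protocols.
func ParseStamp(s string) (Stamp, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(s, "sdns://"))
	if err != nil || len(raw) == 0 || !strings.HasPrefix(s, "sdns://") {
		return Stamp{}, errors.New("not a valid sdns:// stamp")
	}
	pos, perr := 1, error(nil)
	next := func() string { // next length-prefixed field; the high bit of a length byte is only a VLP "more items" marker
		if pos >= len(raw) || pos+1+int(raw[pos]&0x7f) > len(raw) {
			perr = errors.New("stamp truncated or field overruns buffer")
			return ""
		}
		n := int(raw[pos] & 0x7f)
		pos += 1 + n
		return string(raw[pos-n : pos])
	}
	st := Stamp{Proto: raw[0]}
	if st.Proto != protoDNSCryptRelay { // relays carry no props field, only an address
		if len(raw) < 9 {
			return Stamp{}, errors.New("stamp too short for props")
		}
		props := binary.LittleEndian.Uint64(raw[1:9])
		st.DNSSEC, st.NoLogs, st.NoFilter = props&propDNSSEC != 0, props&propNoLogs != 0, props&propNoFilter != 0
		pos = 9
	}
	st.Addr = next()
	switch st.Proto {
	case protoDNSCrypt:
		next() // 32-byte provider public key; not needed to classify the server
		st.Provider = next()
	case protoDoH: // skip the certificate-hash list: a set high bit on a length byte means another hash follows
		for more := true; more; next() {
			more = pos < len(raw) && raw[pos]&0x80 != 0
		}
		st.Hostname, st.Path = next(), next()
	}
	return st, perr
}

// SplitStamps sorts a mixed list into DNSCrypt servers, DNSCrypt relays and DoH servers: exact duplicates are kept once, unparsable entries are skipped, and servers are dropped when they fail the user's DNSSEC / no-logs / filtering preferences.
func SplitStamps(stamps []string, requireDNSSEC, requireNoLogs, allowFiltering bool) (dnscrypt, relays, doh []Stamp) {
	seen := map[string]bool{}
	for _, s := range stamps {
		st, err := ParseStamp(s)
		if err != nil || seen[s] {
			continue
		}
		seen[s] = true
		ok := (!requireDNSSEC || st.DNSSEC) && (!requireNoLogs || st.NoLogs) && (allowFiltering || st.NoFilter)
		switch {
		case st.Proto == protoDNSCryptRelay: // relays carry no props to check
			relays = append(relays, st)
		case ok && st.Proto == protoDNSCrypt:
			dnscrypt = append(dnscrypt, st)
		case ok && st.Proto == protoDoH:
			doh = append(doh, st)
		}
	}
	return
}

// stamp builds an sdns:// URL from a header and length-prefixed fields, for the constructed sample list below.
func stamp(proto byte, props uint64, fields ...string) string {
	b := append([]byte{proto}, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(b[1:], props)
	for _, f := range fields {
		b = append(append(b, byte(len(f))), f...)
	}
	return "sdns://" + base64.RawURLEncoding.EncodeToString(b)
}

// SampleList is a constructed stand-in for a remote public-resolvers list; none of these are real servers.
var SampleList = []string{
	stamp(protoDNSCrypt, propDNSSEC|propNoLogs|propNoFilter, "203.0.113.10:8443", string(make([]byte, 32)), "2.dnscrypt-cert.example.test"),
	stamp(protoDoH, propDNSSEC|propNoLogs, "", "", "doh-filtering.example.test", "/dns-query"), // empty addr, then an empty hash list
	stamp(protoDoH, propNoLogs|propNoFilter, "", "", "doh-nodnssec.example.test", "/dns-query"),
	"sdns://" + base64.RawURLEncoding.EncodeToString(append([]byte{protoDNSCryptRelay, 16}, "198.51.100.5:443"...)), // relay: no props, 16-char address
	stamp(protoDNSCrypt, propDNSSEC|propNoLogs|propNoFilter, "203.0.113.10:8443", string(make([]byte, 32)), "2.dnscrypt-cert.example.test"), // duplicate
}

func main() {
	dc, rl, doh := SplitStamps(SampleList, true, true, true)
	fmt.Printf("dnscrypt=%d relays=%d doh=%d (DNSSEC + no logs required, filtering allowed)\n", len(dc), len(rl), len(doh))
}
```

The props bits are whatever the list publisher declared, so they are a starting filter rather than a verification: a server whose stamp advertises DNSSEC may still not validate, which is the gap later comments in this thread run into. Dedup here is on the exact stamp string; the same server published with different props or addresses would survive as two entries unless a looser key (for example provider name or hostname) is used.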

ignoramous commented 2 years ago

DNSCrypt impl in RethinkDNS needs more effort, yes:

  1. 181
  2. 139
  3. 157
  4. 387
  5. celzero/firestack/issues/4

Sigh.

Horizonbli commented 2 years ago

It would be great if the future DNSCrypt implementation could work this way:

  1. Only show DNS servers based on user preferences
  2. Clicking on selected server(s) reveals only relays that are hosted in countries different from the DNS server(s) and do not belong to the same people operating the DNS server(s)

Horizonbli commented 2 years ago

Hey there again,

Regarding the remote DNSCrypt servers and relays sources (I suppose DoH as well), would it be possible to have the RethinkDNS app only fetch servers that DO support DNSSEC?

I recently tried some servers that mention enforcing it, but testing them on hxxps://dnssec.vs.uni-due.de/ reveals they don't. Not sure if something went wrong on their side, and for how long, but a couple I tested don't enforce it. It would take some time to test it all, manually...

Thanks!

ignoramous commented 1 year ago

...likely a lot of UI work... though, it would for sure make for a nice user experience. We'll keep your suggestions in mind.

> Regarding the remote DNSCrypt servers and relays sources (I suppose DoH as well), would it be possible to have the RethinkDNS app only fetch servers that DO support DNSSEC?

Interesting suggestion. We could include automated tests that evaluate the servers and show which ones support what features (DNSSEC for example), or rely on the metadata available from dnscrypt.info (tricky because any changes dnscrypt.info makes would break the app UI).

> Clicking on selected server(s) reveals only relays that are hosted in countries different from the DNS server(s) and do not belong to the same people operating the DNS server(s)

Geo-IP is one way to find out the resolver/relay locations, but the problem is Geo-IP does not hold when the servers use anycast IPs (like AdGuard and Quad9). Again, trusting dnscrypt.info is tricky for an app (which has a much slower update cadence wrt a website).
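As an added example of the "automated tests that evaluate the servers" idea above (not code from this thread or from the project), the Go snippet below classifies a resolver's DNSSEC behaviour from the response headers of two probe queries: one for a correctly signed name and one for a name whose signatures are deliberately broken, which is the same check the DNSSEC test site mentioned earlier in the thread performs. The two 12-byte responses are constructed inline; sending the real queries (which must carry the EDNS0 DO bit) and choosing the test domains are outside the example, and the verdict names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DNSSECVerdict is the outcome of probing one resolver with a correctly signed name and a deliberately broken one.
type DNSSECVerdict string

const (
	Validating    DNSSECVerdict = "validating"     // AD set on the good name, SERVFAIL on the broken one
	NotValidating DNSSECVerdict = "not validating" // answers the broken name as if it were fine, no AD on the good one
	Inconclusive  DNSSECVerdict = "inconclusive"   // e.g. AD claimed on the good name but the broken name still answered
)

// Header flag bits and RCODEs from the DNS message header (RFC 1035 section 4.1.1; AD bit from RFC 4035).
const (
	flagQR     = 1 << 15
	flagAD     = 1 << 5
	rcodeMask  = 0xF
	rcodeNoErr = 0
	rcodeServF = 2
)

// headerFlags pulls the 16-bit flags word out of a raw DNS response; the message must at least hold the 12-byte header.
func headerFlags(msg []byte) (uint16, error) {
	if len(msg) < 12 {
		return 0, errors.New("message shorter than a DNS header")
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	if flags&flagQR == 0 {
		return 0, errors.New("not a response")
	}
	return flags, nil
}

// Judge classifies a resolver from its two responses. Only the clean "AD + SERVFAIL" and "no AD + answered" patterns get a definite verdict; mixed signals are reported as inconclusive so they can be looked at rather than trusted.
func Judge(goodResp, brokenResp []byte) (DNSSECVerdict, error) {
	gf, err := headerFlags(goodResp)
	if err != nil {
		return Inconclusive, err
	}
	bf, err := headerFlags(brokenResp)
	if err != nil {
		return Inconclusive, err
	}
	goodAD := gf&flagAD != 0 && gf&rcodeMask == rcodeNoErr
	brokenFail := bf&rcodeMask == rcodeServF
	switch {
	case goodAD && brokenFail:
		return Validating, nil
	case !goodAD && !brokenFail && bf&rcodeMask == rcodeNoErr:
		return NotValidating, nil
	}
	return Inconclusive, nil
}

// header builds a constructed 12-byte response header with the given flags (id 0x1234, one question, no records); used only for the sample responses.
func header(flags uint16) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint16(b[0:], 0x1234)
	binary.BigEndian.PutUint16(b[2:], flags|flagQR)
	binary.BigEndian.PutUint16(b[4:], 1)
	return b
}

func main() {
	// Constructed responses: what a validating resolver and a non-validating one would return for the two probes.
	v, _ := Judge(header(flagAD), header(rcodeServF))
	n, _ := Judge(header(0), header(0))
	c, _ := Judge(header(flagAD), header(0))
	fmt.Println("resolver A:", v, "| resolver B:", n, "| resolver C:", c)
}
```

The AD bit is only meaningful when the path to the resolver is authenticated, which DoH and DNSCrypt give you; over plain UDP it can be set by anyone on the path. Treating "AD on the good name but an answer for the broken name" as inconclusive rather than validating is deliberate: that combination is exactly the "claims to enforce it but doesn't" case reported above, and a real probe should also rule out SERVFAILs caused by unrelated outages before calling a resolver validating.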

Horizonbli commented 1 year ago

I hope these changes make it to RethinkDNS app. It would only make it greater.

Thanks