Open ghost opened 8 years ago
Wow, thank you for that very detailed description! Wonderful.
Yea that thing with the DNS seems to be an everlasting line of worry. We started out with DNS servers from the Swiss Privacy Foundation. Suddenly, they shut em down without any warning or notice. It almost killed our network, because we had not used any [Google] fallback servers that are always online.
("Die DNS-Server der Swiss Privacy Foundation (77.109.138.45 und 77.109.139.29) wurden Mitte Juni 2015 abgestellt.").
http://www.privacyfoundation.ch/de/service/server.html
I don't want to base my DNS infrastructure on a kindergarten like the Swiss Prifucky Foundation anymore.
After using the not so open OpenDNS, cjd recommended me the Level 3 (4.2.2.*) servers. However, they redirect to a search site when a name is not resolved. This is also crap.
So, there is OpenNIC which I haven't known yet. Thank you for the hint! Well but... Most servers in tier 2 were recently added. Some are down already. Seems like a messy unstable kindergarten too. I'll only use Tier 1, should I decide to go for OpenNIC servers.
Regarding DNSSec: I've heard djb ranting about it, so this is lower on my list. And there are the other DNS crypto things that I first have to take a closer look into. At the moment, I have other important things to do.
But anyway, thanks again for the comprehensive overview! I'll keep it in my mind.
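The redirect-on-unresolved-name behaviour mentioned above can be checked directly. The following probe is an added example (not code from this thread or from the Enigmabox project): it asks a resolver for a random name under the reserved `.invalid` TLD, which can never legitimately resolve, and classifies the reply; `make_response` builds a constructed offline sample so the classifier can be exercised without network access.

```python
import secrets
import socket
import struct

def build_query(name, txid):
    """Minimal DNS query for an A record of `name`, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def make_response(txid, rcode, answer_ips):
    """Constructed reply to a 'foo.invalid' query (offline sample, not real traffic)."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(answer_ips), 0, 0)
    rr = lambda ip: b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + build_query("foo.invalid", txid)[12:] + b"".join(map(rr, answer_ips))

def skip_name(msg, off):
    """Offset just past the (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def classify_response(msg):
    """'NXDOMAIN' (honest), 'HIJACKED' (A record for a name that cannot exist), 'EMPTY' (NOERROR, no A)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F == 3:  # RCODE 3 = NXDOMAIN
        return "NXDOMAIN"
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:
            return "HIJACKED"
        off += rdlen
    return "EMPTY"

def probe_resolver(resolver_ip, timeout=3.0):
    """Live check: ask for a random name under the reserved .invalid TLD."""
    query = build_query(secrets.token_hex(6) + ".invalid", secrets.randbelow(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        return classify_response(sock.recvfrom(512)[0])
```

A resolver that returns "HIJACKED" here is substituting its own address for NXDOMAIN, which is exactly the search-site redirect complained about above.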
> We started out with DNS servers from the Swiss Privacy Foundation. Suddenly, they shut em down without any warning or notice
Okay, at least they suggested alternative servers in the site you linked to: https://xiala.net/services/dns.html Based on their facts they also may be quite stable and reliable.
> After using the not so open OpenDNS, cjd recommended me the Level 3 (4.2.2.*) servers. However, they redirect to a search site when a name is not resolved. This is also crap.
Indeed. :smile:
> So, there is OpenNIC which I haven't known yet. Thank you for the hint! Well but... Most servers in tier 2 were recently added. Some are down already. Seems like a messy unstable kindergarten too. I'll only use Tier 1, should I decide to go for OpenNIC servers.
Well... you'll have to test them and watch them over a longer period of time. Possibly some servers may be likable. As they are operated by volunteers every single server can be different. You might also have a look at the DNSCrypt clients. They also have a list of DNS servers.
The thing about DNSSEC is okay, I would also prioritize DNSCrypt as you may deploy it more easily on your own servers and on the Enigmabox. I don't know of other "DNS crypto things" you may do except the ones I mentioned.
Another DNSCrypt server in Iceland: https://dnscrypt.is/
If you're still in need of additional privacy-friendly candidates (no logging, no censorship) also take a look at:
DNSSEC is supported by all of them AFAIK (I'm sure about the first 2 at least).
xiala.net announces on their home page, they'll pull the plug end of Nov. 2018.
FYI, Firefox gives the following warning when attempting to visit xiala.net:
Firefox detected a potential security threat and did not continue to xiala.net. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.
@alexhiggins732 looks like they've misconfigured their certificate. Try www.xiala.net instead (that's covered by the cert, and nothing else – so calling just https://xiala.net/ results in a cert error SSL_ERROR_BAD_CERT_DOMAIN). With the www. prefix, I get no error in Waterfox (while without it I do).
Apart from that: See the comment just before yours.
Because of this commit I saw you also operate DNS servers. However you can still improve this: Do not use Google Public DNS or US DNS servers like 4.2.2.1 (also not as a fallback like you seem to do currently). I think you know that they are not very keen on privacy and additionally they may be located quite far away from Switzerland, so the latency may be high, too. So you already added your own DNS servers. This is good, but you should improve it:
BTW one last suggestion: You may also make the DNS server config available to the user via the webinterface. It would be nice if the user could at least select a server out of a pre-defined list.
Note: You can reply me in German if you want, but I wrote this in English so everyone can understand this.
* Attention: The name OpenDNS is misleading. It's neither open nor non-logging (of DNS queries or so), and it did bad things in the past. Nowadays it is also owned by Cisco FYI. The only advantage of their service is that it is quite reliable and offers DNSCrypt, so as the last (really the last!) fallback it may be adequate.