Open rusty-snake opened 3 years ago
The guys at dnscrypt (https://github.com/DNSCrypt/dnscrypt-resolvers/tree/master/v3) are running something based on public/private key for their lists. Probably they keep the list on github and the private key is embedded in the program. I'll look into it.
They use minisign and reference a cache file / minisign key in their configuration file tying things together. Quite nice actually.
The way we do it today: we start the proxy and test servers from the list at random in the geographical zone where the proxy is located (Asia-Pacific, Americas, Europe). We find two servers working, and pick the fastest one. If the first one responds in under 80 ms and it has a keepalive timer 110 seconds or higher, we don't bother with the second one.
So far we have:
The numbers are still going up. We can survive if for any reason half the servers are down. At any time some of them are broken, usually expired SSL certificates - it takes them a few days to come back.
I guess the model is the one from Tor network. They have thousands of exit nodes (most exit nodes are resolving dns locally). I don't know how they download the initial list. I assume the list is never stored on the client computer. They also have very good geolocation for the client - the package is tor-geoipdb in Debian.
So let's keep this open for now, hopefully the number of servers goes up and we just update the list from time to time.
From: https://github.com/netblue30/fdns/issues/55#issuecomment-748319346
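The start-up selection rule described in the quoted comment (probe servers of the proxy's zone at random, stop at the first one if it answers in under 80 ms with a keepalive of 110 s or more, otherwise take the faster of the first two that work), written out as an added C example. This is not fdns's own code: the `struct server` fields, the sample servers and their probe outcomes are constructed, and the random probe order is made an explicit parameter so the result is reproducible; `select_server_random` shows the randomised form the proxy would use.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical candidate record; field names are assumptions, not fdns's types. */
struct server {
    const char *name;
    const char *zone;   /* "Asia-Pacific", "Americas" or "Europe" */
    int reachable;      /* constructed probe outcome: 0 = broken (e.g. expired certificate) */
    int latency_ms;     /* constructed probe latency */
    int keepalive_s;    /* keepalive timer the server advertises */
};

#define FAST_MS         80   /* "responds in under 80 ms" */
#define KEEPALIVE_MIN_S 110  /* "keepalive timer 110 seconds or higher" */

/* Constructed sample list: one zone has a broken server and one slow-but-alive server. */
const struct server SAMPLE[] = {
    { "eu-a", "Europe",   1, 120, 200 },
    { "eu-b", "Europe",   0,  30, 300 },  /* down: expired certificate */
    { "eu-c", "Europe",   1,  60, 150 },  /* fast and long keepalive */
    { "eu-d", "Europe",   1,  90,  50 },
    { "us-a", "Americas", 1,  40, 200 },
};
#define NSAMPLE ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

/*
 * Core rule over an explicit probe order: `order` holds `n` indices into `srv`.
 * Returns the chosen index, or -1 when nothing in the zone answers.
 */
int select_server(const struct server *srv, const int *order, int n, const char *zone) {
    int first = -1, second = -1;
    for (int k = 0; k < n; k++) {
        const struct server *s = &srv[order[k]];
        if (strcmp(s->zone, zone) != 0 || !s->reachable)
            continue;                       /* wrong zone or probe failed: try the next one */
        if (first < 0) {
            first = order[k];
            if (s->latency_ms < FAST_MS && s->keepalive_s >= KEEPALIVE_MIN_S)
                return first;               /* good enough: don't bother with a second */
            continue;
        }
        second = order[k];                  /* two working servers found */
        break;
    }
    if (first < 0) return -1;               /* nothing usable in this zone */
    if (second < 0) return first;           /* only one server answered */
    return srv[first].latency_ms <= srv[second].latency_ms ? first : second;
}

/* Fisher-Yates shuffle of an index array; the caller seeds rand(). */
static void shuffle(int *idx, int n) {
    for (int i = n - 1; i > 0; i--) {
        int j = rand() % (i + 1);
        int t = idx[i]; idx[i] = idx[j]; idx[j] = t;
    }
}

/* Randomised form: probe the list in a random order, as the proxy does at start-up. */
int select_server_random(const struct server *srv, int n, const char *zone) {
    int *order = malloc((size_t)n * sizeof *order);
    if (!order) return -1;
    for (int i = 0; i < n; i++) order[i] = i;
    shuffle(order, n);
    int chosen = select_server(srv, order, n, zone);
    free(order);
    return chosen;
}

int main(void) {
    srand((unsigned)time(NULL));
    const char *zones[] = { "Europe", "Americas", "Asia-Pacific" };
    for (int z = 0; z < 3; z++) {
        int i = select_server_random(SAMPLE, NSAMPLE, zones[z]);
        if (i < 0)
            printf("%s: no working server\n", zones[z]);
        else
            printf("%s: picked %s (%d ms, keepalive %d s)\n", zones[z],
                   SAMPLE[i].name, SAMPLE[i].latency_ms, SAMPLE[i].keepalive_s);
    }
    return 0;
}
```

Whatever order the shuffle produces, the Europe zone can only ever settle on `eu-c` or on the faster of the first two live servers probed, and `eu-b` is skipped exactly the way an expired-certificate server would be; a zone with no entries at all yields -1, which is the case a caller must handle rather than assume away.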
AA prevents writing to /etc/fdns: https://github.com/netblue30/fdns/blob/dcc0c0771e1a69d75c08a33c9ac985b11249ad29/etc/apparmor/usr.bin.fdns#L28