opennic / opennic-web

Official OpenNIC Homepage
https://www.opennic.org/

Mention DNS over TLS and DNS over HTTPS capable servers #68

Closed Mikaela closed 2 years ago

Mikaela commented 5 years ago

When I open OpenNIC.org I am offered the closest server addresses, but they don't mention whether they support DNS over TLS or DNS over HTTPS.

I think DNS over TLS is important for Android users as starting from 9 a DoT server can be specified without installing third party apps. It's also supported by systemd-resolved.

DNS over HTTPS again is supported by Firefox as Trusted Recursive DNS and Intra (Android 4.0+ app). In case of Firefox, it's currently required for eSNI support which is why I would prefer to not disable it for OpenNIC.

From https://github.com/opennic/opennic-web/issues/34 I see that servers.opennic.org is not related to this repository, but I would request DoT and DoH markers there like there currently is DNSCrypt. (CC: @Shdwdrgn).

In https://github.com/privacytoolsIO/privacytools.io/issues/785 it's mentioned that only ns7.eng.gb.dns.opennic.glue is official server supporting DoT and BlahDNS supports OpenNIC TLDs. I hope the two will become more supported within OpenNIC in the future as adoption of them increases.

filips123 commented 4 years ago

There should really be support for DNS over HTTPS and DNS over TLS. @Mikaela Then, OpenNIC could be added back to PrivacyTools.IO, right?

First, the website with all servers should support filtering based on DoH and DoT support.

Also, there should be more official servers with support for DoH and DoT. And software used for DNS resolvers should also be updated to support DoH and DoT by default.

Mikaela commented 4 years ago

@Mikaela Then, OpenNIC could be added back to PrivacyTools.IO, right?

Personally I don't think OpenNIC can be relisted on PTIO as if I understand correctly, it's impossible to get a widely accepted Certificate Authority to sign OpenNIC domains and thus using it would either require installing a new one or using http connections that again would be observable by anyone between you and the server or anyone between your VPN and the server or a Tor exit node or anyone after it and before the server.

filips123 commented 4 years ago

@Mikaela Isn't it possible to create a self-signed certificate and just accept it as valid when a site is opened?

Mikaela commented 4 years ago

Isn't it possible to create a self-signed certificate and just accept it as valid when a site is opened?

In theory yes, but how does the user know what the correct certificate details are and ensure that they will only accept the right certificate, instead of learning to blindly accept all invalid certificate warnings (and becoming vulnerable to MITM attacks)?

I don't know how DANE support is for OpenNIC, but I heard that DNSSEC support is also lacking and, as far as I am aware, web browsers don't support DANE that well either.

jonaharagon commented 4 years ago

I don't know how DANE support is for OpenNIC

DANE works in all DNS systems, it has nothing to do with ICANN vs OpenNIC. Web browser support however—as you mentioned—is the big blocker to adoption.

pravi commented 4 years ago

I think it would be good to create a section for Private DNS with instructions for setting it up. Currently most articles for setting up private DNS mention Cloudflare, Google or Quad9. It'd be good if a list of DoT-supporting servers and their domain names were presented as a view of the existing server list. Finding this information in the existing server list is not very easy or straightforward.

pravi commented 4 years ago

I have created an article here https://fsci.in/blog/setup-private-dns-with-open-nic-servers/ but it'd be good to have it directly on opennic project website. Feel free to take the screenshots or steps from there if you decide to publish it.

pravi commented 4 years ago

Even though 4 servers in the list advertise DoT support, only two of them actually work with Android Private DNS (ns1.iriseden.fr and ns2.iriseden.fr work, the other two do not).
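The gap pravi reports (servers advertising DoT that Android Private DNS rejects) usually comes down to the strict checks Android applies: a TLS listener on port 853 whose certificate chains to a trusted CA and carries the configured hostname, which is also the answer to the self-signed-certificate question above. The probe below is an added example, not code from the opennic-web project; the DoT hostname and the query name are assumptions, and it performs the same verification a strict-mode client does, so a self-signed or mismatched certificate is reported as a failure rather than accepted.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # DNS over TLS port (RFC 7858)


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Wire-format DNS query (A record by default) with the 2-byte length
    prefix that DNS over TLS/TCP requires (RFC 7858 section 3.3)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return struct.pack("!H", len(msg)) + msg


def parse_response(payload: bytes, expected_id: int = 0x1234) -> dict:
    """Decode the reply header: transaction id match, RCODE and answer count."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    return {"id_ok": rid == expected_id, "rcode": flags & 0x0F, "answers": ancount}


def _read_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full reply")
        buf += chunk
    return buf


def probe_dot(hostname: str, name: str = "example.com", timeout: float = 5.0) -> dict:
    """Connect to hostname:853 with chain and hostname verification (what Android
    Private DNS strict mode does), send one query and parse the reply header."""
    ctx = ssl.create_default_context()  # verifies CA chain and SAN hostname
    try:
        with socket.create_connection((hostname, DOT_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                tls.sendall(build_query(name))
                (length,) = struct.unpack("!H", _read_exact(tls, 2))
                payload = _read_exact(tls, length)
        result = parse_response(payload)
        result["ok"] = result["id_ok"] and result["rcode"] == 0
        return result
    except ssl.SSLCertVerificationError as exc:  # self-signed or wrong hostname
        return {"ok": False, "reason": f"certificate not trusted for {hostname}: {exc}"}
    except (OSError, ssl.SSLError) as exc:  # no listener on 853, timeout, bad TLS
        return {"ok": False, "reason": f"connection failed: {exc}"}
```

Calling `probe_dot("ns1.iriseden.fr")` (hostname assumed from the comment above) returns `ok: True` only when the whole strict-mode path succeeds; the `reason` field tells you which of the three requirements the server misses.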

Mikaela commented 2 years ago

Looks like this has been implemented, while not mentioned here.