safing / portmaster

🏔 Love Freedom - ❌ Block Mass Surveillance
https://safing.io
GNU General Public License v3.0
9.36k stars, 305 forks

IPv6 Secure DNS #245

Closed 8BallBomBom closed 3 years ago

8BallBomBom commented 3 years ago

What would you like to be added: IPv6 support for Secure DNS.

Why is this needed: As there are a lot more people starting to use IPv6, it would make sense to also include support.

dhaavi commented 3 years ago

Hey @8BallBomBom, thanks for raising this issue.

I'm not sure what is going on in your case, as we fully support IPv6 in all aspects and also don't have any open issues in regard to that. Setting an IPv6 server is as easy as setting a resolver similar to this: dns://2606:4700:4700::1111. We use the URL format, so you might need to [bracket] the IP.

Here is our guide on setting your own DNS resolver: https://github.com/safing/portmaster/wiki/DNS-Server-Settings. Just replace the IPv4 address with an IPv6 address.

That said, I would actually advise against using IPv6 in general, as the vast address space has actually turned out to be a threat to privacy. I myself get assigned a static IPv6 network from my provider, and I am not going to browse the net with a static IP.
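The bracketing point above is easy to get wrong, because a URL parser will happily accept `dns://2606:4700:4700::1111` and then treat the text after the last colon as a port. The following is an added example, written for this page and not Portmaster's own code, that parses a resolver setting in the `scheme://host[:port]` form, rejects a bare IPv6 literal with a hint, and shows the bracketed form a dialer needs. It assumes only the `dns://` scheme with a default port of 53 and requires an IP literal rather than a hostname; the function names `ParseResolver`, `NormalizeResolver` and the `Resolver` type are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// Resolver is the parsed form of a resolver setting. It is a type for this
// example only, not Portmaster's own configuration type.
type Resolver struct {
	Scheme string
	Addr   netip.Addr // this example requires an IP literal, not a hostname (assumption)
	Port   string
}

// ParseResolver parses a setting in the "scheme://host[:port]" URL form shown
// in the thread. Only "dns://" (plain DNS, default port 53) is handled here;
// the other schemes Portmaster accepts are out of scope for the example.
func ParseResolver(raw string) (Resolver, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Resolver{}, err
	}
	if u.Scheme != "dns" {
		return Resolver{}, fmt.Errorf("unsupported scheme %q (this example only handles dns://)", u.Scheme)
	}
	host, port := u.Hostname(), u.Port()
	if port == "" {
		port = "53"
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		// A bare IPv6 literal lands here: url.Parse keeps "2606:4700:4700::1111"
		// as the authority, but Hostname() treats the text after the last colon
		// as the port and hands back the truncated "2606:4700:4700:".
		if !strings.HasPrefix(u.Host, "[") && strings.Count(u.Host, ":") > 1 {
			return Resolver{}, fmt.Errorf("IPv6 literal %q must be bracketed: dns://[%s]", u.Host, u.Host)
		}
		return Resolver{}, fmt.Errorf("host %q is not an IP address: %w", host, err)
	}
	return Resolver{Scheme: u.Scheme, Addr: addr, Port: port}, nil
}

// Endpoint returns the host:port string a dialer needs. JoinHostPort adds the
// brackets again for IPv6, giving "[2606:4700:4700::1111]:53".
func (r Resolver) Endpoint() string {
	return net.JoinHostPort(r.Addr.String(), r.Port)
}

// NormalizeResolver repairs the one mistake the thread warns about, a bare
// IPv6 literal after the scheme, by bracketing it, then validates the result.
func NormalizeResolver(raw string) (string, error) {
	scheme, rest, ok := strings.Cut(raw, "://")
	if !ok {
		return "", errors.New("resolver setting is missing a scheme")
	}
	fixed := raw
	if addr, err := netip.ParseAddr(rest); err == nil && addr.Is6() {
		fixed = scheme + "://[" + rest + "]"
	}
	if _, err := ParseResolver(fixed); err != nil {
		return "", err
	}
	return fixed, nil
}

func main() {
	for _, raw := range []string{
		"dns://2606:4700:4700::1111",   // bare IPv6: rejected with a hint
		"dns://[2606:4700:4700::1111]", // bracketed IPv6: accepted
		"dns://1.1.1.1:5353",           // IPv4 with an explicit port
	} {
		r, err := ParseResolver(raw)
		if err != nil {
			fmt.Printf("%-32s -> error: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-32s -> %s via %s\n", raw, r.Endpoint(), r.Scheme)
	}
	fixed, _ := NormalizeResolver("dns://2606:4700:4700::1111")
	fmt.Println("normalized:", fixed)
}
```

The check in `ParseResolver` deliberately inspects the raw authority (`u.Host`) rather than the already-split `Hostname()`, because by the time the hostname fails to parse as an address, the information that it was an unbracketed IPv6 literal has been lost.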

8BallBomBom commented 3 years ago

No worries, I probably should have been a bit more specific. When choosing the default DNS providers in Portmaster, it only gives IPv4 addresses. I did as you said and added in some IPv6 addresses manually before creating the ticket.

As for the privacy concerns, not really something that can be easily resolved in the future of address exhaustion? Or I'm not entirely sure, at least.

dhaavi commented 3 years ago

Ah, I see. I will check with the team about this and get back to you.

I don't think this will ever be properly resolved by IPv6. IPv4 address exhaustion forced us to add complexity, which also resulted in more privacy. No one (of the ISPs) will want to add even more complexity to IPv6, especially for something that won't give them more $$$. This is why we are building the SPN to solve this problem, among others.

Internal note: tracked by CC#1809.

dhaavi commented 3 years ago

Update: We talked about this with the team and came to the conclusion that we will not provide IPv6 addresses in the preconfigured options because of the aforementioned privacy issues. Instead, we will add the IPv6 versions of resolvers to our docs page about DNS servers, which will be revamped soon. From there people can then copy and paste the configuration into the Portmaster, if they really want to use IPv6.

8BallBomBom commented 3 years ago

Seems a bit weird, not quite getting how there would be privacy concerns, but for example:

Say your internet provider gives you IPv6 only but then uses something like NAT64 to transition over to IPv4, then you are essentially going over that extra layer for all DNS requests even if the places you want to visit support IPv6.

Going directly to IPv6 addresses for DNS requests would alleviate the extra layer for sites/services using IPv6. Then again, you'd also want to prioritize the IPv6 DNS servers based on whether you don't have an IPv4 address. Simply put, more work, but with time there will be more providers heading in those directions (IPv6 only with NAT64 or an alternative).

It all depends really; there are many different ways internet providers have been handling traversal. But there is another question, like if you only had IPv6 and your provider was using something like NAT64 and then forwarding everything back to your IPv6 address. Couldn't that create privacy concerns due to feeding all DNS requests over the NAT rather than going IPv6 to IPv6?

Last but not least, I'm sure as you said, if using the SPN those issues wouldn't really exist. But interesting stuff nevertheless 👍🏻

dhaavi commented 3 years ago

> Seems a bit weird, not quite getting how there would be privacy concerns, but for example:

> Say your internet provider gives you IPv6 only but then uses something like NAT64 to transition over to IPv4, then you are essentially going over that extra layer for all DNS requests even if the places you want to visit support IPv6.

I am not aware of any provider that does not provide direct IPv4 access to the Internet. But even if the provider uses NAT64 internally, using IPv4 is still superior from a privacy perspective, as the DNS server you are using will only see your (often periodically changing) IPv4 address instead of a static IPv6 address. This makes you less trackable.

> Going directly to IPv6 addresses for DNS requests would alleviate the extra layer for sites/services using IPv6.

From what I understand, these extra layers are handled transparently by the ISP; any additional processing is done on network hardware anyway and should not have any negative impact.

> Couldn't that create privacy concerns due to feeding all DNS requests over the NAT rather than going IPv6 to IPv6?

No, every traversal is a potential privacy increase, as information is lost in the process.

> Last but not least, I'm sure as you said, if using the SPN those issues wouldn't really exist.

Correct. Because even with IPv4 you can be tracked. IPv6 doesn't introduce it; it only makes it a little worse.

8BallBomBom commented 3 years ago

You alleviated any concerns I had 👍🏻 Now to wait for some issues to be fixed and future releases. Thanks for the helpful responses.