trinib / AdGuard-WireGuard-Unbound-DNScrypt

Linux ultimate self-hosted network security guide ║ Linux 终极自托管网络安全指南 ║ Guía definitiva de seguridad de red autohospedada de Linux ║ लिनक्स परम स्व-होस्टेड नेटवर्क सुरक्षा गाइड ║ Окончательное руководство по безопасности собственной сети Linux
MIT License
765 stars, 60 forks

Stop promoting Cloudflare and DoH services! #53

Closed T145 closed 2 years ago

T145 commented 2 years ago

Why to stop using Cloudflare: https://framagit.org/dCF/deCloudflare/-/blob/master/readme/en.md

As for DoH: https://github.com/T145/white-bear

Please prefer and use Quad9 and DoT/DNSCryptV2.

trinib commented 2 years ago

@T145 this article promotes issues about what can take place in most DNS companies. Do you think Google, Quad9 etc. do not see your data in some technical way because they said so? And Cloudflare does not, because of this article?

Also, that article explains server-side issues because of countries, which can happen with other DNS companies with fewer servers around the world.. and the other things it points out, like server downtime, blocks, ban reviews, hCaptcha, poor internet connectivity from accessing the websites behind it etc., you will find one or all of these issues in some other DNS companies, just no one wrote about it.

These problems might affect some users; I do not see why to stop promoting it when it works fast and stable for millions of users.

This repo is not about the best DNS security providers but a good security setup. I will add other DoH providers to the guide, because at some point down the line, whatever DNS service I choose as the main setup, others can find issues, so I just keep adding options ..

I will remove stuff when it's deprecated or it has really gone bad, when I see pages of negativity on the web.

thanks for this btw T145/white-bear

trinib commented 2 years ago

@T145 honestly, for a while I wanted to change the title and logo so I would not look like I'm promoting one thing.

T145 commented 2 years ago

You're right that it suffers from what's inherent to all DNS providers, however it's precisely why this project is meant to be "a good security setup" that Cloudflare services shouldn't be used. Cloudflare decrypts secured web traffic when it arrives, then re-encrypts it and sends it through. This functionally makes it a massive "Man-in-the-middle" attack, and is therefore an inherent security and privacy risk. If you kept reading you'd see information about "Cloudbleeds" and how Cloudflare's HTTPS can never inherently be end-to-end. The reason I'd not promote a service like Google is that they're only secure, and do not promote privacy. Quad9 is the largest I've known of that promotes both security and privacy.

trinib commented 2 years ago

> Cloudflare decrypts secured web traffic when it arrives, then re-encrypts it and sends it through

Well, I think that a self-hosted proxy like DNSCrypt and a cloudflared tunnel should solve this issue, and also for Cloudbleed: "Cloudflare customers was leaked to all other Cloudflare customers that had access to server memory" (I'm not too sure, but I think an own proxy should keep you out of this problem.. But I get it, these kinds of things are bad for business).

I will try and fix up the repo to suit, and have a wiki explaining the popular DNS providers' advantages and disadvantages, and user reviews. This can take a while .. any help would be appreciated.. links, posts, forums etc. @jo20201 if you have time, can you help build a wiki about the information on DNS providers (google/quad9/opendns) from whatever you can find and put it together?

trinib commented 2 years ago

just share what you find or put everything in a text file and will sort out when making wiki

trinib commented 2 years ago

securitytrails.com/blog/dns-servers-privacy-security

keep them coming

T145 commented 2 years ago

> > Cloudflare decrypts secured web traffic when it arrives, then re-encrypts it and sends it through
>
> Well, I think that a self-hosted proxy like DNSCrypt and a cloudflared tunnel should solve this issue, and also for Cloudbleed: "Cloudflare customers was leaked to all other Cloudflare customers that had access to server memory" (I'm not too sure, but I think an own proxy should keep you out of this problem.. But I get it, these kinds of things are bad for business).
>
> I will try and fix up the repo to suit, and have a wiki explaining the popular DNS providers' advantages and disadvantages, and user reviews. This can take a while .. any help would be appreciated.. links, posts, forums etc. @jo20201 if you have time, can you help build a wiki about the information on DNS providers (google/quad9/opendns) from whatever you can find and put it together?

"Tor users and VPN users are also a victim of Cloudflare. Both solutions are being used by many people who cannot afford uncensored internet due to their country/corporation/network policy or who wants to add an extra layer to protect their privacy. Cloudflare is shamelessly attacking those people, forcing them to turn off their proxy solution."

And no, the Cloudflared Tunnel does not solve that issue for the same reason Cloudflare Warp doesn't solve it: BECAUSE IT RUNS THROUGH CLOUDFLARE!


T145 commented 2 years ago

To put it simply, if you keep using Cloudflare then the project description needs to be revised from: "The ultimate self-hosted network security guide ─ Protection🔒 | Privacy🔎 | Performance🚀 for your network 24/7🕛 Accessible anywhere🌏" to: "The ultimate self-hosted network guide ─ Performance🚀 for your network when Cloudflare is up🕛 Accessible anywhere Cloudflare says it is🌏"

trinib commented 2 years ago


> my setting for use Quad9
>
> for dnscrypt-proxy
>
> ```toml
> # Server must support DNS security extensions (DNSSEC)
> # fix: the list originally named 'Quad9-doh-ecs1' twice and never used 'Quad9-doh-ecs2', which is defined below
> server_names = ['Quad9-main1', 'Quad9-ecs1', 'Quad9-main2', 'Quad9-ecs2', 'Quad9-doh1', 'Quad9-doh2', 'Quad9-doh-ecs1', 'Quad9-doh-ecs2']
>
> [static]
>
>   [static.'Quad9-main1']
>   stamp = 'sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0'
>
>   [static.'Quad9-main2']
>   stamp = 'sdns://AQMAAAAAAAAAEjE0OS4xMTIuMTEyLjk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0'
>
>   [static.'Quad9-ecs1']
>   stamp = 'sdns://AQMAAAAAAAAADTkuOS45LjExOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA'
>
>   [static.'Quad9-ecs2']
>   stamp = 'sdns://AQMAAAAAAAAAEzE0OS4xMTIuMTEyLjExOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA'
>
>   [static.'Quad9-doh1']
>   stamp = 'sdns://AgMAAAAAAAAABzkuOS45LjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zOS5xdWFkOS5uZXQ6NTA1MwovZG5zLXF1ZXJ5'
>
>   [static.'Quad9-doh2']
>   stamp = 'sdns://AgMAAAAAAAAADTE0OS4xMTIuMTEyLjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoSZG5zOS5xdWFkOS5uZXQ6NDQzCi9kbnMtcXVlcnk'
>
>   [static.'Quad9-doh-ecs1']
>   stamp = 'sdns://AgMAAAAAAAAACDkuOS45LjExICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKFGRuczExLnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk'
>
>   [static.'Quad9-doh-ecs2']
>   stamp = 'sdns://AgMAAAAAAAAADjE0OS4xMTIuMTEyLjExICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKE2RuczExLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ'
> ```
>
> for Cloudflared
>
> ```
> CLOUDFLARED_OPTS=--address homeserver --port 5053 --upstream https://dns11.quad9.net/dns-query --upstream https://dns.quad9.net/dns-query --upstream https://dns>
> ```
>
> for unbound
>
> ```
> # CloudflareQuad9
> # Quad9 over TLS (DoT): these forward-addr lines belong inside a forward-zone
> # block with name: "." and forward-tls-upstream: yes; "#hostname" is the name
> # unbound authenticates the upstream certificate against
>   forward-addr: 9.9.9.9@853#dns.quad9.net
>   forward-addr: 149.112.112.112@853#dns.quad9.net
>   forward-addr: 9.9.9.11@853#dns11.quad9.net
>   forward-addr: 149.112.112.11@853#dns11.quad9.net
>   forward-addr: 2620:fe::11@853#dns11.quad9.net
>   forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
> ```
>
> for knot-resolver
>
> ```lua
> -- Forward DNS to Quad9 using TLS (DoT)
> policy.add(policy.all(
>   policy.TLS_FORWARD({
>     {'9.9.9.11', hostname='dns11.quad9.net'; ca_file=tls_bundle},
>     {'149.112.112.11', hostname='dns11.quad9.net'; ca_file=tls_bundle},
>     {'9.9.9.9', hostname='dns.quad9.net'; ca_file=tls_bundle},
>     {'149.112.112.112', hostname='dns.quad9.net'; ca_file=tls_bundle},
>     {'2620:fe::11', hostname='dns11.quad9.net'; ca_file=tls_bundle},
>     {'2620:fe::fe:11', hostname='dns11.quad9.net'; ca_file=tls_bundle},
>   })
> ))
>
> -- Forward queries to Quad9
> policy.add(policy.all(policy.FORWARD({'9.9.9.11', '149.112.112.11', '9.9.9.9', '149.112.112.112'})))
> ```
>
> test out this https://github.com/CNMan/dnscrypt-proxy-config/blob/master/quad9-resolvers.md

trinib commented 2 years ago

I want to add Quad9 and also OpenDNS ..

trinib commented 2 years ago


> my setting for use Quad9 for dnscrypt-proxy
>
> ```toml
> # Server must support DNS security extensions (DNSSEC)
> # fix: the list originally named 'Quad9-doh-ecs1' twice and never used 'Quad9-doh-ecs2', which is defined below
> server_names = ['Quad9-main1', 'Quad9-ecs1', 'Quad9-main2', 'Quad9-ecs2', 'Quad9-doh1', 'Quad9-doh2', 'Quad9-doh-ecs1', 'Quad9-doh-ecs2']
>
> [static]
>
>   [static.'Quad9-main1']
>   stamp = 'sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0'
>
>   [static.'Quad9-main2']
>   stamp = 'sdns://AQMAAAAAAAAAEjE0OS4xMTIuMTEyLjk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0'
>
>   [static.'Quad9-ecs1']
>   stamp = 'sdns://AQMAAAAAAAAADTkuOS45LjExOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA'
>
>   [static.'Quad9-ecs2']
>   stamp = 'sdns://AQMAAAAAAAAAEzE0OS4xMTIuMTEyLjExOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA'
>
>   [static.'Quad9-doh1']
>   stamp = 'sdns://AgMAAAAAAAAABzkuOS45LjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zOS5xdWFkOS5uZXQ6NTA1MwovZG5zLXF1ZXJ5'
>
>   [static.'Quad9-doh2']
>   stamp = 'sdns://AgMAAAAAAAAADTE0OS4xMTIuMTEyLjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoSZG5zOS5xdWFkOS5uZXQ6NDQzCi9kbnMtcXVlcnk'
>
>   [static.'Quad9-doh-ecs1']
>   stamp = 'sdns://AgMAAAAAAAAACDkuOS45LjExICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKFGRuczExLnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk'
>
>   [static.'Quad9-doh-ecs2']
>   stamp = 'sdns://AgMAAAAAAAAADjE0OS4xMTIuMTEyLjExICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKE2RuczExLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ'
> ```
>
> for Cloudflared
>
> ```
> CLOUDFLARED_OPTS=--address homeserver --port 5053 --upstream https://dns11.quad9.net/dns-query --upstream https://dns.quad9.net/dns-query --upstream https://dns>
> ```
>
> for unbound
>
> ```
> # CloudflareQuad9
> # Quad9 over TLS (DoT): these forward-addr lines belong inside a forward-zone
> # block with name: "." and forward-tls-upstream: yes; "#hostname" is the name
> # unbound authenticates the upstream certificate against
>   forward-addr: 9.9.9.9@853#dns.quad9.net
>   forward-addr: 149.112.112.112@853#dns.quad9.net
>   forward-addr: 9.9.9.11@853#dns11.quad9.net
>   forward-addr: 149.112.112.11@853#dns11.quad9.net
>   forward-addr: 2620:fe::11@853#dns11.quad9.net
>   forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
> ```
>
> for knot-resolver
>
> ```lua
> -- Forward DNS to Quad9 using TLS (DoT)
> policy.add(policy.all(
>   policy.TLS_FORWARD({
>     {'9.9.9.11', hostname='dns11.quad9.net'; ca_file=tls_bundle},
>     {'149.112.112.11', hostname='dns11.quad9.net'; ca_file=tls_bundle},
>     {'9.9.9.9', hostname='dns.quad9.net'; ca_file=tls_bundle},
>     {'149.112.112.112', hostname='dns.quad9.net'; ca_file=tls_bundle},
>     {'2620:fe::11', hostname='dns11.quad9.net'; ca_file=tls_bundle},
>     {'2620:fe::fe:11', hostname='dns11.quad9.net'; ca_file=tls_bundle},
>   })
> ))
>
> -- Forward queries to Quad9
> policy.add(policy.all(policy.FORWARD({'9.9.9.11', '149.112.112.11', '9.9.9.9', '149.112.112.112'})))
> ```
>
> test out this https://github.com/CNMan/dnscrypt-proxy-config/blob/master/quad9-resolvers.md

never mind, looks like you have everything I expected. I'll just test it out and start working on the wiki.

trinib commented 2 years ago

@jo20201 I do not think you set up dnscrypt correctly. I used for server names:

```toml
server_names = ['quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri']
```


with dnscrypt servers (`dnscrypt_servers = true`):

```toml
server_names = ['quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri']
```


trinib commented 2 years ago

@jo20201 I used this at first:

```toml
[sources.quad9-resolvers]
    urls = ["https://quad9.net/dnscrypt/quad9-resolvers.md", "https://raw.githubusercontent.com/Quad9DNS/dnscrypt-settings/main/dnscrypt/quad9-resolvers.md"]
    minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
    cache_file = "quad9-resolvers.md"
    refresh_delay = 72
    prefix = "quad9-"
```

then I realized all the Quad9 servers, and more, are already in the public resolver list https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md 😅 no need for that method from CNMan's quad9-resolvers.md

also, where did you find these servers? 'Quad9-main1', 'Quad9-ecs1', 'Quad9-main2', 'Quad9-ecs2', 'Quad9-doh1', 'Quad9-doh2', 'Quad9-doh-ecs1', 'Quad9-doh-ecs1'

I see from the dnscrypt wiki that static servers are for adding servers that "hasn't been defined anywhere", so I think we should use the Quad9 servers from the public resolvers list .. here are all of them:

## quad9-dnscrypt-ip4-filter-pri

Quad9 (anycast) dnssec/no-log/filter 9.9.9.9 - 149.112.112.9 - 149.112.112.112

sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
sdns://AQMAAAAAAAAAEjE0OS4xMTIuMTEyLjk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ

## quad9-dnscrypt-ip4-nofilter-ecs-pri

Quad9 (anycast) no-dnssec/no-log/no-filter/ecs 9.9.9.12 - 149.112.112.12

sdns://AQYAAAAAAAAADTkuOS45LjEyOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA
sdns://AQYAAAAAAAAAEzE0OS4xMTIuMTEyLjEyOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA

## quad9-dnscrypt-ip4-nofilter-pri

Quad9 (anycast) no-dnssec/no-log/no-filter 149.112.112.10

sdns://AQYAAAAAAAAAEzE0OS4xMTIuMTEyLjEwOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA

## quad9-doh-ip4-port443-filter-ecs-pri

Quad9 (anycast) dnssec/no-log/filter/ecs 9.9.9.11 - 149.112.112.11

sdns://AgMAAAAAAAAACDkuOS45LjExICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKE2RuczExLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ
sdns://AgMAAAAAAAAADjE0OS4xMTIuMTEyLjExICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKE2RuczExLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ

## quad9-doh-ip4-port443-filter-pri

Quad9 (anycast) dnssec/no-log/filter 9.9.9.9 - 149.112.112.9 - 149.112.112.112

sdns://AgMAAAAAAAAABzkuOS45LjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoSZG5zOS5xdWFkOS5uZXQ6NDQzCi9kbnMtcXVlcnk
sdns://AgMAAAAAAAAADTE0OS4xMTIuMTEyLjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoSZG5zOS5xdWFkOS5uZXQ6NDQzCi9kbnMtcXVlcnk
sdns://AgMAAAAAAAAADzE0OS4xMTIuMTEyLjExMiAqFfXWrLbnwJAa3k67x0OyzNSJAytG4WQvBpNoMAElihFkbnMucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5

## quad9-doh-ip4-port443-nofilter-ecs-pri

Quad9 (anycast) no-dnssec/no-log/no-filter/ecs 9.9.9.12 - 149.112.112.12

sdns://AgYAAAAAAAAACDkuOS45LjEyICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKE2RuczEyLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ
sdns://AgYAAAAAAAAADjE0OS4xMTIuMTEyLjEyICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKE2RuczEyLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ

## quad9-doh-ip4-port443-nofilter-pri

Quad9 (anycast) no-dnssec/no-log/no-filter 9.9.9.10 - 149.112.112.10

sdns://AgYAAAAAAAAACDkuOS45LjEwICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKE2RuczEwLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ
sdns://AgYAAAAAAAAADjE0OS4xMTIuMTEyLjEwICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKE2RuczEwLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ

## quad9-doh-ip4-port5053-filter-ecs-pri

Quad9 (anycast) dnssec/no-log/filter/ecs 9.9.9.11 - 149.112.112.11

sdns://AgMAAAAAAAAACDkuOS45LjExICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKFGRuczExLnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk
sdns://AgMAAAAAAAAADjE0OS4xMTIuMTEyLjExICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKFGRuczExLnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk

## quad9-doh-ip4-port5053-filter-pri

Quad9 (anycast) dnssec/no-log/filter 9.9.9.9 - 149.112.112.9 - 149.112.112.112

sdns://AgMAAAAAAAAABzkuOS45LjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zOS5xdWFkOS5uZXQ6NTA1MwovZG5zLXF1ZXJ5
sdns://AgMAAAAAAAAADTE0OS4xMTIuMTEyLjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zOS5xdWFkOS5uZXQ6NTA1MwovZG5zLXF1ZXJ5
sdns://AgMAAAAAAAAADzE0OS4xMTIuMTEyLjExMiAqFfXWrLbnwJAa3k67x0OyzNSJAytG4WQvBpNoMAElihJkbnMucXVhZDkubmV0OjUwNTMKL2Rucy1xdWVyeQ

## quad9-doh-ip4-port5053-nofilter-ecs-pri

Quad9 (anycast) no-dnssec/no-log/no-filter/ecs 9.9.9.12 - 149.112.112.12

sdns://AgYAAAAAAAAACDkuOS45LjEyICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKFGRuczEyLnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk
sdns://AgYAAAAAAAAADjE0OS4xMTIuMTEyLjEyICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKFGRuczEyLnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk

## quad9-doh-ip4-port5053-nofilter-pri

Quad9 (anycast) no-dnssec/no-log/no-filter 9.9.9.10 - 149.112.112.10

sdns://AgYAAAAAAAAACDkuOS45LjEwICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKFGRuczEwLnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk
sdns://AgYAAAAAAAAADjE0OS4xMTIuMTEyLjEwICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKFGRuczEwLnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk

## quad9-doh-ip6-port443-filter-ecs-pri

Quad9 (anycast) dnssec/no-log/filter/ecs 2620:fe::11 - 2620:fe::fe:11

sdns://AgMAAAAAAAAADVsyNjIwOmZlOjoxMV0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zMTEucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5
sdns://AgMAAAAAAAAAEFsyNjIwOmZlOjpmZToxMV0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zMTEucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5

## quad9-doh-ip6-port443-filter-pri

Quad9 (anycast) dnssec/no-log/filter 2620:fe::fe - 2620:fe::9 - 2620:fe::fe:9

sdns://AgMAAAAAAAAADVsyNjIwOmZlOjpmZV0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoRZG5zLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ
sdns://AgMAAAAAAAAADFsyNjIwOmZlOjo5XSAqFfXWrLbnwJAa3k67x0OyzNSJAytG4WQvBpNoMAElihFkbnMucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5
sdns://AgMAAAAAAAAAD1syNjIwOmZlOjpmZTo5XSAqFfXWrLbnwJAa3k67x0OyzNSJAytG4WQvBpNoMAElihJkbnM5LnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ

## quad9-doh-ip6-port443-nofilter-ecs-pri

Quad9 (anycast) no-dnssec/no-log/no-filter/ecs 2620:fe::12 - 2620:fe::fe:12

sdns://AgYAAAAAAAAADVsyNjIwOmZlOjoxMl0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zMTIucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5
sdns://AgYAAAAAAAAAEFsyNjIwOmZlOjpmZToxMl0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zMTIucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5

## quad9-doh-ip6-port443-nofilter-pri

Quad9 (anycast) no-dnssec/no-log/no-filter 2620:fe::10 - 2620:fe::fe:10

sdns://AgYAAAAAAAAADVsyNjIwOmZlOjoxMF0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zMTAucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5
sdns://AgYAAAAAAAAAEFsyNjIwOmZlOjpmZToxMF0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zMTAucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5

## quad9-doh-ip6-port5053-filter-ecs-pri

Quad9 (anycast) dnssec/no-log/filter/ecs 2620:fe::11 - 2620:fe::fe:11

sdns://AgMAAAAAAAAADVsyNjIwOmZlOjoxMV0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoUZG5zMTEucXVhZDkubmV0OjUwNTMKL2Rucy1xdWVyeQ
sdns://AgMAAAAAAAAAEFsyNjIwOmZlOjpmZToxMV0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoUZG5zMTEucXVhZDkubmV0OjUwNTMKL2Rucy1xdWVyeQ

## quad9-doh-ip6-port5053-filter-pri

Quad9 (anycast) dnssec/no-log/filter 2620:fe::fe - 2620:fe::9 - 2620:fe::fe:9

sdns://AgMAAAAAAAAADVsyNjIwOmZlOjpmZV0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoSZG5zLnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk
sdns://AgMAAAAAAAAADFsyNjIwOmZlOjo5XSAqFfXWrLbnwJAa3k67x0OyzNSJAytG4WQvBpNoMAElihJkbnMucXVhZDkubmV0OjUwNTMKL2Rucy1xdWVyeQ
sdns://AgMAAAAAAAAAD1syNjIwOmZlOjpmZTo5XSAqFfXWrLbnwJAa3k67x0OyzNSJAytG4WQvBpNoMAElihNkbnM5LnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk

## quad9-doh-ip6-port5053-nofilter-ecs-pri

Quad9 (anycast) no-dnssec/no-log/no-filter/ecs 2620:fe::12 - 2620:fe::fe:12

sdns://AgYAAAAAAAAADVsyNjIwOmZlOjoxMl0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoUZG5zMTIucXVhZDkubmV0OjUwNTMKL2Rucy1xdWVyeQ
sdns://AgYAAAAAAAAAEFsyNjIwOmZlOjpmZToxMl0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoUZG5zMTIucXVhZDkubmV0OjUwNTMKL2Rucy1xdWVyeQ

## quad9-doh-ip6-port5053-nofilter-pri

Quad9 (anycast) no-dnssec/no-log/no-filter 2620:fe::10 - 2620:fe::fe:10

sdns://AgYAAAAAAAAADVsyNjIwOmZlOjoxMF0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoUZG5zMTAucXVhZDkubmV0OjUwNTMKL2Rucy1xdWVyeQ
sdns://AgYAAAAAAAAAEFsyNjIwOmZlOjpmZToxMF0gKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoUZG5zMTAucXVhZDkubmV0OjUwNTMKL2Rucy1xdWVyeQ
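
An added example (not from this thread and not dnscrypt-proxy's own code): a small decoder for the `sdns://` stamps listed above, so that you can see what each stamp actually commits to instead of trusting its name in `server_names`. It follows the DNS Stamps specification (protocol byte, 64-bit little-endian properties word with the DNSSEC / no-log / no-filter bits, then length-prefixed fields). The three stamps in the `__main__` block are copied from the Quad9 entries above. Note that the stamp carries no ECS flag at all; "ecs" is only part of the resolver name, so a decoder cannot tell you whether a resolver forwards client-subnet data.

```python
"""Decode DNS Stamps (sdns://...) as used in dnscrypt-proxy resolver lists.

Layout: base64url( proto_byte || props_u64le || fields... )
  props bit 0 = DNSSEC, bit 1 = no logs, bit 2 = no filter
  DNSCrypt (0x01): LP(addr) LP(provider_pk) LP(provider_name)
  DoH      (0x02): LP(addr) VLP(cert_hashes) LP(hostname) LP(path) [VLP(bootstrap_ips)]
  DoT      (0x03): LP(addr) VLP(cert_hashes) LP(hostname) [VLP(bootstrap_ips)]
LP = one length byte followed by the bytes; VLP = a list of LP items where every
length byte except the last has its high bit set (a lone 0x00 is an empty list).
"""
import base64
import struct

PROTOCOLS = {0x00: "Plain DNS", 0x01: "DNSCrypt", 0x02: "DNS-over-HTTPS", 0x03: "DNS-over-TLS"}


def _b64url_decode(text):
    # Stamps omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _read_lp(buf, pos):
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n


def _read_vlp(buf, pos):
    items = []
    while True:
        n = buf[pos]
        more = bool(n & 0x80)
        n &= 0x7F
        if n:
            items.append(buf[pos + 1:pos + 1 + n])
        pos += 1 + n
        if not more:
            return items, pos


def decode_stamp(stamp):
    """Return the fields of one sdns:// stamp as a dict."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    buf = _b64url_decode(stamp[len("sdns://"):])
    proto = buf[0]
    (props,) = struct.unpack_from("<Q", buf, 1)
    addr, pos = _read_lp(buf, 9)
    info = {
        "protocol": PROTOCOLS.get(proto, "unknown(0x%02x)" % proto),
        "address": addr.decode(),
        "dnssec": bool(props & 1),
        "no_log": bool(props & 2),
        "no_filter": bool(props & 4),
    }
    if proto == 0x01:
        pk, pos = _read_lp(buf, pos)
        name, pos = _read_lp(buf, pos)
        info["provider_public_key"] = pk.hex()
        info["provider_name"] = name.decode()
    elif proto in (0x02, 0x03):
        hashes, pos = _read_vlp(buf, pos)
        host, pos = _read_lp(buf, pos)
        info["cert_hashes"] = [h.hex() for h in hashes]
        info["hostname"] = host.decode()
        if proto == 0x02:
            path, pos = _read_lp(buf, pos)
            info["path"] = path.decode()
        if pos < len(buf):  # optional bootstrap IPs
            ips, pos = _read_vlp(buf, pos)
            info["bootstrap_ips"] = [ip.decode() for ip in ips]
    return info


def privacy_summary(stamp):
    """One-line label in the 'dnssec/no-log/filter' style of the resolver list."""
    i = decode_stamp(stamp)
    flags = [
        "dnssec" if i["dnssec"] else "no-dnssec",
        "no-log" if i["no_log"] else "log",
        "no-filter" if i["no_filter"] else "filter",
    ]
    return "%s %s %s" % (i["protocol"], i["address"], "/".join(flags))


if __name__ == "__main__":
    # Stamps copied from the Quad9 entries quoted in this thread.
    for s in [
        "sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0",
        "sdns://AgMAAAAAAAAABzkuOS45LjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zOS5xdWFkOS5uZXQ6NTA1MwovZG5zLXF1ZXJ5",
        "sdns://AQYAAAAAAAAADTkuOS45LjEyOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA",
    ]:
        print(privacy_summary(s))
```

Running it on the stamps from the thread shows why the `Quad9-main1` static entry and the `quad9-dnscrypt-ip4-filter-pri` public entry are the same resolver: both decode to DNSCrypt at `9.9.9.9:8443` with provider name `2.dnscrypt-cert.quad9.net` and the same provider public key, which is a quicker check than comparing the base64 by eye.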

trinib commented 2 years ago

@jo20201 where did you get the servers 'Quad9-main1', 'Quad9-ecs1', 'Quad9-main2', 'Quad9-ecs2', 'Quad9-doh1', 'Quad9-doh2', 'Quad9-doh-ecs1', 'Quad9-doh-ecs1' from?

trinib commented 2 years ago

> @jo20201 where did you get the servers 'Quad9-main1', 'Quad9-ecs1', 'Quad9-main2', 'Quad9-ecs2', 'Quad9-doh1', 'Quad9-doh2', 'Quad9-doh-ecs1', 'Quad9-doh-ecs1' from?

these are just names, and the stamp is the same as for the main server:

```toml
[static.'Quad9-main1']
stamp = 'sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0'
```

```
dnscrypt-ip4-filter-pri Quad9 (anycast) dnssec/no-log/filter 9.9.9.9 sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
```

right, I see where you got this reference from: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration-Sources. just wanted to find it.

I think I should not use this feature in the basic setup, so as not to confuse some people's lives lol, but have it as an advanced feature redirecting to a discussion.

trinib commented 2 years ago

I will use the standard servers `server_names = ['quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri']` without dnscrypt servers, and with them `server_names = ['quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri']` for the example setup

trinib commented 2 years ago

> I will use the standard servers `server_names = ['quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri']` without dnscrypt servers, and with them `server_names = ['quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri']` for the example setup

as I mentioned, I did that to shorten the names

yes, I might not have noticed this feature, for I like to keep the repo simple .. but you will make it in a discussion later on.. I have to adjust a lot of stuff in the repo now and make it as little complex and overwhelming as possible

trinib commented 2 years ago

@jo20201 @T145 I adjusted the repo.

I want to change the name .. Any suggestions?

T145 commented 2 years ago

Overwired

It's short and sweet.

trinib commented 2 years ago

overwired.. like override network.. interesting 🤔

malikshi commented 2 years ago

```
CLOUDFLARED_OPTS=--port 5053 --upstream https://94.140.14.14/dns-query --upstream https://94.140.15.15/dns-query --upstream https://dns.adguard.com/dns-query
```

should we be using non-filtering, since we do the filtering through the app itself?

T145 commented 2 years ago

Don't use 9.9.9.11.

EDNS Client-Subnet is a method that includes components of end-user IP address data in requests that are sent to authoritative DNS servers. This means that there is privacy “leakage” for recursive resolvers that send EDNS Client-Subnet data, where components of the end user’s IP address are transmitted to the remote site.

I'd use 9.9.9.10 and set up DoT. It's what I've set up in several corporate environments.
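To make the ECS "leakage" in the quoted text concrete, here is an added example (not from this thread, and not from Quad9 or any project discussed here) that builds a DNS query carrying an EDNS Client Subnet option as defined in RFC 7871 and inspects an arbitrary DNS message for one. The subnet `203.0.113.0/24` and the query name are constructed sample values. The point it shows: a resolver that forwards ECS sends the leading bytes of the client's address (here three octets of a /24) in the clear to every authoritative server it talks to, which is what the 9.9.9.10 / 9.9.9.11 distinction is about.

```python
"""Build and inspect EDNS Client Subnet (RFC 7871) options in DNS wire messages."""
import ipaddress
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR
ECS_OPTION_CODE = 8    # EDNS Client Subnet option code


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(buf, pos):
    while True:
        n = buf[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:      # compression pointer occupies 2 bytes
            return pos + 2
        pos += 1 + n


def build_query(qname, ecs_subnet=None, txid=0x1234):
    """A-record query; when ecs_subnet (e.g. '203.0.113.0/24') is given, attach an
    OPT RR carrying an ECS option. Only the address bytes covered by the prefix
    are placed on the wire, as RFC 7871 requires."""
    arcount = 0
    opt_rr = b""
    if ecs_subnet is not None:
        net = ipaddress.ip_network(ecs_subnet, strict=False)
        family = 1 if net.version == 4 else 2
        addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
        ecs = struct.pack("!HBB", family, net.prefixlen, 0) + addr   # scope prefix is 0 in queries
        option = struct.pack("!HH", ECS_OPTION_CODE, len(ecs)) + ecs
        # OPT RR: root name, type 41, UDP payload size in CLASS, extended flags in TTL
        opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(option)) + option
        arcount = 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    return header + question + opt_rr


def find_ecs(packet):
    """Return {'family', 'source_prefix', 'scope_prefix', 'subnet'} for the ECS
    option in a DNS message, or None when the message carries none."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", packet, 4)
    pos = 12
    for _ in range(qd):
        pos = _skip_name(packet, pos) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(packet, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, pos)
        pos += 10
        rdata = packet[pos:pos + rdlen]
        pos += rdlen
        if rtype != OPT_TYPE:
            continue
        opos = 0
        while opos + 4 <= len(rdata):              # walk the EDNS options
            code, olen = struct.unpack_from("!HH", rdata, opos)
            odata = rdata[opos + 4:opos + 4 + olen]
            opos += 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, src, scope = struct.unpack_from("!HBB", odata, 0)
            width = 4 if family == 1 else 16
            raw = odata[4:].ljust(width, b"\x00")  # pad the truncated address back out
            addr = ipaddress.ip_address(raw)
            return {"family": family, "source_prefix": src, "scope_prefix": scope,
                    "subnet": "%s/%d" % (addr, src)}
    return None


if __name__ == "__main__":
    # Constructed sample: a query for example.com tagged with the documentation range 203.0.113.0/24
    pkt = build_query("example.com", "203.0.113.0/24")
    print(find_ecs(pkt))            # {'family': 1, 'source_prefix': 24, 'scope_prefix': 0, 'subnet': '203.0.113.0/24'}
    print(find_ecs(build_query("example.com")))   # None: no OPT RR, nothing to leak
```

`find_ecs` is the defender's half: point it at captured upstream queries from your resolver and a non-`None` result means client-subnet data is leaving the network, regardless of what the resolver name promises.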

trinib commented 2 years ago

@jo20201 I used

```
CLOUDFLARED_OPTS=--port 5053 --upstream https://9.9.9.9/dns-query --upstream https://149.112.112.112/dns-query --upstream https://dns.quad9.net/dns-query
```

trinib commented 2 years ago

@jo20201 @T145 one thing I am not sure about with the cloudflared tunnel when using `--upstream https://9.9.9.9/dns-query`, according to https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/. But https://adguard-dns.io/kb/general/dns-providers/#quad9-dns gives DNS-over-HTTPS as https://dns.quad9.net/dns-query, or for cloudflared https://dns.cloudflare.com/dns-query

Are https://9.9.9.9/dns-query and https://dns.quad9.net/dns-query in the cloudflared tunnel two different ways to resolve to DoH servers, or is it just the same, or does each have a unique DoH resolving method?

trinib commented 2 years ago

one thing about https://dns.quad9.net/dns-query: it uses both IPv4 and IPv6 ..

trinib commented 2 years ago

Setup: Cloudflared and Quad9

nice, I see how to add IPv6 .. I will fix it later

trinib commented 2 years ago

> Setup: Cloudflared and Quad9
>
> nice, I see how to add IPv6 .. I will fix it later
>
> for cloudflared I use this as unlimited: `--max-upstream-conns 0`

hmm, I forgot about this. I remember reading about it, I think the default is 3

trinib commented 2 years ago

this reminds me.. when I started the repo, I did not set some things for resolving on localhost, like IPv6..

also, I did not realize you can add a bootstrap in the Cloudflared tunnel to resolve on localhost.. nice one @jo20201

trinib commented 2 years ago

@jo20201 I think I now remember why I never really cared for resolving on localhost .. I chose the Pi's IP as the listen interface in AdGuard and not all interfaces. So correct me if I'm wrong: all interfaces will listen on 127.0.0.1 on a Linux system, resulting in resolving on localhost.

At the time I thought it would be simpler to resolve the host itself by just using it through its DNS servers externally (add the system IP address in the DNS servers) .. is that ethical?

T145 commented 2 years ago

Regarding the Cloudflared Tunnel mentioned earlier, I just wouldn't use it all. The homepage seems to necessitate Cloudflare service usage, which again defeats the purpose of this whole exercise. As for EDNS, if you value privacy as advertised I'd disable it.

trinib commented 2 years ago

> Regarding the Cloudflared Tunnel mentioned earlier, I just wouldn't use it all. The homepage seems to necessitate Cloudflare service usage, which again defeats the purpose of this whole exercise. As for EDNS, if you value privacy as advertised I'd disable it.

For real, they show usage in the docs on their website https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/. 🤷‍♂️ Cloudflare info is so scattered lol

trinib commented 2 years ago

@T145 @jo20201 how does

OverGuard-SecureNetwork

sound?

T145 commented 2 years ago

Keep it simple. You guys keep having a literal word salad as your title. People remember something short and sweet. "Overwired" is unique and simple.

T145 commented 2 years ago

> @T145 what about CZ-NIC-NET as upstream

I'm not familiar w/ the project details, so I can't give a definitive answer. If you're referring to what I think you are, then I'd discourage it.

trinib commented 2 years ago

@jo20201 I was going to add `interface: ::1` in unbound and knot, but the listen interface is just to communicate with the network, and I also read "It's the loopback address in IPv6, equal to 127.0.0.1 in IPv4."

So upstream DNS queries to IPv6 servers are all that is needed if you want IPv6 protection..

trinib commented 2 years ago

@jo20201 in the knot config you have

```lua
-- Forward queries to CloudFlare
policy.add(policy.all(policy.FORWARD({'1.1.1.1', '1.0.0.1'})))
```

> Forward cache-miss queries to specified IP addresses (without encryption), DNSSEC validate received answers and cache them. Target IP addresses are expected to be DNS resolvers.

according to the docs it looks like you do not need this if using TLS forwarding. It's a variant of the regular Forward queries method:

> A variant which uses encrypted DNS-over-TLS transport is called policy.TLS_FORWARD(), please see section Forwarding over TLS protocol (DNS-over-TLS). Queries affected by policy.TLS_FORWARD() will always be resolved over TLS connection. Knot Resolver does not implement fallback to non-TLS connection, so if TLS connection cannot be established or authenticated according to the configuration, the resolution will fail.

trinib commented 2 years ago

2 things I want.

1. compare DNS stats side by side with pics or video, with Wireshark or whatever other software is best for DNS leaks
2. a diagram of how this network security works.. I use Adobe Illustrator, maybe someone can draw it by hand and I'll create the artwork with AI

T145 commented 2 years ago

It's best to never use browser DNS tests, because your web browser can start its own DNS journey. Use dig, drill, nslookup, etc. and you should see no DNS leakage.