You might be using a google name server
- Inicie sesión o regístrese para enviar comentarios
grep 8.8.8.8 /etc/resolv.conf
If this command gives you output of: nameserver 8.8.8.8 that means everything you do online is sent to google. Apparently this is the default setting in Trisquel! Probably was inherited from Ubuntu.
I filed a bug here https://trisquel.info/en/issues/9782
Related reading if this sounds Greek to you https://en.wikipedia.org/wiki/DNS
Well, shit on me then!
Can I switch to another nameserver?
And how?
I really don't know anything about nameservers.
Yes you can, you need to edit that tail file mentioned in the bug and restart. (The restart could probably be avoided with 1337 skillz...) Your ISP probably offers name servers, and those would be a good choice from a privacy view point since your ISP already sees all your traffic.
(I use my ISP's, they're faster too than google's for me I believe. Answer to pings twice as fast.)
Of course, if your ISP practices censorship you might get around that using some other DNS.
I don't really know too much about this subject either, perhaps somebody will enlighten us both.
It's easy to host your own, install unbound, run "echo nameserver 127.0.0.1 >
/etc/resolv.conf && chattr +i /etc/resolv.conf" (set the nameserver. Edit
/etc/default/unbound to not forward to your ISP servers
(RESOLVCONF_FORWARDERS).
If forwarding is disabled, DNS servers of the domains you visit are
queried for the addresses (and their parent domains to find the name
servers). It won't work if your ISP blocks DNS or UDP, i.e. probably
only if 8.8.8.8 doesn't work too.
If you have a caching nameserver like unbound, your ISP should see less
queries for the same domains (many can be cached for several hours).
There is a protocol for encryption of DNS queries, I don't recommend it
since I don't know any servers using it that don't change the results in
bad ways.
(resolvconf can handle editing /etc/resolv.conf, I haven't tried using
it, chattr works everywhere, many tools edit this file directly.)
Thank you for your comment. When I now run
grep 8.8.8.8 /etc/resolv.conf
nothing appears. Before that "nameserver 8.8.8.8" appeared. After installing unbound, your suggested command brings this result:
echo nameserver 127.0.0.1 > /etc/resolv.conf && chattr +i /etc/resolv.conf bash: /etc/resolv.conf: Permission denied
The content of /etc/resolv.conf is only "nameserver 127.0.0.1". RESOLVCONF_FORWARDERS from /etc/default/unbound was successfully changed to false.
Setting up unbound (1.4.16-1) ...
* Starting recursive DNS server unbound
[1380596139] unbound[28696:0] error: bind: address already in use
[1380596139] unbound[28696:0] fatal error: could not open ports
...fail!
Are you sure it's default? My install does not have it (just in case I actually looked at the entire file). I haven't change anything here as far as I know.
I've been using OpenNIC for a while, but it doesn't resolve the government websites in my country, so I use OpenDNS as a secondary DNS server.
Do you use DNS Crypt? https://www.opendns.com/technology/dnscrypt/
I had the dnscrypt-proxy from https://launchpad.net/~xuzhen666/+archive/dnscrypt installed but noticed that there isn't a package for 12.04 anymore. hmm
I haven't had the time to do this yet.. though I do want to, as soon as I can :P
Turns out I do indeed get the output "nameserver 8.8.8.8" so it looks like my Trisquel is set to use google nameservers.
I'd appreciate any instructions for changing this.
(Also, I had assumed that nameservers only matter for server machines. So this isn't the case? Can I host my own as per Michel Maslowski's instructions above, or would I need to be running a server?)
Nameservers are for DNS resolution as far as I know. In order for your computer to resolve trisquel.info to its actual IP, you need one. Most of the time, ISPs provide one for you. If you're gonna run your own, I'm afraid you'd have to have your computer running all the time. In any case, you'd still need a higher TLD one to do some resolutions (your nameserver would only have the records for the web sites you visit often).
> If you're gonna run your own, I'm afraid you'd have to have your computer running all the time.
But why?
I need my domains only converted into ip adresses when my pc is running;
when my pc is off, I don't need a nameserver.
I could be wrong, I've never run one of my own. Don't nameservers keep the resolutions mostly cached or in memory? If it is possible to save them to a file then perhaps it wouldn't be much of a problem. Resolution might be a little slower.
"8.8.8.8" might be obtained by DHCP or another protocol from your router
or ISP.
There are two kinds of nameservers: authoritative and caching/recursive.
Authoritative nameservers tell everyone about a given domain and need to
work mostly all the time (there are usually two), no need to have one
unless you own a domain. Caching nameservers tell a local
network/computer about any domain, they don't need to work when no query
is done, i.e. if you have a single computer only, run the cache on it.
You already run servers like an X server or cron.
The privacy argument that I wrote before is not true in the typical use
of DNS: a query is followed by an HTTP or TLS connection which sends the
host name in cleartext. I don't know how useful DNS encryption is in
practice.
So, if I were to run a nameserver on my laptop would the cache have to be generated each time the computer boots? How long would that take?
Unbound doesn't keep the cache on disk, some other nameservers do (I
think djbdns's dnscache does). There is no static cache generation, on
each query the results are added to the cache. They contain time to
live which limits how long they will be kept.
I expected most names to have a TTL of several hours or a day, several
queries have shown that it's not correct for some big sites that I visit
(some have TTLs below a minute). It probably needs measuring.
Is 8.8.8.8 the IP of Google's DNS?
>Is 8.8.8.8 the IP of Google's DNS?
Yes. (one of them) https://en.wikipedia.org/wiki/Google_DNS
Here's a list of free and censorship-free DNS-servers: https://anonymous-proxy-servers.net/wiki/index.php/Censorship-free_DNS_servers
Well, this is what I like and dislike about Trisquel. I like that its free software and we can look at things and change them, but I dislike the fact that some very basic security/privacy rules are not taken in consideration by the developers.
There is no need at all to use googe dns!
So, I would guess one way to be sure you don't get spied on by this would be to run Tor Browser Bundle. Find information here https://www.torproject.org/
But still, I will be changing it anyway I can. The method suggested by Lembas is probably the safest one.
Considering that my resolv.conf file does not have that entry I don't think it comes with Trisquel. Maybe some ISPs use Google's nameservers instead of running their own.
Considering that most people are complaining about the same situation happening to them, I think it's more reasonable to admit that it comes as a default in Trisquel. Maybe somehow it got overwritten by your ISP configurations.
Now, I am not saying that Trisquel is aligning with Google and NSA to spy on me. I am just saying that it was an unfortunate decision to include that.
"Well, this is what I like and dislike about Trisquel. I like that its free software and we can look at things and change them, but I dislike the fact that some very basic security/privacy rules are not taken in consideration by the developers.
There is no need at all to use googe dns!"
- I agree totally. But I haven't found any distrubutions with strictly "free software" and a strict privacy manifesto. Have you?
Well, Tails comes to mind, they use mostly free software (although I admit they might have drivers in the kernel, I am not positive about this), and have privacy as the main strenght.
The reason why I don't use Tails, is actually the reason that makes it so good as a private OS:
-No way to access internet without Tor (in a safe way at least, even if non private);
-Outdated apps like openoffice and such. It's based on old debian so that is to be expected.
I chose to use a non compromised system (I try to make Trisquel into a non compromised system as much as I can) and privacy tools like Tor and OTR.
Here you have some DNS resolvers: http://www.opennicproject.org/
I just boot up from my Live CD and did not connect to the Internet. This is the state of resolv.conf that comes in the install.
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
nameserver 213.186.33.99
search trisquel.info
domain trisquel.info
So, yes it comes with Trisquel. The other IP belongs to OVH which is a hosting company in France.
It's odd though because I would think the file would be rewritten when one is connected to the Internet.
By the way, connecting to a VPN or to Tor does not change the file. Those that do have the line for the Google nameserver might want to check dnsleaktest.com and see it if shows up.
That's why I suggested to use Tor Browser Bundle. The browser is made in a such a way that tries to prevent dns leaks. So far, it seems to work for me.
However, I think this is just another thing to be changed in the next Trisquel release... or better yet, just provide a security update that makes it so that we will use the ISP default DNS! ;)
Again, I say, Trisquel needs more work in terms of security/privacy.
I would just like to note to Tor users that you should use a proxy like
Polipo so DNS queries are routed through Tor with the rest of your traffic.
Andrew.
Good point. However, I would suggest people use Tor Browser Bundle, it's designed to prevent DNS leaks by default.
Thank you, I've changed it.
Out of curiosity, and based on what I saw on my own computer:
a) resolv.conf was pointing to google.
b) I had set my DNS servers to OpenNIC on my router.
c) when I checked on dnsleaktest.com my computer was using the OpenNIC DNS.
So:
What does resolv.conf do and in what situation would it send information to google?
Thanks and sorry if this is a silly question.
> What does resolv.conf do and in what situation would it send
> information to google?
It lists nameservers that programs will use to translate host names to
IP addresses or do other DNS queries (often URLs of domains that you
visit). Programs will send these queries to some of these nameservers.
If 8.8.8.8 or 8.8.4.4 is listed, these queries are sent to Google
servers.
(Run "man resolv.conf" in a terminal to read more.)
I think that the future versions of GNU+Linux Trisquel could have a modified resolv.conf file which would set the nameserver value to one from the OpenNIC project.
Better yet (but perhaps expensive), one could contribute to the OpenNIC project by setting up a DNS which complains to such project, and also have future versions of GNU+Linux Trisquel to have a modified resolv.conf file which would set the nameserver value to such DNS.
This won't work if the configuration of the modem or router in use overwrites such values, or if such values aren't used at all. However, This suggestion, as far as I can see, is useful if we assume that the user won't be able to access the configuration of the modem or router being used, and as such, there should be a way to tell the operating system to try to use the values configured in his operating system (I'm not saying that such way doesn't exist, I just haven't checked it out yet).
In my case, due to the fact that my personal computer has access to the router configuration, it was easy for me to modify it to use the nearest DNS from the OpenNIC project. Good thing is, dnsleaktest.com tells me that I am indeed using such DNS, and identifies my IP address as being from the country where I live. This happens when I don't use Tor and Privoxy.
When using Tor and Privoxy, dnsleaktest.com identifies my IP address as being from some other location, and tells me that I am using other DNSs.
Best regards, ADFENO.
Have a nice day.
Thank you Michal.
Michal M, I tried to follow your instructions at #3
( https://trisquel.info/en/forum/you-might-be-using-google-name-server#comment-40233 )
but i get the error:
"chattr: Operation not supported while reading flags on /etc/resolv.conf"
Should I be running my own name server if I'm not tech savvy enough to understand this? (I don't)
How would I go about changing my name server to one of these http://www.opennicproject.org/nearest-servers/ ?
Thanks.
I can't see a DNS tab in Network settings. I guess in this case the Ubuntu guide might not apply in Trisquel.
First, click on edit connections. Then find the one you're using (if Ethernet it likely is under Wired Connection 1, if wireless look for the SSID of your router). Select and click edit. Go to IPv4 and change the method setting from Automatic (DHCP) to Automatic (DHCP) addresses only. This is assuming you want your router to dynamically hand out internal IP addresses. Under DNS servers add the IP addresses for the servers you will be using. Disconnect and connect again.
Thanks, I will try this!
How could one know the ISP DNS? Usually the support is very poor in my ISP, if I ask them about DNS, they probably won't know what I am talking about =S
When your modem gets hooked up it should fetch this information from your ISP. DHCP would result in your machine getting it handed out to you by either the router or the modem.
When I try this method, there is no save option when I put in the IP addresses.
The two items you put in DNS are internal OpenNic Nameservers, not the IPs of resolvers. Replace the stuff you have in "DNS Servers" field with the two IP numbers given to you on their homepage: http://www.opennicproject.org/
I figured this out last night a few minutes after I poste this. Thanks anyways.
This also fixed the DNS poisoning that my ISP was doing, so I am more than happy.
I use Trisquel mini.
This is a serios issue. Trisquel must to give us a solution to replace Google DNS with IP from our ISP provider.
We need a server which is not in the USA hosted, because all servers hosted in USA are under PATRIOT Act. And they use this law in order to access what server they want.
So if your DNS (from ISP) has servers in USA that service is not good ! Beware!
Well I knew about Google DNS server for a long timem I basically change my DNS inside my Cisco Router, then inside my Trisquel Pc.
Im using Comodo Servers, very fast and clean.4
I've just researched this and it is true, that configuration leaked from the build server's own configuration, which it's used during the build process for the iso image.
The resolv.conf file is emptied in the clean-up process for the image, but apparently recent versions of the avahi-daemon make a copy of that file when installed, and those settings are used as a fallback from that point on. Those servers should in any case be queried only if the nameserver set by dhclient (the one the router suggests) fails to resolve the request.
I'm adding those files (/etc/resolvconf/resolv.conf.d/*) to the clean-up process so newly produced images will not have that fallback. I'll be spinning new images both for Trisquel and for the FSF membership card during the weekend.
Thank you quidam!
Good to know, thank you!
Does anyone know or can confirm that if I download the image again today, this bug will already be fixed?
Yes I can confirm. Use:
http://devel.trisquel.info/makeiso/iso/
Thanks, downloading now :)
- Inicie sesión o regístrese para enviar comentarios