libre (uncensored) DNS Providers ?

26 replies [Last post]
martinh
Offline
Joined: 02/21/2014

Hi Everyone !

You may be aware that your ISP may block websites and also stores info
on you.
Here in the UK your ISP has to store all emails, visited websites and a host
of other stuff by law for at least 1 year !

I'm avoiding this by using a different DNS Provider/Resolver.
Currently that is: https://dns.watch/

Question though is: Does anyone know of similar ones that are Libre ?
(As in using libre software).

Thanks !!

Jodiendo
Offline
Joined: 01/09/2013

MartinH SAID:

Question though is: Does anyone know of similar ones that are Libre ?
(As in using libre software).

VISIT THE FOLLOWING WEB SITE SO YOU COULD LEARN MORE ABOUT DNS.

https://www.opennic.org/

jxself
Offline
Joined: 09/13/2010

You are your own best DNS provider. It's not even hard: sudo apt install bind9. BIND can query the root name servers for you and you're independent.

martinh
Offline
Joined: 02/21/2014

Thanks for the replies !

I wasn't aware about BIND at all. Sounds very interesting, I'll have to read
about it - thanks.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

> I'll have to read about it

https://wiki.debian.org/Bind9

gd_scania
Offline
Joined: 09/13/2017

https://parabola.nu/packages/bind, the Bind server is also available in Parabola, which I can just run Parabola for my upcoming NAS. :)

gslima
Offline
Joined: 11/23/2017

Agree. But some people only want to have a life. /etc/host.aliases would do the job if your system is impenetrable, for banking, as typing on the browser some sites have extended verification, so they can't have proper access with direct IP number.

Jodiendo
Offline
Joined: 01/09/2013

jxself

Partially I DISAGREE WITH YOU ON THIS ONE.
WHY?
TO BE A dns provider requires a machine dedicated for that service, that takes time, skill and security settings to avoid spamming and overload.
Why you, should want to host a server for that purpose,?
when someone is just doing it already.
a user looking for A SOLUTION TO REMEDY their RESOLUTION AND CLARITY FOR THEIR internet.

ICANN IS A CONTROLLING FREAK ORGANIZATION.
WHEN ALL YOU WANT IS DNS NEUTRALITY, NO COST to you and STOPPING DNS hijacking.

Opennic dns servers for England are:

1- 104.238.186.189
2- 46.101.8.96
3- 52.56.195.141
4- 93.170.96.235

Start pinging away each IP to find out your nearest service provider.

jxself
Offline
Joined: 09/13/2010

"TO BE A dns provider requires a machine dedicated for that service
Why you, should want to host a server for that purpose,?"

Maybe if you're running something as a public service but for someone's own personal DNS resolution this is totally not needed. The method I proposed would work perfectly fine for that use case.

Jodiendo
Offline
Joined: 01/09/2013

Yes, Opennic is all about public service and reliability not constraint and fiscal ionization.

Opennic web site is all about volunteers. If you browse their web site www.opennic.org you will find tons and methods of information, especially for different OSes, for example: Linux, Apple, Windows, etc.
They will teach you how simply it is done and the differences of whether you are just a user or a DNS operator.

gslima
Offline
Joined: 11/23/2017

Have you heard the man? Maybe he's serious on his job and wants extra security. You can query DNS directly with dig or other tool, directly the root servers of most common accessed sites and put it on alias file. So it wouldn't be necessary to install bind except for seeing the addresses initially (digging localhost) and then uninstalling it. You can even config DNS to localhost or another invalid DNS configured on connection, that's what I meant, if that's the case.
I don't know internals of ICANN, but perhaps you're right. But I remind you that neutrality is for adults only, ok? Perhaps you need to learn some netiquette, because Caps seems like shouting things...
You worry about DNS hijacking, but some people worry about wrong advice on opensource forums, like providing wrong DNS numbers on forums (which I haven't checked if that's the case). Some people also worry a lot on DNS poisoning, especially on a Windows system. Windows system queries the DNS server and retains info for a longgggg time, so if someone hacks the DNS or tricks user to use a different DNS, that can't be immediately fixed, and damage is a big one, these could lead to even large zombie networks, if it is an organized attack.
But perhaps you're right about controlling freak part, perhaps they should be more flexible and avoid power abuse, if that's the case (I don't know how it acts, but once I read a good description from them).

gslima
Offline
Joined: 11/23/2017

The only flaw of this method is that sometimes servers change IP addresses if they change provider, as there is no portability on IP. But usually that's quite noticeable, as you won't have access and have to make the process again. Butttt, there's a possibility if your group changes IP without your knowledge and someone bribes the provider to maintain the site, to be accessing the wrong site.
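
The flaw described in this post (a pinned address going stale without the user noticing) can be checked for mechanically. The following is an added example, not code from any poster: it assumes the pins are kept in hosts-file format, and the sample entries, the function names and the use of `dig +short` for a fresh lookup are assumptions made for illustration.

```python
import ipaddress
import subprocess

# Constructed sample in hosts-file format (documentation address ranges).
SAMPLE_HOSTS = """\
# pinned by hand
192.0.2.10   bank.example www.bank.example
198.51.100.7 mail.example   # trailing comment
not-an-ip    broken.example
"""

def parse_hosts(text):
    """Return {hostname: set of pinned IPs}; skip comments and malformed lines."""
    pinned = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            pinned.setdefault(name.lower(), set()).add(addr)
    return pinned

def dig_resolve(name):
    """Ask DNS directly (the OS resolver would just echo the hosts file).
    Assumes the dig tool mentioned in the thread is installed."""
    out = subprocess.run(["dig", "+short", name, "A"],
                         capture_output=True, text=True, timeout=10).stdout
    answers = set()
    for token in out.split():
        try:
            answers.add(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # CNAME targets show up as names in +short output
    return answers

def find_drift(pinned, resolve=dig_resolve):
    """Return {name: (pinned, current)} where no pinned IP is still published."""
    drift = {}
    for name, addrs in sorted(pinned.items()):
        current = resolve(name)
        if not addrs & current:
            drift[name] = (addrs, current)
    return drift
```

A name reported by `find_drift(parse_hosts(open("/etc/hosts").read()))` means the pinned address and the published one no longer agree; which of the two to trust still has to be verified by other means before the entry is changed.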

gslima
Offline
Joined: 11/23/2017

Everything is a matter of trust.

martinh
Offline
Joined: 02/21/2014

True !

But if I use jxself's method, I doubt very much that the root servers
will ever change their ip address !

I also agree with the fact that I don't want to be subject to other people
deciding what is right or wrong for me to visit on the web, as Jodiendo pointed out.

Finally, why should I use a paid service if there are free ones (which I can donate to) ?

strypey
Offline
Joined: 05/14/2015

MartinH wrote:
"But if I use jxself's method, I doubt very much that the root servers will ever change their ip address !"

If they do, it will be trumpeted to the heavens with a major public announcement, as every single DNS provider (commercial or gratis, public or private) will have to change the IP address that their DNS servers use to query the root servers.

"I also agree with the fact that I don't want to be subject to other people deciding what is right or wrong for me to visit on the web, as Jodiendo pointed out."

None of the solutions listed here will solve that problem (AFAIK), because DNS is a centralized system with a single-point-of-failure, both technically (the root servers) and, more importantly, organizationally (ICANN). Many people have proposed replacing DNS with a decentralized system for mapping human-readable domain names to IP addresses. But even in a technically decentralized naming system run by a single authority like ICANN, would-be censors can pressure that authority to block or confiscate names.

There's another system called GNS (GNU Name System), which is part of the GNUNet project. I don't know much about how either of these work yet, so I don't know if it resolves the organisational single-point-of-failure.
https://gnunet.org/gns

It's certainly a fascinating problem.

GrevenGull
Offline
Joined: 12/18/2017

Am I misunderstanding something?

Being your own DNS provider would only solve 1 of the 2 problems of OP?

His ISP would still be able to do surveillance, no?

jxself
Offline
Joined: 09/13/2010

"His ISP would still be able to do surveillance, no?"

How's that any different from using any other DNS provider? (Answer: It's not.) Even if the connection with the DNS servers were encrypted, your ISP, fundamentally, still has to send your traffic around. So they'll still know who you're communicating with even if they don't know what you're saying.

"Oh, there's an encrypted connection to this DNS server over here. I wonder what they're looking up."
"Oh, right after that they accessed example.com. So it must have been that."

Avoiding surveillance is a much bigger task. It can still be done by being self-hosted. But it's a different question. So the other part of the question might be to send those DNS queries (along with websites that are accessed) over TOR or something like that.

gslima
Offline
Joined: 11/23/2017

In my country there's also this system of records (Brazil), also these can be routed by the service provider if you have legal issues. Also physical connection can be hijacked from third party, and routed by a regular MikroTik router. For extra safety, I would recommend fiber optics. The only way to avoid legal issues is to have someone of trust on the DNS maintenance. Also in Brazil, they try to extra charge you if you change DNS. They also can try to install rtkit packages on your Trisquel system. I would recommend Level 3 for DNS, or OpenDNS for protected internet, for iPhone the app DNS override. There's a DNS for each circumstance. The only proper DNS that you can use blindly is smartydns, there's a free trial, but it's paid services. I of course worry on ethical of these kind of paid services, but these guys only want to have a life.

Jodiendo
Offline
Joined: 01/09/2013

gslima

There is no available FREE OpenNIC DNS service for your country, the closest is in Ecuador. You might want to start pinging their DNS and try them out.

Ecuador
1- 185.121.177.177
2- 169.239.202.202
3- 198.251.90.143

Pinging 185.121.177.177 with 32 bytes of data:
Reply from 185.121.177.177: bytes=32 time=166ms TTL=55
Reply from 185.121.177.177: bytes=32 time=165ms TTL=55
Reply from 185.121.177.177: bytes=32 time=165ms TTL=55
Reply from 185.121.177.177: bytes=32 time=166ms TTL=55

Ping statistics for 185.121.177.177:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 165ms, Maximum = 166ms, Average = 165ms

Pinging 169.239.202.202 with 32 bytes of data:
Reply from 169.239.202.202: bytes=32 time=177ms TTL=55
Reply from 169.239.202.202: bytes=32 time=176ms TTL=55
Reply from 169.239.202.202: bytes=32 time=177ms TTL=55
Reply from 169.239.202.202: bytes=32 time=177ms TTL=55

Ping statistics for 169.239.202.202:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 176ms, Maximum = 177ms, Average = 176ms

Pinging 198.251.90.143 with 32 bytes of data:
Reply from 198.251.90.143: bytes=32 time=184ms TTL=53
Reply from 198.251.90.143: bytes=32 time=185ms TTL=53
Reply from 198.251.90.143: bytes=32 time=186ms TTL=53
Reply from 198.251.90.143: bytes=32 time=184ms TTL=53

Ping statistics for 198.251.90.143:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 184ms, Maximum = 186ms, Average = 184ms

That is just pinging from my location to Ecuador. You should try it. You are close to them.

gd_scania
Offline
Joined: 09/13/2017

For Hong Kong is my nearest FREE DNS service from Japan thanks?

Jodiendo
Offline
Joined: 01/09/2013

Gentleman
I'm in the Philippines, I use the Singapore opennic server for resolution. My ISP locally is about 130 milliseconds, depends on the time of the day, but using the DNS for Singapore Opennic server my ping averages about 54 milliseconds; it is superbly stable and encrypted, only the operators have that way for security purposes.

52.230.17.182 (ns6.sg): 99.92% uptime

Jodiendo
Offline
Joined: 01/09/2013

martinh

If you need more help or have questions about your DNS issues, I'll do my best to assist you.
Let's start with a simple question:
Is your IP dynamic or static?
It is a factor of importance of knowing this. Not your specific IP address particularly, but for you to understand the difference of pros and cons, having a dynamic or static. I'm not interested in your IP address, just for you to be able to identify the two classes of IPs. All this information will help you to make a wise decision to improve your DNS service.

Once you know and understand the differences it will help you how to properly handle your final decision.

For example: Currently I'm paying my ISP for a fixed IP locally, but my DNS provider is in another country. Why? Because locally my DNS is overcrowded and resolution sucks, but in Singapore it is very stable and does not cost me nothing.

martinh
Offline
Joined: 02/21/2014

Thanks jodiendo !

My ip address is dynamic, I've never felt the need to have a static one.
Currently still using dns.watch , but opennic sounds interesting, although
I'm not sure how reliable it is (uptime).

akito
Offline
Joined: 05/10/2017

Is OpenDNS not trustworthy? Some opennic public servers that I use vanish sometimes but then I just switch to another.
Oh, I forgot that OpenDNS blocks offensive sites so it may be safe if there are kids using the net.
I have problems with dns.watch; they appear to block the debian.org site.

martinh
Offline
Joined: 02/21/2014

I'm not sure about OpenDNS, used to be independent, now belongs to Cisco, and yes, it
does block sites, you will have to use one of their paid services to be uncensored.
But like you say, if you have kids it might be better.

Hmmmm, debian.org works fine for me here.

akito
Offline
Joined: 05/10/2017

So, I heard about Cloudflare's DNS 1.1.1.1 and 1.0.0.1, can anyone recommend this? They say they do log but anonymize it... I am currently using custom opennic servers which say that they do not log. I have solved my problem of some websites not being accessible, it was the DNSSEC.

Substance2004
Offline
Joined: 11/05/2013

Maybe there is a solution with DNSCrypt ?
https://dnscrypt.info/

I saw an interesting French video on it yesterday and it's got MIT Licence.

You are no longer in relation with your own internet company for DNS request that can record your metadata, but with a DNS C server you can choose from a list given by the software. The requests are encrypted.

But you've got to have confidence with this DNS C server. This will be the one who will receive your DNS requests.

But jxself's solution sounds really interesting !

Anyone heard about it ?