[kwlug-disc] CCC talk about DNS(ystem)

Jason Eckert jason.eckert at gmail.com
Wed Apr 8 20:45:09 EDT 2020


I don't think there will ever be a "very secure" DNS service, and DoH and
DoT are advancing poorly from many different angles.
Some days I think we should all just go back to /etc/hosts like the
Mennonites north of Waterloo.

On Wed, Apr 8, 2020 at 8:01 PM Doug Moen <doug at moens.org> wrote:

> CIRA does not have the technical resources of CloudFlare for dealing with
> DOS attacks. The privacy guarantees that they offer, such as they are, are
> based on not having to trust global internet giants like Google and
> CloudFlare. You just need to trust CIRA, which is a small Canadian
> nonprofit. It is clear that they are running their own DNS servers in
> Ottawa, and the service is intended for Canadians. They maintain IP
> addresses in a log for 24 hours so that they can analyze traffic and deal
> with abuse. Since it is a Canada-only service, I assume that if they detect
> a DOS attack they would have no problem with blacklisting blocks of
> non-Canadian IP addresses.
>
> In this context, offering the service over TOR makes no sense. How would
> they protect themselves from DOS without knowing the origin IP address?
>
> If you trust CloudFlare more than CIRA, then obviously use CloudFlare.
>
> By the way, what do you use for trusted DNS in your home setup? How do you
> get trusted and private DNS service if you trust nobody outside of your
> immediate social group?
>
> Doug Moen.
>
> On Wed, Apr 8, 2020, at 8:33 PM, Mikalai Birukou via kwlug-disc wrote:
>
> I found this very educational about DNS questions:
>
> https://media.ccc.de/v/36c3-128-encrypted-dns-d-oh-the-good-bad-and-ugly-of-dns-over-https-doh-
>
> Thanks Mikalai, I was thinking DOH might work over TOR easier, but Tor’s
> usability is kind of dreadful if you’re not just using the browser. Hosting
> an onion service appears impossible.
>
> As for Tor, I found it very easy to set up a proxy. Is it a SOCKS proxy? I
> did an install on Ubuntu not from the official repo, but following
> https://github.com/alecmuffett/eotk/blob/master/docs.d/HOW-TO-INSTALL.md
> found from https://community.torproject.org/onion-services/ .
>
> You write in the config the service that you want to proxy, i.e. be
> accessible as a hidden service, and in a little while the tor service will
> generate and register a .onion address, which you can find in a respectively
> named file. It isn't a gloriously polished process, but it works smoothly.
>
> With CIRA, though, I want them to publish their DoT to ensure technically
> that there is no tracking of my IP. Promises are cute :) . By the way,
> CloudFlare's DNS is published at
> dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion (from
> https://blog.cloudflare.com/welcome-hidden-resolver/ ).
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org