[kwlug-disc] CCC talk about DNS(ystem)

Doug Moen doug at moens.org
Wed Apr 8 20:48:23 EDT 2020


What are the privacy and security implications of running your own DNS server (BIND), as opposed to relying on your ISP's DNS servers?

On Thu, Apr 9, 2020, at 12:45 AM, Jason Eckert wrote:
> I don't think there will ever be a "very secure" DNS service, and DoH and DoT are advancing poorly from many different angles.
> Some days I think we should all just go back to /etc/hosts like the Mennonites north of Waterloo.
> 
> On Wed, Apr 8, 2020 at 8:01 PM Doug Moen <doug at moens.org> wrote:
>> CIRA does not have the technical resources of CloudFlare for dealing with DOS attacks. The privacy guarantees that they offer, such as they are, are based on not having to trust global internet giants like Google and CloudFlare. You just need to trust CIRA, which is a small Canadian nonprofit. It is clear that they are running their own DNS servers in Ottawa, and the service is intended for Canadians. They maintain IP addresses in a log for 24 hours so that they can analyze traffic and deal with abuse. Since it is a Canada only service, I assume that if they detect a DOS attack they would have no problem with blacklisting blocks of non-Canadian IP addresses.
>> 
>> In this context, offering the service over TOR makes no sense. How would they protect themselves from DOS without knowing the origin IP address?
>> 
>> If you trust CloudFlare more than CIRA, then obviously use CloudFlare.
>> 
>> By the way, what do you use for trusted DNS in your home setup? How do you get trusted and private DNS service if you trust nobody outside of your immediate social group?
>> 
>> Doug Moen.
>> 
>> On Wed, Apr 8, 2020, at 8:33 PM, Mikalai Birukou via kwlug-disc wrote:
>>> I found this very educational about DNS questions:
>>> 
>>> https://media.ccc.de/v/36c3-128-encrypted-dns-d-oh-the-good-bad-and-ugly-of-dns-over-https-doh-
>>> 
>>>> Thanks Mikalai, I was thinking DOH might work over TOR easier, but tor's usability is kind of dreadful if you're not just using the browser. Hosting an onion service appears impossible.
>>> 
>>> As for Tor, I found it very easy to set up a proxy. Is it a SOCKS proxy? I did an install on Ubuntu, not from the official repo, but following https://github.com/alecmuffett/eotk/blob/master/docs.d/HOW-TO-INSTALL.md found from https://community.torproject.org/onion-services/ .
>>> 
>>> You write in the config the service that you want to proxy, i.e. be accessible as a hidden service, and in a little while the tor service will generate and register a .onion address, which you can find in a respectively named file. It isn't a gloriously polished process, but it works smoothly.
>>> 
>>> With CIRA, though, I want them to publish their DoT to ensure technically that there is no tracking of my IP. Promises are cute :) . By the way, CloudFlare's DNS is published at dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion (from https://blog.cloudflare.com/welcome-hidden-resolver/ ).
>>> _______________________________________________
>>> kwlug-disc mailing list
>>> kwlug-disc at kwlug.org
>>> https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>> 