[kwlug-disc] CCC talk about DNS(ystem)

CrankyOldBugger crankyoldbugger at gmail.com
Wed Apr 8 20:55:04 EDT 2020


You want me to go knock on their door and ask them?


On Wed, 8 Apr 2020 at 20:45, Jason Eckert <jason.eckert at gmail.com> wrote:

> I don't think there will ever be a "very secure" DNS service, and DoH and
> DoT are advancing poorly from many different angles.
> Some days I think we should all just go back to /etc/hosts like the
> Mennonites north of Waterloo.
>
> On Wed, Apr 8, 2020 at 8:01 PM Doug Moen <doug at moens.org> wrote:
>
>> CIRA does not have the technical resources of CloudFlare for dealing with
>> DOS attacks. The privacy guarantees that they offer, such as they are, are
>> based on not having to trust global internet giants like Google and
>> CloudFlare. You just need to trust CIRA, which is a small Canadian
>> nonprofit. It is clear that they are running their own DNS servers in
>> Ottawa, and the service is intended for Canadians. They maintain IP
>> addresses in a log for 24 hours so that they can analyze traffic and deal
>> with abuse. Since it is a Canada only service, I assume that if they detect
>> a DOS attack they would have no problem with blacklisting blocks of
>> non-Canadian IP addresses.
>>
>> In this context, offering the service over TOR makes no sense. How would
>> they protect themselves from DOS without knowing the origin IP address?
>>
>> If you trust CloudFlare more than CIRA, then obviously use CloudFlare.
>>
>> By the way, what do you use for trusted DNS in your home setup? How do
>> you get trusted and private DNS service if you trust nobody outside of your
>> immediate social group?
>>
>> Doug Moen.
>>
>> On Wed, Apr 8, 2020, at 8:33 PM, Mikalai Birukou via kwlug-disc wrote:
>>
>> I found this very educational about DNS questions:
>>
>>
>> https://media.ccc.de/v/36c3-128-encrypted-dns-d-oh-the-good-bad-and-ugly-of-dns-over-https-doh
>>
>> Thanks Mikalai, I was thinking DOH might work over TOR easier but tor’s
>> usability is kind of dreadful if you’re not just using the browser. Hosting
>> an onion service appears impossible.
>>
>> As for Tor, I found it very easy to set up a proxy. Is it a SOCKS proxy? I
>> did an install on Ubuntu not from the official repo, but following
>> https://github.com/alecmuffett/eotk/blob/master/docs.d/HOW-TO-INSTALL.md
>> found from https://community.torproject.org/onion-services/ .
>>
>> You write in the config the service that you want to proxy, i.e. be
>> accessible as a hidden service, and in a little while the tor service will
>> generate and register a .onion address, which you can find in a
>> respectively named file. It isn't a gloriously polished process, but it
>> works smoothly.
>>
>> With CIRA, though, I want them to publish their DoT to ensure technically
>> that there is no tracking of my IP. Promises are cute :) . By the way,
>> CloudFlare's DNS is published at
>> dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion (from
>> https://blog.cloudflare.com/welcome-hidden-resolver/ ).
>> _______________________________________________
>> kwlug-disc mailing list
>> kwlug-disc at kwlug.org
>> https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org