<!DOCTYPE html><html><head><title></title><style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style></head><body><div>What are the privacy and security implications of running your own DNS server (BIND), as opposed to relying on your ISP's DNS servers?<br></div><div><br></div><div>On Thu, Apr 9, 2020, at 12:45 AM, Jason Eckert wrote:<br></div><blockquote type="cite" id="qt"><div dir="ltr"><div>I don't think there will ever be a "very secure" DNS service, and DoH and DoT are advancing poorly from many different angles.<br></div><div>Some days I think we should all just go back to /etc/hosts like the Mennonites north of Waterloo.<br></div></div><div><br></div><div class="qt-gmail_quote"><div dir="ltr" class="qt-gmail_attr">On Wed, Apr 8, 2020 at 8:01 PM Doug Moen <<a href="mailto:doug@moens.org">doug@moens.org</a>> wrote:<br></div><blockquote class="qt-gmail_quote" style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0.8ex;border-left-color:rgb(204, 204, 204);border-left-style:solid;border-left-width:1px;padding-left:1ex;"><div><u></u><br></div><div><div>CIRA does not have the technical resources of CloudFlare for dealing with DOS attacks. The privacy guarantees that they offer, such as they are, are based on not having to trust global internet giants like Google and CloudFlare. You just need to trust CIRA, which is a small Canadian nonprofit. It is clear that they are running their own DNS servers in Ottawa, and the service is intended for Canadians. They maintain IP addresses in a log for 24 hours so that they can analyze traffic and deal with abuse. Since it is a Canada only service, I assume that if they detect a DOS attack they would have no problem with blacklisting blocks of non-Canadian IP addresses.<br></div><div><br></div><div>In this context, offering the service over TOR makes no sense. 
How would they protect themselves from DOS without knowing the origin IP address?<br></div><div><br></div><div>If you trust CloudFlare more than CIRA, then obviously use CloudFlare.<br></div><div><br></div><div>By the way, what do you use for trusted DNS in your home setup? How do you get trusted and private DNS service if you trust nobody outside of your immediate social group?<br></div><div><br></div><div>Doug Moen.<br></div><div><br></div><div>On Wed, Apr 8, 2020, at 8:33 PM, Mikalai Birukou via kwlug-disc wrote:<br></div><blockquote type="cite" id="qt-gmail-m_2524396368728929256qt"><p>I found this very educational about DNS questions:<br></p><p><a href="https://media.ccc.de/v/36c3-128-encrypted-dns-d-oh-the-good-bad-and-ugly-of-dns-over-https-doh" target="_blank">https://media.ccc.de/v/36c3-128-encrypted-dns-d-oh-the-good-bad-and-ugly-of-dns-over-https-doh</a><br></p><blockquote type="cite"><div><div dir="auto">Thanks Mikalai, I was thinking DoH might work over Tor more easily, but Tor’s usability is kind of dreadful if you’re not just using the browser. Hosting an onion service appears impossible.<br></div></div></blockquote><p>As for Tor, I found it very easy to set up a proxy. Is it a SOCKS proxy? I did an install on Ubuntu, not from the official repo, but following <a href="https://github.com/alecmuffett/eotk/blob/master/docs.d/HOW-TO-INSTALL.md" target="_blank">https://github.com/alecmuffett/eotk/blob/master/docs.d/HOW-TO-INSTALL.md</a>, found from <a href="https://community.torproject.org/onion-services/" target="_blank">https://community.torproject.org/onion-services/</a>.<br></p><p>You write in the config the service that you want to proxy, i.e. make accessible as a hidden service, and in a little while the tor service will generate and register a .onion address, which you can find in a respectively named file. It isn't a gloriously polished process, but
it works smoothly.<br></p><p>With CIRA, though, I want them to publish their DoT to ensure technically that there is no tracking of my IP. Promises are cute :). By the way, CloudFlare's DNS is published at <a href="https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/" target="_blank">dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion</a> (from <a href="https://blog.cloudflare.com/welcome-hidden-resolver/" target="_blank">https://blog.cloudflare.com/welcome-hidden-resolver/</a>).<br></p><div>_______________________________________________<br></div><div>kwlug-disc mailing list<br></div><div><a href="mailto:kwlug-disc@kwlug.org" target="_blank">kwlug-disc@kwlug.org</a><br></div><div><a href="https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" target="_blank">https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a><br></div><div><br></div></blockquote><div><br></div></div></blockquote></div><div><br></div></blockquote><div><br></div></body></html>