# DNS

### On asking strangers for directions

DNS it determines where my devices go asking for directions on their way about the internet. My DNS setup thus has many impacts upon my

• For one, I would like a DNS services that does not record where I browse, so that I am less easily tracked and profiled by corporate interests or nascent police states. One way to fix this is with a VPN, but if I don’t want that overhead, I can also encrypt my DNS queries with the right DNS server.
• For another, I would like a DNS service that is deliberately broken and will simply not work for malevolent sites such as malware distributors and advertisers, because this is becoming difficult with some browsers. Some people maintain their own blocklists, but I am happy to entrust a third party DNS provider with this power if they seem trustworthy.
• For a third, I would like a DNS server that does not spoof sites. For example, when I work in Indonesia if I try to visit videos from vimeo, I cannot without DNS hacks because otherwise I am redirected to a site which tells me that vimeo is pornographic (!). In China I understand this is how they enforce the great firewall. One way around this is DNSSEC, which is a verified DNS standard which is somewhat painful to set up.

## How to switch bad default DNS servers to better ones

First up, it’s a small step but you can just ditch your ISP’s DNS resolver for a better one. I am told this might be bad for your Netflix streaming, but since my ISP already can’t really handle streaming, this is not a huge problem for me. If you have special needs (intranet servers etc) you will need more sophistication. See the bottom for a list of providers.

## Blocking some DNS records

You can do this yourself with dnsmaq plus much love and attention and OCD, but I’m not quite anal retentive enough to handle this myself. More comfortable might be to run a single board computer such as a rasppi as a net filter via pi-hole.

## Encrypting DNS

This de facto means a standard called DNS-over-TLS.

There was also dnscrypt, which was abandoned so I guess you can ignore it.

The encrypted and verified DNS option is DNSSEC. Obviously we should all be using this, but it still looks painful, at least on macOS. The server app of choice seems to be unbound. However, this doesn’t seem convenient for any platform I’m using, so DNS-over-TLS is a good stopgap I guess, which means using stubby and/or knot-resolver, or dnsproxy.

## DNS config and flush

So I’m going to reconfigure my DNS to be more secure. To do this I will update DNS servers to be some DNS-over-TSL servers, via the stubby app and flush out the old poisoned records.

Your OS can benefit from a DNS flush; but also your browsers can keep stinky poisoned records around. clearing browser DNS caches is also possible.

### Ubuntu

First, configure your DNS settings. (You really need to do this is you want to use VPN on linux.)

If you want to encrypt, see Linuxbabe on DNS-over-TLS for Ubuntu using some app called stubby. Then you will be running your own DNS thingy on 127.0.0.1:53 which will in turn use the DNS-over-TLS servers you configured. In practice installing it is painless and quick and I’m now using it. I presume it is doing something to improve my security. Shortcoming: the GUI config seems to require me to configure it anew for every different Wifi network. Need a universal workaround.

Having done that, flush out the bad old records. stackoverflow

sudo systemd-resolve --flush-cache
sudo systemd-resolve --statistics

### macOS

Changing the default DNS is plain obvious (system settings).

For encrypted DNS, see Dan Pfiffer on DNS-over-TLS for macOS (watch out, there is a typo in his config file and the identity keys don’t match the ones I got.). (alt version.)

DNS flush command keeps changing, eh? I think this is the latest:

sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

### Windows

unihost

ipconfig /flushdns

🤷‍♂️

### iOS

🤷‍♂️

[dnscloak]https://apps.apple.com/us/app/dnscloak-dnscrypt-client/id1452162351)?

### Bonus time

Pro-tip if you use stubby (instructions below) and you want faster DNS, don’t rotate

round_robin_upstreams: 0

but settle on a fast professional DNS service, e.g. Adguard:

# Adguard servers
tls_auth_name: "dns.adguard.comcloudflare-dns.com"

or cloudflare:

#CloudFlare servers
tls_auth_name: "cloudflare-dns.com"
tls_auth_name: "cloudflare-dns.com"

There is a (more) fully securre version of DNS-over-TLS where you verify the server’s keys, presumably over a trusted network. To find the encryptey verify key whatsit for e.g. 1.1.1.1 I am told you do this:

echo | openssl s_client -connect '1.1.1.1:853' 2>/dev/null | \
openssl x509 -pubkey -noout | \
openssl pkey -pubin -outform der |\
openssl dgst -sha256 -binary | \
openssl enc -base64

Surely this is in itself vulnerable to spoofing, because I need to trust some set of intermediate certificates? Anyway, this should at least detect server identity changes hereafter? probably?

If we do that, we get the following config.

# Adguard servers
- digest: "sha256"
value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
- digest: "sha256"
value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
# The Cloudflare servers
tls_auth_name: "cloudflare-dns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
tls_auth_name: "cloudflare-dns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=

You probably also want to avoid little accidents by configuring IPv6 also?

# Adguard servers
- digest: "sha256"
value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
- digest: "sha256"
value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=

## Alternate DNS servers

### Fancy

There are fancy DNS servers operated by e.g. Cloudflare and Adguard which offer value added features such as censoring advertisers (and optionally “family unfriendly” content) by simply not resolving them and DNS-over-TLS.

176.103.130.130
176.103.130.131

or

2a00:5a60::ad1:0ff
2a00:5a60::ad2:0ff

Cloudflare is American and has enabled Nazi speech. Adguard operate in a Russian jurisdiction. What the risk and benefit profiles of these organisations I will leave you to decide for yourself.

Cisco’s opendns will do ad blocking, but not TLS-comaptible.

### Vanilla, Australian

There are a LOT of DNS severs in Australia, and most do not block any websites. If all you want to do is unblock stuff then you can use any of these* AAPT DNS servers: 192.189.54.33 / 203.8.183.1 / 192.189.54.17 (* it appears only on iiNet/TPG group ISPs). In fact, you can even use this TPG server, strangely enough: 27.33.86.244, or of course any ISP not covered by the court order that has public DNS resolvers (many are network-locked) such as Broadband Solutions 119.17.48.189, or MyRepublic 103.217.165.53 / 45.248.197.53 (Au), 103.237.40.66 / 103.237.40.82 (NZ). There are also pubic resolvers operated by organisations as well, like this one from UNILINC: 192.70.216.4, or this one from Northwest Aviation Services: 203.59.141.180. […] Now that’s just a short list really, and confined to Australia[…] But before you enter them consider that most of those providers will log your data use, any run by an ISP are required to by law, and none of the others say they don’t log use. […]

You can also use DNS servers provided by VPNs. The PIA servers are 209.222.18.222 / 209.222.18.218. There are two Openic servers in Australia as well: 45.63.25.55 (NSW), 111.67.16.202 (Vic). Other options not recommended are GoogleDNS and CISCO. Google do say how long they keep logs for, so we’ll assume forever, and you’re giving all your metadata to the world’s largest advertising company! CISCO also keeps logs indefinitely, do not use.

The best option is to use one of these severs above as your back-up server, and set up dnscrypt, and use the d0wn Australia server (or really any server that doesn’t log, it’s up to you).

NB dnscrypt is dead so ignore that bit.

TODO: update this list for modern metadata retention laws etc.

### Vanilla, global

CCC’s recommended DNS servers globally:

• 85.214.20.141 (FoeBud)
• 204.152.184.76 (f.6to4-servers.net, ISC, USA)
• 2001:4f8:0:2::14 (f.6to4-servers.net, IPv6, ISC)
• 194.150.168.168 (dns.as250.net; Berlin/Frankfurt)
• 213.73.91.35 (dnscache.berlin.ccc.de)