The Living Thing / Notebooks :

DNS

On asking strangers for directions

I have reason to think about DNS, because it determines where my devices go for directions.

This has many implications.

How to switch bad vanilla DNS servers to better ones

First up, it’s a small step, but you can just ditch your ISP’s DNS resolver for a better one. I am told this might be bad for your Netflix streaming, but since my ISP already can’t really handle streaming, this is not a huge problem for me. If you have special needs (intranet servers etc) you will need more sophistication. See the bottom for a list of providers.

DNS flush

If you are using these for VPN on Ubuntu, you need extra steps. But maybe your DNS cache is already poisoned with false records? You need to expunge them.

Your OS can benefit from a DNS flush; but also your browsers can keep stinky poisoned records around. Clearing browser DNS caches is also possible.

Ubuntu

stackoverflow

sudo systemd-resolve --flush-cache
sudo systemd-resolve --statistics

macOS

DNS flush command keeps changing, eh?:

sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

Windows

unihost

ipconfig /flushdns

Blocking some DNS

You can do this yourself with dnsmasq plus much love and attention and OCD, but I’m not quite anal retentive enough to handle this myself. More comfortable might be to run a single board computer such as a Raspberry Pi as a net filter via pi-hole.
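To make concrete what a dnsmasq or pi-hole style filter actually decides per query, here is an added Python example (not code from this notebook, and not dnsmasq’s or pi-hole’s own code). It parses dnsmasq-style address=/domain/sinkhole rules and answers whether a queried name is caught by one, walking up the name so that a rule for a domain also catches its subdomains but only on a label boundary. The rule lines are constructed samples, and the allowlist override is an assumption modelled on pi-hole’s whitelist, not something the page describes.

```python
"""Blocklist matching the way dnsmasq and pi-hole do it: a rule for a domain
also catches every subdomain, but only on a label boundary, so a rule for
doubleclick.net catches ads.doubleclick.net and not notdoubleclick.net.

Standard library only. Rule lines use dnsmasq's address=/domain/sinkhole
form; the sinkhole is the address handed back for blocked names (0.0.0.0
is the usual blackhole). dnsmasq's address=/domain/# form is not handled.
"""


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot: DNS names are case-insensitive."""
    return name.strip().rstrip(".").lower()


def parse_rules(text: str) -> dict:
    """Parse address=/domain/sinkhole lines into {domain: sinkhole}.

    Blank lines and '#' comments are skipped; anything else malformed raises,
    because a silently ignored rule is a hole in the filter.
    """
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split("/", 2)
        if len(parts) != 3 or parts[0] != "address=" or not parts[1] or not parts[2]:
            raise ValueError(f"line {lineno}: not an address=/domain/sinkhole rule: {raw!r}")
        rules[normalise(parts[1])] = parts[2].strip()
    return rules


def lookup(name: str, rules: dict, allow=frozenset()):
    """Return the sinkhole address for name, or None if it should be forwarded.

    Walks from the full name up to the top-level label so that a rule for a
    parent domain matches, while a longer unrelated name that merely ends in
    the same characters does not. An exact match in `allow` (assumed here to
    behave like pi-hole's whitelist) overrides any blocking rule.
    """
    qname = normalise(name)
    if qname in allow:
        return None
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate]
    return None


# Constructed sample rules; not a real blocklist.
SAMPLE_RULES = """\
# constructed sample, not a real blocklist
address=/doubleclick.net/0.0.0.0
address=/ads.example/0.0.0.0
address=/tracker.example.org/::
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for q in ("ads.doubleclick.net", "notdoubleclick.net", "www.example.org"):
        verdict = lookup(q, rules)
        print(q, "->", "BLOCK" if verdict else "FORWARD", verdict or "")
```

The label-boundary walk is the part worth copying: a naive `name.endswith(rule)` check blocks `notdoubleclick.net` for a `doubleclick.net` rule, which is exactly the kind of false positive that makes people rip a filter back out.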

Encrypting DNS

Linuxbabe on DNS-over-TLS for Ubuntu using some app called stubby. Dan Pfiffer on DNS-over-TLS for macOS. (alt version.) These both look pretty simple. There was also dnscrypt, which was abandoned so I guess you can ignore it.

DNSSEC

The signed and verified DNS option: DNSSEC lets a validating resolver check that records are genuine, though it does not by itself encrypt the queries (that is what DNS-over-TLS above does). Obviously we should all be using this, but it still looks painful at least on macOS. The server app of choice seems to be unbound.
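Once you have switched resolvers, the question is whether the new one actually validates. Here is an added Python example (not code from this notebook, stubby or unbound) that builds a DNS query with the EDNS0 DO bit set and decodes the reply header to see whether the resolver set the AD (Authenticated Data) flag, which a validating resolver sets for a name in a signed zone and a non-validating one never does. The reply byte strings are constructed, not captured traffic; the probe() function and the 127.0.0.53 stub address are assumptions for a live check against whatever resolver you point it at. The transaction-id check in parse_header() is also the basic sanity check against forged replies that the poisoned-cache worry in the flush section is about.

```python
"""Build a DNS query with the EDNS0 DO bit and check the AD flag in a reply.

A resolver that validates DNSSEC sets AD in its answer for a signed name;
one that merely forwards never does. Standard library only.
"""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int, want_dnssec: bool = True) -> bytes:
    """Return a recursive A query; with want_dnssec an OPT record sets DO=1."""
    flags = 0x0100  # RD (recursion desired); AD and CD clear
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    opt = b""
    if want_dnssec:
        # OPT pseudo-RR: root name, type 41, UDP payload size 4096,
        # extended rcode 0, EDNS version 0, flags with DO (0x8000), no RDATA.
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(resp: bytes, expected_txid: int) -> dict:
    """Decode the 12-byte header; refuse replies whose transaction id is wrong."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: forged or stale reply")
    return {
        "qr": bool(flags & 0x8000),   # this is a response
        "tc": bool(flags & 0x0200),   # truncated; retry over TCP
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # resolver validated the answer
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }


def validates_dnssec(resp: bytes, expected_txid: int) -> bool:
    """True iff the reply is a successful answer carrying the AD flag."""
    h = parse_header(resp, expected_txid)
    return h["qr"] and h["rcode"] == "NOERROR" and h["ad"]


# Constructed sample replies (header only, not captured traffic), txid 0x1234.
# Flags 0x81A0 = QR|RD|RA|AD with NOERROR; 0x8180 = QR|RD|RA without AD.
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
FORGED_REPLY = struct.pack("!HHHHHH", 0x9999, 0x81A0, 1, 1, 0, 1)


def probe(server: str, name: str = "example.com", timeout: float = 3.0) -> dict:
    """Assumed helper: send the query over plain UDP/53 and decode the header."""
    txid = 0x1234  # fixed for readability; a real client randomises it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data, txid)


if __name__ == "__main__":
    # 127.0.0.53 is the systemd-resolved stub on Ubuntu; swap in your resolver.
    print(probe("127.0.0.53"))
```

The name you probe with has to live in a signed zone for AD to mean anything (example.com is signed); a reply with AD clear for such a name means the resolver is forwarding without validating, which is the case the DNSSEC section above is trying to get away from.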

Alternate DNS servers

Fancy

There are fancy DNS servers operated by e.g. Cloudflare and Adguard which offer value added features such as censoring advertisers’ sites (and optionally “family unfriendly” ones) and DNS-over-TLS.

Cloudflare is American and has enabled Nazi speech. Adguard operate in a Russian jurisdiction. What the risk and benefit profiles of these organisations are, I will leave you to decide for yourself.

Cisco’s opendns will do ad blocking, but is not TLS-compatible.

Vanilla, Australian

DNS Servers to use in Australia:

There are a LOT of DNS servers in Australia, and most do not block any websites. If all you want to do is unblock stuff then you can use any of these* AAPT DNS servers: 192.189.54.33 / 203.8.183.1 / 192.189.54.17 (* it appears only on iiNet/TPG group ISPs). In fact, you can even use this TPG server, strangely enough: 27.33.86.244, or of course any ISP not covered by the court order that has public DNS resolvers (many are network-locked) such as Broadband Solutions 119.17.48.189, or MyRepublic 103.217.165.53 / 45.248.197.53 (Au), 103.237.40.66 / 103.237.40.82 (NZ). There are also public resolvers operated by organisations as well, like this one from UNILINC: 192.70.216.4, or this one from Northwest Aviation Services: 203.59.141.180. […] Now that’s just a short list really, and confined to Australia[…] But before you enter them consider that most of those providers will log your data use, any run by an ISP are required to by law, and none of the others say they don’t log use. […]

You can also use DNS servers provided by VPNs. The PIA servers are 209.222.18.222 / 209.222.18.218. There are two OpenNIC servers in Australia as well: 45.63.25.55 (NSW), 111.67.16.202 (Vic). Other options not recommended are GoogleDNS and CISCO. Google do say how long they keep logs for, so we’ll assume forever, and you’re giving all your metadata to the world’s largest advertising company! CISCO also keeps logs indefinitely, do not use.

The best option is to use one of these servers above as your back-up server, and set up dnscrypt, and use the d0wn Australia server (or really any server that doesn’t log, it’s up to you).

NB dnscrypt is dead so ignore that bit.

TODO: update this list for modern metadata retention laws etc.

Vanilla, global

CCC’s recommended DNS servers globally:

Google DNS:

The Google Public DNS IP addresses (IPv4) are as follows:

The Google Public DNS IPv6 addresses are as follows: