Calguns.net  

Technology and Internet Emerging and current tech related issues. Internet, DRM, IP, and other technology related discussions.

Cloudflare DNS

#1  yellowsulphur  04-01-2018, 9:23 PM

Today Cloudflare launched a public DNS service that offers:
  • DNS-over-HTTPS and DNS-over-TLS
  • A global response time of 14ms
  • DNS queries purged every 24 hours
  • Free as in beer
  • ~ 43% faster than Google's public DNS

1.1.1.1
1.0.0.1

https://1.1.1.1

Thought this might be of interest to everyone, but especially those trying to move away from everything Google.
#2  AJAX22  04-01-2018, 9:44 PM

Cloudflare is actually pretty damn good.

There are ways to use their services in ways never intended by them to speed content delivery quite a bit.
__________________
Youtube Channel Proto-Ordnance

Subscribe to Proto Ordnance
#3  the86d  04-02-2018, 3:38 AM

Quote: Originally Posted by yellowsulphur
Today Cloudflare launched a public DNS service that offers:
  • DNS-over-HTTPS and DNS-over-TLS
  • A global response time of 14ms
  • DNS queries purged every 24 hours
  • Free as in beer
  • ~ 43% faster than Google's public DNS

1.1.1.1
1.0.0.1

https://1.1.1.1

Thought this might be of interest everyone, but especially those trying to move away from everything Google.
If you never log in to Gmail on Chrome, only in private Firefox tabs, and use fake names tied to said Gmail accounts, there is less reason for concern, if you are trying to be the monkey wrench.

I would be more worried about Apple, with everybody using their real name on Applecare, iMessage, and using Safari, with genuine names and credit cards required.
__________________
"That's what governments are for - get in a man's way." - Captain Malcolm 'Mal' Reynolds
#4  zrockstar  04-02-2018, 8:13 AM

You can also use OpenDNS (Cisco) for free for personal use: https://www.opendns.com/home-internet-security/
#5  Robotron2k84  04-02-2018, 9:14 AM

What a ridiculous waste of energy. Run your own caching resolver like the internet was designed to operate. Signing up and using a consolidated resource is buying into someone else's idea of how free your information should be.
#6  lazyworm  04-02-2018, 9:28 AM

Just test it well before using it. Some network gear cannot properly route to 1.x.x.x.
#7  Dubious_Beans  04-02-2018, 1:50 PM

Quote: Originally Posted by Robotron2k84
What a ridiculous waste of energy. Run your own caching resolver like the internet was designed to operate. Signing up and using a consolidated resource is buying into someone else's idea of how free your information should be.
For those of us who skipped class that day, can you tell us a little more about that and how it's done?
#8  Robotron2k84  04-02-2018, 2:17 PM

Tell me more about your network topology and I can be of more help.

In general, there are two forms of DNS server, full resolvers and stub resolvers. Full resolvers are authoritative or infrastructure-level DNS servers that handle traffic at scale. Authoritative servers have the SOA and A records that everyone else needs to turn a request for Calguns into a reachable IP address.

Stub resolvers are used to cache and offload request traffic at the local network level. They sit on your router or on your PC and perform requests to authoritative servers, get the results and keep them until their TTL expires and they have to be fetched again.

Google and CF's DNS servers, as well as most ISP customer-facing DNS are stub resolvers since they generally don't host authoritative data and are used as caches.

The novelty of encrypted DNS is so far just a gimmick. The only part of the transaction that is encrypted is from your DNS client code in the resolver library that all programs use, to the local resolver (in this case CF). The remainder of the traffic is not encrypted as it's completely public data and DNS protocols don't yet have a STARTTLS-like mechanism, although it is being worked on. The only benefit to client SSL is for the link to the DNS cache from the client. If a TLA wishes to snoop on your DNS traffic, there isn't much you can do at this point outside of a VPN anyway.

So, if you run a DNS caching resolver locally there is no need to traverse the internet for DNS data multiple times in the first place. RTT takes longer for a caching resolver locally, but subsequent requests are generally under 5ms. This speeds up your perception of browsing because you don't need to traverse the internet each time a DNS name needs to be resolved. Most OSs have a caching component to name services regardless, but they are flushed frequently when networks change or interfaces change operational status.

At present there are numerous DNS caching resolvers you can use: Knot, Stubby, and legacy BIND if you want the OG server.

You can run them on your local PC, your router, a dedicated PC / server or in a VM. Every request you make goes to the origin servers and brings authoritative data back. No middlemen or agendas to serve.

Last edited by Robotron2k84; 04-02-2018 at 2:24 PM..
#9  jdfthetech  04-02-2018, 2:19 PM

Quote: Originally Posted by Dubious_Beans
For those of us who skipped class that day, can you tell us a little more about that and how it's done?
It's actually pretty pointless considering you'll still be downloading the DNS records constantly while also having less chance of catching poisoning issues. There is a reason there are DNS admins; don't try and admin it yourself, you don't have the time to do this effectively unless it's already your job.
__________________
while (bullets > 0 && target == 1){fire == 1;}
#10  Robotron2k84  04-02-2018, 2:28 PM

Quote: Originally Posted by jdfthetech
It's actually pretty pointless considering you'll still be downloading the DNS records constantly while also having less chance of catching poisoning issues. There is a reason there are DNS admins; don't try and admin it yourself, you don't have the time to do this effectively unless it's already your job.
Cache poisoning doesn't happen if you are always fetching authoritative data, unless your entire route table has been compromised, at which point all of your traffic is being intercepted. Most of these attacks happen at the router anyway, where its settings are forcibly altered to point to a poisoned server. If you run your own cache, or not, poisoning is still possible based on how secure the next client up the chain is. If this is a concern, and DNSSEC is available, it can be configured to validate addresses on a caching resolver. Harder to do without one.

DNS admins work on Authoritative servers. Caches are autonomous in 99% of cases.

Last edited by Robotron2k84; 04-02-2018 at 2:31 PM..
#11  jdfthetech  04-02-2018, 4:41 PM

Quote: Originally Posted by Robotron2k84
Cache poisoning doesn't happen if you are always fetching authoritative data, unless your entire route table has been compromised, at which point all of your traffic is being intercepted. Most of these attacks happen at the router anyway, where its settings are forcibly altered to point to a poisoned server. If you run your own cache, or not, poisoning is still possible based on how secure the next client up the chain is. If this is a concern, and DNSSEC is available, it can be configured to validate addresses on a caching resolver. Harder to do without one.

DNS admins work on Authoritative servers. Caches are autonomous in 99% of cases.
My point is you won't catch it until much later than a dedicated NOC.

Also, advising people to set up their own routing tables etc. when it's way outside the scope of most folks' technical know-how is kind of silly.

It's one thing to change a DNS host in your resolv or hosts file, it's entirely a different thing to set up a DNS server at home. There are numerous security issues with doing so as well (as I'm sure you are very aware). It seems you're telling people to dig deep into their router hardware or set up servers when the vast majority of people on this forum just want something simple that helps them be a bit more secure.

If someone has the knowledge to configure their routing tables, or admin a DNS server, a free DNS server offered by Cloudflare is going to generally be outside their interest level.
__________________
while (bullets > 0 && target == 1){fire == 1;}

Last edited by jdfthetech; 04-02-2018 at 4:42 PM.. Reason: stupid stuff
#12  Robotron2k84  04-02-2018, 5:49 PM

I'm not suggesting that people change their routing tables. That's disingenuous and a failure of comprehension. Nor am I suggesting setting up a DNS server proper, only a recursive resolver. I'm not entirely sure you understand the difference between the two.

Cache poisoning happens because an exposed (and that's important) resolver cache is overwhelmed by bogus queries in a short-enough period of time that it blocks out legitimate traffic. During that window bogus authoritative responses can be inserted to where ns.somedomain.com can be forged to an illegal host for the duration of that entry's TTL. The potential for a cache to be poisoned in such a way is astronomically higher when it is a large public service, like Google or CF. They have monitoring to detect such events specifically because their risk profile is about a million times larger, without exaggerating. In addition UDP SPR now prevents that type of attack in most circumstances.

In a home-user setting, the cache is not public and setting it so would take extra effort. But, in any event the traffic required to exploit such a setup would have to be generated by the inside hosts and risk detection where a low-intensity attack against the router to change its DNS settings would be more logical. So, in no way are you more susceptible to such an attack, actually statistically less so.

As for installation and configuration, it's really not difficult, and the configuration of my own caching resolver on my home network hasn't been touched except for routine upgrades in literally years. I pay almost no attention to it because it's not exposed and it's not a source of exploits. If you trust dnsmasq or some other embedded daemon, such as is included with most router software, it's completely illogical to somehow fear software so similar that adds exactly one extra feature for the case we are discussing.

There are many sites on the net that will give you a stock configuration file for a caching resolver, it's really not rocket science or as difficult as you are making it sound.

The only other change that needs to be made other than installing the server is setting your DNS configuration to the IP of the installed software's host. It requires so little intervention you'd probably be best writing yourself a note to stick on the bottom of your keyboard that you even have the server installed.

Last edited by Robotron2k84; 04-02-2018 at 6:05 PM..
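Added example (not code from this thread or from any resolver named in it): a stdlib-only Python model of the UDP reply race behind cache poisoning, showing why the "UDP SPR" (source port randomization) mentioned above matters. A caching resolver accepts a reply only if it matches the transaction ID and destination port of an outstanding query, so a forged reply sent blind has to guess those fields before the legitimate answer arrives; the attacker triggers a query for a fresh uncached name each round so it gets a fresh race each time. The attacker address 203.0.113.66, the real answer 198.51.100.10, the name example.com and the packet counts are constructed for the example; the model deliberately omits bailiwick checks, glue handling and the rest of a real resolver.

```python
import random

# Sizes of the two fields a forged reply has to match (16-bit DNS TXID, 16-bit UDP port).
# Real resolvers draw from a smaller ephemeral port range, so 2**16 is an upper bound.
TXID_SPACE = 1 << 16
PORT_SPACE = 1 << 16
FIXED_PORT = 53  # stands in for an old resolver that sent every query from one fixed port


def forge_success_probability(forged_per_window, windows, randomize_port):
    """Analytic chance that at least one forged reply is accepted across `windows` races.

    Each race: the resolver sends one query and the attacker fires `forged_per_window`
    replies at it before the real answer lands. A forged reply matches only if it
    guesses the TXID (and, with source port randomization, the port as well).
    """
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    per_window = min(1.0, forged_per_window / space)
    return 1.0 - (1.0 - per_window) ** windows


class CachingResolver:
    """Minimal model of the acceptance check a caching resolver applies to UDP replies."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.pending = {}   # qname -> (source port, txid) of the outstanding query
        self.cache = {}     # qname -> rdata

    def send_query(self, qname):
        port = self.rng.randrange(PORT_SPACE) if self.randomize_port else FIXED_PORT
        txid = self.rng.randrange(TXID_SPACE)
        self.pending[qname] = (port, txid)
        return port, txid

    def receive(self, qname, dst_port, txid, rdata):
        # This tuple is the only thing tying a UDP reply to a query; without DNSSEC
        # there is no cryptographic binding, so a correct guess is accepted as genuine.
        if self.pending.get(qname) == (dst_port, txid):
            del self.pending[qname]
            self.cache[qname] = rdata
            return True
        return False


def run_attack(randomize_port, forged_per_window, windows, seed=1):
    """Kaminsky-style race: the attacker triggers a query for a fresh name each window
    and floods forged replies. Returns the window number at which the cache was
    poisoned, or None if the legitimate answer won every race."""
    resolver = CachingResolver(randomize_port, random.Random(seed))
    attacker = random.Random(seed + 1)
    for i in range(windows):
        qname = f"rnd{i}.example.com."        # uncached name, so a real query goes out
        resolver.send_query(qname)
        for _ in range(forged_per_window):
            # Without SPR the port is known (fixed); with SPR it must be guessed too.
            guess_port = attacker.randrange(PORT_SPACE) if randomize_port else FIXED_PORT
            guess_txid = attacker.randrange(TXID_SPACE)
            if resolver.receive(qname, guess_port, guess_txid, "203.0.113.66"):
                return i + 1                 # attacker's address now cached for the TTL
        # The real answer arrives; the race for this name is over.
        port, txid = resolver.pending[qname]
        resolver.receive(qname, port, txid, "198.51.100.10")
    return None


if __name__ == "__main__":
    for spr in (False, True):
        print(f"port randomization={spr}: "
              f"P(success, 200 forged x 5000 windows) = {forge_success_probability(200, 5000, spr):.6f}, "
              f"simulated poisoning window: {run_attack(spr, 200, 5000)}")
```

Running it prints the analytic and simulated outcome for both settings: with a fixed source port a couple of hundred forged replies per race typically poison the cache within a few hundred races, while with a randomized port the same flood goes nowhere, which is the roughly 2^16 versus 2^32 search-space difference. DNSSEC validation is what removes the dependence on guessing entirely, which is why a local validating caching resolver is the natural place to turn it on.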
#13  jdfthetech  04-02-2018, 6:28 PM

Quote: Originally Posted by Robotron2k84
I'm not suggesting that people change their routing tables. That's disingenuous and a failure of comprehension. Nor am I suggesting setting up a DNS server proper, only a recursive resolver. I'm not entirely sure you understand the difference between the two.

Cache poisoning happens because an exposed (and that's important) resolver cache is overwhelmed by bogus queries in a short-enough period of time that it blocks out legitimate traffic. During that window bogus authoritative responses can be inserted to where ns.somedomain.com can be forged to an illegal host for the duration of that entry's TTL. The potential for a cache to be poisoned in such a way is astronomically higher when it is a large public service, like Google or CF. They have monitoring to detect such events specifically because their risk profile is about a million times larger, without exaggerating. In addition UDP SPR now prevents that type of attack in most circumstances.

In a home-user setting, the cache is not public and setting it so would take extra effort. But, in any event the traffic required to exploit such a setup would have to be generated by the inside hosts and risk detection where a low-intensity attack against the router to change its DNS settings would be more logical. So, in no way are you more susceptible to such an attack, actually statistically less so.

As for installation and configuration, it's really not difficult, and the configuration of my own caching resolver on my home network hasn't been touched except for routine upgrades in literally years. I pay almost no attention to it because it's not exposed and it's not a source of exploits. If you trust dnsmasq or some other embedded daemon, such as is included with most router software, it's completely illogical to somehow fear software so similar that adds exactly one extra feature for the case we are discussing.

There are many sites on the net that will give you a stock configuration file for a caching resolver, it's really not rocket science or as difficult as you are making it sound.

The only other change that needs to be made other than installing the server is setting your DNS configuration to the IP of the installed software's host. It requires so little intervention you'd probably be best writing yourself a note to stick on the bottom of your keyboard that you even have the server installed.
I used to do DNS maintenance for NSI so I do understand what I'm talking about.

What you are suggesting is much more difficult than editing a plain text file.

You can spout off plenty of config info here that few people will care about if it makes you feel important, but the fact is recommending these things is not helpful for those who aren't doing it for a living or are extremely interested in it.

There are plenty of pitfalls that can come from running your own show with DNS, so I don't recommend it to anyone unless they know what they are doing.

This is not slashdot it's calguns, let's know our audience a bit.

If you want to get into a pissing contest about who knows what, I'm not going to go there, I'm just suggesting this thread shouldn't be filled with stuff nobody will have the time nor inclination to do.
__________________
while (bullets > 0 && target == 1){fire == 1;}
#14  sholling  04-02-2018, 9:52 PM

I've used OpenDNS for years and Cloudflare is noticeably faster for me. Keep in mind that while 14ms doesn't seem that much faster than 24ms, when you surf to a website the DNS is not just resolving the IP address of the main page, it's also resolving the IPs of every object and advertisement on that page and those add up.

Cloudflare is not a fly by night company and what they offer is very fast basic DNS services (no anti malware or child safe modes) with no destination logging and no selling your surfing history. They also promise to pay an outside auditing company to keep them honest.
__________________
"Government is the great fiction, through which everybody endeavors to live at the expense of everybody else." --FREDERIC BASTIAT--

Proud Life Member: National Rifle Association and the Second Amendment Foundation.

Disappointed Life Member: California Rifle & Pistol Association

Last edited by sholling; 04-02-2018 at 9:54 PM..
#15  Robotron2k84  04-03-2018, 9:23 AM

Quote: Originally Posted by jdfthetech
I used to do DNS maintenance for NSI so I do understand what I'm talking about.

What you are suggesting is much more difficult than editing a plain text file.

You can spout off plenty of config info here that few people will care about if it makes you feel important, but the fact is recommending these things is not helpful for those who aren't doing it for a living or are extremely interested in it.

There are plenty of pitfalls that can come from running your own show with DNS, so I don't recommend it to anyone unless they know what they are doing.

This is not slashdot it's calguns, let's know our audience a bit.

If you want to get into a pissing contest about who knows what, I'm not going to go there, I'm just suggesting this thread shouldn't be filled with stuff nobody will have the time nor inclination to do.
Not going to get into a public spat with you, but your post is utter BS. People in this sub-forum are inclined technically and want to learn. You are trying to shut them down to other options, what's your deal?

By the way, I've done NS admin for over 100 companies, a dozen or so being Fortune 50s, so you can stick your NSI crap you know where. Done with arguing. If anyone else wants info, I'll be happy to answer their questions.
#16  remusrm  04-03-2018, 7:02 PM

I have been using it and it does seem faster than OpenDNS.
#17  DRM6000  04-03-2018, 7:11 PM

How can I check to see if this is working?
#18  AreWeFree  04-03-2018, 8:11 PM

Quote: Originally Posted by DRM6000
How can I check to see if this is working?
nslookup
#19  SkyHawk  04-03-2018, 9:15 PM

Who cares if the time to resolve is 'fastest' when the resolved IP in the answer sends you to Ireland instead of San Jose for the actual content, if the site is on a CDN. The net-net is a huge performance penalty. If you care about true performance, do not use this crap. Some Apple App store downloads will go from minutes to hours, just for example. Cloudflare is not supporting EDNS0/ECS:

https://developers.cloudflare.com/1....ritty-details/
Quote:
EDNS Client Subnet
1.1.1.1 is a privacy centric resolver so it does not send any client IP information and does not send the EDNS Client Subnet Header to authoritative servers
And in my personal opinion - Matthew Prince is a hack, a pinko-commie type who cannot be trusted. He is pro hacker/pro anarchy, in my opinion. Only until very recently, he was giving up the contact info of security researchers who reported malware - to the hackers who hosted it.

And in order to get the prestige IP 1.1.1.1 from APNIC, he had to agree to their 'research' deal and is giving up query data to them. That's China and North Korea if you aren't aware. He has the IP for 5 years, and if the commies don't like what he gives them, they take back the IPs. He says he wont give up your query logs, I don't believe him. I'd sooner believe Zuckerberg than this guy.

The lack of ECS support is a non-starter, regardless of what you think about the other stuff. I personally like fast internet, not slow internet.
http://conferences.sigcomm.org/sigco...apers/p167.pdf


http://www.afasterinternet.com

http://blog.catchpoint.com/2017/05/0...kful-for-edns/

https://blogs.akamai.com/2015/08/end...t-nirvana.html
__________________
"Texans always move them!"
General Robert E. Lee, May 6, 1864 - Battle of the Wilderness

Last edited by SkyHawk; 04-03-2018 at 10:09 PM..
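Added example, not code from the thread, from Cloudflare or from the linked papers: a stdlib-only Python script showing what the two features argued over in this thread look like on the wire. It builds a DNS query carrying an EDNS0 OPT record with the Client Subnet option (RFC 7871, option code 8) that the Cloudflare page quoted above says 1.1.1.1 will not pass on to authoritative servers, packs the same bytes into an RFC 8484 DNS-over-HTTPS GET URL of the kind post #1's DoH support accepts, and parses the option back out so you can see exactly what a forwarding resolver is in a position to read or strip. The DoH endpoint https://cloudflare-dns.com/dns-query is Cloudflare's published URL; the client address 198.51.100.77 and the /24 and /25 prefix lengths are constructed for the example.

```python
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # Cloudflare's published DoH URL
OPT_TYPE = 41          # EDNS0 pseudo-RR (RFC 6891)
ECS_OPTION_CODE = 8    # EDNS Client Subnet (RFC 7871)
QTYPE_A = 1


def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ecs_option(client_ip, source_prefix):
    """Build an ECS option for an IPv4 client, truncated and masked to the prefix length."""
    octets = bytes(int(x) for x in client_ip.split("."))
    addr = octets[:(source_prefix + 7) // 8]   # only as many octets as the prefix covers
    if source_prefix % 8:                       # RFC 7871: bits past the prefix must be zero
        mask = (0xFF << (8 - source_prefix % 8)) & 0xFF
        addr = addr[:-1] + bytes([addr[-1] & mask])
    data = struct.pack("!HBB", 1, source_prefix, 0) + addr   # FAMILY, SOURCE, SCOPE, ADDRESS
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def decode_ecs(data):
    """Return (address, source prefix, scope prefix) from an ECS option's data."""
    family, source, scope = struct.unpack_from("!HBB", data, 0)
    if family != 1:
        raise ValueError("only IPv4 handled in this example")
    addr = data[4:].ljust(4, b"\x00")           # truncated address padded back to 4 octets
    return ".".join(str(b) for b in addr), source, scope


def build_query(qname, qtype=QTYPE_A, txid=0, ecs=None, udp_size=1232, dnssec_ok=False):
    """DNS query with one question and an OPT record; ecs=(ip, prefix) adds option 8.

    txid defaults to 0 because RFC 8484 recommends that for DoH GET so the URL is cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    rdata = ecs_option(*ecs) if ecs else b""
    ttl = 0x8000 if dnssec_ok else 0            # OPT "TTL" carries ext-rcode, version and the DO bit
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, len(rdata)) + rdata
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a wire-format name, handling a trailing compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def edns_options(msg):
    """Parse a message and return {option code: data} from its OPT record ({} if none)."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == OPT_TYPE:
            opts, o = {}, 0
            while o < len(rdata):
                code, olen = struct.unpack_from("!HH", rdata, o)
                opts[code] = rdata[o + 4:o + 4 + olen]
                o += 4 + olen
            return opts
    return {}


def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: the wire-format query, base64url without padding, in ?dns=."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_query_from_url(url):
    """Inverse of doh_get_url: the bytes a DoH server recovers from the ?dns= parameter."""
    enc = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


if __name__ == "__main__":
    q = build_query("calguns.net", ecs=("198.51.100.77", 24))   # constructed client address
    print(doh_get_url(q))
    print(decode_ecs(edns_options(q)[ECS_OPTION_CODE]))         # ('198.51.100.0', 24, 0)
```

Nothing here touches the network. To actually send the query, GET the URL or POST the raw bytes with Content-Type application/dns-message, then feed the response body to edns_options: per RFC 7871 a reply that echoes option 8 with a non-zero SCOPE PREFIX-LENGTH came from a path that used the client subnet, while no option 8, or a scope of 0, means the subnet played no part in the answer, which is the behaviour the quoted Cloudflare page describes for 1.1.1.1.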
#20  Robotron2k84  04-03-2018, 9:54 PM

Once T-DNS (EDNS+TLS) gets going Extended DNS will be default anyway. No lightweight way to encrypt UDP traffic without a tunnel management server on each end.

https://ant.isi.edu/tdns/index.html
#21  SkyHawk  04-03-2018, 9:57 PM

Quote: Originally Posted by Robotron2k84
Once T-DNS (EDNS+TLS) gets going Extended DNS will be default anyway. No lightweight way to encrypt UDP traffic without a tunnel management server on each end.

https://ant.isi.edu/tdns/index.html
Well do let us know 'once it gets going'.
__________________
"Texans always move them!"
General Robert E. Lee, May 6, 1864 - Battle of the Wilderness
#22  DRM6000  04-03-2018, 9:58 PM

Quote: Originally Posted by AreWeFree
nslookup
Thanks.
#23  Robotron2k84  04-04-2018, 10:13 PM

Quote: Originally Posted by SkyHawk
Well do let us know 'once it gets going'.
Code is already there, patches for Unbound plus proxies and server code.

It's still sitting in RFC, maybe it will go, maybe it won't, but it's much more elegant and efficient than DNSCrypt or any of the other tunnel hacks, and it's end to end.

Got any better solutions?
#24  SkyHawk  04-04-2018, 10:51 PM

Quote: Originally Posted by Robotron2k84
Code is already there, patches for Unbound plus proxies and server code.

It's still sitting in RFC, maybe it will go, maybe it won't, but it's much more elegant and efficient than DNSCrypt or any of the other tunnel hacks and its end to end.

Got any better solutions?
I stick with what works, I don't reinvent the wheel - that is for younger folks. I have seen stuff sit in RFC for 20 years and never see the light of day in the real world, so I'm not holding my breath on some wonderboy come lately idea. If it flies, it flies. If it doesn't, it has plenty of company on the shelf where RFC ideas go to die.

In the mean time, as in right now today - no way no how do I use some anycast DNS resolver that doesn't support ECS, no matter who offers it.
__________________
"Texans always move them!"
General Robert E. Lee, May 6, 1864 - Battle of the Wilderness

Last edited by SkyHawk; 04-04-2018 at 10:58 PM..
#25  Robotron2k84  04-04-2018, 11:38 PM

QUANTUMDNS and MORECOWBELL have proven unencrypted DNS is a liability. In that regard it is already broken and no longer works.

Tunnels only get you privacy to the next hop, everything else is your *** hanging out in the open for all to profile.
Powered by vBulletin® Version 3.8.9
Copyright ©2000 - 2018, vBulletin Solutions, Inc.
Proudly hosted by GeoVario the Premier 2A host.
Calguns.net, the 'Calguns' name and all associated variants and logos are ® Trademark and © Copyright 2002-2018, Calguns.net an Incorporated Company All Rights Reserved.
Calguns.net and The Calguns Foundation have no affiliation and are in no way related to each other.
All opinions, statements and remarks made by Calguns.net on this web site and elsewhere are solely attributable to Calguns.net.