Those are the IPv4 addresses, yes, and you should set both of them. But you should also set both corresponding IPv6 addresses:
2620:fe::fe
2620:fe::9
...because when you have IPv6 connectivity, it's nearly always more recently engineered, often over a cleaner, more direct path, so may give you better performance. I see from your post that you're happily ensconced in bandwidth-rich New York (where the city also uses Quad9 for all their own offices, and public facilities like parks and libraries), and in COVID times you might not wind up roaming around that much, but when you do, letting your devices choose the better of the two options at any time will get you the best performance.
If you want a little more privacy, you could look at taking the additional step of using an encryption protocol between your device and our servers... That's still a bit of work, because it requires installing additional software on anything other than iOS. We'll have a configuration tutorial for iOS up on the web site shortly. If you're running Android, you can run this app, which encrypts the connection. If you're running MacOS or Windows, native support in the OS for encryption is coming pretty soon.
A further step would be to run PiHole as a caching forwarding resolver for your home or office, and use Stubby to make it encrypt the queries. Lots of people have done this, and many of them have written tutorials. Here's one.
This is a completely useless way of testing the performance of any service that sits on top of a global network - testing from 14 nodes means they're not even hitting all of these providers' facilities. OpenDNS has nearly twice as many facilities as he has test nodes.
Also based on the locations they tested from, guessing he just spun up a bunch of servers in AWS or Digital Ocean, which tells you absolutely nothing about the performance an end user on an actual eyeball network could expect from any of these services.
Look at the results from New York:
#1 Google: 1 msec
#1 Quad9: 1 msec
The server they tested from is literally in the same building (or they're hitting local cache which would be even more facepalm).
NextDNS allows you to choose from a curated selection of blocklists (covering ads, tracking, malware, annoyances), and to create different profiles to apply different blocking and other settings to different devices. You can try their service out for free, without even needing an account, at https://nextdns.io/
Yes, there are many authoritative DNS providers which support this.
I like ns1 - they do secondary dns
Anytime a non-cached DNS name needs to be matched to an IP, the DNS host needs to be queried, so latency will have an effect.
Check out DNS Benchmark, it can help you find the fastest/closest/whatever DNS server for your connection.
It's an RFC violation to have an SOA and a CNAME with the same record name. When you have a CNAME, you're not allowed to have any other records with that name.
That said.. There are cases with a special record type to do what you want (CNAME your zonename). In PowerDNS, it's an ALIAS record. A quick glance at Amazon's R53 docs says that it's also ALIAS there (https://aws.amazon.com/route53/faqs/#which_dns_records_are_supported).
OpenNIC servers don't log; I have used them in the past. Also there is https://cryptostorm.is/, http://dnsrec.meo.ws/
You can use a local dns resolver like the one in pfSense to speed things up a bit.
Good Luck mate.
That book is still fine for learning from; DNS is a fairly stable thing and not a lot has changed. There have been new features added, but that will not affect the foundations you learn there. It's worth noting Amazon has the date wrong, it seems to be 2009, not 2006. Though it could just be an update/revision shown there and Amazon is listing the date of first publication.
You may add https://www.amazon.com/DNS-BIND-IPv6-Next-Generation-Internet/dp/1449305199 to your list for later reading too.
A lot of nations with less progressive governments try to control the flow of information. Obviously this is bad. It means you are living in a system that wants you to be ignorant.
Anyways, I have no particular experience with Iran's version of the "great firewall" but it may not be DNS. It's possible but unlikely that your network is filtering individual results that you get from Google DNS or another open resolver. I suspect they may be allowing DNS resolution but blocking the connection.
You can test if Google DNS is working from the command line in Windows like this:
C:\ > nslookup www.spotify.com 8.8.8.8
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: edge-web-split-geo.dual-gslb.spotify.com
Addresses: 2600:1901:1:c36::
35.186.224.25
Aliases: www.spotify.com
If you see an answer of some sort then DNS resolution is probably fine and the connection is being blocked. If that is happening then using a different DNS resolver will not help you. But a VPN might.
Feel free to post your nslookup result or DM it to me.
You have to set up DNSSEC for your whole domain, not just for a webserver. That being said, here's a tutorial on how to set up DNSSEC for your domain (assuming you're running your own BIND DNS servers).
Recursive resolving in your locally hosted pihole means you're sending Do53 requests directly to nameservers. These are readable and modifiable by the ISP. However, even if you're using a third-party or your own VPS-hosted (which in turn requires you to trust the VPS provider) DoH/DoT server, the ISP still easily sees what domain you eventually visit in HTTP (rare these days) and HTTPS (through SNI). If your ISP offers zero-rating for some sites/services, they already have SNI monitoring in place. In some countries domain blocking already uses SNI filtering.
ECH (so far only supported by Firefox-derived browsers, and mostly on Cloudflare powered websites) helps to hide the SNI, but unless the site you visit uses CDN, then the IP would be linked to that site and the ISP can easily deduce what domain you're visiting. Some countries even actively block packets with ECH entirely.
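The two comments above say that the domain is visible on the wire because the TLS ClientHello carries it in the clear. As an added example (not code from the commenter), the following Python constructs a minimal ClientHello and then parses the server_name extension out of it the way any passive on-path observer could. The ClientHello is built here from scratch with fixed, constructed values; it is not a capture. With ECH the real name would move into an encrypted inner ClientHello and the outer one would carry only the provider's public name, which this example does not model.

```python
import struct


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS ClientHello record (constructed sample, not a capture).
    Only the fields needed to locate the server_name extension are realistic."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_list = b"\x00" + _u16(len(host)) + host       # name_type 0 = host_name
        # extension: type 0 (server_name), ext length, then ServerNameList
        sni_ext = _u16(0) + _u16(len(sni_list) + 2) + _u16(len(sni_list)) + sni_list
        extensions = _u16(len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                   # legacy_version TLS 1.2
        + b"\x11" * 32                # client_random (fixed, constructed)
        + b"\x00"                     # session_id: empty
        + _u16(2) + b"\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                 # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + _u24(len(body)) + body              # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # ContentType 22 = handshake


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello record, or None if there is none.
    This reads only plaintext fields, which is exactly what an ISP or filter can do."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                      # not a handshake record
        body = record[5:]
        if body[0] != 0x01:
            return None                                      # not a ClientHello
        hs_len = int.from_bytes(body[1:4], "big")
        p = 4
        p += 2 + 32                                          # version + random
        p += 1 + body[p]                                     # session_id
        p += 2 + int.from_bytes(body[p:p + 2], "big")        # cipher_suites
        p += 1 + body[p]                                     # compression_methods
        if p >= 4 + hs_len:
            return None                                      # no extensions block at all
        end = p + 2 + int.from_bytes(body[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(body[p:p + 2], "big")
            elen = int.from_bytes(body[p + 2:p + 4], "big")
            data = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != 0:
                continue
            list_len = int.from_bytes(data[0:2], "big")
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = int.from_bytes(data[q + 1:q + 3], "big")
                name = data[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.org")
    print(extract_sni(hello))                 # www.example.org, read straight off the wire
    print(extract_sni(build_client_hello()))  # None: no server_name extension present
```

The parser deliberately stops at the first host_name entry and rejects anything that is not a handshake record, so feeding it a TLS application-data record (type 0x17) returns None rather than raising.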
If you're concerned about being tracked, encrypted DNS, HTTPS, and ECH don't stop cookies and fingerprinting
When EDNS does not work correctly, it can break your internet, see the example from Adguard that had EDNS broken for some time: https://adguard.com/en/blog/dns-google-domains-fixed.html
So, when it works, it can improve your internet.
Essentially, yes.
I'd also not use the terminology 'subdomain' but I get that's what cPanel/etc calls it. It's just a record.
See if the CNAME Limitations section explains it better, here.
I have used Joker in the past - along with Dotster, GoDaddy, Verisign, Network Solutions.
Gandi is by far the best. I know you said you didn't want to move just for DNSSEC, but moving would get you that...and Gandi is hands down the best registrar I have used to date. You will also get to take advantage of all of the other services Gandi has, such as whois privacy. Gandi also donates/supports a lot of profits to various organizations: https://www.gandi.net/supports/ which alone is a reason to use them.
use whatever is fastest and most reliable for you.
Go download NameBench or DNS Benchmark and let it test them all.
It should give you a pretty good idea of which servers are the best and what type of improvement you should expect.
Google's NameBench - https://code.google.com/p/namebench/
GRC's DNS Benchmark - https://www.grc.com/dns/benchmark.htm
It is probably something in your TRACEROUTE if I had to guess but I recommend you try GRC DNS Benchmark to be sure it isn't really a DNS thing. Also, you might find a DNS you like better for some reason.
I've been using DNS Made Easy for over a year. It has been reliable, inexpensive, and fast. The UI is simple but allows for all record types (at least all I've needed) and their service allows server monitoring and failover to backup IPs should your server or ISP go down.
What I finally did was set up Cloud DNS with Google. The only thing at the registrar, dotgov.gov, is a pointer to the name server. Once I set up the managed public zone then I updated the pointer to the name server at dotgov.gov. Here is a link to setting up the managed zone with Google. https://cloud.google.com/dns/docs/zones
It’s really very straightforward when you find the right resources.
If you're using a VPN you should use the VPN's DNS server and make sure your queries are channeled through the VPN. It doesn't make any sense from a privacy stand point to add more third parties to your DNS requests.
You can use a online DNS Leak-Test to make sure your computer isn't falling back to use your default DNS provider. You can also use a packet analyzer like Wireshark to make sure your DNS queries are encrypted.
Use a privacy oriented DNS provider and DNSCrypt, only when you're not using the VPN.
A mobile hotspot usually won't forward through a VPN client.
Nord has a router config but will depend on whether your router supports it and would be all or nothing (not just TV)
Otherwise you could run the nordvpn client on a Windows machine set up as a DNS forwarder and point the TV at it.
Going back to another suggestion though - have you tested using another DNS server? i.e. Support may just say it doesn't work because that's what their script says to say.
Got it! Thanks! I already pay for NordVPN but I can't install it on my TV obviously, so do you have any idea how I could use it on my phone as a sort of proxy, sending out a new wifi connection? I have pdanet (paid version) but I'm not sure if creating a hotspot though it would automatically go through the VPN.
VPN bypasses the whole network, usually not just DNS. I wouldn't trust any VPN that's free .. "if it's free you're the product". So you could use PrivateInternetAccess, Cyberghost VPN or NordVPN as an example, but for blocking ads that would be overkill IMO. A VPN can be terminated from a phone, tablet, laptop, mac, PC etc or from a router (more complex).
well, rpi is just reference I meant you can pick anything
u/sohan_ray
u/saint-lascivious in that case you can run everything on linode or heroku
If you have a Raspberry Pi or a small server, you can opt for a solution such as Pi-hole, which will allow you to manage your block/whitelist at the level of your LAN, even per client.
Heyo,
I’m using Mullvad VPN on my router, and use your tool to check for DNS leaks.
Today I noticed something new:
DNSSEC using Ed25519 (ERROR) Correct signature: not connected
It’s the only error it shows. I was just wondering if this is some sort of security risk, I have no clue what it means😄🤷♂️
> Mullvad is not trustworthy?
Didn't say that. Only that if you don't want to use their dns, you have the choice.
> I don't master Dockers yet
It's okay. We all started not knowing but with enough interest we figured it out.
> Why should I use Gluetun?
It's like the swiss-army knife VPN tool and IMO most VPN clients (at least on Linux) are full of BS. Some will re(mis)configure your and leave it like that after disconnecting.
> I did test dns leak, it says " DNS is not leaking"
That's not an important message. What you should be after is the dns servers in use.
If you were me, What should you do ? If you are concerned with privacy/security ? Because I'm really confused about custom DNS. Some say better to have DNS servers like NextDNS or Quad9. And others say you don't need DNS servers because Mullvad already has their own DNS or already encrypted
"Nope, Mullvad would be tunneling any DNS traffic anyway, so if your
concern is your ISP reading DNS traffic that's already handled"
If you are talking about ProtonVPN, I agree with you because its interface is very ugly and lacks many features. But Mullvad doesn't need to because it is very good, supports everything like Wireguard, split tunneling, socks5....
But what did you mean by "your queries"?
So you need to create CNAME's for your subdomains. But then you need to use Apache to point those subdomains at the appropriate server. You can use mod_proxy for this. Check this out: https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension
When you don't know, just test it out with the DNS Benchmark tool. Put in all the DNS server IP addresses that you want to test and find out which one is fastest from your network.
There are too many inconsistencies in the records https://mxtoolbox.com/emailhealth/taif2.de/
1. Ask your ISP to perform a reverse dns registration for your ip address. (I am assuming the ip address is static.)
dig -x 91.54.34.186 should resolve as a-ns.taif2.de
2. Then set your a-ns.taif2.de and b-ns.taif2.de as your name servers at your registrar (denic.de)
>Why are those then marked by namespace4you dns servers as SOA?
Different OSs resolve in different ways and you may have arp caches that persist so the IP address >> MAC address can be resolved. You may want to run Wireshark https://www.wireshark.org/ on some device to see what is really happening.
Better (IMHO) to have one device (i.e. router) resolve hostnames >> IP addresses and let mDNS (which is a broadcast protocol) be used for services (smb etc)
I would recommend the self hosted pi-hole dns solution.
Although I would imagine if you're on this subreddit, you may already be familiar with this.
Lots of other folks over at the pi-hole community here on reddit too.
>I use one myself in my home, I think they are fantastic!
>
>With a little searching, you can find many sites online & github that host blocklists that you can customise and append to your pi-hole for blocking traffic, even regular-expression queries.
It really doesn't matter honestly. They're both fast and secure enough that it'll never make much of a difference to you.
I suppose it's possible that google is mining more data from their resolver.
You could always run a dns benchmark and see which is fastest for you.
- Portability: DoH
- RFC standard: DoT
- Encryption+customization: DNSCrypt
You can always (and of course, it's recommended) compare them side-by-side, and depending on your needs you can make a well educated choice.
FYI Minecraft can use a SRV record to locate the server. So you could have the 'A' record for your web page, and a SRV record for minecraft.
example.org. IN A 10.0.0.1
www.example.org. IN A 10.0.0.1
_minecraft._tcp.example.org. IN SRV 0 50 25565 mc.example.org.
mc.example.org. IN A 192.168.1.1
with that your web browser would hit 10.0.0.1, and your minecraft client would hit 192.168.1.1:25565 for example.org
Links
Here's a good example of this on serverfault. As long as you're using dnsmasq as your dhcp server this should be pretty easy.
Note that you don't need to "buy", just put the domain on Cloudflare with CNAME to the target site and you'll get automatic SSL, though this assumes the site doesn't block your domain
It's against the spec. If whatever management method allows it to get placed in the zone, it can cause the whole zone to fail, or resolution of it by some resolvers. BIND won't allow it, either.
Think about what a CNAME is. You are saying, essentially, "Look over here for the canonical answer at this point." It doesn't make sense to then have exceptions to that.
This might explain it better - look at the section for CNAME Limitations:
https://www.freecodecamp.org/news/why-cant-a-domain-s-root-be-a-cname-8cbab38e5f5c/
Whoah whoah, you can transfer domains from one provider to another https://www.ionos.com/help/domains/transferring-your-domain-away-from-11-ionos-to-another-provider/transferring-a-domain-from-11-ionos-to-another-provider/
Do not cancel your domain, go through the process of a zone transfer.
After the record is added, there is a propagation time, companies like Godaddy have a propagation time of 4-6 hours, you can also ask them to refresh your DNS zone if it has been more than 4-6 hours.
You can set the TTL to a lower value if possible.
The DNS itself is okay, you can check this on
Please correct me if I'm wrong here, rather than blindly downvoting. I'm no expert.
You can, but it's not by DNS precisely. I do something like this with postfix:
I have a hosted VM running postfix configured as the MX for the domain. Within postfix I configure it to send mail for the domain to another server:
/etc/postfix/transport:
<domain.com>    smtp:[<second mailserver>]
(the square brackets make postfix deliver to that host directly instead of looking up its MX; build the table with "postmap /etc/postfix/transport" and enable it in main.cf with "transport_maps = hash:/etc/postfix/transport")
You also disable local delivery in this scenario. It's been running like this for 15 years with no issues.
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
Edit: The internal host is configured to use the other one as a smarthost, meaning it relays all outgoing mail through it. This simplifies your mail security a bit. More advanced discussion of this likely belongs in another sub though.
It's not a step by step guide for your exact use case, but you should be able to extract sufficient useful reference material from this guide: https://www.scaleway.com/en/docs/how-to-configure-nginx-reverse-proxy/
Well, that's still pointing here for NS:
;spacelords.dog. IN NS
;; ANSWER SECTION:
spacelords.dog. 86400 IN NS dns101.registrar-servers.com.
spacelords.dog. 86400 IN NS dns102.registrar-servers.com.
You need to get your registrar to change where your domain points to for NS..
I show that domain registrar as, not namecheap. So you transferred the domain it seems but not where it points for NS.
Domain Name: spacelords.dog
Registry Domain ID: 3c272c67997949738ea9ac1e982773f3-DONUTS
Registrar WHOIS Server: whois.gandi.net
Registrar URL: https://www.gandi.net
Test it yourself as described here: http://dnsredirector.com/sample/DNSTest/
Just cause some DNS server "looks good" on one ISP, doesn't make it the best one from another part of the country or another ISP.
Not really a dns question so probably the wrong place to post this.
That said, Speedtest.net does have a command line tool. It would be pretty trivial to write a script to do this.
Really any of the common ones or your ISP's would be perfectly fine. If your main concern is speed of resolution, use the tool here to test that: https://www.grc.com/dns/benchmark.htm. If it's to get away from x thing, that is an end user preference.
Lol.... And???
I'm guessing you want recommendations. As this is going to be different based on a whole variety of factors, you may want to pick a few and do some testing.
Running something like: https://www.grc.com/dns/benchmark.htm may help you decide as well.
I've tried enabling DNSSEC on our Windows AD-DNS servers in the past... and had quite an issue that I never got around to resolving... because reasons.
Anyway.. my one and only experience which soured quickly was in the following environment -
After enabling and testing at our office site, everything was good. The next day I went ahead and turned it on the other AD-DNS servers, causing them to slowly go offline as TTLs aged out. Of course, it was in the middle of the night that the alarms started.
The only difference between our office site and the two datacenter sites are the forwarders... we (I) use DNSBench to measure actual resolution times from each site and use whatever A) isn't crappy (no redirection for bad FQDNs) and B) isn't google.
Anyway, for whatever reason, the datacenter provided forwarders (they happened to be the best) didn't like our DNSSEC queries and those two sites went down as a result. Our office, on the other hand, worked just fine using their forwarders.
Since this was a pet project, I quickly rolled back my changes and never looked into it further.
Anyway, I hope my experience might shed some light on yours. I'm good enough with DNS, in the sense that I understand the result codes that nslookup's DB2 mode shows... but to look at packet captures and try to troubleshoot the error I created is well beyond my day-to-day knowledge.
Good Luck!
Even if you don't use your ISP's DNS, it's still possible for them to see your traffic going to some other DNS provider.
The only true "secure" solution is a VPN that tunnels your DNS traffic too.
This page describes how to speed test multiple DNS providers to see which is really fastest: https://www.grc.com/dns/benchmark.htm
https://www.getcloudapp.com/uses/what-is-cloudapp
You would have to dig a little deeper to find out if it's specifically from Skype. But it does look like it could be for any number of apps. Depending on the OS of the laptops as well, there could be bloatware making these calls.
Thank you very much for your reply! After some more googling I found this thread where the exact same issue was discussed. One of the posts seemed pretty straight forward, however I must admit that I don't quite know how to set that up. Can you help there?
>you need to run your own private dns with artificial records, for example pandora.com. you also need a real dns to fall back on. now that all requests for these sites are going to your US located box you can open up port 80 on squid and listen for the traffic. your cache_peer settings should allow you to map each domain to their real ip. The traffic now flows initially from your US located box to the service, but when the server responds, it responds directly to the host. no magic here. I won't share the fine details as it probably best serves all to not over exploit this.
DNS Made Easy is a reputable online platform that offers DNS service to approximately 600,000 domains over the internet. It is the largest enterprise DNS provider in the industry and keeps prices low, passing the savings directly on to the clients. They have always stressed a policy of investing more cents per dollar on infrastructure than any other DNS company, and they continue to do the same. They are the only enterprise IP Anycast provider on the planet that works with customers of all sizes. They have diverse clients comprising government, non-profit and commercial sectors. These clients vary from start-ups to internationally distinguished corporate organizations. On visiting their website http://www.dnsmadeeasy.com/, one will find that they have clearly mentioned what DNS is all about and why choosing DNS has become easy. They have also discussed the ways to manage DNS.
guess depends on what part of the world you are in "AWS currently provides Domain Name Registration Services through Gandi SAS , Mesh Digital Limited, Amazon Registrar, Inc., and other ICANN-accredited registrars (the “Registrar”)," https://aws.amazon.com/route53/domain-registration-agreement/
Well then yeah you need to get with AWS on why it hasn't updated as of yet.
Until relatively recently, I had very little working knowledge of DNS. Then I had to implement a new system feature which required non-trivial usage of DNS. I stumbled my way through designing and implementing the feature; although I'm far from an expert now, I was forced to gain enough of an understanding of the basics to build something functional. I did eventually manage to find some in-house DNS experts to review the design post-facto, but prior to that it was just a combination of googling, Stack Overflow, and trial-and-error.
For you, I would recommend defining what specifically your goals for "DNS skills" are and figuring out a way to exercise them in some kind of project, whether it's real or just for learning/practice. Although it's fundamental to practically all computer networks, DNS seems to be one of those niche technical subjects where there is rarely a focus on it as a separate subject unto itself, and I think the best way to learn is by seeing how it is applied in the context of a broader technical system.
Edit: I would recommend AWS Route53 as a good tool for learning about DNS - it makes it simple to play around with various types of records, including a UI for testing them.
You can change the name servers to the Wix nameservers as /u/lolklolk said, or you can add all the records for your domain.
I never used google as a dns provider but there is documentation about how to do it
I mean, my domain points to Google Cloud DNS:
NS 21600
ns-cloud-c1.googledomains.com.
ns-cloud-c2.googledomains.com.
ns-cloud-c3.googledomains.com.
ns-cloud-c4.googledomains.com.
Not sure about the terms though, but I think we're talking about the same thing, right? https://cloud.google.com/dns
It looks like your web host is referenced by "linux-sharedweb2.namesco.net". If you want other records (like hello.dodobro.co.uk) to point to your web host, you'll need to add a CNAME record for them too (for example, you would add "hello | type CNAME | linux-sharedweb2.namesco.net"). If you want all subdomains except those specified otherwise (like ftp, imap) to point to your web host, use "*" instead of "hello".
You can't put a CNAME record on the root ("@" or just "") of your domain, unless your DNS provider provides CNAME flattening (they probably don't). For your naked domain (without any subdomains) you will need to add A and AAAA records. You can find out the A and AAAA addresses of your web server by using MXToolBox and submitting "a:linux-sharedweb2.namesco.net" and "aaaa:linux-sharedweb2.namesco.net". Keep in mind that these might change over time and if they do, your root domain will stop working (but subdomains will continue to work).
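Several comments on this page make the same two points: a CNAME may not share its name with any other record (so it can never sit at the zone apex, where SOA and NS must live), and a SRV record such as _minecraft._tcp lets a client find a different host and port than the web A record. As an added example (not the commenters' code), the following Python parses a small constructed zone, reports the CNAME violations a strict loader like BIND would refuse, follows a CNAME to its A record, and picks the SRV target a Minecraft client would connect to. The zone text, the 10.0.0.0/8 and 192.168.0.0/16 addresses and the deliberately broken bad.example.org. name are all constructed for the example.

```python
from collections import defaultdict

# Constructed zone fragment (an assumption for this example, not anyone's real zone):
# the web/Minecraft records from the comments plus one deliberately broken name.
ZONE_TEXT = """
example.org.                  3600 IN A     10.0.0.1
www.example.org.              3600 IN A     10.0.0.1
_minecraft._tcp.example.org.  3600 IN SRV   0 50 25565 mc.example.org.
mc.example.org.               3600 IN A     192.168.1.1
shop.example.org.             3600 IN CNAME www.example.org.
bad.example.org.              3600 IN CNAME www.example.org.   ; CNAME ...
bad.example.org.              3600 IN A     10.0.0.2           ; ... plus another record: invalid
"""


def parse_zone(text):
    """Parse fully-qualified 'name [ttl] [IN] type rdata...' lines into (name, type, rdata)."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        name, i = parts[0].lower(), 1
        if parts[i].isdigit():                     # optional TTL
            i += 1
        if parts[i].upper() == "IN":               # optional class
            i += 1
        records.append((name, parts[i].upper(), parts[i + 1:]))
    return records


def check_cname_rules(records, apex):
    """Problems a strict zone loader refuses: a CNAME coexisting with any other record
    at the same name, and a CNAME at the apex (which always collides with SOA/NS)."""
    types = defaultdict(set)
    for name, rtype, _ in records:
        types[name].add(rtype)
    problems = []
    for name, ts in sorted(types.items()):
        if "CNAME" not in ts:
            continue
        if name == apex.lower():
            problems.append(f"{name}: CNAME at zone apex (SOA/NS must live there)")
        if len(ts) > 1:
            problems.append(f"{name}: CNAME coexists with {sorted(ts - {'CNAME'})}")
    return problems


def resolve_address(records, name, hops=8):
    """Follow CNAMEs (bounded, to avoid loops) to an A record, as a resolver does."""
    name = name.lower()
    for _ in range(hops):
        for rname, rtype, rdata in records:
            if rname == name and rtype == "A":
                return rdata[0]
        targets = [r[0].lower() for n, t, r in records if n == name and t == "CNAME"]
        if not targets:
            return None
        name = targets[0]
    return None


def find_service(records, service, proto, domain):
    """Pick the SRV target a client would use (lowest priority, then highest weight;
    real clients randomise among equal weights) and return (ip, port)."""
    owner = f"_{service}._{proto}.{domain}".lower()
    srvs = [(int(r[0]), -int(r[1]), int(r[2]), r[3])
            for n, t, r in records if n == owner and t == "SRV"]
    if not srvs:
        return None
    _, _, port, target = sorted(srvs)[0]
    ip = resolve_address(records, target)
    return (ip, port) if ip else None


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print(resolve_address(recs, "shop.example.org."))              # 10.0.0.1 via the CNAME
    print(find_service(recs, "minecraft", "tcp", "example.org."))  # ('192.168.1.1', 25565)
    for problem in check_cname_rules(recs, "example.org."):
        print("problem:", problem)                                # only bad.example.org.
```

Running check_cname_rules on a zone whose apex line is a CNAME reports the apex problem even when nothing else is at that name, which is the "can't CNAME the root" case the comment above describes; the ALIAS/flattening products mentioned elsewhere on the page avoid this by answering with A/AAAA records instead of a real CNAME.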
Note, the SPF record type was deprecated because nobody used it; implement it as TXT instead.
Proofs: https://mxtoolbox.com/problem/spf/spf-record-deprecated https://en.wikipedia.org/wiki/Sender_Policy_Framework#DNS_SPF_Records
Enabling the subdomain to be visible by Google requires manually emailing the admin. They replied and manually processed my request in a day, so I'm guessing you can email them directly to ask about donation too.
You could have a Backup DNS like "freedns.afraid.org" (https://freedns.afraid.org/secondary/). I THINK Cloudflare does this as well, but I'm not a client there so don't take my word for it.
Not what OP is requesting though... quad9 blocks malware sites. And the .11 service they offer is only different from .9 in that it serves client subnet data to queried servers to avoid suboptimal routing due to geolocation errors.
Doesn't block porn. Their frontpage has a friendly test form, https://www.quad9.net/
I've been using Cloudflare's 1.1.1.3 which does block porn and malware domains for the past three months and haven't had any issues or resolution response time complaints.
Yes it does seem to be ambiguous; I personally chose not to chance it (especially for my parents) and set their router to use Quad9 (their EDNS Client-Subnet enabled addresses: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet) as they like to stream a lot of videos and this helps with choosing servers closer to them.
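The two comments above describe EDNS Client Subnet: the resolver forwards a truncated form of the client's network to the authoritative server so it can pick a nearby CDN node, at the cost of telling that server roughly where the client is. As an added example (not Quad9's or the commenters' code), the following Python builds a DNS query carrying an ECS option in an OPT record (RFC 7871 layout) and parses it back, so you can see exactly how much of the address leaves the resolver for a given SOURCE PREFIX-LENGTH. The client addresses are constructed from documentation ranges; how many prefix bits a particular public resolver forwards is not stated on this page.

```python
import ipaddress
import struct


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """EDNS Client Subnet option: code 8, FAMILY, SOURCE/SCOPE prefix lengths,
    then only ceil(prefix/8) address bytes with host bits zeroed."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    addr_bytes = net.network_address.packed[: (source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", 8, len(data)) + data


def build_query(name: str, qtype: int = 1, txid: int = 0x2A2A, ecs: bytes = None) -> bytes:
    """Standard recursive query for (name, qtype); an OPT RR carrying ecs goes in ADDITIONAL."""
    arcount = 1 if ecs else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if ecs:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext flags (0)
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(ecs)) + ecs
    return msg


def _skip_name(msg: bytes, p: int) -> int:
    while True:
        length = msg[p]
        if length == 0:
            return p + 1
        if length & 0xC0 == 0xC0:        # compression pointer occupies two bytes
            return p + 2
        p += 1 + length


def parse_ecs(msg: bytes):
    """Return (network_as_seen_by_the_authoritative_server, scope) from the ECS option,
    or None when the query carries no ECS. This is what the upstream server learns."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    p = 12
    for _ in range(qd):
        p = _skip_name(msg, p) + 4       # name + qtype + qclass
    for _ in range(an + ns + ar):
        p = _skip_name(msg, p)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[p:p + 10])
        p += 10
        rdata = msg[p:p + rdlen]
        p += rdlen
        if rtype != 41:
            continue
        q = 0
        while q + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[q:q + 4])
            odata = rdata[q + 4:q + 4 + olen]
            q += 4 + olen
            if code == 8:
                family, src, scope = struct.unpack("!HBB", odata[:4])
                size = 4 if family == 1 else 16
                raw = odata[4:] + b"\x00" * (size - len(odata[4:]))  # re-pad zeroed host bits
                addr = ipaddress.ip_address(raw)
                return str(ipaddress.ip_network(f"{addr}/{src}", strict=False)), scope
    return None


if __name__ == "__main__":
    # Constructed client addresses from the documentation ranges.
    for ip, bits in (("203.0.113.77", 24), ("203.0.113.77", 32), ("2001:db8:abcd:1234::1", 56)):
        q = build_query("example.org.", ecs=ecs_option(ip, bits))
        print(ip, "/", bits, "->", parse_ecs(q))
    print(parse_ecs(build_query("example.org.")))  # None: nothing about the client is sent
```

The /24 and /56 cases are the common choice because they are enough for geographic routing while withholding the host part; the /32 case shows what a resolver configured to forward the full address would reveal, and the query with no OPT record is what a privacy-oriented resolver sends when ECS is disabled.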
Switch to Cloudflare or Google DNS servers, they're most likely better availability-wise than those of your ISP:
You can always switch back later by using the Auto mode if you prefer.
This is hard to follow without specifics, but to me it kind of sounds like you have web servers on multiple AWS instances, maybe using some kind of global load balancing. As you may know, web servers can serve different host names from the same server. Apache calls this name-based virtual hosts. What you describe could be caused when one Apache instance knows that it serves qa.domain.com, but another instance does not.
Check your current DNS status here https://www.dnsleaktest.com/
If you don't see the DNS provider you want, either change the DNS setting in the router or directly on your computer to ensure you're using the DNS server you want to use, then retest.
Let's Encrypt's Cert Bot can automatically manage an nginx instance, renewing the cert and restarting the service.
If you look at the Benefit Matrix on https://www.opendns.com/home-internet-security/ you'll see that "Built-in protection for malicious phishing & malware domains" is not included in the free tier.
I came across recent DNS tests that do verify this as well.
Years ago I used OpenDNS. That was about a decade ago and I'm not quite sure what's changed, aside from the acquisition by Cisco.
Nowadays my stupid ISP router/gateway won't let me edit the DNS.
> hides all kinds of traffic from my isp
Yup.
>What privacy does proton vpn not give me
It doesn't prevent browser fingerprinting, it obviously doesn't prevent you from registering on sites that will happily collect your information, and it doesn't stop apps reading the files on your devices and sending them to HQ either by design or due to vulnerabilities.
The only browser that avoids fingerprinting as much as possible is the Tor browser, simply don't register to unnecessary sites, only install apps you fully trust, and keep everything updated.
Maybe you can try NextDNS, if you want a nonselfhosted service. If not, you can run your own DNS, as u/GrecoMontgomery said.
r/pihole and Pi-hole website.
The list used by AdGuard is undisclosed, so... it might not be the best approach for you. A solid option is DNSCrypt with a good block list (my recommendation goes to /r/oisd_blocklist). Still it depends on what you want/need (speed, reliability, privacy...). Another option includes running a pi-Hole or using a service (the best I know of is nextDNS). Can you elaborate on "unblocking"?
300 thousand queries; once you hit the cap for the month it stops filtering until the next month. To be a bit more economical (since most of those queries come from ads), install https://adguard.com/en/adguard-android/overview.html and then configure NextDNS inside AdGuard (turn off Private DNS on Android); in AdGuard you can also subscribe to DNS filters that block porn, such as https://github.com/StevenBlack/hosts#list-of-all-hosts-file-variants
Steven Black should definitely be added to that comparison, or at least mentioned since it's not actually a DNS server but the actual blacklist itself:
https://github.com/StevenBlack/hosts
There's links there to several DNS formats as well as a script for Windows users to automatically keep your hosts file up to date.
If you select any dyn dns provider, Duiadns included, from OpenWRT's web interface, you'll get dynamic dns updates of the wan interface's IPv4/IPv6 addresses (not all support IPv6 but Duiadns does). If you want to use the IPv6 for LAN feature from Duiadns, for free, you need to run an OpenWRT daemon on your OpenWRT router which is going to take care of IPv6 updates of LAN devices. You can find all the details on this blog post.
Yes, there is native support in DD-WRT but if you want to take advantage of IPv6 for LAN feature you need to install our DD-WRT daemon.
Thanks. I'll look into it. Looks cheap enough to outweigh the manpower required to keep a public DNS server running.
Can you confirm whether alternating responses are supported? It's not listed in their FAQ and it's kind of a niche feature -- this is the first time I've even seen this behaviour.
If it's a Windows machine, you'll want to look at Web.config. If it's a linux machine, chances are it's running Apache 1.x or 2.x and you'll want to reference mod_rewrite to define your regex to send xyz.com to abc.com.
If you're new at regular expressions, check out https://regexr.com. Helped me visualize that shit faster than any manpage could. Good luck!
Best practice is to use your VPN provider's DNS server. Depending on your device configuration, your DNS traffic could go out unencrypted to Cloudflare, and then once the DNS request has been resolved it will route the web traffic through your VPN.
Keep in mind that once your web traffic leaves your VPN provider's network it is no longer encrypted.
If you do a search you'll be able to see how your VPN provider handles DNS, I personally use ExpressVPN.
Most OS also have encrypted DNS support.
>always harm
Until ProtonVPN adds its own DoT/DoH endpoint, it will always increase the number of entities who get your DNS traffic. Some providers have filtering features but you can already do it on your device with a host file or browser extension.
>why would protons DNS ip be ignored by my device
The design and implementation of encrypted DNS have a privacy-oriented goal to avoid censorship & advertising and a commercial goal to get DNS traffic regardless of the user's network. That requires ignoring ISP & network configuration (or, in browser/app settings, ignoring OS config). For some people like me living in a country where ISPs reroute all Do53 traffic, encrypted DNS is a blessing since I can access blocked sites without VPN overhead. For network admins, it's a security nightmare, and as I alluded to in the first paragraph, you'll never know if one of your apps actually just uses its own DoH server.
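The comment above mentions doing filtering on the device with a hosts file instead of relying on a filtering resolver. The following is an added example, not code from the thread or from any of the products named in it: it parses hosts-format blocklists (the "0.0.0.0 hostname" / "127.0.0.1 hostname" form most lists use), keeps only entries that map a name to a sinkhole address, and flags entries that redirect a name to a real address, which is what a tampered list would look like. The sample lists, hostnames and the `parse_hosts`, `merge_blocklists` and `render_hosts` helpers are all constructed here.

```python
"""Validate and merge hosts-format DNS blocklists.

Added example, not from the thread: parses lines in the 'hosts' format used by
many blocklists, keeps only entries that point at a sinkhole address, and
flags entries that redirect a name to a real address. The sample lists below
are constructed, not downloaded.
"""
import ipaddress
import re
from typing import List, Tuple

# Addresses a blocklist is allowed to map names to. Anything else is a redirect.
SINK_ADDRESSES = {
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::"),
    ipaddress.ip_address("::1"),
}
# Names that belong to the stock hosts file and must never be treated as blocks.
RESERVED_NAMES = {"localhost", "localhost.localdomain", "local",
                  "broadcasthost", "ip6-localhost", "ip6-loopback"}
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def parse_hosts(text: str) -> Tuple[List[str], List[Tuple[str, str]], List[str]]:
    """Return (blocked_names, redirects, rejected_tokens).

    blocked_names: lowercased, deduplicated names mapped to a sink address.
    redirects:     (name, address) pairs mapped to a non-sink address.
    rejected:      tokens that are neither a valid address nor a valid name.
    """
    blocked = set()
    redirects = []
    rejected = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr_text, *names = line.split()      # hosts lines allow several names
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            rejected.append(addr_text)
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if len(name) > 253 or not HOSTNAME_RE.match(name):
                rejected.append(name)
            elif name in RESERVED_NAMES:
                continue
            elif addr in SINK_ADDRESSES:
                blocked.add(name)
            else:
                redirects.append((name, addr_text))
    return sorted(blocked), redirects, rejected


def merge_blocklists(*texts: str) -> List[str]:
    """Union several lists; refuse any list that contains redirects."""
    merged = set()
    for text in texts:
        blocked, redirects, _ = parse_hosts(text)
        if redirects:
            raise ValueError(f"list contains redirects, not blocks: {redirects}")
        merged.update(blocked)
    return sorted(merged)


def render_hosts(names: List[str]) -> str:
    """Emit one '0.0.0.0 name' line per name, the form most lists use."""
    return "".join(f"0.0.0.0 {n}\n" for n in names)


# Constructed samples (not real lists); example.* names are reserved for docs.
CLEAN_LIST = """\
# sample list A
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0   tracker.example.org   # trailing comment
:: ads.example.net
0.0.0.0 ADS.Example.NET
0.0.0.0 bad_host!
"""
TAMPERED_LIST = """\
0.0.0.0 metrics.example.com
203.0.113.5 bank.example.com
"""

if __name__ == "__main__":
    print(parse_hosts(CLEAN_LIST))
    print(parse_hosts(TAMPERED_LIST))
    print(render_hosts(merge_blocklists(CLEAN_LIST)), end="")
```

The redirect check is the part worth keeping even if the rest is replaced: a hosts file can point a name anywhere, so a list that maps a bank's domain to a routable address is not a blocklist but a hijack, and merging should refuse it rather than silently install it.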
> using any kind of DNS whether it logs or not proves no privacy to me because my isp can still see the domains or sites I go to
Yes, if you don't use a VPN
>if proton vpn provides their own DNS servers in the VPN servers and hides all the domains from the ISP
Yes, but you must disable Private DNS
>and everything else
Not at all. ProtonVPN only hides your traffic from your ISP. Trackers and ad networks still get your traffic unless you enable NetShield, and even then it's not fully guaranteed; networks can use various methods to evade NetShield blocking.
>Does proton provide all the privacy I need?
How much do you need? ProtonVPN gives you privacy from ISPs and some ad networks. It definitely doesn't give you any privacy against intelligence agencies or law enforcement.
The regular DNS, also called Do53 (because it runs over port 53), is not encrypted nor authenticated (except for a few sites that use DNSSEC, still really rare). ISPs can easily read it and modify it (usually for censorship, sometimes for ads).
"Private DNS", as Google calls it on Android, is an implementation of DNS-over-TLS or DoT. The goal is that if you're not using a VPN, your ISP/network admin cannot read nor modify the DNS traffic (but they still ultimately see the domain you end up visiting).
If you use ProtonVPN without DoT, all Do53 traffic is rerouted to ProtonVPN and resolved right there on their server; it never goes to another entity.
But if you enable DoT, ProtonVPN can't reroute it (for the same reason ISPs and network admins can't); it still goes to the provider you chose, which would see the domain you request and your ProtonVPN IP. ProtonVPN doesn't provide a DoT server (the only VPN provider I know of that also provides a DoT server is Mullvad), so you must remember to disable DoT when connected to ProtonVPN.
Using ProtonVPN without DoT is the most private and secure you can achieve, assuming you trust ProtonVPN (otherwise, just use Tor).
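The comment above says Do53 is plaintext and anyone on the path can read it. Here is an added example, not code from the thread, that makes this concrete from the observer's side: it builds a standard DNS query in wire format (RFC 1035) and then parses the queried name straight back out of the raw UDP payload, which is all a network operator or IDS needs to do to log every name a client looks up when DNS is not wrapped in TLS. The query bytes, the `www.example.com` name and the `build_query` / `extract_questions` helpers are constructed for this example.

```python
"""Show what an on-path observer sees in plaintext Do53 traffic.

Added example: builds a DNS query in wire format (RFC 1035) and parses the
question section back out of the raw UDP payload, the same way a network
observer can read every queried name when DNS is not wrapped in TLS.
The sample query is constructed here, not captured.
"""
import struct

# Record type codes from RFC 1035 / RFC 3596
QTYPE_NAMES = {1: "A", 28: "AAAA", 5: "CNAME", 15: "MX", 16: "TXT"}


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query: 12-byte header + one question (class IN)."""
    # flags 0x0100 = RD (recursion desired); QDCOUNT = 1, other counts 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4).

    Returns (name, offset_after_name). Pointer hops are bounded so a
    malformed message cannot send the parser into a loop.
    """
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # two-byte compression pointer
            if hops > 16:
                raise ValueError("pointer loop")
            hops += 1
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2               # name ends after the first pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:                        # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), end


def extract_questions(payload: bytes):
    """Return [(qname, qtype_name), ...] from a raw DNS message's question section."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(payload, offset)
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    return questions


if __name__ == "__main__":
    # Constructed sample: the same bytes a client would send to UDP port 53.
    wire = build_query("www.example.com", qtype=28)
    print(wire.hex())
    print(extract_questions(wire))   # the observer reads the name directly
```

Nothing in the payload is obfuscated, so the labels `www`, `example`, `com` appear as-is in the hex dump; DoT or DoH changes only the transport around these bytes, which is why the commenter's point holds that the resolver you pick still sees exactly this question.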
Read my previous response again. I was talking about SNI in the context of "if they don't", as in if the devices don't use ProtonVPN.
As for devices that can't use ProtonVPN, well, what are you going to do anyway? Those devices likely don't even support ECH (see my previous link about SNI), so whatever DNS protocol you use, your ISP still sees the domain.
>We do not use third-party DNS servers. Each VPN server runs a DNS server as well, and our native apps have a default DNS leak protection feature that forces your internet connection to resolve DNS queries via our DNS servers. This means that when you are connected to ProtonVPN, your DNS queries through our encrypted VPN tunnel. We do not keep any logs of your DNS requests.
From ProtonVPN DNS leak docs
>Private DNS on other devices
Do these devices connect to ProtonVPN? If they don't, then even if you use private DNS, your ISP can still see what domain you visit due to SNI.
If you're already using ProtonVPN, then their built-in DNS already does the job. Any third-party DNS will just be another entity that gets your DNS request. There's not much point in hiding yourself from ProtonVPN because they can already see what domain you're accessing anyway (unless you're using Firefox and the site you visit uses ECH, which is still very rare).
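The two comments above point out that without a VPN the ISP still learns the domain from SNI, and that only ECH hides it. As an added example, not code from the thread, here is the check from the observer's side: it constructs a minimal TLS ClientHello carrying a server_name extension and parses the host name back out of the raw record, the field a network operator can read even when the DNS lookup that preceded it was encrypted. The handshake bytes, the `www.example.com` name and the `build_client_hello` / `extract_sni` helpers are constructed for this example.

```python
"""Extract the server name from a TLS ClientHello.

Added example, not from the thread: builds a minimal ClientHello with a
server_name (SNI) extension and parses the name back out of the raw record,
which is what an ISP or network operator can read even when the DNS lookup
itself was encrypted. With Encrypted Client Hello (ECH) this field carries
only the outer "public name"; this parser shows what is visible without ECH.
The handshake bytes are constructed here, not captured.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a ClientHello record; server_name=None omits the SNI extension."""
    # An unrelated extension first, so the parser has to skip over it.
    extensions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                   # legacy_version TLS 1.2
        + bytes(range(32))                            # client random (fixed, constructed)
        + b"\x00"                                     # empty legacy_session_id
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if absent.

    Raises ValueError for data that is not a ClientHello record.
    """
    if len(record) < 9 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                              # version + random
    pos += 1 + body[pos]                                      # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher suites
    pos += 1 + body[pos]                                      # compression methods
    if pos + 2 > len(body):
        return None                                           # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == EXT_SERVER_NAME:
            sni_list = body[pos:pos + elen]
            cursor = 2                                        # skip list length
            while cursor + 3 <= len(sni_list):
                name_type = sni_list[cursor]
                name_len = struct.unpack("!H", sni_list[cursor + 1:cursor + 3])[0]
                cursor += 3
                if name_type == 0:
                    return sni_list[cursor:cursor + name_len].decode("ascii", "replace")
                cursor += name_len
            return None
        pos += elen
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(hello.hex())
    print(extract_sni(hello))   # the name is plaintext in the first packet
```

The name sits in the very first flight of the handshake, before any key is agreed, which is why encrypting DNS alone does not hide the site from whoever carries the TLS connection; only a tunnel (the VPN case in the thread) or ECH moves it out of view.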
Since Lockdown. But I can't replicate this behavior you're describing myself, and it makes me think it could be a configuration of the VPN app you're using.
Friends, I strongly suggest you try DNS Master. In addition to providing private DNS, it also supports DNS caching, firewalls, DNS filtering, etc., which is very powerful. And it supports both IPv4 and IPv6 networks.
Thanks for this report. If you are on Android, you can install Draeneg to enforce your privacy to block intrusive and malicious content (ads for example) in addition to using encrypted DNS (DoH or DoT).
Your ISP is just blocking the traffic to those IPs, so a VPN would work, but those usually aren't free, especially for p2p traffic (e.g. ProtonVPN is free but only for non-p2p traffic). Nothing you can do about it other than pay for a VPN, which isn't a bad idea anyway since torrent downloaders are hunted in some countries.
I found a solution and it is working well.
https://play.google.com/store/apps/details?id=com.burakgon.dnschanger
But I have a question. Why is it asking permission for VPN? Is it making a VPN connection? And why am I seeing a VPN (key) notification on the status bar?
I'm not certain what you're trying to get at; Mullvad can easily set up its servers to hijack all DNS requests that come in via certain ports. You are correct that you can't just pick any port, but Mullvad has certain connection ports open. From the FAQ it seems they may be TCP: 1401, UDP: 1300, 1301, 1302, 1303, 1400. The pfSense config guide appears to choose UDP 1301. Just change what port you connect on in OpenVPN to either 1401 TCP or 1400 UDP.
It looks like you are using Google's DNS servers - Google runs publicly accessible recursively resolving servers (resolver host IPv4s are 8.8.4.4 and 8.8.8.8), and queries from those nameservers likely come from multiple IPs. Google probably logs traffic going through those servers and uses them for various purposes.
What do you have in your VM, and how is it configured? Do you use DHCP over your virtual interface, or configure the resolver IPs directly?
If you are using Google's DNS resolvers directly from your computer (either because you manually configured it to use them, or your computer got those IPs from DHCP), that would explain why you are seeing those results. Try to find out if PureVPN provides a DNS server, and use that, or consider running your own recursive DNS resolver directly on your VM.
If you are using a PureVPN owned recursive resolver, it is possible that they are then forwarding to Google's DNS. In that case, to avoid sending all queries to Google, you would need to run your own server, or find an alternative DNS server that is open for you to use.
Agreed with port53, and adding that every free VPN out there won't allow you to stream content like that. That takes up bandwidth, and bandwidth isn't free. Try a low-cost VPN like Private Internet Access; you'll get to watch Robot Wars as well as experience a lagless online experience.