What DNS provider do I use now?

  • hamborgr@lemmy.ml · 9 upvotes · 3 years ago

    You could get a Raspberry Pi for cheap and use Pihole with Unbound to get your own selfhosted ad-blocking recursive DNS server.

    I did it myself and can say that it’s definitely worth it and is easy enough, even for someone without much know-how. Just follow the documentation and some guides and you’ll be golden.

    • electrodynamica · 3 upvotes · 3 years ago

      You know what’s “funny”? I distinctly remember advice from “hatters” in 1993 telling me to set up recursive DNS to prevent exactly this scenario. I remember thinking it was excessive but did it anyway because it cost basically nothing, but to think now the dystopia became so universal that it is good advice for everyone is just mind-blowing.

    • krolden@lemmy.ml · 1 upvote · 3 years ago

      You still need to use upstream DNS, which I assume is what OP was asking about.

      • drspod@lemmy.ml · 10 upvotes · 3 years ago

        No you don’t, that’s the point of setting up a recursive DNS server. It queries the root nameservers and looks up everything itself.
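
Added example, not posted by any of the commenters above: an Unbound configuration for the Pi-hole + Unbound setup described earlier, written so that it does what drspod describes, i.e. it contains no forward-zone at all and resolves every name iteratively, starting from the root servers. The file path, the listening port 5335 and the root-hints/trust-anchor paths are assumptions (they follow Debian packaging defaults); Pi-hole is then pointed at 127.0.0.1#5335 as its only upstream.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf   (path is an assumption)
server:
    # Only answer the local machine; Pi-hole on the same host forwards here.
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no

    # Access policy: localhost may query, everybody else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # This is what makes the resolver recursive: it starts at the root
    # server addresses in this file instead of asking an upstream resolver.
    # Refresh the file periodically from https://www.internic.net/domain/named.root
    root-hints: "/var/lib/unbound/root.hints"

    # Validate DNSSEC signatures; unbound-anchor keeps the root key current.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Send only the labels each server needs (root sees "com.", not "host.example.com.").
    qname-minimisation: yes

    # Hardening against cache poisoning and spoofed answers.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    edns-buffer-size: 1232

    # Do not leak software identity via CHAOS queries.
    hide-identity: yes
    hide-version: yes

    # Refresh popular records before they expire.
    prefetch: yes
    num-threads: 1

# Deliberately no "forward-zone:" section. Adding one with name: "." would turn
# this back into a forwarder that depends on whoever is listed there.
```

Checks: `unbound-checkconf` validates the syntax before a restart. `dig example.com @127.0.0.1 -p 5335` should answer NOERROR, and a DNSSEC-signed name should come back with the `ad` flag while a deliberately broken test name returns SERVFAIL. To confirm there really is no upstream, watch the box's outbound DNS with `tcpdump -ni any port 53`: a recursive resolver talks to root, TLD and authoritative servers for each new name rather than to a single fixed address.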

  • nachtigall@feddit.de · 8 upvotes · 3 years ago

    “What DNS provider do I use now?”

    Kuketz Blog has compiled a nice list of uncensored, non-logging DNS providers (see the list below). If you live in Europe those should be sufficiently fast.

    Alternative DNS providers

    Digitalcourage | Server location: Germany

    [1] dns3.digitalcourage.de (supports DNSSEC)
    DNS over TLS:
       Host: dns3.digitalcourage.de
       Port: 853
       IPv4: 5.9.164.112
       IPv6: 2a01:4f8:251:554::2
    Note: supports only DNS over TLS (DoT)


    dismail.de | Server location: Germany

    [1] fdns1.dismail.de (supports DNSSEC)
    Unencrypted (port 53)
       IPv4: 80.241.218.68
       IPv6: 2a02:c205:3001:4558::1
    DNS over TLS:
       Host: fdns1.dismail.de
       Port: 853
    Note: ad and tracking filter list

    [2] fdns2.dismail.de (supports DNSSEC)
    Unencrypted (port 53)
       IPv4: 159.69.114.157
       IPv6: 2a01:4f8:c17:739a::2
    DNS over TLS:
       Host: fdns2.dismail.de
       Port: 853
    Note: ad and tracking filter list


    dnsforge.de | Server location: Germany

    [1] dnsforge.de (supports DNSSEC)
    Unencrypted (port 53)
       IPv4: 176.9.93.198
       IPv6: 2a01:4f8:151:34aa::198
       IPv4: 176.9.1.117
       IPv6: 2a01:4f8:141:316d::117
    DNS over TLS:
       Host: dnsforge.de
       Port: 853
    Note: ad and tracking filter list


    Mullvad | Server location: Germany, Australia, Switzerland and other countries

    [1] adblock.doh.mullvad.net (supports DNSSEC)
    DNS over TLS:
       Host: adblock.doh.mullvad.net
       Port: 853
       IPv4: 194.242.2.3
       IPv4: 193.19.108.3
       IPv6: 2a07:e340::3
    DNS over HTTPS:
       Host: https://adblock.doh.mullvad.net/dns-query
       Port: 443
    Note: ad and tracking filter list | supports only DNS over TLS (DoT) and DNS over HTTPS (DoH)


    ffmuc.net | Server location: Germany

    [1] dot.ffmuc.net (supports DNSSEC)
    Unencrypted (port 53)
       IPv4: 5.1.66.255
       IPv6: 2001:678:e68:f000::
       IPv4: 185.150.99.255
       IPv6: 2001:678:ed0:f000::
    DNS over TLS:
       Host: dot.ffmuc.net
       Port: 853


    Digitale Gesellschaft | Server location: Switzerland

    [1] dns.digitale-gesellschaft.ch (supports DNSSEC)
    DNS over TLS:
       Host: dns.digitale-gesellschaft.ch
       Port: 853
    DNS over HTTPS:
       Host: https://dns.digitale-gesellschaft.ch/dns-query
       Port: 443


    UncensoredDNS | Server location: Denmark

    [1] anycast.censurfridns.dk (supports DNSSEC)
    Unencrypted (port 53)
       IPv4: 91.239.100.100
       IPv6: 2001:67c:28a4::

    [2] unicast.censurfridns.dk (supports DNSSEC)
    Unencrypted (port 53)
       IPv4: 89.233.43.71
       IPv6: 2a01:3a0:53:53::
    DNS over TLS:
       Host: unicast.uncensoreddns.org
       Port: 853
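
Added example, not from Kuketz Blog or the commenter: if you keep an upstream provider from the list above rather than recursing yourself, the point of the DoT entries is only realised when the client authenticates the server's certificate against the listed hostname; TLS without that check still stops passive eavesdropping on the path but not an active attacker who terminates the connection and answers in the provider's place. The fragment below uses Unbound as a forwarder with the dismail.de addresses and hostnames exactly as listed; the CA bundle path is an assumption (it is Debian's default).

```conf
server:
    # CA bundle used to verify the upstream certificate. Without this line
    # Unbound still speaks TLS but does NOT verify who it is talking to.
    # (path is an assumption; Debian ships it here)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Weak variant from the same list: plaintext port 53. Every query is visible
# and spoofable by anyone on the path. Kept here only for comparison.
# forward-zone:
#     name: "."
#     forward-addr: 80.241.218.68
#     forward-addr: 2a02:c205:3001:4558::1

# Better: DoT on port 853, and the name after '#' is checked against the
# certificate presented by the server (requires tls-cert-bundle above).
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: no
    forward-addr: 80.241.218.68@853#fdns1.dismail.de
    forward-addr: 2a02:c205:3001:4558::1@853#fdns1.dismail.de
    forward-addr: 159.69.114.157@853#fdns2.dismail.de
    forward-addr: 2a01:4f8:c17:739a::2@853#fdns2.dismail.de
```

A quick manual check of a listed endpoint before trusting it: `openssl s_client -connect 80.241.218.68:853 -servername fdns1.dismail.de` should show `Verify return code: 0 (ok)` and a certificate whose subject or SAN matches the hostname; if the chain does not validate here, the `#hostname` suffix in Unbound will reject the upstream too, which is the intended failure mode.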
    
    • Arthur Besse@lemmy.ml · 5 upvotes, 1 downvote · 3 years ago

      What’s the business model of operating this large, expensive service for free? (If you read their website, you’ll find the answer is that they do it for the data. Shocking, right?)

  • jokeyrhyme@lemmy.ml · 9 upvotes, 4 downvotes · 3 years ago

    I think this rant greatly exaggerates the alleged “risk” that CloudFlare poses, and also makes unsubstantiated claims about the inadequate protection provided by CloudFlare.

    I do think it’s a good thing for more people to consider self-hosted options, but we should do this on the merits and not in an artificial climate of fear.

    • blank_sl8@lemmy.ml · 10 upvotes · 3 years ago

      There’s no way to know what Cloudflare is doing with your data. It is therefore a true risk. We have the technology (end-to-end HTTPS) to allow DDoS protection without allowing a man in the middle. If Cloudflare is doing something else, we have full reason to be skeptical.

      • jokeyrhyme@lemmy.ml · 2 upvotes, 1 downvote · 3 years ago

        Sure, and it’d be nice for CloudFlare to offer a service that was compatible with end-to-end HTTPS.

        But this would be incompatible with the CAPTCHA insertion, right?

        And instead of being able to use signal from the content of requests to identify an attack, they’d only be able to use the signal from the unencrypted part of the TCP exchange.

        This seems like inferior protection to me, but for some this might be the better compromise, and we have every right to seek such a compromise.

        • nutomic@lemmy.ml · 7 upvotes · 3 years ago

          Using CAPTCHAs is another problem with Cloudflare; no other hoster/provider needs that. So for users there are just downsides with Cloudflare. Unfortunately a lot of websites decide to use it, and there is nothing we can do.

        • blank_sl8@lemmy.ml · 4 upvotes · 3 years ago

          True, there are some attacks that Cloudflare may be better positioned to mitigate… but a well-designed application won’t be susceptible to attacks unless they involve a huge amount of traffic, and in those cases the amount of traffic is so huge that it can be detected easily without needing to see the HTTP content.

          • jokeyrhyme@lemmy.ml · 1 upvote · 3 years ago

            For some sites, both the content publisher and the consumer may prioritise availability over perfect secrecy (e.g. distributing life-saving information in a natural disaster or war).

            There might not be a single product on the planet that is more suitable for this use case than Cloudflare.

            Many sites and many consumers will not share this priority of values, however, so I agree that Cloudflare is inappropriate for these cases.

    • isleofmist@lemmy.ml · 6 upvotes · edited · 3 years ago

      The biggest point against cloudflare is that it is a US-based company and is vulnerable to US government spying.

      • jokeyrhyme@lemmy.ml · 3 upvotes · 3 years ago

        I’m sure for many people it is true that the USA government is a major threat, but neither “USA” nor “government” appear in the article/rant, and ideally an article written for these people wouldn’t single CloudFlare out, but would list the major companies that this applies to equally.

        I’d even take this further and say that we shouldn’t trust software (or hardware) vendors that are beholden to laws in any of the Five Eyes countries ( https://en.wikipedia.org/wiki/Five_Eyes ).

        Australia’s Assistance and Access Bill 2018 surely damages the credibility of Australian vendors, possibly even more than USA vendors: https://www.techtarget.com/searchsecurity/definition/Australian-Assistance-and-Access-Bill

        • tardigrada@lemmy.ml · 1 upvote · 3 years ago

          Just read the BBC article, see the link I posted above. The US government was directly involved when they started Cloudflare. Cloudflare’s CEO leaves no doubt about that.

  • Decentralizer@lemmy.ml · 4 upvotes · 3 years ago

    NextDNS is great, but yes, 9.9.9.9 or Mullvad would also be a great option. More advanced are NextDNS, Decloudus and ControlD.

  • tardigrada@lemmy.ml · 3 upvotes · 3 years ago

    There is a BBC article on Cloudflare’s beginnings, saying: “…when he [Cloudflare’s CEO Matthew Prince, ed.] got an unexpected phone call from the US Department of Homeland Security asking him about the information he had gathered on attacks.

    Mr Prince recalls: ‘They said “do you have any idea how valuable the data you have is? Is there any way you would sell us that data.”’”

    (see https://47a824e91bd781c66916f216129b096363daefb2-m.eu-proxy.startpage.com/npd/dcc/xxx/ST/m54xdoDgc5nRTxiNsIgZF4aWuw//////////news/business-37348016)

    Cloudflare blocks Tor by default. Technically it is a man in the middle (which is VERY unfriendly, to say the least). It decrypts your data. It is a big step towards the centralization of the web.

    https://news.ycombinator.com/item?id=28854425

  • GadgeteerZA@lemmy.ml · 3 upvotes, 1 downvote · 3 years ago

    What interests me is that there is too much speculation without actual facts. We can suspect anything of anyone (including Lemmy, Facebook, etc). We’ve seen the numerous factual revelations about Facebook and a few others, but there is something there that proves they are being unethical. I’d be interested to see such facts about CloudFlare too, not what they could potentially do.

    Cloudflare also means a lot to small websites that want to obscure their hosting IP address, and who want to make use of a global CDN to speed up the response on their self-hosted sites. So yes, they do also provide a positive service in that regard. They are not a free service, as many, including big corporates, pay CloudFlare; that payment is not to get our data or push adverts into our websites, but to use the actual service. So that I see as their business model.

    Yes, they break the end-to-end SSL, but for plain public websites that is not a major concern. I gather the paid service is where corporates go for security which allows pass-through of SSL to the hosting site.

    For smaller guys, CloudFlare can provide a valuable service if the data being hosted is not super sensitive. Yes, it is US based, but so are many IT services, and again that needs to be considered in terms of what you are hosting. I recently went to look for alternatives that would be free for global CDN, obscuring IP, proxy, malicious traffic protection, etc. and really could not find anything. Only basic DNS services.

      • GadgeteerZA@lemmy.ml · 3 upvotes · 3 years ago

        Yes, it draws from what is published on their own website at https://www.cloudflare.com/our-story/. It is still speculation, though, as to what is happening. They claim their motivation was to identify and prevent spammers and other malicious actors taking over websites, by crowdsourcing and blacklisting bad actors. From that perspective, users will see numerous addresses blocked that are supposedly part of those identified.

        So yes, one could say, is that real? Well, that’s the point: we don’t really know either way, and as far as I’m aware there have been no court cases yet against CloudFlare, i.e. evidence brought forward justifying criminal actions.

        Certainly my own website was being hammered every day, as I can see from the WP WordFence security plugin. WordFence also blocks masses of IP addresses based on attempted logins as well as crowdsourced data from similar actions elsewhere that they have detected. I can see people, after being blocked, running up their IP address range attempting to get around the block. So there are genuinely bad actors out there running automated tools to do this. That does not make WordFence a bad thing. So websites are looking at many ways to try to protect themselves from this constant bombardment, which also uses up the hosting network traffic.

        I’m not saying either that Cloudflare does not have the potential to do bad. We can see how they work technically. But have they actually sold users’ data, have they exploited the man-in-the-middle or given others access to it? That I’ve seen no evidence of yet. I just dislike ungrounded speculation, as that leads to conspiracy theories that may be unfounded.