What DNS provider do I use now?
yes,
You could get a Raspberry Pi for cheap and use Pihole with Unbound to get your own selfhosted ad-blocking recursive DNS server.
I did it myself and can say that it’s definitely worth it and is easy enough, even for someone without much know-how. Just follow the documentation and some guides and you’ll be golden.
You know what’s “funny”? I distinctly remember advice from “hatters” in 1993 telling me to set up recursive DNS to prevent exactly this scenario. I remember thinking it was excessive but did it anyway because it cost basically nothing, but to think now the dystopia became so universal that it is good advice for everyone is just mind-blowing.
Instead of a Raspberry Pi, I can recommend one of the Pine64 boards. They work well with Manjaro: https://pine64.com/product-category/single-board-computers/
You still need to use upstream DNS, which I assume is what OP was asking about.
No you don’t, that’s the point of setting up a recursive DNS server. It queries the root nameservers and looks up everything itself.
Same here.
What DNS provider do I use now?
Kuketz Blog has compiled a nice list of uncensored and unprotocolled DNS providers (see spoiler below). If you live in Europe those should be sufficiently fast.
Alternative DNS providers

Digitalcourage | Server location: Germany
[1] dns3.digitalcourage.de (supports DNSSEC)
    DNS over TLS: Host: dns3.digitalcourage.de, Port: 853
    IPv4: 5.9.164.112, IPv6: 2a01:4f8:251:554::2
    Note: supports only DNS over TLS (DoT)

dismail.de | Server location: Germany
[1] fdns1.dismail.de (supports DNSSEC)
    Unencrypted (port 53): IPv4: 80.241.218.68, IPv6: 2a02:c205:3001:4558::1
    DNS over TLS: Host: fdns1.dismail.de, Port: 853
    Note: ad and tracking filter list
[2] fdns2.dismail.de (supports DNSSEC)
    Unencrypted (port 53): IPv4: 159.69.114.157, IPv6: 2a01:4f8:c17:739a::2
    DNS over TLS: Host: fdns2.dismail.de, Port: 853
    Note: ad and tracking filter list

dnsforge.de | Server location: Germany
[1] dnsforge.de (supports DNSSEC)
    Unencrypted (port 53): IPv4: 176.9.93.198, IPv6: 2a01:4f8:151:34aa::198; IPv4: 176.9.1.117, IPv6: 2a01:4f8:141:316d::117
    DNS over TLS: Host: dnsforge.de, Port: 853
    Note: ad and tracking filter list

Mullvad | Server location: Germany, Australia, Switzerland and other countries
[1] adblock.doh.mullvad.net (supports DNSSEC)
    DNS over TLS: Host: adblock.doh.mullvad.net, Port: 853
    IPv4: 194.242.2.3, IPv4: 193.19.108.3, IPv6: 2a07:e340::3
    DNS over HTTPS: Host: https://adblock.doh.mullvad.net/dns-query, Port: 443
    Note: ad and tracking filter list | supports only DNS over TLS (DoT) and DNS over HTTPS (DoH)

ffmuc.net | Server location: Germany
[1] dot.ffmuc.net (supports DNSSEC)
    Unencrypted (port 53): IPv4: 5.1.66.255, IPv6: 2001:678:e68:f000::; IPv4: 185.150.99.255, IPv6: 2001:678:ed0:f000::
    DNS over TLS: Host: dot.ffmuc.net, Port: 853

Digitale Gesellschaft | Server location: Switzerland
[1] dns.digitale-gesellschaft.ch (supports DNSSEC)
    DNS over TLS: Host: dns.digitale-gesellschaft.ch, Port: 853
    DNS over HTTPS: Host: https://dns.digitale-gesellschaft.ch/dns-query, Port: 443

UncensoredDNS | Server location: Denmark
[1] anycast.censurfridns.dk (supports DNSSEC)
    Unencrypted (port 53): IPv4: 91.239.100.100, IPv6: 2001:67c:28a4::
[2] unicast.censurfridns.dk (supports DNSSEC)
    Unencrypted (port 53): IPv4: 89.233.43.71, IPv6: 2a01:3a0:53:53::
    DNS over TLS: Host: unicast.uncensoreddns.org, Port: 853
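As an added illustration (not part of the post or of the Kuketz Blog list), this shows what a "DNS over TLS: Host ... Port: 853" entry above means on the wire: the query is framed as in DNS over TCP, sent inside TLS on port 853, and the server certificate is verified against the listed Host rather than the bare IP, which is why the list gives a hostname for every DoT entry. The reply parser also rejects an answer whose transaction ID does not match. It assumes Python 3 with only the standard library; the sample reply is constructed, not captured from any resolver.

```python
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, one question), QNAME, QTYPE, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def skip_name(resp: bytes, off: int) -> int:
    """Advance past a name written as labels, a compression pointer, or labels then a pointer."""
    while True:
        length = resp[off]
        if length & 0xC0 == 0xC0:   # pointer: two bytes, terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += length + 1

def parse_answer_ips(resp: bytes, txid: int) -> list:
    """A-record addresses from a reply; wrong ID, non-response, or error RCODE raises."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("reply rejected: ID mismatch, not a response, or error RCODE")
    off = 12
    for _ in range(qd):                 # skip question section (name + QTYPE + QCLASS)
        off = skip_name(resp, off) + 4
    ips = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips

def resolve_dot(host: str, name: str, port: int = 853, txid: int = 0x1234) -> list:
    """Query over TLS on 853. The default context verifies the chain and that the certificate
    matches `host`: this is why a DoT entry needs the hostname, not only the IP address."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
            query = build_query(name, txid=txid)
            tls.sendall(struct.pack(">H", len(query)) + query)   # RFC 7858: 2-byte length prefix
            reader = tls.makefile("rb")                           # reply is length-prefixed too
            length = struct.unpack(">H", reader.read(2))[0]
            return parse_answer_ips(reader.read(length), txid)

# Constructed reply to build_query("example.com"): same ID, QR/RD/RA set, one A record 192.0.2.1 (TEST-NET-1), TTL 300.
SAMPLE_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
                b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")
```

A call such as resolve_dot("dns3.digitalcourage.de", "example.com") would fail with an SSL error rather than return data if the certificate presented did not match the host, which is the property that distinguishes DoT from plain port 53.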
I use quad9 (9.9.9.9)
What's the business model of operating this large, expensive service for free? (If you read their website, you'll find the answer is that they do it for the data. Shocking, right?)
They detail their business model in this blog post: https://quad9.net/news/blog/quad9-and-your-data
It seemed honest to me. Furthermore, it is a non-profit organisation. Am I wrong to trust them?
Best thing about Quad9 is that they are based outside of the US in Switzerland. Swiss privacy laws are much better than US ones.
I think this rant greatly exaggerates the alleged "risk" that CloudFlare poses, and also makes unsubstantiated claims about the inadequate protection provided by CloudFlare.
I do think it's a good thing for more people to consider self-hosted options, but we should do this on the merits and not in an artificial climate of fear.
There's no way to know what Cloudflare is doing with your data. It is therefore a true risk. We have the technology (end-to-end HTTPS) to allow DDoS protection without allowing a man in the middle. If Cloudflare is doing something else, we have full reason to be skeptical.
Sure, and it'd be nice for CloudFlare to offer a service that was compatible with end-to-end HTTPS.
But this would be incompatible with the CAPTCHA insertion, right?
And instead of being able to use signal from the content of requests to identify an attack, they'd only be able to use the signal from the unencrypted part of the TCP exchange.
This seems like inferior protection to me, but for some this might be the better compromise, and we have every right to seek such a compromise.
Using CAPTCHAs is another problem with Cloudflare; no other hoster/provider needs that. So for users there are just downsides with Cloudflare. Unfortunately a lot of websites decide to use it, and there is nothing we can do.
True, there are some attacks that Cloudflare may be better positioned to mitigate... but a well-designed application won't be susceptible to attacks unless they involve a huge amount of traffic, and in those cases the amount of traffic is so huge that it can be detected easily without needing to see the HTTP content.
For some sites, both the content publisher and the consumer may prioritise availability over perfect secrecy (e.g. distributing life-saving information in a natural disaster or war).
There might not be a single product on the planet that is more suitable for this use case than Cloudflare.
Many sites and many consumers will not share this priority of values, however, so I agree that Cloudflare is inappropriate for these cases.
The biggest point against cloudflare is that it is a US-based company and is vulnerable to US government spying.
I'm sure for many people it is true that the USA government is a major threat, but neither "USA" nor "government" appear in the article/rant, and ideally an article written for these people wouldn't single CloudFlare out, but would list major companies that this applies to equally.
I'd even take this further and say that we shouldn't trust software (or hardware) vendors that are beholden to laws in any of the Five Eyes countries (https://en.wikipedia.org/wiki/Five_Eyes).
Australia’s Assistance and Access Bill 2018 surely damages the credibility of Australian vendors, possibly even more than USA vendors: https://www.techtarget.com/searchsecurity/definition/Australian-Assistance-and-Access-Bill
Just read the BBC article, see the link I posted above. The US government was directly involved when they started Cloudflare. Cloudflare's CEO leaves no doubt about that.
NextDNS is great, but yes, 9.9.9.9 or Mullvad would also be a great option. More advanced are NextDNS, DeCloudUs and ControlD.
UncensoredDNS is one of my favourites, as is AdGuard. @nachtigall@feddit.de's comment is also helpful.
dns.watch is pretty good.
Desec.io; it also offers a nameserver.
There is a BBC article on Cloudflare's beginnings, saying: "…when he (Cloudflare's CEO Matthew Prince, ed.) got an unexpected phone call from the US Department of Homeland Security asking him about the information he had gathered on attacks.
Mr Prince recalls: 'They said "do you have any idea how valuable the data you have is? Is there any way you would sell us that data."'"
Cloudflare blocks Tor by default. Technically it is a man in the middle (which is VERY unfriendly, to say the least). It decrypts your data. It is a big step towards the centralization of the web.
Obligatory Link
What interests me is that there is too much speculation without actual facts. We can suspect anything of anyone (including Lemmy, Facebook, etc). We’ve seen the numerous factual revelations about Facebook and a few others, but then there is something that proves they are being unethical. I’d be interested to see such facts though about CloudFlare, not what they can potentially do.
Cloudflare also means a lot to small websites that want to obscure their hosting IP address, and who want to make use of a global CDN to speed up the response on their self-hosted sites, as a CDN. So yes, they do also provide a positive service in that regard. They are not a free service as many including big corporates pay CloudFlare - that payment is not to get our data or push adverts into our websites, but to use the actual service. So that I see as their business model.
Yes they break the end-to-end SSL, but for plain public websites that is not a major concern. I gather the paying service is where corporates go for security which allows pass-through of SSL to the hosting site.
For smaller guys, CloudFlare can provide a valuable service if the data being hosted is not super sensitive. Yes it is US based, but so are many IT services, and again that needs to be considered in terms of what you are hosting. I recently went to look for alternatives that would be free for global CDN, obscuring IP, proxy, malicious traffic protection, etc and really could not find anything. Only basic DNS services.
Not the newest article, but relevant https://dt.gl/cloudflare-why-the-fuss/
Yes, it draws from what is published on their own website at https://www.cloudflare.com/our-story/. It is still speculation though as to what is happening. They claim their motivation was to identify and prevent spammers and other malicious actors taking websites, by crowdsourcing and blacklisting bad actors. From that perspective, users will see numerous addresses blocked that are supposedly part of those identified.
So yes, one could say, is that real? Well, that's the point, we don't really know either way, and as far as I'm aware there have been no court cases yet against CloudFlare, i.e. evidence brought forward justifying criminal actions.
Certainly my own website was being hammered every day, as I can see from the WP WordFence security plugin. WordFence also blocks masses of IP addresses based on attempted logins as well as crowdsourced data from similar actions elsewhere that they have detected. I can see people, after being blocked, running up their IP address range attempting to get around the block. So there are genuinely bad actors out there running automated tools to do this. That does not make WordFence now a bad thing. So websites are looking at many ways to try to protect themselves from this constant bombardment, which also uses up the hosting network traffic.
I'm not saying either that Cloudflare does not have the potential to do bad. We can see how they work technically. But have they actually sold users' data, have they exploited the man-in-the-middle or given others access to it? That I've seen no evidence of yet. I just dislike ungrounded speculation, as that leads to conspiracy theories that may be unfounded.
The article is mostly "The process is extremely annoying".
9.9.9.9, fast and without problems for years.