The time now is Tue 13 Nov 2018, 11:41
All times are UTC - 4
Why not use IP numbers instead of DNS?
purple379

Joined: 04 Oct 2014
Posts: 101

PostPosted: Thu 08 Nov 2018, 11:59    Post subject:  Why not use IP numbers instead of DNS?
Subject description: And what about CloudFlare?
 

What is wrong with keeping a text file of the IP numbers of websites I frequently go to, instead of using a name and a DNS?

Perhaps add a little program to inquire of several DNS servers simultaneously - what the IP number is for a website?

While I am asking questions. Does CloudFlare offer an encrypted DNS? Any reason not to trust CloudFlare?
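The "little program" idea from the opening post, as an added example that is not code from any poster in this thread: it asks several resolvers for a name's A record in parallel over plain UDP and reports which ones disagree with the IP pinned in your text file. The resolver list and all function names are assumptions; the pinned address is the one reported for the forum further down the thread.

```python
import secrets, socket, struct
from concurrent.futures import ThreadPoolExecutor

# Assumed resolver list: Cloudflare, Google and Quad9, the services named in this thread.
RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]

def build_query(name, txid):
    """Build an RFC 1035 query for the A record of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: 2 bytes, always ends the name
            return off + 2
        off += 1 + n

def parse_a_records(msg, txid):
    """Return the set of IPv4 addresses in a reply; reject one that is not ours."""
    rid, flags, qdcount, ancount = struct.unpack(">HHHH", msg[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS follow the name
    ips = set()
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:  # A record; CNAMEs etc. are skipped
            ips.add(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def ask(resolver, name, timeout=3.0):
    """Send one UDP query to `resolver`; an empty set means no usable answer."""
    txid = secrets.randbits(16)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, txid), (resolver, 53))
            return parse_a_records(s.recv(4096), txid)
    except (OSError, ValueError, struct.error, IndexError):
        return set()

def survey(name, resolvers=RESOLVERS):
    """Query all resolvers in parallel; returns {resolver: set of IPs}."""
    with ThreadPoolExecutor(len(resolvers)) as pool:
        return dict(zip(resolvers, pool.map(lambda r: ask(r, name), resolvers)))

def check_pin(pinned_ip, answers):
    """Return the resolvers whose answer does not contain the pinned IP."""
    return sorted(r for r, ips in answers.items() if pinned_ip not in ips)

if __name__ == "__main__":
    answers = survey("murga-linux.com")  # pinned IP is the one posted in this thread
    print(answers, "disagree with pin:", check_pin("45.33.15.200", answers))
```

A mismatch is a prompt to look closer, not proof of tampering: sites behind a CDN hand out different addresses per resolver and region. Plain UDP replies are also unauthenticated, so agreement between resolvers reached over the same network path is weaker evidence than it looks.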
belham2

Joined: 15 Aug 2016
Posts: 1576

PostPosted: Thu 08 Nov 2018, 16:40    Post subject: Re: Using IP numbers instead of DNS?
Subject description: DNS security.
 

purple379 wrote:
What is wrong with keeping a text file of the IP numbers of websites I frequently go to, instead of using a name and a DNS?

Perhaps add a little program to inquire of several DNS servers simultaneously - what the IP number is for a website?

While I am asking questions. Does CloudFlare offer an encrypted DNS? Any reason not to trust CloudFlare?



I like this idea, purple.

But what has always confused me is this: let's use a simple example:

if you open a puppy, or ddog, or fatdog (or heck, any linux OS), and you open a browser to a blank page, if you type in a known website IP number (that you know to be good and valid), does your browser still communicate with your ISP's DNS server that is entered into your ISP-facing modem/router---despite the fact you typed in an IP number into your browser??? I've heard that no matter if we enter IP numbers, DNS Servers still get involved in sending our browsers to that IP address we specified/entered into our browsers.

Or does simply entering a website IP number in your browser bypass whatever is entered in your ISP modem and/or router-DNS list and/or your network setup inside your OS, & thus allows you to know in confidence that you are heading to your specified-intended IP address and bypassing the back-and-forth handoff of DNS Servers??


I wish someone could answer this clearly for me, because I have heard all sorts of arguments on both sides of the tracks from so-called experts. I would really like to know with 100% assurance that there is a way to bypass all DNS Servers when one is operating a browser inside their chosen OS.
8Geee


Joined: 12 May 2008
Posts: 1714
Location: N.E. USA

PostPosted: Thu 08 Nov 2018, 18:25    Post subject:  

I can't directly answer the question, but there are domains that require a direct connection. In the browser address-bar this requirement has a green header to the left.

As a test enter this domain random.org

My FF27 indicates a green header to the left side.

Regards
8Geee

_________________
Linux user #498913

Some people need to reimagine their thinking.
upnorth


Joined: 11 Jan 2010
Posts: 286
Location: Wisconsin UTC-6 (-5 DST)

PostPosted: Thu 08 Nov 2018, 23:54    Post subject:  

@purple379
Cloudflare supports both dns over tls and dns over https.

Firefox 60 or above is easy to set up using about:config for dns over https (doH)
https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/

For those with dnscrypt-proxy see toward bottom of this page:
https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/

ADDED 20181110: alternative publicly available servers for doH, including quad9 and google:
https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers


Last edited by upnorth on Sat 10 Nov 2018, 21:42; edited 1 time in total
s243a

Joined: 02 Sep 2014
Posts: 1267

PostPosted: Fri 09 Nov 2018, 03:23    Post subject:  

I wouldn't trust Cloudflare. If you want good DNS security then use DNSCrypt with a DNS Caching program.
belham2

Joined: 15 Aug 2016
Posts: 1576

PostPosted: Fri 09 Nov 2018, 05:49    Post subject:  

s243a wrote:
I wouldn't trust Cloudflare. If you want good DNS security then use DNSCrypt with a DNS Caching program.


DNSCrypt lost itself, for good reasons (it was found to have known problems that cannot be fixed given how the code is currently written & implemented). No upkeep, no longer working, it's not viable, period.

For many years I used DNSCrypt (with a DNS Caching) until they just up and let things go like they did. That gave me no confidence in them at all, despite the fact they've tried to get it going again.

DNS-over-TLS is better. Heck, it is even what DNSCrypt founders have said people should migrate to. If I recall correctly, even DNSCrypt-proxy's founder said to go this route. More and more, DNS services are now compatible with DNS-over-TLS.


But still none of this answers the basic question I asked in the 2nd post of this thread, and it is the question that hangs over all of this and everything. Can DNS Servers (whosever they are, even if you've set up your own) be bypassed by sticking to the simple formula of:

1) choose your OS
2) have your browser open itself to a blank page
3) enter an IP number and not a www address

....and thus the canary: does the browser completely bypass any & all DNS Servers when you click to head to that IP address? Many online gurus say yes, many online gurus say no (that even IP numbers will pass through whosever DNS Servers/Caches you are using (including your own if you set your own DNS Server up)).


Until this question can be answered with 100% verification, we are just twisting in the wind about anything we do and/or set up with DNS.
upnorth


Joined: 11 Jan 2010
Posts: 286
Location: Wisconsin UTC-6 (-5 DST)

PostPosted: Sat 10 Nov 2018, 21:13    Post subject: firefox trr caveats
Subject description: important considerations
 

"Caveats

TRR doesn't read or care about /etc/hosts
In TRR-only mode, you might end up "held hostage" if you start up Firefox while behind a captive portal
There's no way to exclude or white list specific domains"


The bypassing of /etc/hosts is a very important consideration for those that rely on it to block sites, and its other uses.

from the main author of trr mode on firefox:
https://www.tuicool.com/articles/V77j2yN

Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 13079
Location: Arizona USA

PostPosted: Sat 10 Nov 2018, 23:47    Post subject: Re: Using IP numbers instead of DNS?
Subject description: DNS security.
 

belham2 wrote:
But what has always confused me is this: let's use a simple example:

if you open a puppy, or ddog, or fatdog (or heck, any linux OS), and you open a browser to a blank page, if you type in a known website IP number (that you know to be good and valid), does your browser still communicate with your ISP's DNS server that is entered into your ISP-facing modem/router---despite the fact you typed in an IP number into your browser??? I've heard that no matter if we enter IP numbers, DNS Servers still get involved in sending our browsers to that IP address we specified/entered into our browsers.

Or does simply entering a website IP number in your browser bypass whatever is entered in your ISP modem and/or router-DNS list and/or your network setup inside your OS, & thus allows you to know in confidence that you are heading to your specified-intended IP address and bypassing the back-and-forth handoff of DNS Servers??

Good question. I know nothing about the subject, so I'll just shoot from the hip here. Would traceroute or something like it work to tell if entering the IP address bypasses the DNS server? In other words, is the route different when you enter the URL instead of the actual IP address?
purple379

Joined: 04 Oct 2014
Posts: 101

PostPosted: Sun 11 Nov 2018, 18:39    Post subject: Old experience.  

When OpenDNS was getting started, before it was bought by Cisco, I used that setting on my home computer connection. IP numbers were returned noticeably faster than using Google DNS 8.8.8.8 or letting the default of the ISP DNS give the IP address back. So obviously then it was not going through another DNS check.

I can guess that it is possible, for an ISP or a motel to capture the entire connection. For using a VPN, from say a hotel connection, we are guessing the encryption of the VPN is sufficient to warn of a "man in the middle attack." If I was in China or Iran, maybe the encryption would not be sufficient.

I say this with the belief that a VPN or Tor use their own DNS addresses. Else they would not be so very useful.

I have a Firefox addon IP from DNSlytics, which shows interesting information, but I really do not know if it is accurate.

Might be interesting to have a webpage of my own, somewhere, that I always used as my first hop, and then that webpage give me traceback information.

I am guessing someone could tell me how that could easily not give me accurate info back.
s243a

Joined: 02 Sep 2014
Posts: 1267

PostPosted: Sun 11 Nov 2018, 20:21    Post subject: Re: Old experience.  

purple379 wrote:
When OpenDNS was getting started, before it was bought by Cisco, I used that setting on my home computer connection. IP numbers were returned noticeably faster than using Google DNS 8.8.8.8 or letting the default of the ISP DNS give the IP address back. So obviously then it was not going through another DNS check.

I can guess that it is possible, for an ISP or a motel to capture the entire connection. For using a VPN, from say a hotel connection, we are guessing the encryption of the VPN is sufficient to warn of a "man in the middle attack." If I was in China or Iran, maybe the encryption would not be sufficient.

I say this with the belief that a VPN or Tor use their own DNS addresses. Else they would not be so very useful.

I have a Firefox addon IP from DNSlytics, which shows interesting information, but I really do not know if it is accurate.

Might be interesting to have a webpage of my own, somewhere, that I always used as my first hop, and then that webpage give me traceback information.

I am guessing someone could tell me how that could easily not give me accurate info back.


Many VPNs use their own DNS server but with tor it depends on whether or not the exit node runs a DNS server, and keep in mind that many tor exit nodes are owned by government agencies. There are VPNs that you can connect to with a tor onion service. This way the VPN doesn't know who you are and you are not dependent on the tor exit node for DNS information.

https://www.reddit.com/r/TOR/comments/90ohrr/which_dns_server_does_tor_use/

As for connecting to a VPN there are VPNs that you can connect to via SSH. This means that a government agency couldn't pressure a certificate authority to sign a fake certificate for them so that they could man-in-the-middle you.

Edit: Some VPNs that you can connect to as a tor Onion service are:

1. Anonymous VPN - murga-linux.com, onion site, onion site


Or as an alternative to connecting to a VPN over tor one can connect over i2p. However, i2p addresses, while more secure than tor, aren't as fast. Here are some VPNs that one can connect to over i2p.

1. Fossmint - murga-linux.com, fossmint.com, opensource.com (note I think this is only a tool to set up your own VPN over i2p, but there should be commercial services based on it).

Other VPNs can be used in conjunction with tor but maybe not as a VPN. For example:

1. PIA VPN - suggested by Anastasis on the Facebook Termux Community.
belham2

Joined: 15 Aug 2016
Posts: 1576

PostPosted: Yesterday, at 09:17    Post subject:  

So, officially, is it best to say that there is---currently---no way to know, as what Flash wrote above:

"is the route different when you enter the URL instead of the actual IP address?"

I cannot figure out if my ISP is directing my browser to murga here (using the IP number in the browser instead of www) using their DNS Servers. Even when I change/remove their DNS Servers out of my router & computer, and stick in Google's DNS Servers, I cannot tell if the browser is FIRST passing through Google's servers after I've entered murga's IP number and not its www.

Dang....it sure seems in today's age we could know this little fact. I get the feeling even if we use IP numbers, our browser's designation is STILL getting logged by DNS Servers no matter if you arrive at that DNS Server with an IP address already in your browser.

Hope I am wrong....or just not understanding things clearly here

Doesn't peer-to-peer go straight from one computer to another while bypassing any and all DNS Servers? Hard to remember from the days (years ago) of when I experimented with torrents and everything related to them.
purple379

Joined: 04 Oct 2014
Posts: 101

PostPosted: Yesterday, at 11:01    Post subject: VPN Secure?  

As some of the posters on this forum suggest, a VPN does not offer security. Many of the VPN's require one to register, or pay.

TAILS says they do not recommend the use of a VPN as no one can be sure of how it works in practice, even if the VPN owner says no data on users kept. Suggesting only using Tor, but "end to end encryption" to keep one safe. I have my suspicions about how much the NSA may have a lot of Tor nodes in its pocket, whether by owning them, or owning the first hop out of many Tor nodes. (which is not a lot by itself, but.) Then again, I would have to guess no one can beat the NSA anyway.

Being one of millions does not give anonymity, given the accuracy of the NSA Computers/Servers keeping information, and being able to relate one thing to another.


A VPN could be in the control of an actor I would not agree with.

I don't have answers. Like a lot of privacy/security computer topics, it just leads to more perplexions, and puzzles.
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 13079
Location: Arizona USA

PostPosted: Yesterday, at 13:50    Post subject:  

Belham2, I see that Puppy has traceroute. I've never used it. It seems like it might tell us what we want to know. Here's a YouTube video describing traceroute and how to use it. How do I find the forum's IP address?

Right here, the guy seems to say that R1 (his name for the first server the packet hits) is the DNS server. I can't really tell because he talks too fast.

This guy definitely implies here that the DNS server is not called into play unless you use a host name instead of an IP address.

Last edited by Flash on Yesterday, at 14:35; edited 1 time in total
s243a

Joined: 02 Sep 2014
Posts: 1267

PostPosted: Yesterday, at 14:35    Post subject: Re: VPN Secure?  

purple379 wrote:
As some of the posters on this forum suggest, a VPN does not offer security. Many of the VPN's require one to register, or pay.

TAILS says they do not recommend the use of a VPN as no one can be sure of how it works in practice, even if the VPN owner says no data on users kept. Suggesting only using Tor, but "end to end encryption" to keep one safe. I have my suspicions about how much the NSA may have a lot of Tor nodes in its pocket, whether by owning them, or owning the first hop out of many Tor nodes. (which is not a lot by itself, but.) Then again, I would have to guess no one can beat the NSA anyway.

Being one of millions does not give anonymity, given the accuracy of the NSA Computers/Servers keeping information, and being able to relate one thing to another.


A VPN could be in the control of an actor I would not agree with.

I don't have answers. Like a lot of privacy/security computer topics, it just leads to more perplexions, and puzzles.


If you only connect to the VPN via tor and pay for the VPN via bitcoin then the VPN does not know who you are. Using a VPN after tor helps keep sites that you visit from identifying you as a tor-user. This will prevent any special treatment of your traffic: ex. annoying captchas, security measures or possibly special logging/tracking measures.

Also since the traffic between you and the VPN through tor is encrypted it will be very difficult for an exit node to eavesdrop on your communications even if you use an unencrypted protocol such as HTTP.

Also, yes. If you want a good VPN then you will probably have to pay because otherwise they will have little incentive to resist efforts by government to get information about your traffic. The only exception might be a VPN run by activists like riseup.net but governments are always trying to infiltrate/compromise such activist groups. Besides, I couldn't figure out how to get an account at riseup.net. I think I need an invite, which I don't have.
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 13079
Location: Arizona USA

PostPosted: Yesterday, at 14:48    Post subject:  

I found the forum's IP address is 45.33.15.200 by using ping:
Code:
ping murga-linux.com

Apparently ping continued to send pinging packets about one per second until I closed the console window. Does that sound right? How else can I stop it?

Edit: I found out I needed to tell ping how many times to do its thing by adding -c plus the number of times to ping:
Code:
ping murga-linux.com -c 1

Last edited by Flash on Yesterday, at 15:28; edited 1 time in total