Puppy Linux Discussion Forum
Operating one's own local DNS resolution server

Joined: 13 Nov 2013
Posts: 2167
Location: Canada

PostPosted: Thu 15 Nov 2018, 20:16    Post subject:  Operating one's own local DNS resolution server
Subject description: Enabling DNS over HTTPS on Firefox, Opera, Chrome for added privacy

Operating one's own local DNS resolution servers is one of the simplest and lowest-cost things an IT administrator can do to monitor and protect applications, services, and users from potential risks.

Every open source server platform, such as Linux or BSD, offers many free implementations of the DNS resolution service. The oldest of these is called BIND, but newer implementations such as PowerDNS, Unbound, and Knot are also well-trusted, production-ready software packages. Most will offer some kind of template configuration that includes local DNS resolution.
Source : https://www.darkreading.com/vulnerabilities---threats/benefits-of-dns-service-locality/a/d-id/1333088?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple


To a great extent, protecting DNS today begins with DNSSEC. The DNS Security Extensions handle one set of tasks, but it's an extremely important set in the overall scheme of things. DNSSEC is all about making sure that the server (or service) you want to talk to is the one you're actually talking to.

DNSSEC uses a DNSSEC-validating DNS resolver to check DNS signatures and ensure that the resolution information has not been changed and the responding server is the correct server. It's important to note that the signatures in DNSSEC aren't used for any sort of encryption — they're only responsible for validating the identity of the servers involved.

It's also important to note that DNSSEC can protect more than Web pages. Any service that uses a DNS-based address, from email to instant messaging, can benefit from the server authentication provided by DNSSEC.


Quad9 is a joint project of the Global Cyber Alliance (GCA), IBM, and Packet Clearing House. Beyond basic name resolution, Quad9 (named for its address, is intended to block the vast majority of malicious sites, including those hosting and controlling malware, botnet infrastructure, and more. To do so, Quad9 collects reputation and security information from 18 different partners, including F-Secure, abuse.ch, Cisco, Proofpoint, and NetLab.

In addition to the blacklist functions, Quad9 will support both a whitelist of the million top-requested domains and a "gold list" of major sites (such as Google, Amazon Web Services, and Microsoft Azure) that should always be considered "safe." Both types of lists are intended to maintain high performance while providing security from bad actors and their malicious destinations.

Source : https://www.darkreading.com/operations/7-ways-to-keep-dns-safe/d/d-id/1332252

Further reading :
DuckDuckGo's public DNS list
"DNS [security] is still not top of mind,"
Intra, the Android App for DNS Encryption
Best Public DNS Servers
Public DNS for IPv4 and IPv6
The official release of AdGuard DNS — a new unique approach to privacy-oriented DNS

Last edited by labbe5 on Sat 04 Jan 2020, 21:28; edited 4 times in total

Joined: 13 Nov 2013
Posts: 2167
Location: Canada

PostPosted: Thu 10 Jan 2019, 10:27    Post subject: Google DNS Service ( Now Supports DNS-over-TLS  


Almost every activity on the Internet starts with a DNS query, a key function of the Internet that works as the Internet's directory, where your device looks up the server IP addresses after you enter a human-readable web address (e.g., thehackernews.com).

Since DNS queries are sent in clear text over UDP or TCP without encryption, the information can reveal not only what websites an individual visits but is also vulnerable to spoofing attacks.

To address these problems, Google announced Wednesday that its Public DNS (Domain Name System) service finally supports DNS-over-TLS security protocol, which means that the DNS queries and responses will be communicated over TLS-encrypted TCP connections.
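An added example, not part of the posts above or of any project they link to: it builds a DNS query that asks for DNSSEC data, frames it the way DNS-over-TLS carries it, and reads the resolver's verdict from the reply header, which covers both the DNSSEC-validating resolver described in the first post and the TLS transport described here. Function names are illustrative, the sample reply is constructed, and the resolver address and TLS name passed to `query_dot` are left to the caller.

```python
import secrets, socket, ssl, struct

# Constructed 12-byte reply header: id 0x1234, flags QR|RD|RA|AD, NOERROR, one answer.
SAMPLE_REPLY = bytes.fromhex("123481a00001000100000001")

def build_query(name, txid, qtype=1):
    """DNS query (RD=1) with an EDNS0 OPT record whose DO bit requests DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL field = flags (DO=0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def frame_for_tcp(msg):
    """DNS over TCP, and so DoT, prefixes every message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "answers": an}

def classify(query, response):
    if len(response) < 12:
        return "malformed"
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"
    if r["rcode"] == 2:
        return "servfail"  # a validating resolver answers SERVFAIL for bogus signatures
    if r["rcode"] != 0:
        return "error"
    return "validated" if r["ad"] else "unvalidated"  # no AD: unsigned zone or no validation

def query_dot(server_ip, tls_name, name):
    """Ask a DoT resolver (port 853); its certificate must match tls_name."""
    query = build_query(name, secrets.randbelow(65536))
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls, tls.makefile("rb") as f:
            tls.sendall(frame_for_tcp(query))
            prefix = f.read(2)  # buffered read returns short only at EOF
            if len(prefix) < 2:
                return "malformed"
            return classify(query, f.read(struct.unpack("!H", prefix)[0]))
```

The AD flag is the resolver's own claim, so it is only worth trusting when the path to that resolver is trusted: a resolver on the local host or network, or one reached over an authenticated TLS session as in `query_dot`.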

Joined: 13 Nov 2013
Posts: 2167
Location: Canada

PostPosted: Fri 09 Aug 2019, 18:45    Post subject: Knot DNS
Subject description: High-performance authoritative-only DNS server


Joined: 13 Nov 2013
Posts: 2167
Location: Canada

PostPosted: Sat 07 Sep 2019, 19:53    Post subject: Configure DNS over TLS  


The future is to encrypt DNS.
Here is a tutorial.

It is not to be applied as a step-by-step tutorial for Puppy or Dog-based OS.
Just read and think about DNS over TLS and maybe adapt the tutorial for Puppy or a Dog-based OS.

Further reading :
DNS Privacy Daemon - Stubby
Google plans to test DNS over HTTPS in Chrome 78
Mozilla plans to roll out DNS over HTTPS to US users in late September 2019
Turn off DoH, Firefox. Now.
Encrypted DNS Could Help Close the Biggest Privacy Gap on the Internet. Why Are Some Groups Fighting Against It?
Self-hosted Dns Over Https service

Last edited by labbe5 on Tue 15 Oct 2019, 15:46; edited 1 time in total

Joined: 13 Nov 2013
Posts: 2167
Location: Canada

PostPosted: Mon 07 Oct 2019, 08:15    Post subject: DNSCrypt  

This simple tutorial will show you how to install two privacy tools, The Onion Router (TOR) and Dnscrypt-Proxy, on Ubuntu Bionic Beaver. We will make use of the existing Mozilla Firefox browser instead and just configure a system-wide proxy using Ubuntu System Settings. We do not install Tor Browser or any other additional stuff, to make everything simple for everybody.

It is best to use DNSCrypt if your DNS is provided by your ISP. If you have chosen from Quad9 or from Cloudflare, it is because you care about privacy. If you use a VPN, thanks to it, DNS is taken care of by your VPN provider. To be sure, go to https://ipleak.net/ (DNS Address section), or do a DNS leak test: https://www.dnsleaktest.com/

Further reading :
How to use dnscrypt-proxy to secure DNS queries in Linux
The article is intended for the following software versions:
OS: Linux with systemd
Package: dnscrypt-proxy v2
Tested on: Debian 10
Installation and configuration steps should be mostly applicable to distros using systemd and dnscrypt-proxy v2.

Configure Ubuntu Pi-hole for Cloudflare DNS over HTTPS
How To Set Permanent DNS Nameservers

Last edited by labbe5 on Sat 04 Jan 2020, 21:42; edited 3 times in total

Joined: 04 Oct 2014
Posts: 158

PostPosted: Fri 11 Oct 2019, 09:43    Post subject: What Encrypted DNS already implemented in Easy OS?
Subject description: What would be simple to install in Easy OS?

I thought Firefox was going to implement a proxy something to resolve encrypted DNS issues like this. Where is that project?

I seem to recall some forum post where a fellow said he was talking to the Network Engineer on the ISP he used. The Network Engineer laughed and said, "If you want to enter the DNS number instead of doing the DNS look up, that is fine, I can change the DNS number you put in the browser box, and send you anywhere I choose." Not to be malevolent, just that is the way Servers can be changed by the ISP.

In truth, I personally suspect that is the way the internet was always intended to work. A lot of websites have pages cached in all kinds of places to make them load quicker. There was a fellow who was posting about a problem he had downloading content, the unreliability of the downloading and extra dollar costs, only to discover that while he was in the US, he was downloading content from Australia that was available from the same web site in the US, because the US had its own servers to download from.

What about a DNS comparison program? I get the DNS from one provider, compare it to the previous DNS I have for that web page, while also downloading the other DNS server's version of the same webpage. I guess the DNS companies do that all the time, so it is just another resource hog on my computer.

Anyone do a review on the YubiKey that is supposed to verify our getting to the correct webpage? That is, is the result of the YubiKey reliable, or is it just relying on what the DNS the ISP could be providing?

How much would need to be installed on a computer to slurp the password for a VPN? So that a group like the NSA or the Chinese equivalent could do a sophisticated "Man in the Middle" intercept, and read.

The Ultimate back door would be to have https keys. How could one trick a browser into letting one -- hmmm.

Joined: 13 Nov 2013
Posts: 2167
Location: Canada

PostPosted: Tue 15 Oct 2019, 15:58    Post subject: LibreDNS  


DNS is a very old and essential internet protocol, that we all use daily. But it was built without privacy and secrecy in mind. It lacks encryption, and though it's decentralized in theory, for most people it has a central point of failure (or censorship), their ISP's DNS provider.


Today we announce our own DNS service, a public encrypted DNS service, that people can use to maintain secrecy of their DNS traffic and bypass censorship. This is a DNS service run by LibreOps.

DNS over HTTPS (DoH) is best to be configured and used on applications, namely browsers.

At the moment the only browser that has sufficient support is Firefox. To configure Firefox do the following steps:

Open Firefox settings and navigate to:
General > Network Settings > Settings
At the bottom of this dialog:
Enable DNS over HTTPS.
Change from the default setting to Custom and fill in:

DNS over TLS (DoT) is best to be configured globally for the entire operating system.
Opera Software tests Cloudflare DNS over HTTPS in Opera 65
LibreDNS has a new AdBlock endpoint
Google tries to clear up DNS-over-HTTPS confusion
DNS Encryption Explained
How To Enable DNS-Over-HTTPS On Chrome, Firefox, Edge, Brave
How To Setup DoH On Firefox, Opera, Chrome

Joined: 13 Nov 2013
Posts: 2167
Location: Canada

PostPosted: Sat 04 Jan 2020, 21:54    Post subject: DNS over HTTPS
Subject description: Publicly available servers


Have your pick of public DNS servers.

Further reading :
How to Enable DNS Over HTTPS in Your Web Browser

Last edited by labbe5 on Fri 28 Feb 2020, 16:00; edited 1 time in total

Joined: 25 May 2012
Posts: 105
Location: Ontario

PostPosted: Sun 05 Jan 2020, 01:02    Post subject: Try pi-hole.  

If you need to control your DNS, try using pi-hole.

It further provides a platform to run some of the pkgs mentioned above.
