Add DNS provider data files and move DNS page

This commit is contained in:
Jonah Aragon 2021-05-11 13:37:53 -05:00
parent f94878ed87
commit a70fa8f0c4
No known key found for this signature in database
GPG Key ID: 6A957C9A9A9429F7
16 changed files with 430 additions and 20 deletions

View File

@ -13,16 +13,10 @@ collections_dir: collections
collections: collections:
evergreen: evergreen:
output: true output: true
permalink: /:name/ permalink: /:slug/
devices: pages:
output: true output: true
permalink: /devices/:path/ permalink: /:path/
software:
output: true
permalink: /software/:path/
providers:
output: true
permalink: /providers/:path/
posts: posts:
permalink: /blog/:year/:month/:day/:title/ permalink: /blog/:year/:month/:day/:title/
people: people:

30
_data/dns/adguard.yml Normal file
View File

@ -0,0 +1,30 @@
title: AdGuard
homepage: 'https://adguard.com/en/adguard-dns/overview.html'
source: 'https://github.com/AdguardTeam/AdGuardDNS/'
anycast: true
locations:
- CY
privacy_policy:
link: 'https://adguard.com/en/privacy/dns.html'
type:
name: Commercial
logs:
policy: true
text: Some
link: 'https://adguard.com/en/privacy/dns.html'
tooltip: >-
We store aggregated performance metrics of our DNS server, namely the number of complete requests to a particular server, the number of blocked requests, the speed of processing requests.
We keep and store the database of domains requested in the last 24 hours. We need this information to identify and block new trackers and threats.
We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters.
protocols:
- name: DoH
- name: DoT
- name: DNSCrypt
dnssec: true
qname_minimization: true
filtering: Based on server choice
providers:
- name: Choopa, LLC
link: 'https://www.choopa.com'
- name: Serveroid, LLC
link: 'https://flops.ru/en/about.html'

29
_data/dns/blahdns.yml Normal file
View File

@ -0,0 +1,29 @@
title: BlahDNS
homepage: 'https://blahdns.com/'
source: 'https://github.com/ookangzheng/blahdns/'
anycast: false
locations:
- FI
- DE
- JP
- SG
privacy_policy:
tooltip: >-
"No Logs" claim on homepage.
type:
name: Hobby Project
logs:
policy: false
protocols:
- name: DoH
- name: DoT
tooltip: Additionally supports port 443
- name: DNSCrypt
dnssec: true
qname_minimization: true
filtering: Some DoH servers can optionally filters ads, trackers, or malicious domains.
providers:
- name: Choopa, LLC
link: 'https://www.choopa.com'
- name: Hetzner Online GmbH
link: 'https://www.hetzner.com/'

25
_data/dns/cloudflare.yml Normal file
View File

@ -0,0 +1,25 @@
title: Cloudflare
homepage: 'https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/'
anycast: true
locations:
- US
privacy_policy:
link: 'https://www.cloudflare.com/privacypolicy/'
type:
name: Commercial
logs:
policy: true
text: Some
link: 'https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/'
tooltip: >-
"Cloudflare collects and stores only the limited DNS query data that is sent to the 1.1.1.1 resolver.
The 1.1.1.1 resolver service does not log personal data,
and the bulk of the limited non-personally identifiable query data is only stored for 25 hours."
protocols:
- name: DoH
- name: DoT
dnssec: true
qname_minimization: true
filtering: Based on server choice.
providers:
- name: Self

23
_data/dns/cznic.yml Normal file
View File

@ -0,0 +1,23 @@
title: CZ.NIC
homepage: 'https://www.nic.cz/odvr/'
anycast: false
locations:
- CZ
privacy_policy:
link: 'https://www.nic.cz/files/documents/20180525_Zasady_zpracovani_osobnich_udaju_AJ.pdf'
tooltip: >-
"CZ.NIC temporarily processes IP addresses of devices you are using and never stores it in permanent logs. CZ.NIC stores these IP addresses only temporarily for a few minutes and then CZ.NIC deletes it permanently."
type:
name: Association
link: 'https://www.nic.cz/page/351/about-association/'
tooltip: >-
"CZ.NIC is an interest association of legal entities, founded in 1998 by leading providers of Internet services."
logs:
policy: false
protocols:
- name: DoH
- name: DoT
dnssec: true
qname_minimization: true
providers:
- name: Self

View File

@ -0,0 +1,27 @@
title: Foundation for Applied Privacy
homepage: 'https://appliedprivacy.net/services/dns/'
anycast: false
locations:
- AT
privacy_policy:
link: 'https://appliedprivacy.net/privacy-policy'
type:
name: Non-Profit
logs:
policy: true
text: Some
link: 'https://applied-privacy.net//privacy-policy/'
tooltip: >-
"We do NOT log your IP address or DNS queries during normal operations.
We do NOT share query data with third parties that are not directly involved with resolving the query
(i.e. sending queries to authoritative nameservers for resolution)."
protocols:
- name: DoH
- name: DoT
tooltip: Additionally supports port 443
dnssec: true
qname_minimization: true
filtering: None
providers:
- name: IPAX OG
link: 'https://www.ipax.at/'

25
_data/dns/libredns.yml Normal file
View File

@ -0,0 +1,25 @@
title: LibreDNS
homepage: 'https://libredns.gr/'
source: 'https://gitlab.com/libreops/libredns'
anycast: false
locations:
- DE
privacy_policy:
link: 'https://libreops.cc/terms.html'
type:
name: Informal Collective
link: 'https://libreho.st/'
tooltip: >-
Part of LibreHosters,
"a network of cooperation and solidarity that uses free software to encourage decentralisation through federation and distributed platforms."
logs:
policy: false
protocols:
- name: DoH
- name: DoT
dnssec: false
qname_minimization: true
filtering: Based on server choice (DoH servers only)
providers:
- name: Hetzner Online GmbH
link: 'https://www.hetzner.com/'

25
_data/dns/nextdns.yml Normal file
View File

@ -0,0 +1,25 @@
title: NextDNS
homepage: 'https://www.nextdns.io/'
anycast: true
locations:
- US
privacy_policy:
link: 'https://www.nextdns.io/privacy'
type:
name: Commercial
logs:
policy: true
text: Optional
tooltip: >-
NextDNS can provide insights and logging features on an opt-in basis.
Users can choose retention times and log storage locations for any logs they choose to keep.
color: info
protocols:
- name: DoH
- name: DoT
- name: DNSCrypt
dnssec: true
qname_minimization: true
filtering: Based on server choice
providers:
- name: Self

26
_data/dns/nixnet.yml Normal file
View File

@ -0,0 +1,26 @@
title: NixNet
homepage: 'https://nixnet.xyz/'
source: 'https://git.nixnet.xyz/NixNet/dns'
anycast: true
locations:
- US
- LU
privacy_policy:
link: 'https://nixnet.xyz/privacy/'
type:
name: Informal Collective
link: 'https://libreho.st/'
tooltip: >-
Part of LibreHosters,
"a network of cooperation and solidarity that uses free software to encourage decentralisation through federation and distributed platforms."
logs:
policy: false
protocols:
- name: DoH
- name: DoT
dnssec: true
qname_minimization: true
filtering: Based on server choice
providers:
- name: Frantech Solutions
link: 'https://frantech.ca/'

20
_data/dns/powerdns.yml Normal file
View File

@ -0,0 +1,20 @@
title: PowerDNS
homepage: 'https://powerdns.org/'
source: 'https://github.com/PowerDNS/pdns'
anycast: false
locations:
- NL
privacy_policy:
link: 'https://powerdns.org/doh/privacy.html'
type:
name: Hobby Project
logs:
policy: false
protocols:
- name: DoH
dnssec: true
qname_minimization: false
filtering: None
providers:
- name: TransIP B.V. Admin
link: 'https://www.transip.nl/'

25
_data/dns/quad9.yml Normal file
View File

@ -0,0 +1,25 @@
title: Quad9
homepage: 'https://quad9.net/'
anycast: true
locations:
- CH
privacy_policy:
link: 'https://quad9.net/policy/'
type:
name: Non-Profit
logs:
policy: true
text: Some
tooltip: >-
"Our normal course of data management does not have any IP address information or other PII logged to disk or transmitted out of the location in which the query was received."
protocols:
- name: DoH
- name: DoT
- name: DNSCrypt
dnssec: true
qname_minimization: true
filtering: Malware blocking by default
providers:
- name: Self
- name: Packet Clearing House
link: 'https://www.pch.net/'

24
_data/dns/snoptya.yml Normal file
View File

@ -0,0 +1,24 @@
title: Snoptya
homepage: 'https://snopyta.org/service/dns/index.html'
anycast: false
locations:
- FI
privacy_policy:
link: 'https://snopyta.org/privacy_policy/'
type:
name: Informal Collective
link: 'https://libreho.st/'
tooltip: >-
Part of LibreHosters,
"a network of cooperation and solidarity that uses free software to encourage decentralisation through federation and distributed platforms."
logs:
policy: false
protocols:
- name: DoH
- name: DoT
dnssec: true
qname_minimization: true
filtering: None
providers:
- name: Hetzner Online GmbH
link: 'https://www.hetzner.com/'

View File

@ -0,0 +1,31 @@
title: UncensoredDNS
homepage: 'https://blog.uncensoreddns.org/'
source: 'https://github.com/AdguardTeam/AdGuardDNS/'
anycast: true
locations:
- DE
- US
privacy_policy:
link: 'https://blog.uncensoreddns.org/faq/'
tooltip: >-
"Absolutely nothing is being logged, neither about the users nor the usage of this service.
I do keep graphs of the total number of queries, but no personally identifiable information is saved.
The data that is saved will never be sold or used for anything except capacity planning of the service."
type:
name: Hobby Project
logs:
policy: false
protocols:
- name: DoH
- name: DoT
dnssec: true
qname_minimization: false
filtering: None
providers:
- name: DeiC
link: 'https://www.deic.dk'
- name: Kracon ApS
link: 'https://kracon.dk'
- name: RGnet OU
- name: Telia Company AB
link: 'https://www.telia.dk'

View File

@ -8,7 +8,7 @@ items:
- type: link - type: link
title: DNS Servers title: DNS Servers
icon: fad fa-map-signs icon: fad fa-map-signs
file: legacy_pages/providers/dns.html file: _pages/providers/dns.md
- type: link - type: link
title: Email Providers title: Email Providers
icon: fad fa-envelope icon: fad fa-envelope

View File

@ -0,0 +1,116 @@
---
layout: page
title: "Encrypted DNS Resolvers"
description: "Don't let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers."
breadcrumb: "DNS"
---
<div class="alert alert-warning" role="alert">
DNS-over-HTTPS, DNS-over-TLS, and DNSCrypt resolvers will not make you anonymous. Using Anonymized DNSCrypt hides <em>only</em> your DNS traffic from your Internet Service Provider. However, using any of these protocols will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here. See the <a href="#dns-definitions">definitions</a> below.
</div>
{% include recommendation-table.html data='dns' %}
## Encrypted DNS Clients for Desktop
{%
include legacy/cardv2.html
title="Unbound"
image="/assets/img/legacy_svg/3rd-party/unbound.svg"
description='A validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been <a href="https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/">independently audited</a>.'
website="https://nlnetlabs.nl/projects/unbound/about/"
github="https://github.com/NLnetLabs/unbound"
%}
{%
include legacy/cardv2.html
title="dnscrypt-proxy"
image="/assets/img/legacy_svg/3rd-party/dnscrypt-proxy.svg"
description='A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and <a href="https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt">Anonymized DNSCrypt</a>, a <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">relay-based protocol that the hides client IP address.</a>'
website="https://github.com/DNSCrypt/dnscrypt-proxy/wiki"
github="https://github.com/DNSCrypt/dnscrypt-proxy"
%}
{%
include legacy/cardv2.html
title="Stubby"
image="/assets/img/legacy_png/3rd-party/stubby.png"
description='An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in <a href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound/Stubbycombination">combination with Unbound</a> by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.'
website="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby"
github="https://github.com/getdnsapi/stubby"
%}
{%
include legacy/cardv2.html
title="Firefox's built-in DNS-over-HTTPS resolver"
image="/assets/img/legacy_svg/3rd-party/firefox_browser.svg"
description='Firefox comes with built-in DNS-over-HTTPS support for <a href="https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/">NextDNS and Cloudflare</a> but users can manually use any other DoH resolver.'
labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.cloudflare.com/1.1.1.1/privacy/firefox::text==Warning::tooltip==Cloudflare logs a limited amount of data about the DNS requests that are sent to their custom resolver for Firefox."
website="https://support.mozilla.org/en-US/kb/firefox-dns-over-https"
privacy-policy="https://wiki.mozilla.org/Security/DOH-resolver-policy"
%}
## Encrypted DNS Clients for Android
{%
include legacy/cardv2.html
title="Android 9's built-in DNS-over-TLS resolver"
image="/assets/img/legacy_svg/3rd-party/android.svg"
description="Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application."
labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_later::text==Warning::tooltip==Android 9's DoT settings have no effect when used concurrently with VPN-based apps which override the DNS."
website="https://support.google.com/android/answer/9089903#private_dns"
%}
{%
include legacy/cardv2.html
title="Nebulo"
image="/assets/img/legacy_png/3rd-party/nebulo.png"
description='An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.'
website="https://git.frostnerd.com/PublicAndroidApps/smokescreen/-/blob/master/README.md"
privacy-policy="https://smokescreen.app/privacypolicy"
fdroid="https://git.frostnerd.com/PublicAndroidApps/smokescreen#f-droid"
googleplay="https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen"
source="https://git.frostnerd.com/PublicAndroidApps/smokescreen"
%}
## Encrypted DNS Clients for iOS
{%
include legacy/cardv2.html
title="DNSCloak"
image="/assets/img/legacy_png/3rd-party/dnscloak.png"
description='An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki">dnscrypt-proxy</a> options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can <a href="https://blog.privacytools.io/adding-custom-dns-over-https-resolvers-to-dnscloak/">add custom resolvers by DNS stamp</a>.'
website="https://github.com/s-s/dnscloak/blob/master/README.md"
privacy-policy="https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view"
ios="https://apps.apple.com/app/id1452162351"
github="https://github.com/s-s/dnscloak"
%}
## Native Operating System Support
<p>
In iOS, iPadOS, tvOS 14 and macOS 11, DoT and DoH were introduced. DoT and DoH are supported natively by installation of profiles (through mobileconfig files opened in <em>Safari</em>).
After installation, the encrypted DNS server can be selected in <em>Settings &rarr; General &rarr; VPN and Network &rarr; DNS</em>.
</p>
<ul>
<li><strong>Signed profiles</strong> are offered by <a href="https://adguard.com/en/blog/encrypted-dns-ios-14.html">AdGuard</a> and <a href="https://apple.nextdns.io/">NextDNS</a>.</li>
</ul>
## Definitions
<p><strong>DNS-over-TLS (DoT):</strong>
A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.
</p>
<p><strong>DNS-over-HTTPS (DoH):</strong>
Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. {% include badge.html color="warning" text="Warning" tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server." link="https://tools.ietf.org/html/rfc8484#section-8.2" icon="fas fa-exclamation-triangle" %}
</p>
<p><strong>DNSCrypt:</strong>
With an <a href="https://dnscrypt.info/protocol/">open specification</a>, DNSCrypt is an older, yet robust method for encrypting DNS.
</p>
<p><strong>Anonymized DNSCrypt:</strong>
A <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">lightweight protocol</a> that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by <a href="#dns-desktop-clients">dnscrypt-proxy</a> and a limited number of <a href="https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/relays.md">relays</a>.
</p>

View File

@ -1,10 +0,0 @@
---
layout: page
permalink: /providers/dns/
title: "Encrypted DNS Resolvers"
description: "Don't let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers."
breadcrumb: "DNS"
---
{% include legacy/sections/dns.html %}