privacyguides.org/_includes/sections/dns.html
Cláudio Júlio Ferraz 6c7cc2100e Firefox "esni" configuration fix (#1230)
The correct configuration name is "network.security.esni.enabled"
2019-08-27 21:49:58 +00:00

436 lines
24 KiB
HTML

<h1 id="dns" class="anchor"><a href="#dns"><i class="fas fa-link anchor-icon"></i></a> Domain Name System (DNS)</h1>
{% include cardv2.html
title="OpenNIC - Service"
image="/assets/img/tools/OpenNIC.png"
description="OpenNIC is an alternate network information center/alternative DNS root which lists itself as an alternative to ICANN and its registries. Like all alternative root DNS systems, OpenNIC-hosted domains are unreachable to the vast majority of the Internet."
website="https://www.opennic.org/"
forum="https://forum.privacytools.io/t/discussion-opennic/338"
github="https://github.com/OpenNIC"
%}
{% include cardv2.html
title="Njalla - Domain Registration"
image="/assets/img/provider/Njalla.png"
description="Njalla only needs your email or jabber address in order to register a domain name for you. Created by people from The Pirate Bay and IPredator VPN. Accepted Payments: Bitcoin, Litecoin, Monero, DASH, Bitcoin Cash and PayPal. A privacy-aware domain registration service."
website="https://njal.la/"
tor="http://njalladnspotetti.onion"
forum="https://forum.privacytools.io/t/discussion-njalla/339"
%}
{% include cardv2.html
title="DNSCrypt - Tool"
image="/assets/img/tools/DNSCrypt.png"
description="A protocol for securing communications between a client and a DNS resolver. The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver."
website="https://dnscrypt.info/"
forum="https://forum.privacytools.io/t/discussion-dnscrypt/340"
github="https://github.com/jedisct1/dnscrypt-proxy"
%}
<h1 id="icanndns" class="anchor"><a href="#icanndns"><i class="fas fa-link anchor-icon"></i></a> Encrypted ICANN DNS Providers</h1>
<div class="alert alert-warning" role="alert">
<strong>Note: Using an encrypted DNS resolver will not make you anonymous, nor hide your internet traffic from your Internet Service Provider. But it will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here.</strong>
</div>
<div class="table-responsive">
<table class="table sortable-theme-bootstrap" data-sortable>
<thead>
<tr>
<th data-sorted="true" data-sorted-direction="ascending">ICANN DNS Provider</th>
<th data-sortable="true">Server Locations</th>
<th data-sortable="false">Privacy Policy</th>
<th data-sortable="true">Type</th>
<th data-sortable="true">Logging</th>
<th data-sortable="true">Protocols</th>
<th data-sortable="true">DNSSEC</th>
<th data-sortable="true">QNAME Minimization</th>
<th data-sortable="true">Filtering</th>
<th data-sortable="true">Source Code</th>
</tr>
</thead>
<tbody>
<tr>
<td data-value="AdGuard">
<a href="https://adguard.com/en/adguard-dns/overview.html">AdGuard</a>
</td>
<td>Anycast (based in
<span class="no-text-wrap">
<span class="flag-icon flag-icon-cy"></span>
Cyprus)
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://adguard.com/en/privacy/dns.html" href="https://adguard.com/en/privacy/dns.html">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td>Commercial</td>
<td>No</td>
<td>DoH, DoT, DNSCrypt</td>
<td>Yes</td>
<td>Yes</td>
<td>Ads, trackers, malicious domains</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://github.com/AdguardTeam/AdGuardDNS/" href="https://github.com/AdguardTeam/AdGuardDNS/">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
</tr>
<tr>
<td data-value="BlahDNS">
<a href="https://blahdns.com/">BlahDNS</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-ch"></span>
Switzerland,
</span>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-jp"></span>
Japan,
</span>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-de"></span>
Germany
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title='"No logs."'>
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td>Hobby Project</td>
<td>No</td>
<td data-value="dot/443">
<span class="no-text-wrap">
DoH,
<span data-toggle="tooltip" data-placement="bottom" data-original-title="Supports port 443 in addition to 853">
<strong>DoT</strong>,
</span>
</span>
DNSCrypt
</td>
<td>Yes</td>
<td>Yes</td>
<td>Ads, trackers, malicious domains <span class="badge badge-warning" data-toggle="tooltip" data-original-title="And some wildcard, IDN, and non-ASCII domains."><a href="https://github.com/ookangzheng/blahdns#default-blocked-wildcard-domain"><i class="fas fa-exclamation-triangle"></i></a></span></td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://github.com/ookangzheng/blahdns/" href="https://github.com/ookangzheng/blahdns/">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
</tr>
<tr>
<td data-value="Cloudflare">
<a href="https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/">Cloudflare</a> <span class="badge badge-warning" data-toggle="tooltip" title="Cloudflare is one of the world's largest networks, and a problem considering anonymity and decentralization."><a href="https://codeberg.org/crimeflare/cloudflare-tor/"><i class="fas fa-exclamation-triangle"></i></a></span>
</td>
<td>Anycast (based in
<span class="no-text-wrap">
<span class="flag-icon flag-icon-us"></span>
US)
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://www.cloudflare.com/privacypolicy/" href="https://www.cloudflare.com/privacypolicy/">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td>Commercial</td>
<td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"We will collect limited DNS query data that is sent to the resolvers. This data does not contain user IP addresses or any other personally identifiable information, and the bulk of the data is only stored for 24 hours."' href="https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/privacy-policy/">Some</a></td>
<td>DoH, DoT, DNSCrypt</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://github.com/cloudflare/dns" href="https://github.com/cloudflare/dns">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
</tr>
<tr>
<td data-value="CZ.NIC">
<a href="https://www.nic.cz/odvr/">CZ.NIC</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-cz"></span>
Czech Republic
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title='"CZ.NIC resolvers neither collect any personal data nor gather information on pages where your computer sends personal data."'>
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"CZ.NIC is an interest association of legal entities, founded in 1998 by leading providers of Internet services."' href="https://www.nic.cz/page/351/about-association/">Association</a></td>
<td>No</td>
<td>DoH, DoT</td>
<td>Yes</td>
<td>Yes</td>
<td data-value="No">?</td>
<td>?</td>
</tr>
<tr>
<td data-value="dnswarden">
<a href="https://github.com/bhanupratapys/dnswarden/blob/master/README.md">dnswarden</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-de"></span>
Germany
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://github.com/bhanupratapys/dnswarden/blob/master/README.md#privacy-policy-and-tc" href="https://github.com/bhanupratapys/dnswarden/blob/master/README.md#privacy-policy-and-tc">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td>Hobby Project</td>
<td>No</td>
<td data-value="dot/443">
<span class="no-text-wrap">
DoH,
<span data-toggle="tooltip" data-placement="bottom" data-original-title="Supports port 443 in addition to 853">
<strong>DoT</strong>,
</span>
</span>
DNSCrypt
</td>
<td>Yes</td>
<td>Yes</td>
<td>Based on server choice</td>
<td>?</td>
</tr>
<tr>
<td data-value="Foundation for Applied Privacy">
<a href="https://appliedprivacy.net/services/dns/">Foundation for Applied Privacy</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-at"></span>
Austria
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://appliedprivacy.net/privacy-policy" href="https://appliedprivacy.net/privacy-policy">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td>Non-Profit</td>
<td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"We do NOT log your IP address or DNS queries during normal operations. We do NOT share query data with third parties that are not directly involved with resolving the query (i.e. sending queries to authoritative nameservers for resolution)."' href="https://appliedprivacy.net/privacy-policy/">Some</a></td>
<td data-value="dot/443">
<span class="no-text-wrap">
DoH,
<span data-toggle="tooltip" data-placement="bottom" data-original-title="Supports port 443 in addition to 853">
<strong>DoT</strong>
</span>
</span>
</td>
<td>Yes</td>
<td>Yes</td>
<td>No</td>
<td>?</td>
</tr>
<tr>
<td data-value="nextdns">
<a href="https://www.nextdns.io/">nextdns</a>
</td>
<td>Anycast (based in
<span class="no-text-wrap">
<span class="flag-icon flag-icon-us"></span>
US)
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://www.nextdns.io/privacy" href="https://www.nextdns.io/privacy">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td>Commercial</td>
<td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"Some of the features require some sort of data retention. In that case, we give our users the choice to granularly or completely disable those features (and associated data retention), and we follow up immediately on that promise"' href="https://www.nextdns.io/privacy">Based on user choice</a></td>
<td>DoH, DoT, DNSCrypt</td>
<td>Yes</td>
<td>Yes</td>
<td>Based on user choice</td>
<td>?</td>
</tr>
<tr>
<td data-value="PowerDNS">
<a href="https://powerdns.org/">PowerDNS</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-nl"></span>
The Netherlands
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://powerdns.org/doh/privacy.html" href="https://powerdns.org/doh/privacy.html">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td>Hobby Project</td>
<td>No</td>
<td>DoH</td>
<td>Yes</td>
<td>No</td>
<td>No</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://github.com/PowerDNS/pdns" href="https://github.com/PowerDNS/pdns">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
</tr>
<tr>
<td data-value="Quad9">
<a href="https://quad9.net/">Quad9</a> <span class="badge badge-warning" data-toggle="tooltip" title="Founders include the Global Cyber Alliance, comprised of the City of London Police and Manhattan District Attorney's Office"><i class="fas fa-exclamation-triangle"></i></span>
</td>
<td>Anycast (based in
<span class="no-text-wrap">
<span class="flag-icon flag-icon-us"></span>
US)
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://quad9.net/policy/" href="https://quad9.net/policy/">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td>Non-Profit</td>
<td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"Our normal course of data management does not have any IP address information or other PII logged to disk or transmitted out of the location in which the query was received."' href="https://quad9.net/policy/">Some</a></td>
<td>DoH, DoT, DNSCrypt</td>
<td>Yes</td>
<td>Yes</td>
<td>Malicious domains</td>
<td>?</td>
</tr>
<tr>
<td data-value="SecureDNS">
<a href="https://securedns.eu/">SecureDNS</a>
</td>
<td>
<span class="no-text-wrap">
<span class="flag-icon flag-icon-nl"></span>
The Netherlands
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://securedns.eu/#privacy" href="https://securedns.eu/#privacy">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td>Hobby Project</td>
<td>No</td>
<td>DoH, DoT, DNSCrypt</td>
<td>Yes</td>
<td>Yes</td>
<td>Based on server choice</td>
<td>?</td>
</tr>
<tr>
<td data-value="UncensoredDNS">
<a href="https://blog.uncensoreddns.org/">UncensoredDNS</a>
</td>
<td>Anycast (based in
<span class="no-text-wrap">
<span class="flag-icon flag-icon-dk"></span>
Denmark)
</span>
</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title='"Absolutely nothing is being logged, neither about the users nor the usage of this service. I do keep graphs of the total number of queries, but no personally identifiable information is saved. The data that is saved will never be sold or used for anything except capacity planning of the service."'>
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
</a>
</td>
<td>Hobby Project</td>
<td>No</td>
<td data-value="doh">DoT</td> <!-- "hack" to group "DoT" values (when sorted) with "DoH" values -->
<td>Yes</td>
<td>No</td>
<td>No</td>
<td>?</td>
</tr>
</tbody>
</table>
<h4>Terms</h4>
<ul>
<li>DNS-over-TLS (DoT) - A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.</li>
<li>DNS-over-HTTPS (DoH) - Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443. <span class="badge badge-warning" data-toggle="tooltip" data-original-title="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server."><a href="https://tools.ietf.org/html/rfc8484#section-8.2"><i class="fas fa-exclamation-triangle"></i></a></span></li>
<li>DNSCrypt - An older yet robust method of encrypting DNS.</li>
</ul>
<h4>How to verify DNS is encrypted</h4>
<ul>
<li>DoH / DoT
<ul>
<li>Check <a href="https://www.dnsleaktest.com/">DNSLeakTest.com</a>. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title="Your DNS provider may not appear with their own name, so compare the responses to what you know or can find about your DNS provider. Just ensure you don't see your ISP or old unencrypted DNS provider."><i class="fas fa-exclamation-triangle"></i></span></li>
<li>Check the website of your DNS provider. They may have a page for telling "you are using our DNS." Examples include <a href="https://adguard.com/en/adguard-dns/overview.html">AdGuard</a> and <a href="https://1.1.1.1/help">Cloudflare</a>.</li>
<li>If using Firefox's trusted recursive resolver (TRR), navigate to <code>about:networking#dns</code>. If the TRR column says "true" for some fields, you are using DoH. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title='Some fields will say "false" depending on the the value of network.trr.mode in about:config'><a href="https://wiki.mozilla.org/Trusted_Recursive_Resolver"><i class="fas fa-exclamation-triangle"></i></a></span></li>
</ul>
</li>
<li>dnscrypt-proxy - Check <a href="https://github.com/jedisct1/dnscrypt-proxy/wiki/Checking">dnscrypt-proxy's wiki on how to verify that your DNS is encrypted</a>.
</li>
<li>DNSSEC - Check <a href="https://dnssec.vs.uni-due.de/">DNSSEC Resolver Test by Matthäus Wander</a>.</li>
<li>QNAME Minimization - Run <code><a href="https://en.wikipedia.org/wiki/Dig_(command)">dig</a> +short txt qnamemintest.internet.nl</code> from the command-line (taken from <a href="https://nlnetlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf">this NLnet Labs presentation</a>). You should see this display: <code>"HOORAY - QNAME minimisation is enabled on your resolver :)!"</code></li>
</ul>
<h3>Worth Mentioning and Additional Information</h3>
<ul>
<li><strong>Encrypted DNS clients for desktop:</strong>
<ul>
<li><em>Firefox</em> comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title='"Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser."'><a href="https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/"><i class="fas fa-exclamation-triangle"></i></a></span> Currently Mozilla is <a href="https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/">conducting studies</a> before enabling DoH by default for all US-based Firefox users.</li>
<ul>
<li>DNS over HTTPS can be enabled in Menu -> Preferences (<code>about:preferences</code>) -> Network Settings -> Enable DNS over HTTPS. Set "Use Provider" to "Custom", and enter your DoH provider's address.</li>
<li>Advanced users may enable it in <code>about:config</code> by setting <code>network.trr.custom_uri</code> and <code>network.trr.uri</code> as the address you find from the documentation of your DoH provider and <code>network.trr.mode</code> as <code>2</code>. It may also be desirable to set <code>network.security.esni.enabled</code> to <code>True</code> in order to enable encrypted SNI and make sites supporting ESNI a bit more difficult to track.</li>
</ul>
</ul>
</li>
<li><strong>Encrypted DNS clients for mobile:</strong>
<ul>
<li><em>Android 9</em> comes with a DoT client by <a href="https://support.google.com/android/answer/9089903">default</a>. <span class="badge badge-warning" data-toggle="tooltip" data-original-title="...but with some caveats"><a href="https://www.quad9.net/private-dns-quad9-android9/"><i class="fas fa-exclamation-triangle"></i></a></span></li>
<li><em><a href="https://apps.apple.com/app/id1452162351">DNSCloak</a></em> - An <a href="https://github.com/s-s/dnscloak">open-source</a> DNSCrypt and DoH client for iOS by <td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"A charitable non-profit host organization for international Free Software projects."' href="https://techcultivation.org/">the Center for the Cultivation of Technology gemeinnuetzige GmbH</a>.</li>
<li><em><a href="https://git.frostnerd.com/PublicAndroidApps/smokescreen/blob/master/README.md">Nebulo</a></em> - An open-source application for Android supporting DoH and DoT. It also supports caching DNS responses and locally logging DNS queries.</li>
</ul>
</li>
<li><strong>Local DNS servers:</strong>
<ul>
<li><em><a href="https://namecoin.info/">Namecoin</a></em> - A decentralized DNS open-source information registration and transfer system based on the Bitcoin cryptocurrency.</li>
<li><em><a href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby">Stubby</a></em> - An open-source application for Linux, macOS, and Windows that acts as a local DNS Privacy stub resolver using DoT.</li>
</ul>
</li>
<li><strong>Network wide DNS servers:</strong>
<ul>
<li><em><a href="https://pi-hole.net/">Pi-hole</a></em> - A network-wide DNS server mainly for the Raspberry Pi. Blocks ads, tracking, and malicious domains for all devices on your network.</li>
<li><em><a href="https://gitlab.com/quidsup/notrack">NoTrack</a></em> - A network-wide DNS server like Pi-hole for blocking ads, tracking, and malicious domains.</li>
</ul>
</li>
<li><strong>Further reading:</strong>
<ul>
<li>On Firefox, DoH and ESNI</li>
<ul>
<li><a href="https://wiki.mozilla.org/Trusted_Recursive_Resolver">Trusted Recursive Resolver (DoH) on MozillaWiki</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1500289">Firefox bug report requesting the ability to use ESNI without DoH</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1542754">Firefox bug report requesting the ability to use Android 9+'s Private DNS (DoT) and benefit from encrypted SNI without having to enable DoH</a></li>
<li><a href="https://blog.cloudflare.com/encrypted-sni/">Encrypt it or lose it: how encrypted SNI works on Cloudflare blog</a></li>
</ul>
<li><a href="https://www.isc.org/blogs/qname-minimization-and-privacy/">QNAME Minimization and Your Privacy</a> by the Internet Systems Consortium (ISC)</li>
<li><a href="https://www.isc.org/dnssec/">DNSSEC and BIND 9</a> by the ISC</li>
</ul>
</li>
</ul>
</div>