XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)

All times are UTC - 8 hours




Post new topic Reply to topic  [ 116 posts ]  Go to page Previous  1, 2, 3, 4, 5  Next
Author Message
PostPosted: Tue Mar 28, 2017 9:01 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
I probably don't fully understand how one's private data is captured. What I do: my ISP's DNS is hopefully out of the picture (in my case, big bad Verizon), logging of search requests thwarted, Google link-tracking redirects sanitized one way or another, Google cookies blocked, Google Encrypted used to keep my ISP from knowing where or what I search (or DuckDuckGo or Startpage, which claim not to track searches), anti-tracking programs such as Ghostery + Privacy Badger, or whatever, no third-party cookies allowed and all cookies promptly deleted on a regular basis, no Flash cookies allowed, etc.

OK, DNS has to be provided somehow, and I know what you think of OpenDNS's privacy policy, but even if one were running one's own DNS server, where is the exposure to data mining in the above? What am I leaving out? Besides OpenDNS or an A-V like Sophos, which gets to see what I'm doing (supposedly anonymized), where is the weak link in all this? The sites one visits rat me out?


PostPosted: Tue Mar 28, 2017 9:52 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9247
Location: Caught between the moon and NYC
In theory your ISP could block your ability to use third party DNS servers and redirect those requests to their servers. Some ISPs do this.

Any unencrypted data going out your internet connection could be captured and analyzed by your ISP for monetization purposes. This includes normal DNS requests since they're unencrypted. There is a new dnscrypt standard for encrypted DNS though.

Sadly, what I expect will happen is that ISPs will block customers from using VPN tunnels, since this is now a revenue stream for them. To use one you will probably need to upgrade to a business-class connection, which is typically $10 to $50 more each month. A decade or so ago Comcast was doing exactly this, but as part of the furor over ISPs being prosecuted for customer activities they abandoned it.


PostPosted: Tue Mar 28, 2017 1:18 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
So far, what you appear to be saying is that there are hypotheticals by which my ISP, Verizon, could capture my data, even with another DNS server or with their DNS blocked. But I'm wondering how this applies in the current real world?

You mention dnscrypt-proxy. I'm seeing a checkbox for that in Basic->Network. Will using that make my current DNS more secure from being eavesdropped upon by VZ? It should be compatible with OpenDNS, right? They seem to be associated with each other. Any downsides? Will it slow things down? Also, I would be doing this from Tomato 1.28.0000 MIPSR2-132 K26 Max (not the most current), which probably won't use the new dnscrypt standard you refer to. Should I try using this anyway?


PostPosted: Tue Mar 28, 2017 4:44 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9247
Location: Caught between the moon and NYC
Basically your ISP is capable of capturing and analyzing all non-encrypted traffic flowing over your internet connection. Technically, with some effort, they could break most of your encrypted traffic too (the stuff that uses weak encryption), but for the most part that takes too much effort, so they don't do it.

To be honest I really haven't looked into DNSCrypt. The project has a pretty informative website though:
https://dnscrypt.org/

The Tomato routers at my current site are all running older versions so I don't even have the DNSCrypt option to look at.

I tend to get DNSSEC and DNSCrypt confused. DNSSEC runs over port 53 TCP, DNS runs over port 53 UDP, and DNSCrypt runs over port 443 TCP. The latter is the same as HTTPS so it's unlikely to require any special effort.


PostPosted: Tue Mar 28, 2017 10:45 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9609
Location: North of the State of Jefferson
Your ISP has to handle all your data, so it can (and does) see all bytes flowing over their network to/from your network. Encryption can make it harder to make sense of those bytes, but in the absence of encryption it's trivial for them to see and record everything that you do, then sell it to Acxiom, Experian, Datalogic or their ilk.

In general I suspect that "metadata is the message."

What they collect and how they collect it may depend on their initiative. Simply jotting down DNS queries to their own servers represents little to no effort. Intercepting queries to other servers, or just reading them in transit, might require the equivalent of lifting a finger. All your HTTP data probably already flows through a caching proxy, so making a list of sites you visit that way is also pretty easy, but data-mining the content is probably enough work that they'd have to spend some money to do it on a wholesale basis -- although "some money" is not very much money for a company the size of Verizon. Without data-mining the content they might not capture a lot more that way than they would just by mining the DNS queries. HTTPS doesn't help much at this level because the host name of the HTTPS site you connect to is sent unencrypted (this wasn't always the case, but it is now for technical reasons beyond the scope of this post). They can also record all the IP addresses that you send traffic to in order to build a profile. This doesn't require looking at any protocol nor interfering with traffic, and combined with a tiny bit of bulk analysis would probably yield fascinating insights into your opinions, beliefs, and behavior. They could also use a hybrid approach: more carefully analyze data for high-profile or more valuable domains (e.g. queries sent to the top ten most popular medical and political web sites) and collect general metadata on other Internet usage. Any of these in combination with your 100% guaranteed valid subscriber information, address, service tier, etc., would be a veritable gold mine.

So what are they doing right now? Some ISPs are unequivocally fucking with DNS, and if I were an evil ISP I'd be collating all the DNS queries on a per-account basis, getting them queued up to mail off to the data brokers the moment the ink hits the paper making it unequivocally legal. And I'd have been saving these data getting ready to do this for at least the last year. I can see no realistic downside to doing so. ISPs in most of the country are effectively monopolies, so it's not like you can just switch to a different one. Plus, every one of the large ISPs will probably be gearing up to do the same thing, given how energetically they've lobbied for it being made legal.

So I'm off to shop for a VPS. Rackspace is too expensive (minimum $33/month). OVH is cheap, but at least until fairly recently (I don't know about recently) there hasn't been much outward visible evidence that they're concerned with customers abusing their network. At one point several years ago OVH was about half a step away from "ban on sight," and when I have banned broad swathes of their networks due to rampant abuse no one has ever complained. Linode might be OK: I used to see a lot of abuse from them six years ago, but haven't been in a position to observe it since then. Since the VPS will handle all traffic except streaming video from my home network I don't want a service that's too likely to be blocked by many sites.

- Anonymous
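An added example, not from the post above or from any project the thread mentions, of the point about HTTPS host names: a small parser for the TLS ClientHello's server_name (SNI) extension, run over constructed traffic, showing what a passive tap at the ISP can log from an HTTPS connection without breaking any encryption. The host names and the RFC 5737 documentation addresses are invented, and `build_client_hello` fabricates a minimal ClientHello so the script runs offline. The caveat a practitioner would add: this holds for TLS 1.2 and for TLS 1.3 without Encrypted Client Hello, which was not deployed when this thread was written.

```python
import struct

# Added example: a constructed ClientHello and a parser showing what a passive
# observer (the ISP) can read from an HTTPS connection setup.


def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Build a minimal but well-formed TLS 1.2 ClientHello record.
    Constructed for this example; real browsers send many more extensions."""
    name = server_name.encode("ascii")
    # server_name extension: list_len(2) | name_type(1)=0 host_name | name_len(2) | name
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(entry)) + entry
    extensions = struct.pack("!HH", 0x0017, 0)          # extended_master_secret, empty body
    if include_sni:
        extensions += struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                      # client_version: TLS 1.2
        + bytes(32)                                      # random (zeros; constructed)
        + b"\x00"                                        # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"     # two cipher suites
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host name carried in a ClientHello's server_name extension,
    or None if the bytes are not a ClientHello or carry no SNI."""
    try:
        if len(record) < 5 or record[0] != 0x16:               # not a TLS handshake record
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                        # not a ClientHello
            return None
        p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        off = 2 + 32                                            # skip version + random
        off += 1 + p[off]                                       # session_id
        (cs_len,) = struct.unpack("!H", p[off:off + 2])
        off += 2 + cs_len                                       # cipher_suites
        off += 1 + p[off]                                       # compression_methods
        if off + 2 > len(p):
            return None                                         # no extensions block at all
        (ext_len,) = struct.unpack("!H", p[off:off + 2])
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            data = p[off + 4:off + 4 + elen]
            off += 4 + elen
            if etype != 0x0000:                                 # not server_name: skip it
                continue
            q = 2                                               # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                (nlen,) = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                if ntype == 0:                                  # name_type host_name
                    return data[q:q + nlen].decode("ascii", "replace")
                q += nlen
        return None
    except (IndexError, struct.error):                          # truncated or malformed input
        return None


def tap_summary(flows):
    """What a passive observer logs per flow without touching any crypto:
    the endpoints plus the plaintext SNI, if any. `flows` is (src, dst, dport, payload)."""
    out = []
    for src, dst, dport, payload in flows:
        sni = extract_sni(payload) or "-"
        out.append(f"{src} -> {dst}:{dport} sni={sni}")
    return out


# Constructed sample flows: RFC 5737 documentation addresses and invented host names.
SAMPLE_FLOWS = [
    ("203.0.113.5", "198.51.100.7", 443, build_client_hello("www.example-clinic.test")),
    ("203.0.113.5", "198.51.100.9", 443, build_client_hello("forum.example-party.test")),
    ("203.0.113.5", "198.51.100.9", 80, b"GET / HTTP/1.1\r\nHost: forum.example-party.test\r\n\r\n"),
]

if __name__ == "__main__":
    for line in tap_summary(SAMPLE_FLOWS):
        print(line)
```

The plain-HTTP flow in the sample leaks the same host name in the Host header, so the tap sees the destination either way; the HTTPS flow only hides the path and content.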


PostPosted: Wed Mar 29, 2017 9:25 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
From what both of you are saying, looks like there's little point in doing anything less than getting a VPS + a VPN? Getting all that together seems rather above my pay grade.

On the other hand, in the not-wanting-to-leave-any-rock-unturned dept, I'm still wondering if dnscrypt-proxy in the router (comes built in with Shibby Tomato) offers any real defense against Verizon's privacy intrusion. I've read various things here and there, but it's still very unclear to me what it accomplishes for preventing ISP snooping. In addition to all this, Verizon already has at least 15-20 years of my data. Seems a bit like closing the barn door after....

Besides that*

Image


Image

I checked the dnscrypt-proxy checkbox and saved with the first resolver offered, 4armed. Since this is with OpenDNS, perhaps that should be Cisco? But I have no idea, zip, zilch, what difference the resolver choice makes. Whatever it does, it doesn't appear to stop me from getting around on the Internet.

Image


*First image courtesy Paul Krugman, re. the GOP health care debacle.

EDIT: According to the following, looks like it's not going to do the job I want:
Quote:
DNSCrypt verifies that responses you get from a DNS provider have been actually sent by that provider, and haven't been tampered with.

This is not a VPN. It doesn't mask your IP address, and if you are using it with a public DNS service, be aware that it will (and has to) decrypt your queries.

If you are using it for privacy, it might do the opposite of what you are trying to achieve. If you are using it to prevent VPN "leaks", this isn't the right tool either: the proper way to prevent VPN "leaks" is to avoid sending data to yet another third party: use a VPN service that operates its own DNS resolvers.
https://wiki.openwrt.org/inbox/dnscrypt


PostPosted: Wed Mar 29, 2017 12:12 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9609
Location: North of the State of Jefferson
There are two things that might be relevant:
1) Ensuring you get valid DNS responses, and
2) preventing your ISP from collecting saleable information on your Internet usage.

(1) is much simpler than (2), and I recommend doing something about it because it's so simple. Just configuring dnsmasq will go a long way to ensuring (1). At some point your ISP could decide to be extra-evil and block third-party DNS resolvers, but you can cross that bridge when you come to it.

As for (2), a personal VPN is very easy to set up, unlike a router-based network VPN with your own custom-built endpoint. It's not quite as sure-fire, but at least it solves the problem of Verizon being creepy. Even with a good VPN, (1) may still be appropriate because the VPN doesn't inherently affect your DNS configuration: you could still be talking to a SiteFinder-enabled DNS server.

The VPS is a pretty sure bet, but it is an enormous pain in the keister. I've never built this kind of VPN before so it'll be a learning experience. In the meantime, Linode looks dangerous because while the service starts at $5/month, transfer overages can push the monthly cost in excess of $6500/month, which is more than I'm willing to spend in the event that I accidentally misconfigure something. DigitalOcean doesn't have the downside of Linode, but may be more of a sewer -- at least it seemed so as of a couple years ago.

- Anonymous


PostPosted: Wed Mar 29, 2017 3:02 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9247
Location: Caught between the moon and NYC
DNSCrypt encrypts DNS requests and responses from/to your router. This makes it more difficult for your ISP to spy on DNS traffic.

DNSCrypt implements DNSSEC for queries, which verifies the response to your query is legitimate. People tend to get these two things confused but they are separate.

It doesn't prevent the DNSCrypt provider you choose from spying on your DNS lookups. Ultimately nothing stops your DNS provider from logging and cataloging your DNS lookups, with or without DNSCrypt; DNSCrypt just makes it more difficult for your ISP to perform a MITM attack to gather your data by sending you to their servers instead of your provider's servers. At this point I'm far more worried about my ISP than I am about OpenDNS or any other DNS provider. ISPs have no restrictions now; DNS providers may actually have more restrictions since, by and large, they aren't ISPs.

A decent VPN solution will encrypt all traffic to/from your system or network. Tomato has implementations of OpenVPN built into the router, but performance is shockingly bad on all but very high-end routers, because encryption/decryption is done entirely in the CPU, which is very weak. Even $400 routers have bad VPN performance for this reason: their CPUs are better, but they're still amazingly bad compared to desktop CPUs.

For around $75 or $80 you could get an EdgeRouter Lite, which has an equally bad CPU, but encryption/decryption is offloaded to dedicated hardware, so its performance is correspondingly higher. However, implementing said VPN would require understanding the CLI, which is something I haven't done yet because my workplace has screwed-up priorities.


PostPosted: Wed Mar 29, 2017 3:51 pm 

Joined: Thu Jul 05, 2012 4:02 pm
Posts: 969
Location: Melbourne
The VPN service I use has its own DNS server. I wrote to them some time ago enquiring about this and they said it is more secure using theirs, as it won't leak DNS queries. Little Snitch verifies that mDNSResponder is using theirs.

I am surprised to read US ISPs shall soon be data-mining their customers for fun and profit. In this country they do the same (record everything), except the purpose is government surveillance.


PostPosted: Wed Mar 29, 2017 4:55 pm 
Master

Joined: Sun Apr 20, 2008 5:24 am
Posts: 9609
Location: North of the State of Jefferson
roam wrote:
I am surprised to read US ISPs shall soon be data-mining their customers for fun and profit. In this country they do the same (record everything), except the purpose is government surveillance.

If you really want to understand anything in the US, just ask yourself "so how could a guy make a few $$$ off this?"

Of course the US government also wants these data for surveillance, but perhaps the difference is that it likes to pretend it doesn't. Now the government needn't go to the messy trouble of wiretapping: instead I see no immediately obvious reason it can't simply buy the data it's interested in, thus serving profit and surveillance in one tidy package.*

- Anonymous

* In reality there might be some legal subtlety in another law that makes this untenable, but on the surface it seems plausible.


PostPosted: Wed Mar 29, 2017 5:35 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
MB: thanks for the explanation. I was in fact getting around to asking about what appeared to be a contradiction: what I quoted above, that DNSCrypt does not encrypt DNS requests, and OpenDNS, who say it does (I'm writing from an iPad now, so I can't easily find that reference and quote it here with a link). Very good to know that using dnscrypt-proxy in Tomato should help, at least to some extent, to get Verizon out of the picture.

But what about that list of resolvers in my screenshot? Cisco, since they are OpenDNS now? If not Cisco, any idea which one is trustworthy?

And I don't yet understand what those resolvers in that dropdown do, since I thought OpenDNS was dealing with all my DNS resolution.

(Never knew that the demise of that N12 would lead to all this.)


PostPosted: Wed Mar 29, 2017 6:04 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9247
Location: Caught between the moon and NYC
I'm pretty sure that build of Tomato was made before Cisco acquired OpenDNS.

Currently OpenDNS handles all your port 53 udp DNS needs. However if you opt for DNSCrypt then whatever provider you choose in DNSCrypt will handle it.

You'll probably want to nuke most of the options in advanced DNS or at least comment them out to avoid conflicting settings.

As far as Cisco goes, most of what I've read comes from the tinfoil hat side of things, which insists Cisco is an arm of the US government so there's no way we should ever choose them. I think they need to start listening to their doctors.


PostPosted: Thu Mar 30, 2017 7:36 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
MB: Sorry this is dragging on. Will completely understand if you run out of patience for any more of this. A lot to look at here, but I'm in no rush. Whenever you have the time.

No matter which resolver I use, I'm still seeing all the current OpenDNS IPs at https://www.dnsleaktest.com/, as well as the correct report for the Welcome to OpenDNS link.

Latest one I've tried is dnscrypt.org-fr, just for testing purposes.

From the most recent log after a router reboot:

Mar 30 09:54:03 unknown daemon.info dnscrypt-proxy[507]: Refetching server certificates
Mar 30 09:54:03 unknown daemon.info dnscrypt-proxy[507]: Server certificate #1490391488 received
Mar 30 09:54:03 unknown daemon.info dnscrypt-proxy[507]: This certificate looks valid
Mar 30 09:54:03 unknown daemon.info dnscrypt-proxy[507]: Chosen certificate #1490391488 is valid from [2017-03-25] to [2018-03-25]
Mar 30 09:54:03 unknown daemon.info dnscrypt-proxy[507]: Server key fingerprint is E7F8:4477:BF89:1434:1ECE:23F0:D6A6:6EB9:4F45:3167:D71F:80BB:4E80:A04F:F180:F778
Mar 30 09:54:03 unknown daemon.notice dnscrypt-proxy[507]: Proxying from 127.0.0.1:40 to 208.67.220.220:443
Mar 30 10:54:39 unknown cron.err crond[461]: time disparity of 24848094 minutes detected


Checking 212.47.228.136:443 with nslookup reports:

nslookup 212.47.228.136:443
Server: 192.168.1.1
Address: 192.168.1.1#53

** server can't find 212.47.228.136:443: NXDOMAIN


Or is that not incorrect, since it should be going out on port 443, and the NXDOMAIN it's reporting happens because it can't resolve the :443 suffix? So maybe that's a red herring? 212.47.228.136 is the correct IP for dnscrypt.org-fr.

When I search for 212.47.228.136:443, I get a number of hits showing the same issue. Particularly this one (not sure the replies are all that relevant to my situation, just citing this one as an example):
Quote:
Hello, I have tested about 10 different dnscrypt-proxy servers today but all show the IP of my DNS provider? I tested at dnsleaktest.com.
What could be wrong? I have no errors in syslog on my Asus RT-AC68U..... Is it possible the dnsleaktest site does not show properly? Is there another way to test if dnscrypt-proxy is working OK or not? https://www.snbforums.com/threads/dns-l ... dns.30564/

Some questions:

-Do I need to uncheck Intercept DNS port (UDP 53) in order to prevent the current dnsmasq from overriding dnscrypt?
-If not, what should I be adding or commenting out in the current dnsmasq config:

#Only use DNS servers configured here
no-resolv
#Never forward non-routable address requests
bogus-priv
#Never forward requests w/o a .TLD
domain-needed
#Stop ACK and REQ DHCP spam
quiet-dhcp
#Prevent proxy server request spam
dhcp-option=252,"\n"
#Larger cache for dnsmasq
cache-size=5000
#Larger queue for logging
log-async=10

#strict-order (not used)
#OpenDNS servers
server=208.67.222.222
server=208.67.220.220
server=208.67.222.220
server=208.67.220.222

#Level3 servers
#server=4.2.2.1
#server=4.2.2.2

#Block Verizon DNS servers
bogus-nxdomain=71.243.0.12
bogus-nxdomain=68.237.161.12

#Block iOS update
#address=/mesu.apple.com/10.255.255.1


-For this to work, do I need to stop using OpenDNS in Dynamic DNS 1 in Basic>DDNS?

-You say:
Quote:
You'll probably want to nuke most of the options in advanced DNS or at least comment them out to avoid conflicting settings.
So what about these settings?

Image

-Or what else do I have to look at? Aside from simply checking the dnscrypt-proxy checkbox and setting a resolver, I'm not finding any decent instructions for doing this in Tomato.


PostPosted: Thu Mar 30, 2017 8:17 am 
Benevolent Dictator

Joined: Mon Apr 21, 2008 2:03 am
Posts: 14420
Roam... has the weather got you down under?


PostPosted: Thu Mar 30, 2017 11:00 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9247
Location: Caught between the moon and NYC
Either delete or comment out everything in advanced DNS. Some of those settings are going to override changes you make anywhere else in the GUI.

You'll also want to go into ddns and disable opendns there as well.

Intercept DNS just prevents your clients from using servers other than the router. If a client tries to talk to an external DNS server it redirects that traffic to the router's DNS server. At least for port 53 udp DNS traffic.

Sorry for the short response, work's keeping me busy.


PostPosted: Thu Mar 30, 2017 2:32 pm 

Joined: Thu Jul 05, 2012 4:02 pm
Posts: 969
Location: Melbourne
BDAqua wrote:
Roam... has the weather got you down under?

Hi BD, no, I'm a long way from that tropical part of the country. Every year there are cyclones (hurricanes), and every few years some place gets wiped out. Once they make landfall they turn into tropical lows, and the heavy rain creates floods. One place since yesterday morning received 600mm, which is two feet.
I'm happy to live at this latitude - though it can get a bit hot in summer.


PostPosted: Thu Mar 30, 2017 2:39 pm 

Joined: Thu Jul 05, 2012 4:02 pm
Posts: 969
Location: Melbourne
Anonymous wrote:
Of course the US government also wants these data for surveillance, but perhaps the difference is that it likes to pretend it doesn't.

Yes, now you mention that, it could be getting two birds with one stone. In Australia the debate raged for years, with the government trying to legislate to force ISPs to collect all metadata. In the end they got the law through, and now all metadata is collected and stored for two years on a continuous basis.


PostPosted: Thu Mar 30, 2017 2:45 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9247
Location: Caught between the moon and NYC
Upon some further reflection, now that I have working eyesight again (I got something in my eye that caused an allergic reaction), getting a VPN implemented on a cost-effective basis would probably mean using VPN clients on each device rather than having the router itself run the VPN tunnel. I would probably still want to run dnscrypt on the router so that it doesn't leak as much data. The problem is that getting a router beefy enough to run a VPN tunnel at modern broadband speeds requires quite a bit of change, whereas desktops and laptops have oodles of CPU power to spare. The downside is that tablets, phones, etc. usually have a pretty lousy VPN ecosystem, so getting a client working there could be a challenge. So long as your internet connection is slow enough, the ER3Lite would probably work, but it doesn't take much to reach the point where you basically will want a PC to be the router.

Although, I do have to say, this really piques my interest:
https://www.amazon.com/dp/B01G45XVBO/

Which probably says something about me. :lol:


PostPosted: Thu Mar 30, 2017 6:01 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
MonkeyBoy wrote:
Either delete or comment out everything in advanced DNS. Some of those settings are going to override changes you make anywhere else in the GUI.

You'll also want to go into ddns and disable opendns there as well.

Intercept DNS just prevents your clients from using servers other than the router. If a client tries to talk to an external DNS server it redirects that traffic to the router's DNS server. At least for port 53 udp DNS traffic.

So besides deleting all or commenting out most of my dnsmasq config (I'm supposing that's what you mean by "advanced DNS"), what about what's checked there (screenshot above)? What has to be unchecked, if anything? And what kind of tradeoff am I making in getting DNS encrypted vs. losing all or most of my dnsmasq config? Any downside to that?

And if I disable OpenDNS in DDNS (I'm also losing the four OpenDNS IPs in dnsmasq), how do I not lose OpenDNS? My idea was to keep OpenDNS plus dnscrypt-proxy. Does keeping the two OpenDNS IPs in Static DNS do that?


PostPosted: Thu Mar 30, 2017 6:23 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9247
Location: Caught between the moon and NYC
Sorry, by Advanced DNS I meant Advanced -> DHCP/DNS, which is where you enter in custom options for dnsmasq. By entering options there you are overriding options set everywhere else in the GUI. You probably could/should leave the bogus-nxdomain lines in place but some of the commands at start assume you will solely be configuring dnsmasq through the text entries, which you are not, especially during this initial stage. The server lines override any servers configured anywhere else, for example.

Essentially the configuration in advanced overrode options you were setting in the GUI, which is why you were stuck with opendns. Only by removing the troublesome configuration options and removing the ddns configuration will your dnscrypt selections have any hope of working. Since you're unfamiliar with the options removing them all seemed the most appropriate first step to take.

Ugh. I'm heading home to rinse my eye out and take some benadryl... my eye is aching from whatever the hell that was...


PostPosted: Thu Mar 30, 2017 6:40 pm 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
Quote:
Sorry, by Advanced DNS I meant Advanced -> DHCP/DNS, which is where you enter in custom options for dnsmasq. By entering options there you are overriding options set everywhere else in the GUI. You probably could/should leave the bogus-nxdomain lines in place but some of the commands at start assume you will solely be configuring dnsmasq through the text entries, which you are not, especially during this initial stage. The server lines override any servers configured anywhere else, for example.

Essentially the configuration in advanced overrode options you were setting in the GUI, which is why you were stuck with opendns. Only by removing the troublesome configuration options and removing the ddns configuration will your dnscrypt selections have any hope of working. Since you're unfamiliar with the options removing them all seemed the most appropriate first step to take.


In that case, what about removing everything except the following? I don't want to lose anything useful that won't conflict with dnscrypt-proxy.

#Never forward non-routable address requests
bogus-priv
#Never forward requests w/o a .TLD
domain-needed
#Stop ACK and REQ DHCP spam
quiet-dhcp
#Prevent proxy server request spam
dhcp-option=252,"\n"
#Larger cache for dnsmasq
cache-size=5000
#Larger queue for logging
log-async=10

#Block Verizon DNS servers
bogus-nxdomain=71.243.0.12
bogus-nxdomain=68.237.161.12

#Block iOS update
#address=/mesu.apple.com/10.255.255.1


What else there has to go? The two initial "Never forward..." lines?

Only when you feel better and have a little time. I'm in no hurry to do this.


PostPosted: Thu Mar 30, 2017 7:19 pm 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9247
Location: Caught between the moon and NYC
Since you're troubleshooting and you never know what options are going to affect the new code, I would comment out or remove everything before bogus-nxdomain.

Once you have it working then you can start adding sections back in. no-resolv will stay out.

The options are mostly defined here:
http://www.thekelleys.org.uk/dnsmasq/do ... q-man.html

"Don't read /etc/resolv.conf. Get upstream servers only from the command line or the dnsmasq configuration file." Since the configuration file is blank and the command line doesn't include servers you should leave no-resolv out. resolv.conf should get built appropriately based on the options you select in the GUI.

"Use received DNS with user-entered DNS" controls whether the DNS servers handed out by DHCP/PPPoE on the WAN port get used alongside whatever options you configure in the GUI. In this instance you don't want them. Tomato itself may use the WAN servers for its purposes but that's OK, it needs DNS servers to do NTP lookups and whatnot. So you'll definitely want to leave that unchecked.


PostPosted: Fri Mar 31, 2017 8:03 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 5822
Location: NYC
Looking good so far, at least from what I can tell:

Commented out everything except bogus-nxdomain, removed OpenDNS from DDNS, and have started using dnscrypt.org-fr, which appears to be decently rated here:
Quote:
Same here use Dnscrypt for DNS Lookups but I do prefer the servers in the below order for their various Non Logging, DNSSEC Validation and NameCoin resolution capabilities.

dnscrypt.org-fr
cloudns-can
cloudns-syd
dnscrypt.eu-dk

Privacy protection is much better in Europe. I'm not seeing any very worrisome delays in getting to sites, or loss of speed, even though the DNS is now a bit roundabout. Checked using https://www.dnsleaktest.com/, which now shows only the dnscrypt.org-fr DNS IP, and checked with the DNSSEC Resolver Test at http://dnssec.vs.uni-due.de/, which shows DNSSEC working.

Also, doing a dig resolver.dnscrypt.org gives me the following
dig resolver.dnscrypt.org

; <<>> DiG 9.8.3-P1 <<>> resolver.dnscrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34150
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1252
;; QUESTION SECTION:
;resolver.dnscrypt.org. IN A

;; ANSWER SECTION:
resolver.dnscrypt.org. 60 IN A 212.47.228.136

;; Query time: 128 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Mar 31 10:58:46 2017
;; MSG SIZE rcvd: 66


Looks like OpenDNS is still working, judging from the link https://www.opendns.com/welcome/. But I'm not really sure what its function is now, if it's no longer doing DNS lookups.

Also discovered that setting media.peerconnection.enabled to false in about:config stops my internal IP from showing. Discovered this at https://ipleak.net/

Wondering now what the most important or useful items might be to start trying to add back in to Dnsmasq? Thanks for all the help with this.


PostPosted: Sat Apr 01, 2017 12:39 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9247
Location: Caught between the moon and NYC
Krebs had a good writeup on VPNs the other day. As part of poking around I discovered the term "Fourteen Eyes", which refers to fourteen countries that have agreed to cooperate with each other on intelligence and security; it was originally a secret Cold War agreement, in one case not even disclosed to the political leaders running the country. France is part of 9 Eyes. The fewer the eyes, the greater the level of cooperation.

https://en.wikipedia.org/wiki/UKUSA_Agr ... parties.22


Under Status -> Logs you can check on what DNS servers are in use. Look there after pressing save on advanced -> dns/dhcp since that reloads dnsmasq. When dnsmasq is loaded it lists information about the dns servers in use and some other configuration options. With "strict order" selected under dnscrypt proxy on basic -> network it should always hit the dnscrypt proxy first.

Interesting thing about media.peerconnection.enabled is I didn't have to reload FF for the setting to take effect, it immediately started working.

I have these options enabled:
#Never forward non-routable address requests
bogus-priv
#Never forward requests w/o a .TLD
domain-needed
#Larger cache for dnsmasq
cache-size=10000
#Larger queue for logging
log-async=15

However, I'm seeing my ISP's servers in the DNS servers list (the log that's created when dnsmasq is restarted), so I'll have to puzzle through how to purge them from existence after I've gotten some sleep.

Oh. I know the DNSSEC keys just got updated last week (technically they added a key, the old key is still present), but I don't know if that affects DNSCrypt or not. Shibby's currently working on paying projects which is why he's gone silent.

Edit: Oh. That was easy. Fill up the Static DNS entries on Basic -> Network. The ISP's DNS entries get pushed out. And unlike entries on Advanced -> DHCP/DNS they show up after DNSCrypt.
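An added check, example code that is not from the thread or from Tomato/Shibby, for the two things the last several posts verify by eye: that dnscrypt-proxy is actually talking to the chosen resolver under a certificate that is valid today, and that dnsmasq's startup log (Status -> Logs, after saving Advanced -> DHCP/DNS) lists no upstream other than the local dnscrypt-proxy listener. The sample log is constructed, modelled on the dnscrypt-proxy and dnsmasq lines quoted earlier in the thread; the dnsmasq "using nameserver" line is its real startup format, the ISP addresses are the ones from the posted bogus-nxdomain lines, and the expected resolver IP is the dnscrypt.org-fr address from the posted dig output. It assumes dnscrypt-proxy listens on 127.0.0.1:40, as in the posted log.

```python
import re
from datetime import date

# Constructed sample syslog, modelled on the dnscrypt-proxy and dnsmasq lines quoted in
# the thread. The last two dnsmasq upstreams are the Verizon servers from the posted config.
SAMPLE_LOG = """\
Mar 30 09:54:03 unknown daemon.info dnscrypt-proxy[507]: Refetching server certificates
Mar 30 09:54:03 unknown daemon.info dnscrypt-proxy[507]: Server certificate #1490391488 received
Mar 30 09:54:03 unknown daemon.info dnscrypt-proxy[507]: Chosen certificate #1490391488 is valid from [2017-03-25] to [2018-03-25]
Mar 30 09:54:03 unknown daemon.notice dnscrypt-proxy[507]: Proxying from 127.0.0.1:40 to 208.67.220.220:443
Mar 30 09:54:04 unknown daemon.info dnsmasq[461]: started, version 2.76 cachesize 5000
Mar 30 09:54:04 unknown daemon.info dnsmasq[461]: using nameserver 127.0.0.1#40
Mar 30 09:54:04 unknown daemon.info dnsmasq[461]: using nameserver 71.243.0.12#53
Mar 30 09:54:04 unknown daemon.info dnsmasq[461]: using nameserver 68.237.161.12#53
"""

PROXY_RE = re.compile(r"dnscrypt-proxy\[\d+\]: Proxying from (\S+) to (\S+)")
CERT_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: Chosen certificate #\d+ is valid from "
    r"\[(\d{4}-\d{2}-\d{2})\] to \[(\d{4}-\d{2}-\d{2})\]"
)
UPSTREAM_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver (\S+)#(\d+)")


def parse_dnscrypt_proxy(lines):
    """Listener, upstream resolver and certificate window reported by dnscrypt-proxy.
    Later lines win, so a restart mid-log reports the most recent state."""
    info = {"listen": None, "upstream": None, "valid_from": None, "valid_to": None}
    for line in lines:
        m = PROXY_RE.search(line)
        if m:
            info["listen"], info["upstream"] = m.group(1), m.group(2)
        m = CERT_RE.search(line)
        if m:
            info["valid_from"] = date.fromisoformat(m.group(1))
            info["valid_to"] = date.fromisoformat(m.group(2))
    return info


def parse_dnsmasq_upstreams(lines):
    """Upstreams dnsmasq announced at startup, as 'ip#port' strings."""
    found = []
    for line in lines:
        m = UPSTREAM_RE.search(line)
        if m:
            found.append(f"{m.group(1)}#{m.group(2)}")
    return found


def audit(log_text, expected_resolver_ip, today=None):
    """Return a list of findings. An empty list means every dnsmasq upstream is the local
    dnscrypt-proxy, which forwards to the expected resolver under a currently valid certificate."""
    today = today or date.today()
    lines = log_text.splitlines()
    findings = []
    proxy = parse_dnscrypt_proxy(lines)
    if proxy["upstream"] is None:
        return ["dnscrypt-proxy never logged a 'Proxying from' line; it is probably not running"]
    upstream_ip = proxy["upstream"].rsplit(":", 1)[0]
    if upstream_ip != expected_resolver_ip:
        findings.append(f"dnscrypt-proxy forwards to {proxy['upstream']}, "
                        f"not the expected resolver {expected_resolver_ip}")
    if proxy["valid_to"] is None:
        findings.append("no certificate window logged; the resolver certificate was never validated")
    elif not (proxy["valid_from"] <= today <= proxy["valid_to"]):
        findings.append(f"resolver certificate window {proxy['valid_from']}..{proxy['valid_to']} "
                        f"does not cover {today}")
    proxy_listen = proxy["listen"].replace(":", "#")       # "127.0.0.1:40" -> "127.0.0.1#40"
    for up in parse_dnsmasq_upstreams(lines):
        if up != proxy_listen:
            findings.append(f"dnsmasq also forwards to {up}; plaintext port-53 queries bypass dnscrypt-proxy")
    return findings


if __name__ == "__main__":
    # 212.47.228.136 is dnscrypt.org-fr per the dig output posted in the thread.
    for finding in audit(SAMPLE_LOG, "212.47.228.136"):
        print("FINDING:", finding)
```

Without strict-order, dnsmasq is free to send any query to whichever listed upstream has been responding fastest, so one leftover ISP server in that list means some fraction of lookups still leaves in plaintext on port 53, which is exactly what dnsleaktest.com reports. The mismatch finding also covers the case where the GUI resolver choice was overridden and dnscrypt-proxy quietly kept talking to a different resolver.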


PostPosted: Sat Apr 01, 2017 2:59 am 

Joined: Thu May 15, 2008 8:13 pm
Posts: 9247
Location: Caught between the moon and NYC
Gosh, amazing what happens when you start reading the man page. trust-anchor is a configuration option, so it could be used to add the new dnssec cert.

Okay, this time I really am going to sleep.

