Secure default DNS server - no censoring, no logging, encryption #256
Comments
I ran a local DNS cache with DNSSEC / DNSCrypt and open / uncensored / privacy-oriented resolvers for a while because my ISP DNS resolver was censoring. Bottom line: absolute pain to set up, recurrent request timeouts no matter the setup or servers I picked. Maybe I wasn't up to the task, but I ended up dumping the DNSSEC / DNSCrypt part because it was creating way too many issues. I'm still using a local pdnsd cache with OpenNIC resolvers (six of them queried in parallel, IPv4 and IPv6) and I still end up getting request timeouts once in a while and having to replace some resolvers in the pdnsd configuration because they're down for an extended period (days) despite having supposedly three 9s uptime. I'd like to be proven wrong by someone more comfortable with those technologies than I managed to be, but I personally think they aren't reliable / straightforward enough (yet) to serve as a default here.
The thing is if we get it right once here, it'd be usable for anyone. I hope we can "steal" the configuration from some security-minded distro, such as Tails?
I don't have experience with OpenNIC, but I'm using some of the privacy-focused resolvers successfully. I also have/had a local unbound running. I'm adding some TODOs to the issue.
I think people wanting a super private and secure DNS for their openvpn container should be running it in another container (with secns/unbound for instance). IMO this is a whole separate project by itself and feels quite out of the scope of this one.
You're always able to switch DNS resolvers. When you're running So, the DNS is not hardcoded, it's just the default, which is. That's all #240 had been about. I have to admit, the
It's very easy: Run an unbound container on your host and point the dns-resolvers via
The project's goals are not about privacy. This project wants to deliver a working OpenVPN container. I'd rather use a DNS server which is stable and not so private than something I don't even know. Google's DNS servers are well established and can safely be taken as the default. As long as it's changeable, it's OK. You may want to improve the docs on how to run this container in paranoid mode.
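As an added example (not code from this issue or from the project), here is a shell sketch of the setup described above: an unbound container with a fixed address on a user-defined Docker network, a hardened `unbound.conf` that recurses to the root servers itself, validates DNSSEC, logs nothing and only answers the VPN client subnet, and the OpenVPN config generated with the `-n` option pointing at that address. Assumptions: `UNBOUND_IMAGE` and `OVPN_IMAGE` name images you already have (there is no official unbound image; build your own), the VPN client subnet is 192.168.255.0/24, the project's config generator is invoked as `ovpn_genconfig -u <url> -n <dns-ip>`, the unbound image provides a root trust anchor at `/etc/unbound/root.key`, and the 172.28.0.0/24 network, `vpn.example.com` host name and `has_ad_flag` helper are all hypothetical names chosen for the example. PKI initialisation is omitted; follow the project's README for that.

```shell
#!/bin/sh
# Added example: local unbound resolver for the OpenVPN container.
# Assumptions (not from the issue): UNBOUND_IMAGE / OVPN_IMAGE are your own
# images; the VPN client subnet is 192.168.255.0/24; the project's config
# generator is "ovpn_genconfig" and accepts "-n <dns-ip>"; the unbound image
# ships a root trust anchor at /etc/unbound/root.key (unbound-anchor -a ...).
set -eu

VPN_SUBNET=${VPN_SUBNET:-192.168.255.0/24}
NET_NAME=${NET_NAME:-ovpn-net}
NET_SUBNET=${NET_SUBNET:-172.28.0.0/24}
UNBOUND_IP=${UNBOUND_IP:-172.28.0.53}
UNBOUND_IMAGE=${UNBOUND_IMAGE:-your/unbound-image}   # assumption: your own build
OVPN_IMAGE=${OVPN_IMAGE:-your/openvpn-image}         # assumption: this project's image
VPN_HOST=${VPN_HOST:-vpn.example.com}                # hypothetical host name

# Render a hardened unbound.conf: full recursion (no third-party forwarder),
# DNSSEC validation, no query logging, and queries accepted only from the
# VPN client subnet. $1 = output path, $2 = client subnet allowed to query.
write_unbound_conf() {
    cat > "$1" <<EOF
server:
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Only VPN clients (and the container itself) may use this resolver.
    access-control: 127.0.0.0/8 allow
    access-control: $2 allow
    access-control: 0.0.0.0/0 refuse
    # Validate DNSSEC against the root trust anchor (RFC 5011 auto-update).
    auto-trust-anchor-file: "/etc/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-referral-path: yes
    val-clean-additional: yes
    qname-minimisation: yes
    # Privacy: no identity/version leaks, no query log.
    hide-identity: yes
    hide-version: yes
    verbosity: 0
    log-queries: no
    # Keep answering from cache while an upstream is slow or down.
    prefetch: yes
    serve-expired: yes
    cache-min-ttl: 60
EOF
}

# Read "dig" output on stdin and succeed only if the AD (authenticated data)
# flag is set, i.e. the resolver really validated DNSSEC for that answer.
has_ad_flag() {
    grep -qE '^;; flags:.* ad[ ;]'
}

deploy() {
    write_unbound_conf ./unbound.conf "$VPN_SUBNET"
    docker network inspect "$NET_NAME" >/dev/null 2>&1 ||
        docker network create --subnet "$NET_SUBNET" "$NET_NAME"
    # unbound gets a fixed address so it can be pushed to VPN clients.
    docker run -d --name unbound --restart unless-stopped \
        --network "$NET_NAME" --ip "$UNBOUND_IP" \
        -v "$PWD/unbound.conf:/etc/unbound/unbound.conf:ro" \
        "$UNBOUND_IMAGE"
    # Generate the OpenVPN config with unbound as the pushed DNS (-n),
    # replacing the public default resolver.
    docker run --rm -v ovpn-data:/etc/openvpn "$OVPN_IMAGE" \
        ovpn_genconfig -u "udp://$VPN_HOST" -n "$UNBOUND_IP"
    # The OpenVPN container must sit on the same network so NATed client
    # queries reach $UNBOUND_IP. (PKI init omitted; see the project README.)
    docker run -d --name openvpn --restart unless-stopped \
        --network "$NET_NAME" --cap-add NET_ADMIN -p 1194:1194/udp \
        -v ovpn-data:/etc/openvpn "$OVPN_IMAGE"
}

# From a connected VPN client, confirm validation is actually happening:
#   dig @$UNBOUND_IP +dnssec example.com A | has_ad_flag && echo validated
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

Run it as `sh setup-dns.sh deploy` on the host. The `access-control` lines are what keep this from becoming an open resolver on the Docker bridge, and the `dig` check matters because a resolver that merely forwards without validating will still answer happily, just without the `ad` flag.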
Thanks for the clarifications, @bebehei ! I've changed the issue to reflect that.
I'll try it and then document it. If that's in scope for this project, I'd like to create some hardened config for docker-compose that would automate the process in the
Thanks @bebehei for summing up a number of important details of this project:
Be sure to check the DNSCrypt container if you haven't already. It'll likely be the easiest and most reliable method of running a secure DNS container.
PR #240 proposes making the DNS resolver switchable (from the current Google 8.8.8.8).
I think we should improve privacy and security by having a privacy-minded default DNS.
Here's a list with suggestions:
https://www.doileak.com/blog-DNS%20Server%20for%20privacy.html
The features to look for:
A possible further improvement would be spinning up our own local recursive DNS, such as unbound, for example: https://www.unbound.net/
TODO:
- replace Google's 8.8.8.8 with one of the "privacy oriented" DNS resolvers
- test a local DNS cache (unbound, pdnsd, ...)
- document a docker/unbound image and how to connect to it
- `-n` option to change DNS