Mikaela/mikaela.github.io
1
0
Fork 0
mirror of https://github.com/mikaela/mikaela.github.io/ synced 2025-03-06 06:20:47 +01:00
Code Issues Projects Releases Wiki Activity

n/dns.md: update links, descriptions (especially private/ECS), cleanup

Browse Source
This commit is contained in:
Aminda Suomalainen 2025-02-26 10:56:23 +02:00
parent b7c24fc7c5
commit 38ee06c581
Signed by: Mikaela
GPG Key ID: 99392F62BAE30723
1 changed files with 22 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
n/dns.md
View File

@ -39,7 +39,6 @@ _{{ page.excerpt }} For DNS resolvers, refer to [r/resolv.tsv](/r/resolv.tsv)_
- [Mobile applications](#mobile-applications)
- [Android](#android)
- [Rethink](#rethink)
- [Using Obtainium with APKPure/Aegon](#using-obtainium-with-apkpureaegon)
- [FFUpdater](#ffupdater)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
@ -203,18 +202,19 @@ HTTPS everywhere? Do you know to not accept warnings about certificate issues?
Do the other (less technical) users of your network? Would you or them be a
delicious target? Do you even use GAFAM services?
It's important to remember that authoritative nameserver is the one that knows
where the domain is hosted that you can see through e.g. `whois aminda.eu` which
will reply `lakas.ns.cloudflare.com` and `coco.ns.cloudflare.com`. Thus when you
perform a DNS query with ECS enabled, the USA will know your IP with the
accuracy of 256 users (poor example since
[this site is currently hosted on GitHub pages](https://github.com/Mikaela/mikaela.github.io/issues/153)).
Same as when you visit a domain ending
[`.af`, Afganistan will know](https://en.wikipedia.org/wiki/.af#Restrictions).
See also:
- [_Understanding the Privacy Implications of ECS_](https://yacin.nadji.us/docs/pubs/dimva16_ecs.pdf)
<del>_Later I have been torn on whether the quote above is correct and helps
decrease my digital climate footprint more or less than adblocking on DNS level,
but what really put the scales towards ECS for me was late night GApple update
that was keeping me from sleeping. So ECS is for busy people who want to
sleep?_</del> _The CISA link above makes me question this the very next day
considering I belong to gender and sexual minorities, Pirate Party of Finland,
and everything..._
### Why to use private ECS?
_Android DoH3 option:_
@ -224,7 +224,7 @@ Do you want the benefits of ECS with the privacy and security of not having ECS?
Private ECS is a compromise solution in the middle, although not without its own
issues.
Your private DNS provider will lie for you and say that your IP address is
Your private DNS provider will lie a bit for you and say that your IP address is
somewhere else where it will also place many others from your ISP. However what
if it says you are a customer of another ISP, possibly even located in another
country? It tends to have greater accuracy with IPv4 than IPv6,
@ -238,6 +238,12 @@ In that case you may <del>get even worse performance</del> be in even worse
situation than without ECS. Then again if everything works properly, you will
get the benefit of ECS without the privacy impact and lessened security impact.
I am often observing Cloudflare and other public DNS providers connecting me to
Swedish servers when no ECS is used and so far the only place where I spent
significant amount of time with wrong private ECS was a school and considering
the drawbacks of ECS in the current world situation, I think private ECS is
easily the least bad option.
See the next section for testing "where you are." Consider also what is
important for you if you had to pick one or two from privacy, performance and
climate.
@ -292,7 +298,7 @@ above) tends to be bad poor for IPv6 and for very small AS like a school, it
directs to another side of the country, but that is a very minor issue.
Meanwhile [Quad9] blocking seems almost as good in
[tests like this](https://techblog.nexxwave.eu/public-dns-malware-filters-tested-in-2024/)
[tests like this](https://techblog.nexxwave.eu/public-dns-malware-filters-tested-in-september-2024/)
and they give me impression
[of more transparency](https://quad9.net/about/transparency-report) (as opposed
to
@ -362,7 +368,7 @@ using `cloudflare-dns.com`). **_However is connectivity in limited networks and
maybe a bit faster speed in bad network more important than a level of security
reached by a filtering resolver?_**
Then setup your web browser (including Firefox (other than stable which disables
Then setup your web browser (including Firefox Nightly (other channels disable
`about:config`) and Chrome) to use DNS over HTTPS with your preferred server and
while at it enabling HTTPS only mode.
@ -439,6 +445,8 @@ Hopefully there is no situation where Rethink stops working and thinks it's
still working. As can be deduced from this section, sometimes Rethink and I
disagree with each other. _I don't guarantee I know what I am doing._
<!--
#### Using Obtainium with APKPure/Aegon
I think a few of the blocklists in Rethink are blocking apkpure's domain
@ -458,6 +466,8 @@ breaking Obtainium and their official app and the steps to fix that are:
The `Trust` could also be set globally, but what business does any other app
have for that domain?
-->
### [FFUpdater](https://github.com/Tobi823/ffupdater)
- `https://dns0.eu;2a0f:fc80::;2a0f:fc81::;193.110.81.0;185.253.5.0`