n/dns.md

@@ -36,7 +36,7 @@ _For DNS resolvers, refer to [r/resolv.tsv](/r/resolv.tsv)_
 
 - [DNS-OARC's Check My DNS](https://cmdns.dev.dns-oarc.net) - popup under "Network".
 - [dnsleaktest](https://dnsleaktest.com)
-- [whatsmydnsserver](https://www.whatsmydnsserver.com)
+- [whatsmydnsserver](http://www.whatsmydnsserver.com)
 - [ipleak.net](https://ipleak.net)
 - [dnsadblock](https://dnsadblock.com/dns-leak-test/)
 - [browserleaks.net/dns](https://browserleaks.net/dns)
@@ -145,7 +145,7 @@ _Android DoH3 option:_ [?](https://cs.android.com/android/platform/superproject/
 
 Do you want the benefits of ECS with the privacy and security of not having ECS? Private ECS is a compromise solution in the middle, although not without its own issues.
 
-Your private DNS provider will lie for you and say that your IP address is somewhere else where it will also place many others from your ISP. However what if it says you are a customer of another ISP, possibly even located in another country? It tends to have greater accuracy with IPv4 than IPv6, [see AdGuard Google Domains issue](https://adguard-dns.io/en/blog/dns-google-domains-fixed.html).
+Your private DNS provider will lie for you and say that your IP address is somewhere else where it will also place many others from your ISP. However what if it says you are a customer of another ISP, possibly even located in another country?
 
 In that case you may get even worse performance than without ECS. Then again if everything works properly, you will get the benefit of ECS without the privacy impact and lessened security impact.
 
@@ -157,6 +157,54 @@ See also:
 - [AdGuard DNS: Privacy-friendly EDNS Client Subnet](https://adguard-dns.io/en/blog/privacy-friendly-edns-client-subnet.html)
 - [DNS0 Privacy Policy](https://www.dns0.eu/privacy)
 
+<!--
+
+[_Understanding the Privacy Implications of ECS_](https://yacin.nadji.us/docs/pubs/dimva16_ecs.pdf)
+brings up two bigger issues EDNS client-subnet:
+
+- Authoritative nameserver is given part of the subnet, which can be
+  personally identifiable and as the connection between recursor and
+  authoritative is unencrypted, anyone between them can observe all the
+  queries.
+  - Think of VPNs where traffic within the VPN is encrypted, but it won't
+    magically encrypt plain traffic leaving it.
+  - The part given to the au4thoritative nameserver is `/24` on IPv4 and
+    `/56` on IPv6. These equal 192.0.2.x so if a MITM wanted to know who you
+    are there would be 254 options (assuming there are no NATs). On IPv6 a
+    `/56` includes 256 `/64` blocks and `/64` is the most used block and there
+    is a recommendation of giving customers a `/56` block, so it would point
+    directly to your connection. However some mobile operators give a `/64`
+    so it will again point to 256 options again. Not that many.
+- Anyone between the recursive and authoritative nameservers can perform cache
+  poisoning attack and give it a narrow target. With short TTL, it may be
+  impossible to audit afterwards. Only DNSSEC can protect from this, but
+  DNSSEC signing isn't used that widely.
+
+These issues bring additional questions:
+
+- Do you care?
+  - If you run open wireless network and offer everyone ECS nameserver such as
+    Google DNS through DHCP while using manually configured encrypted DNS by
+    yourself, is there any cause for concern? You can always say it was
+    someone using your open network? Or if this is a multi-user system like
+    VPS running titlefetcher bot or Matrix homeserver, who knows who triggered
+    the original queries and where? SteamOS? Speed over all as it's only used
+    for gayming. Virtual machine lab? Who cares. Larger organization? That may
+    be a big target?
+  - How much does getting local content matter to you? More or less than
+    increased resource use of contacting a server further away? _Is private ECS
+    an option?_ ([r/resolv.tsv](/r/resolv.tsv))
+- What is the impact of domains you visit being surveilled?
+  - This page mentions cases like FFUpdater where the surveillance would
+    reveal that I interact with github.com and other sites it downloads apk
+    files from, which hardly matters, but how about you?
+- What is the impact of cache poisoning tailored to you?
+  - Everything is encrypted and TLS certificates wouldn't match so would you
+    continue to the wrong site regardless of the prompt, or decide something
+    is wrong and try again later. How about your users?
+
+-->
+
 ### Identifying support for ECS
 
 Or what is being sent to the authoritative servers.
@@ -196,14 +244,6 @@ Then setup your web browser (including Firefox (other than stable which
 disables `about:config`) and Chrome) to use DNS over HTTPS with your preferred
 server and while at it enabling HTTPS only mode.
 
-Do other Android based OSes contain the special handling?
-
-- GrapheneOS: [yes](https://github.com/GrapheneOS/platform_packages_modules_DnsResolver/blob/13/PrivateDnsConfiguration.h)
-- LineageOS:
-  [yes](https://github.com/LineageOS/android_packages_modules_DnsResolver/blob/lineage-20.0/PrivateDnsConfiguration.h)
-  - /e/OS:
-    [yes](https://gitlab.e.foundation/e/os/android_packages_modules_DnsResolver/-/blob/v1-t/PrivateDnsConfiguration.h)
-
 ### [Rethink](https://github.com/celzero/rethink-app)
 
 **_NOTE!_** This pretends to be a VPN and thus breaks things depending on

r/yama.md

@@ -1,5 +0,0 @@
----
-redirect_to: https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html
-permalink: /r/yama.html
-sitemap: false
----