n/dns.md: note DNS0 brownie points as another hand to overseas round-trip issue

.pre-commit-config.yaml

@@ -68,7 +68,7 @@ repos:
           ]
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.31.1
+    rev: 0.31.2
     hooks:
       - id: check-dependabot
       - id: check-github-actions

Gemfile.lock

@@ -119,24 +119,24 @@ GEM
       jekyll-feed (~> 0.9)
       jekyll-seo-tag (~> 2.1)
     minitest (5.25.4)
-    nokogiri (1.18.2)
+    nokogiri (1.18.3)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nokogiri (1.18.2-aarch64-linux-gnu)
+    nokogiri (1.18.3-aarch64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.2-aarch64-linux-musl)
+    nokogiri (1.18.3-aarch64-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.18.2-arm-linux-gnu)
+    nokogiri (1.18.3-arm-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.2-arm-linux-musl)
+    nokogiri (1.18.3-arm-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.18.2-arm64-darwin)
+    nokogiri (1.18.3-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.2-x86_64-darwin)
+    nokogiri (1.18.3-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.2-x86_64-linux-gnu)
+    nokogiri (1.18.3-x86_64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.2-x86_64-linux-musl)
+    nokogiri (1.18.3-x86_64-linux-musl)
       racc (~> 1.4)
     pathutil (0.16.2)
       forwardable-extended (~> 2.6)
@@ -152,40 +152,38 @@ GEM
     rexml (3.4.1)
     rouge (4.5.1)
     safe_yaml (1.0.5)
-    sass-embedded (1.85.0)
+    sass-embedded (1.85.1)
       google-protobuf (~> 4.29)
       rake (>= 13)
-    sass-embedded (1.85.0-aarch64-linux-android)
+    sass-embedded (1.85.1-aarch64-linux-android)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-aarch64-linux-gnu)
+    sass-embedded (1.85.1-aarch64-linux-gnu)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-aarch64-linux-musl)
+    sass-embedded (1.85.1-aarch64-linux-musl)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-aarch64-mingw-ucrt)
+    sass-embedded (1.85.1-aarch64-mingw-ucrt)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-arm-linux-androideabi)
+    sass-embedded (1.85.1-arm-linux-androideabi)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-arm-linux-gnueabihf)
+    sass-embedded (1.85.1-arm-linux-gnueabihf)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-arm-linux-musleabihf)
+    sass-embedded (1.85.1-arm-linux-musleabihf)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-arm64-darwin)
+    sass-embedded (1.85.1-arm64-darwin)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-riscv64-linux-android)
+    sass-embedded (1.85.1-riscv64-linux-android)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-riscv64-linux-gnu)
+    sass-embedded (1.85.1-riscv64-linux-gnu)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-riscv64-linux-musl)
+    sass-embedded (1.85.1-riscv64-linux-musl)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-x86_64-cygwin)
+    sass-embedded (1.85.1-x86_64-darwin)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-x86_64-darwin)
+    sass-embedded (1.85.1-x86_64-linux-android)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-x86_64-linux-android)
+    sass-embedded (1.85.1-x86_64-linux-gnu)
       google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-x86_64-linux-gnu)
-      google-protobuf (~> 4.29)
-    sass-embedded (1.85.0-x86_64-linux-musl)
+    sass-embedded (1.85.1-x86_64-linux-musl)
       google-protobuf (~> 4.29)
     securerandom (0.4.1)
     syntax_tree (6.2.0)
@@ -206,7 +204,7 @@ GEM
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.6.0)
-    uri (1.0.2)
+    uri (1.0.3)
     webrick (1.9.1)
 
 PLATFORMS

n/dns.md

@@ -39,7 +39,6 @@ _{{ page.excerpt }} For DNS resolvers, refer to [r/resolv.tsv](/r/resolv.tsv)_
 - [Mobile applications](#mobile-applications)
   - [Android](#android)
   - [Rethink](#rethink)
-    - [Using Obtainium with APKPure/Aegon](#using-obtainium-with-apkpureaegon)
   - [FFUpdater](#ffupdater)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
@@ -203,18 +202,19 @@ HTTPS everywhere? Do you know to not accept warnings about certificate issues?
 Do the other (less technical) users of your network? Would you or them be a
 delicious target? Do you even use GAFAM services?
 
+It's important to remember that authoritative nameserver is the one that knows
+where the domain is hosted that you can see through e.g. `whois aminda.eu` which
+will reply `lakas.ns.cloudflare.com` and `coco.ns.cloudflare.com`. Thus when you
+perform a DNS query with ECS enabled, the USA will know your IP with the
+accuracy of 256 users (poor example since
+[this site is currently hosted on GitHub pages](https://github.com/Mikaela/mikaela.github.io/issues/153)).
+Same as when you visit a domain ending
+[`.af`, Afganistan will know](https://en.wikipedia.org/wiki/.af#Restrictions).
+
 See also:
 
 - [_Understanding the Privacy Implications of ECS_](https://yacin.nadji.us/docs/pubs/dimva16_ecs.pdf)
 
-<del>_Later I have been torn on whether the quote above is correct and helps
-decrease my digital climate footprint more or less than adblocking on DNS level,
-but what really put the scales towards ECS for me was late night GApple update
-that was keeping me from sleeping. So ECS is for busy people who want to
-sleep?_</del> _The CISA link above makes me question this the very next day
-considering I belong to gender and sexual minorities, Pirate Party of Finland,
-and everything..._
-
 ### Why to use private ECS?
 
 _Android DoH3 option:_
@@ -224,7 +224,7 @@ Do you want the benefits of ECS with the privacy and security of not having ECS?
 Private ECS is a compromise solution in the middle, although not without its own
 issues.
 
-Your private DNS provider will lie for you and say that your IP address is
+Your private DNS provider will lie a bit for you and say that your IP address is
 somewhere else where it will also place many others from your ISP. However what
 if it says you are a customer of another ISP, possibly even located in another
 country? It tends to have greater accuracy with IPv4 than IPv6,
@@ -238,6 +238,12 @@ In that case you may <del>get even worse performance</del> be in even worse
 situation than without ECS. Then again if everything works properly, you will
 get the benefit of ECS without the privacy impact and lessened security impact.
 
+I am often observing Cloudflare and other public DNS providers connecting me to
+Swedish servers when no ECS is used and so far the only place where I spent
+significant amount of time with wrong private ECS was a school and considering
+the drawbacks of ECS in the current world situation, I think private ECS is
+easily the least bad option.
+
 See the next section for testing "where you are." Consider also what is
 important for you if you had to pick one or two from privacy, performance and
 climate.
@@ -285,14 +291,16 @@ dig +short TXT whoami-ecs.v4.powerdns.org.
 In my experience [DNS0.eu] tends to have better filtering and
 [reporting options](https://www.dns0.eu/report) than [Quad9], while
 [servers being located only in](https://www.dns0.eu/network) the
-[European Union](https://european-union.europa.eu) is mildly problematic when
-your users start traveling outside it either for work or leisure, which across
-continents tends to bring round-trips overseas. Additionally private ECS (see
-above) tends to be bad poor for IPv6 and for very small AS like a school, it
-directs to another side of the country, but that is a very minor issue.
+[European Union](https://european-union.europa.eu) may either be free brownie
+points on not sending DNS queries outside of the EU or mildly problematic when
+your users start traveling outside the EU which which brings round-trips
+overseas. Additionally private ECS (see above) tends to be bad poor for IPv6 and
+for very small AS like a school, it directs to another side of the country, but
+that is a very minor issue, as opposed to constantly being directed to another
+country.
 
 Meanwhile [Quad9] blocking seems almost as good in
-[tests like this](https://techblog.nexxwave.eu/public-dns-malware-filters-tested-in-2024/)
+[tests like this](https://techblog.nexxwave.eu/public-dns-malware-filters-tested-in-september-2024/)
 and they give me impression
 [of more transparency](https://quad9.net/about/transparency-report) (as opposed
 to
@@ -311,33 +319,6 @@ other options; [default filters](https://www.dns0.eu),
 [DNS0.eu]: https://www.dns0.eu
 [Quad9]: https://quad9.net
 
-<!--
-
-### Conclusion
-
-As the size and confusion this page induces to anyone else than me shows, I have spent too much time thinking about DNS and related matters.
-
-- Android: while the system only gives the option between `cloudflare-dns.com` and `dns.google` (HTTP/3, see below),
-  web browsers are free to choose the DoH server. If the device is not expected to travel far outside the EU, DNS0.eu may be a safe choice, otherwise Quad9.
-  - As I have to support devices going outside of the EU, I lean towards Quad9.
-- iOS (or Apple in general): same question, do the devices travel outside of the EU? Both provide configuration profiles.
-  - While not noticing the DNS0.eu configuration profile is difficult, [Quad9 currently hides it a bit under docs.quad9.net iOS instructions](https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/).
-- Personal computers: I have reached the cursed conclusion of [using Unbound upstreams DNS0 for IPv4, Quad9 ECS for IPv6](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf) and [using the hosts file to point web browsers away from DNS0.eu IPv6](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/hosts/dns) using [IPv4 mapped IPv6 addresses](https://en.m.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses).
-  - Especially the last part is cursed.
-  - Yes, ECS has privacy concerns, however _theoretically_ it's only a fallback if IPv4 goes down (very rare, has happened for short periods of time in my experience), but the environment also weights my decision. See above on whether to ECS or not.
-    - I hope to offset the risks of ECS by [not allowing TTLs below an hour](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/unbound/unbound.conf.d/min-ttl-hour.conf) so whether I have a tab open or not cannot be figured out from DNS traffic alone and somewhat relatedly [serve stale records if I must](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/unbound/unbound.conf.d/expired-stale-serving-rfc8767.conf).
-- Personal servers: Personal preference, you could even use all of the DNS servers or be your own recursor. I again have small preference towards Quad9 ECS as titlefetching for unencrypted IRC connection is already open for mass surveillance and there is no telling who triggered a DNS query there anyway.
-- Business/association/enterprise/whatever device: there may be free political/regulational/bureaucratic/whatever brownie points for using DNS0.eu with the queries not being transmitted outside of the EU.
-
-This may also be a wrong approach entirely and it should just be an adblocking
-DNS as noted before.
-
-Additionally DNS filtering for web browsers may be irrelevant if browser
-policy enforces extensions that block malicious domains (such as µBlock Origin
-or AdNauseam) or even Google Safe Browsing.
-
--->
-
 ---
 
 ## CLI applications
@@ -362,7 +343,7 @@ using `cloudflare-dns.com`). **_However is connectivity in limited networks and
 maybe a bit faster speed in bad network more important than a level of security
 reached by a filtering resolver?_**
 
-Then setup your web browser (including Firefox (other than stable which disables
+Then setup your web browser (including Firefox Nightly (other channels disable
 `about:config`) and Chrome) to use DNS over HTTPS with your preferred server and
 while at it enabling HTTPS only mode.
 
@@ -439,31 +420,9 @@ Hopefully there is no situation where Rethink stops working and thinks it's
 still working. As can be deduced from this section, sometimes Rethink and I
 disagree with each other. _I don't guarantee I know what I am doing._
 
-#### Using Obtainium with APKPure/Aegon
-
-I think a few of the blocklists in Rethink are blocking apkpure's domain
-breaking Obtainium and their official app and the steps to fix that are:
-
-1. Use a DNS server that doesn't have the block (`https://open.dns0.eu/` or
-   `https://unfiltered.adguard-dns.com/dns-query` if private ECS is desirable?)
-1. Select `Apps` in Rethink's main screen (the biggest button below `Proxy` and
-   `Logs`.
-1. Search for `Obtainium` or `APKPure` and select it.
-1. Select `Domain Rules`.
-1. Select the floating `+` from bottom right.
-1. Select Wildcard, enter `*.winudf.com` and select `Trust`.
-1. Select `Okay` and now Obtainium/APKPure should work assuming no DNS is
-   blocking it (check the logs).
-
-The `Trust` could also be set globally, but what business does any other app
-have for that domain?
-
 ### [FFUpdater](https://github.com/Tobi823/ffupdater)
 
 - `https://dns0.eu;2a0f:fc80::;2a0f:fc81::;193.110.81.0;185.253.5.0`
 - `https://open.dns0.eu;2a0f:fc80::ffff;2a0f:fc81::ffff;193.110.81.254;185.253.5.254`
-- `https://doh.opendns.com/dns-query;2620:119:35::35;2620:119:53::53;208.67.222.222;208.67.220.220`
-- `https://dns11.quad9.net/dns-query;2620:fe::11;2620:fe::fe:11;9.9.9.11;149.112.112.11`
-- `https://dns12.quad9.net/dns-query;2620:fe::12;2620:fe::fe:12;9.9.9.12;149.112.112.12`
 
 ---

package.json

@@ -1,13 +1,13 @@
 {
 	"devDependencies": {
-		"@aminda/global-prettier-config": "2025.7.1",
+		"@aminda/global-prettier-config": "2025.8.0",
 		"@prettier/plugin-ruby": "4.0.4",
 		"@prettier/plugin-xml": "3.4.1",
-		"prettier": "3.5.1",
+		"prettier": "3.5.2",
 		"prettier-plugin-nginx": "1.0.3",
-		"prettier-plugin-sh": "0.14.0",
-		"prettier-plugin-toml": "2.0.1"
+		"prettier-plugin-sh": "0.15.0",
+		"prettier-plugin-toml": "2.0.2"
 	},
-	"packageManager": "pnpm@10.4.1+sha512.c753b6c3ad7afa13af388fa6d808035a008e30ea9993f58c6663e2bc5ff21679aa834db094987129aa4d488b86df57f7b634981b2f827cdcacc698cc0cfb88af",
+	"packageManager": "pnpm@10.5.0+sha512.11106a5916c7406fe4b8cb8e3067974b8728f47308a4f5ac5e850304afa6f57e2847d7950dfe78877d8d36bfb401d381c4215db3a4c3547ffa63c14333a6fa51",
 	"prettier": "@aminda/global-prettier-config"
 }

pnpm-lock.yaml

@@ -8,32 +8,32 @@ importers:
   .:
     devDependencies:
       "@aminda/global-prettier-config":
-        specifier: 2025.7.1
-        version: 2025.7.1
+        specifier: 2025.8.0
+        version: 2025.8.0
       "@prettier/plugin-ruby":
         specifier: 4.0.4
-        version: 4.0.4(prettier@3.5.1)
+        version: 4.0.4(prettier@3.5.2)
       "@prettier/plugin-xml":
         specifier: 3.4.1
-        version: 3.4.1(prettier@3.5.1)
+        version: 3.4.1(prettier@3.5.2)
       prettier:
-        specifier: 3.5.1
-        version: 3.5.1
+        specifier: 3.5.2
+        version: 3.5.2
       prettier-plugin-nginx:
         specifier: 1.0.3
         version: 1.0.3
       prettier-plugin-sh:
-        specifier: 0.14.0
-        version: 0.14.0(prettier@3.5.1)
+        specifier: 0.15.0
+        version: 0.15.0(prettier@3.5.2)
       prettier-plugin-toml:
-        specifier: 2.0.1
-        version: 2.0.1(prettier@3.5.1)
+        specifier: 2.0.2
+        version: 2.0.2(prettier@3.5.2)
 
 packages:
-  "@aminda/global-prettier-config@2025.7.1":
+  "@aminda/global-prettier-config@2025.8.0":
     resolution:
       {
-        integrity: sha512-fTxXBUsillMfAigewcuhqHVBhn2Xr2mwCH41t9rY/p3FNKsX9DvRAWOROrkvnT9gyW86J9Aw/ZGGNwPeiq4PTQ==,
+        integrity: sha512-B5TaC6F9G9y1Yy3lZmAHSpBwueIVBcLZV0HK6f38TxEzNyI8Q0AFhUTK5zG4QLWfvDmm0KzbpJnxqgXgfJ5nIw==,
       }
 
   "@prettier/plugin-ruby@4.0.4":
@@ -88,28 +88,28 @@ packages:
         integrity: sha512-vV5q85s8XnV6NEgvz1gVLfZhmxAxY03MyOYj2ApBpjFkbs00lRsRkTmqO9L39ADuD18z1RRCcfZ3eVxKhI/nqg==,
       }
 
-  prettier-plugin-sh@0.14.0:
+  prettier-plugin-sh@0.15.0:
     resolution:
       {
-        integrity: sha512-hfXulj5+zEl/ulrO5kMuuTPKmXvOg0bnLHY1hKFNN/N+/903iZbNp8NyZBTsgI8dtkSgFfAEIQq0IQTyP1ZVFQ==,
+        integrity: sha512-U0PikJr/yr2bzzARl43qI0mApBj0C1xdAfA04AZa6LnvIKawXHhuy2fFo6LNA7weRzGlAiNbaEFfKMFo0nZr/A==,
       }
     engines: { node: ">=16.0.0" }
     peerDependencies:
       prettier: ^3.0.3
 
-  prettier-plugin-toml@2.0.1:
+  prettier-plugin-toml@2.0.2:
     resolution:
       {
-        integrity: sha512-99z1YOkViECHtXQjGIigd3talI/ybUI1zB3yniAwUrlWBXupNXThB1hM6bwSMUEj2/+tomTlMtT98F5t4s8IWA==,
+        integrity: sha512-tUIIhyfdVX5DMsLGKX/2qaEwi3W48OkUSR7XC91PRI5jFzhexmaYWkrSP1Xh/eWUcEc0TVMQenM3lB09xLQstQ==,
       }
     engines: { node: ">=16.0.0" }
     peerDependencies:
       prettier: ^3.0.3
 
-  prettier@3.5.1:
+  prettier@3.5.2:
     resolution:
       {
-        integrity: sha512-hPpFQvHwL3Qv5AdRvBFMhnKo4tYxp0ReXiPn2bxkiohEX6mBeBwEpBSQTkD458RaaDKQMYSp4hX4UtfUTA5wDw==,
+        integrity: sha512-lc6npv5PH7hVqozBR7lkBNOGXV9vMwROAPlumdBkX0wTbbzPu/U1hk5yL8p2pt4Xoc+2mkT8t/sow2YrV/M5qg==,
       }
     engines: { node: ">=14" }
     hasBin: true
@@ -134,23 +134,23 @@ packages:
       }
 
 snapshots:
-  "@aminda/global-prettier-config@2025.7.1":
+  "@aminda/global-prettier-config@2025.8.0":
     dependencies:
-      "@prettier/plugin-ruby": 4.0.4(prettier@3.5.1)
-      "@prettier/plugin-xml": 3.4.1(prettier@3.5.1)
-      prettier: 3.5.1
+      "@prettier/plugin-ruby": 4.0.4(prettier@3.5.2)
+      "@prettier/plugin-xml": 3.4.1(prettier@3.5.2)
+      prettier: 3.5.2
       prettier-plugin-nginx: 1.0.3
-      prettier-plugin-sh: 0.14.0(prettier@3.5.1)
-      prettier-plugin-toml: 2.0.1(prettier@3.5.1)
+      prettier-plugin-sh: 0.15.0(prettier@3.5.2)
+      prettier-plugin-toml: 2.0.2(prettier@3.5.2)
 
-  "@prettier/plugin-ruby@4.0.4(prettier@3.5.1)":
+  "@prettier/plugin-ruby@4.0.4(prettier@3.5.2)":
     dependencies:
-      prettier: 3.5.1
+      prettier: 3.5.2
 
-  "@prettier/plugin-xml@3.4.1(prettier@3.5.1)":
+  "@prettier/plugin-xml@3.4.1(prettier@3.5.2)":
     dependencies:
       "@xml-tools/parser": 1.0.11
-      prettier: 3.5.1
+      prettier: 3.5.2
 
   "@taplo/core@0.1.1": {}
 
@@ -170,18 +170,18 @@ snapshots:
 
   prettier-plugin-nginx@1.0.3: {}
 
-  prettier-plugin-sh@0.14.0(prettier@3.5.1):
+  prettier-plugin-sh@0.15.0(prettier@3.5.2):
     dependencies:
       mvdan-sh: 0.10.1
-      prettier: 3.5.1
+      prettier: 3.5.2
       sh-syntax: 0.4.2
 
-  prettier-plugin-toml@2.0.1(prettier@3.5.1):
+  prettier-plugin-toml@2.0.2(prettier@3.5.2):
     dependencies:
       "@taplo/lib": 0.4.0-alpha.2
-      prettier: 3.5.1
+      prettier: 3.5.2
 
-  prettier@3.5.1: {}
+  prettier@3.5.2: {}
 
   regexp-to-ast@0.5.0: {}