	DNS notes
For DNS resolvers, refer to r/resolv.tsv
Identifying DNS resolver
- DNS-OARC’s Check My DNS - popup under “Network”.
- dnsleaktest
- whatsmydnsserver
- ipleak.net
- dnsadblock
- browserleaks.net/dns
- dnscheck.tools
The above list is based on redirect2me/which-dns README alternatives section
Identifying ECH support
At its current state of implementation, Encrypted Client Hello requires DNS-over-HTTPS at the browser level or it won’t be used. If a downgrade from application-level DoH to the OS resolver is allowed, ECH will be disabled at least temporarily. Thus I think this list belongs here closely enough.
- Cloudflare Browser Check, which still speaks of ESNI although ECH replaced Encrypted Server Name Indication ages ago.
- crypto.cloudflare.com/cdn-cgi/trace, look for sni=encrypted.
- tls-ech.dev
- BONUS: OCSP stapling test
What is ECS?
EDNS Client Subnet is a DNS extension letting the authoritative nameserver know your subnet, generally a /24 (IPv4) or a /56 (IPv6), but the revealed subnet size is up to your DNS resolver configuration.
See also the simpler explanation at PrivacyGuides.org DNS Overview.
- /24 is the first three parts of your IPv4 address, e.g. 192.0.2.xxx. The last part of your IP address (the xxx) again is a number between 1 and 254 (since 0 is reserved for the network itself and 255 is the broadcast address).
- /56 includes 256 /64s and, if your ISP (Internet Service Provider) follows RFC 6177, it is assigned solely to you, meaning the authoritative nameserver will know the request originated from your network.
  - However, many ISPs, especially wireless ones, will just assign you a /64, which is required for stateless address autoconfiguration, the most common way of getting an IPv6 address in your local area network (as opposed to IPv4, where you would have Dynamic Host Configuration Protocol (DHCP)).
  - Your router does get the IPv6 subnet assignment for LAN distribution by means of DHCPv6 Prefix Delegation, which is also common on mobile networks.
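To make the "/24 or /56" point concrete, here is an added example (my own illustration, not code from the page or from any resolver) that builds and parses the EDNS0 Client Subnet option exactly as it travels from the resolver to the authoritative nameserver, following the RFC 7871 wire format (option code 8; FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, then only as many address bytes as the prefix needs, with bits beyond the prefix zeroed). The sample addresses are constructed documentation addresses; the function names are my own.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8            # EDNS0 option code for Client Subnet (RFC 7871)
FAMILY_IPV4, FAMILY_IPV6 = 1, 2  # IANA address family numbers used in the option


def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Return the EDNS0 option (code, length, data) a resolver would attach to
    its upstream query for client_ip, truncated to source_prefix bits."""
    ip = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("prefix length out of range for this address family")
    # RFC 7871 6: send only ceil(prefix/8) address bytes, and any bits past
    # the prefix length in the last byte must be zero.
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    n_bytes = (source_prefix + 7) // 8
    addr_bytes = network.network_address.packed[:n_bytes]
    # SCOPE PREFIX-LENGTH is always 0 in queries; the authoritative server
    # sets it in the reply to say how much of the prefix it actually used.
    data = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs_option(option: bytes) -> dict:
    """Decode an ECS option and report which subnet it reveals."""
    if len(option) < 4:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    data = option[4:4 + length]
    if len(data) != length or length < 4:
        raise ValueError("truncated ECS option")
    family, source, scope = struct.unpack("!HBB", data[:4])
    addr_bytes = data[4:]
    if family not in (FAMILY_IPV4, FAMILY_IPV6):
        raise ValueError(f"unknown address family {family}")
    full_len = 4 if family == FAMILY_IPV4 else 16
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("address length does not match prefix length")
    # Pad the truncated address back to full width, then check that no bits
    # beyond the prefix are set (a resolver that leaks them is misbehaving).
    addr = ipaddress.ip_address(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    network = ipaddress.ip_network(f"{addr}/{source}", strict=False)
    if network.network_address != addr:
        raise ValueError("non-zero bits beyond the source prefix length")
    return {
        "family": family,
        "source_prefix": source,
        "scope_prefix": scope,
        "subnet": str(network),
        "addresses": network.num_addresses,  # how many hosts you are hidden among
    }


if __name__ == "__main__":
    # Constructed examples: a /24 for IPv4 and a /56 for IPv6, as in the notes.
    for ip, prefix in (("192.0.2.77", 24), ("2001:db8:abcd:1234:5678::1", 56)):
        opt = build_ecs_option(ip, prefix)
        print(opt.hex(), parse_ecs_option(opt))
```

The `addresses` field is the "accuracy" the notes talk about: a /24 puts you among 256 addresses, whereas a /56 handed out per RFC 6177 identifies your whole network. Anything in the path between the resolver and the authoritative server can read this option, since that hop is normally unencrypted.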
If you are reading my personal notes (that being useful for you would bring me a bit of happiness), please note that I am somewhat indecisive and change the DNS resolver a lot (at least daily judging by my feelings), but do check the git log.
Why to use ECS?
Android DoH3 option: dns.google
[…] The longer the distance the data must travel from the data centre to the end-user device, the more energy the transmission consumes – regardless of the transmission path used. Intercontinental transmission networks are fundamentally very efficient. Transferring data from the United States to Europe may consume a fraction of the energy compared to the last kilometre from the base station to the mobile phone.
- Green Code (pdf txt)
If you utilize services of internet giants or content delivery networks, ECS will likely give you the shortest distance, the lowest latency, the highest speed and may help with decreasing your digital carbon footprint.
I was also surprised to find speedy Google Play Store download in the middle of sea (Helsinki-Tallinn) when switching from non-ECS to ECS nameserver. I wonder if they had an edge node somewhere in close proximity or if it was just happenstance.
The above means GAFAM; if you don’t use them in any form, there may not be a need for ECS.
If those matter to you, you may also like to consider increasing your minimum TTL to around an hour in a local server.
Why to not use ECS?
Android DoH3 option: cloudflare-dns.com
[…] we [Cloudflare] don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.
[…]
We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. […]
- Cloudflare co-founder, emphasis mine.
ECS will decrease the cost of mass surveillance: instead of having to surveil everything happening on the network, anyone between your DNS server and the authoritative nameserver can see which IP addresses access the site with reasonable accuracy.
Then there are those with commercial interests, particularly outside of Europe: advertisers may be interested in making money out of the additional metadata. There may also be ad blockers which don’t block the DNS request, causing the advertising company to receive your IP address (or close enough to it) even if you never see the advertisement itself.
Some say the less metadata is produced, the smaller the incentive to start collecting and monetizing it.
This isn’t even mentioning that the internet isn’t a nice place, or foreign advanced persistent threats or threat actors who may not need a reason to attack you. CISA: Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society
Additionally, researchers (below) have used it to perform cache poisoning against an individual target, directing them to a wrong location, and with a low TTL making it near impossible to audit later.
What domains do you use? What if someone far above you knew regardless of Encrypted Client-Hello?
Are the domains you use DNSSEC-signed? Do you verify DNSSEC locally? Do you use HTTPS everywhere? Do you know not to accept warnings about certificate issues? Do the other (less technical) users of your network? Would you or they be a delicious target? Do you even use GAFAM services?
It’s important to remember that the authoritative nameserver is the one that knows where the domain is hosted; you can see it through e.g. whois aminda.eu, which will reply lakas.ns.cloudflare.com and coco.ns.cloudflare.com. Thus when you perform a DNS query with ECS enabled, the USA will know your IP with the accuracy of 256 users (a poor example since this site is currently hosted on GitHub Pages). Same as when you visit a domain ending in .af: Afghanistan will know.
See also:
Why to use private ECS?
Android DoH3 option: ?
Do you want the benefits of ECS with the privacy and security of not having ECS? Private ECS is a compromise solution in the middle, although not without its own issues.
Your private DNS provider will lie a bit for you and say that your IP address is somewhere else, where it will also place many others from your ISP. However, what if it says you are a customer of another ISP, possibly even located in another country? It tends to have greater accuracy with IPv4 than IPv6, see the AdGuard Google Domains issue. What if no one else uses the same DNS server as you, especially from your ISP? I guess you can always advocate your DNS provider so it could be someone else too (I couldn’t)? If it works most of the time, does that outweigh the times it won’t work? Is perfect the enemy of good enough?
In that case you may get even worse performance and be in an even worse situation than without ECS. Then again, if everything works properly, you will get the benefit of ECS without the privacy impact and with a lessened security impact.
I am often observing Cloudflare and other public DNS providers connecting me to Swedish servers when no ECS is used, and so far the only place where I spent a significant amount of time with wrong private ECS was a school; considering the drawbacks of ECS in the current world situation, I think private ECS is easily the least bad option.
See the next section for testing “where you are.” Consider also what is important for you if you had to pick one or two from privacy, performance and climate.
See also:
- NextDNS (Medium.com): How we made DNS both fast and private with ECS
- AdGuard DNS: Privacy-friendly EDNS Client Subnet
Is this a relevant question?
It’s likely greener to just use an ad-blocking DNS no matter where it is located, preferably at the router level. I don’t trust router/DHCP-provided DNS and encrypt it on the end device anyway. And if something needs unfiltered access (AdNauseam?), give it DNS over HTTPS, which all browsers and curl are able to use nowadays.
Are you someone to whom someone might wish bad things just for existing?
Identifying support for ECS
Or what is being sent to the authoritative servers.
```sh
# https://support.google.com/interconnect/answer/7658602
dig +short TXT o-o.myaddr.l.google.com.
# https://www.akamai.com/blog/developers/introducing-new-whoami-tool-dns-resolver-information
dig +short TXT whoami.ds.akahelp.net.
dig +short TXT whoami.ipv6.akahelp.net.
dig +short TXT whoami.ipv4.akahelp.net.
# https://powerdns.org/useful-names/
dig +short TXT whoami-ecs.lua.powerdns.org.
dig +short TXT whoami-ecs.v6.powerdns.org.
dig +short TXT whoami-ecs.v4.powerdns.org.
```
CLI applications
- drill gets often mentioned; Fedora has it in ldns-utils, so others probably have it in similarly named packages.
Mobile applications
With the exception of those apps whose config I remember otherwise or which share it with desktop versions, etc.
Android
Use either cloudflare-dns.com (which doesn’t have ECS) or dns.google (which has ECS) as the (Settings → Network & Internet → Advanced →) Private DNS server, as they have special handling and thus use DNS over HTTPS/3 instead of the usual DNS over TLS. This can be confirmed with https://1.1.1.1/help (when using cloudflare-dns.com). However, is connectivity in limited networks and maybe a bit faster speed in a bad network more important than the level of security reached by a filtering resolver?
Then set up your web browser (including Firefox Nightly (other channels disable about:config) and Chrome) to use DNS over HTTPS with your preferred server and, while at it, enable HTTPS-only mode.
At least https://security.cloudflare-dns.com/dns-query won’t downgrade to the system DNS resolver, so malware.testcategory.com is blocked, and that will hopefully apply to other filtering DNS servers and actual malicious domains as well. Meanwhile nudity.testcategory.com loads as expected outside of https://family.cloudflare-dns.com/dns-query.
If testing Cloudflare, see also:
- 1.1.1.1/help for general troubleshooting
- help.teams.cloudflare.com for filtering, although it just sends you to
- radar.cloudflare.com, where IP is worth checking too.
- speed.cloudflare.com for speed testing
Do other Android based OSes contain the special handling of specific Private DNS domains turning into DNS-over-HTTP/3?
Rethink
NOTE! This pretends to be a VPN and thus breaks things that depend on seeing the IP directly, such as the wireless debugging LAN IP and Briar LAN connections; it causes warnings in OONI Probe and disables automatic testing; Syncthing Fork will not autostart due to detecting the network as metered, unless it’s given permission to run on metered networks.
NOTE ESPECIALLY! Android Auto cannot be used when there is a “VPN” connected (why? ask Google, not me). Additionally you may encounter questionable battery drain.
- Use either GitHub or F-Droid release as Google Play doesn’t have blocklists.
- Enable it.
- In Android Settings, Internet, Advanced, VPN, select Rethink, make it always-on and block connections not using it.
- Disable private DNS in Android settings too, as it conflicts.
- In Rethink itself open Configure.
- DNS: enable whatever DNS you prefer.
- DNS: Visit on-device blocklists.
- DNS: Consider enabling Use in-app downloader, DNS booster
- DNS: Disable Prevent DNS leaks to avoid breakage.
- Network: enable Use all available networks (experimental)
- Network: Loopback (experimental)
  - This also implies the previous option.
- Network: Choose IP version: Auto
- Network: Perform connectivity checks
- Remember to also visit Android app details for Rethink, in battery menu select unrestricted and in network allow unlimited data even with data saver.
- I also have a suspicion that the Android Developer Setting Always keep mobile data active is interfering with Rethink as an always-on VPN, causing connectivity issues or it not being sure whether a “metered” or unmetered network is being used.
  - The setting is enabled by default nowadays; to access it, go to About phone and rapidly tap Software build number (backtranslated to English from Finnish (like everything else (TODO: check in English))).
  - Once you are a developer, System Settings (within Settings) should have a new Developer Settings menu; Mobile data always active is under the Connection properties section (which is above Input).
Hopefully there is no situation where Rethink stops working and thinks it’s still working. As can be deduced from this section, sometimes Rethink and I disagree with each other. I don’t guarantee I know what I am doing.