Comments (38)
Cloudflare decrypts secured web traffic when it arrives, then re-encrypts it and sends it through
Well, I think that self-hosting a proxy like DNSCrypt or cloudflared tunnel should solve this issue, and also for Cloudbleed ("Cloudflare customers was leaked to all other Cloudflare customers that had access to server memory") (I'm not too sure, but I think your own proxy should keep you out of this problem.. But I get it, these kinds of things are bad for business).
I will try to fix up the repo to suit and have a wiki explaining the popular DNS providers' advantages and disadvantages, and user reviews. This can take a while .. any help would be appreciated.. links, posts, forums etc. @jo20201 if you have time can you help build a wiki about the DNS providers (google/quad9/opendns) from whatever information you can find and put it together.
"Tor users and VPN users are also a victim of Cloudflare. Both solutions are being used by many people who cannot afford uncensored internet due to their country/corporation/network policy or who wants to add an extra layer to protect their privacy. Cloudflare is shamelessly attacking those people, forcing them to turn off their proxy solution."
And no, the Cloudflared Tunnel does not solve that issue for the same reason Cloudflare Warp doesn't solve it:
BECAUSE IT RUNS THROUGH CLOUDFLARE!
from adguard-wireguard-unbound-dnscrypt.
Don't use 9.9.9.11.
EDNS Client-Subnet is a method that includes components of end-user IP address data in requests that are sent to authoritative DNS servers. This means that there is privacy “leakage” for recursive resolvers that send EDNS Client-Subnet data, where components of the end user’s IP address are transmitted to the remote site.
I'd use 9.9.9.10 and set up DoT. It's what I've set up in several corporate environments.
from adguard-wireguard-unbound-dnscrypt.
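To make the leakage concrete, here is an added example (not code from the repo or from any commenter) in Python that builds and inspects the EDNS Client Subnet option (RFC 7871, option code 8) that an ECS-enabled recursive resolver, such as the 9.9.9.11 service, attaches to the queries it sends to authoritative servers. The client addresses and prefix lengths are constructed sample values; the decoder side shows exactly which part of the client address an upstream learns.

```python
"""EDNS Client Subnet (RFC 7871): what a resolver sends upstream, and what leaks."""
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 option code for CLIENT-SUBNET


def build_ecs_option(client_ip: str, source_prefix_len: int) -> bytes:
    """Build the CLIENT-SUBNET option a forwarding resolver puts into the OPT
    record of an upstream query. Only the first source_prefix_len bits of the
    client address are sent (24 for IPv4 and 56 for IPv6 are common); a
    prefix length of 0 carries no address at all, which is how a resolver
    signals "do not use my client's address" (RFC 7871 section 7.1.2)."""
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2          # 1 = IPv4, 2 = IPv6
    # RFC 7871 sends only the bytes that hold the prefix, remaining bits zeroed
    addr = net.network_address.packed[:(source_prefix_len + 7) // 8]
    payload = struct.pack("!HBB", family, source_prefix_len, 0) + addr  # scope = 0
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_edns_options(opt_rdata: bytes) -> list:
    """Split the RDATA of an OPT record into (option_code, option_data) pairs."""
    options, pos = [], 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        pos += 4
        options.append((code, opt_rdata[pos:pos + length]))
        pos += length
    return options


def ecs_disclosed_network(opt_rdata: bytes):
    """Return the client network an upstream learns from this OPT RDATA, as a
    string such as '203.0.113.0/24', or None when no ECS option is present."""
    for code, data in parse_edns_options(opt_rdata):
        if code != ECS_OPTION_CODE or len(data) < 4:
            continue
        family, src_len, _scope = struct.unpack("!HBB", data[:4])
        width = 4 if family == 1 else 16
        # the address is truncated on the wire; pad it back to full width
        packed = data[4:4 + width].ljust(width, b"\x00")
        ip = ipaddress.ip_address(packed)
        return str(ipaddress.ip_network(f"{ip}/{src_len}", strict=False))
    return None


if __name__ == "__main__":
    # constructed sample client behind a typical /24 ECS resolver
    leaky = build_ecs_option("203.0.113.77", 24)
    print("upstream learns:", ecs_disclosed_network(leaky))      # 203.0.113.0/24
    private = build_ecs_option("203.0.113.77", 0)
    print("with /0 option:", ecs_disclosed_network(private))     # 0.0.0.0/0
    print("no ECS option:", ecs_disclosed_network(b""))          # None
```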
@T145 this article promotes issues that can take place in most DNS companies. Do you think Google, Quad9 etc. do not see your data in some technical way because they said so? And Cloudflare does, because of this article?
Also, that article explains server-side issues caused by countries, which can happen with other DNS companies with fewer servers around the world.. and the other things it points out, like server downtime, block/ban reviews, hCaptcha, poor internet connectivity when accessing the websites behind it etc., you will find one or all of these issues in some other DNS companies, just no one wrote about it.
These problems might affect some users; I do not see why I should stop promoting it when it works fast and stable for millions of users.
This repo is not about the best DNS security providers but about a good security setup. I will add other DoH providers to the guide. Because at some point down the line, whatever DNS service I choose as the main setup, others can find issues with it, so I just keep adding options ..
I will remove stuff when it's deprecated or when it has really gone bad, when I see pages of negativity on the web.
thanks for this btw T145/white-bear
from adguard-wireguard-unbound-dnscrypt.
@T145 honestly, for a while I wanted to change the title and logo so I would not look like I'm promoting one thing.
from adguard-wireguard-unbound-dnscrypt.
You're right that it suffers from what's inherent to all DNS providers, however it's precisely why this project is meant to be "a good security setup" that Cloudflare services shouldn't be used. Cloudflare decrypts secured web traffic when it arrives, then re-encrypts it and sends it through. This functionally makes it a massive "Man-in-the-middle" attack, and is therefore an inherent security and privacy risk. If you kept reading you'd see information about "Cloudbleeds" and how Cloudflare's HTTPS can never inherently be end-to-end. The reason I'd not promote a service like Google is that they're only secure, and do not promote privacy. Quad9 is the largest I've known of that promotes both security and privacy.
from adguard-wireguard-unbound-dnscrypt.
Just share what you find, or put everything in a text file and I will sort it out when making the wiki.
from adguard-wireguard-unbound-dnscrypt.
keep them coming
from adguard-wireguard-unbound-dnscrypt.
To put it simply, if you keep using Cloudflare then the project description needs to be revised from:
"The ultimate self-hosted network security guide ─ Protection🔒 | Privacy🔎 | Performance🚀 for your network 24/7🕛 Accessible anywhere🌏"
to:
"The ultimate self-hosted network guide ─ Performance🚀 for your network when Cloudflare is up🕛 Accessible anywhere Cloudflare says it is🌏"
from adguard-wireguard-unbound-dnscrypt.
My settings for using Quad9.

For dnscrypt-proxy:

```toml
# Server must support DNS security extensions (DNSSEC)
server_names = ['Quad9-main1', 'Quad9-ecs1', 'Quad9-main2', 'Quad9-ecs2', 'Quad9-doh1', 'Quad9-doh2', 'Quad9-doh-ecs1', 'Quad9-doh-ecs2']

[static]

# DNSCrypt, 9.9.9.9:8443
[static.'Quad9-main1']
stamp = 'sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0'

# DNSCrypt, 149.112.112.9:8443
[static.'Quad9-main2']
stamp = 'sdns://AQMAAAAAAAAAEjE0OS4xMTIuMTEyLjk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0'

# DNSCrypt, 9.9.9.11:8443 (ECS-enabled address)
[static.'Quad9-ecs1']
stamp = 'sdns://AQMAAAAAAAAADTkuOS45LjExOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA'

# DNSCrypt, 149.112.112.11:8443 (ECS-enabled address)
[static.'Quad9-ecs2']
stamp = 'sdns://AQMAAAAAAAAAEzE0OS4xMTIuMTEyLjExOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA'

# DoH, 9.9.9.9 -> dns9.quad9.net:5053/dns-query
[static.'Quad9-doh1']
stamp = 'sdns://AgMAAAAAAAAABzkuOS45LjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zOS5xdWFkOS5uZXQ6NTA1MwovZG5zLXF1ZXJ5'

# DoH, 149.112.112.9 -> dns9.quad9.net:443/dns-query
[static.'Quad9-doh2']
stamp = 'sdns://AgMAAAAAAAAADTE0OS4xMTIuMTEyLjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoSZG5zOS5xdWFkOS5uZXQ6NDQzCi9kbnMtcXVlcnk'

# DoH, 9.9.9.11 -> dns11.quad9.net:5053/dns-query (ECS-enabled address)
[static.'Quad9-doh-ecs1']
stamp = 'sdns://AgMAAAAAAAAACDkuOS45LjExICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKFGRuczExLnF1YWQ5Lm5ldDo1MDUzCi9kbnMtcXVlcnk'

# DoH, 149.112.112.11 -> dns11.quad9.net:443/dns-query (ECS-enabled address)
[static.'Quad9-doh-ecs2']
stamp = 'sdns://AgMAAAAAAAAADjE0OS4xMTIuMTEyLjExICoV9dastufAkBreTrvHQ7LM1IkDK0bhZC8Gk2gwASWKE2RuczExLnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ'
```

For cloudflared:

```shell
# third --upstream value is truncated in the page
CLOUDFLARED_OPTS=--address homeserver --port 5053 --upstream https://dns11.quad9.net/dns-query --upstream https://dns.quad9.net/dns-query --upstream https://dns
```

For unbound:

```
# Quad9 over TLS (DoT)
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 9.9.9.11@853#dns11.quad9.net
    forward-addr: 149.112.112.11@853#dns11.quad9.net
    forward-addr: 2620:fe::11@853#dns11.quad9.net
    forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
```

For knot-resolver:

```lua
-- CA bundle used to authenticate the DoT upstreams (assumed path, adjust for your system)
local tls_bundle = '/etc/ssl/certs/ca-certificates.crt'

-- Forward DNS to Quad9 using TLS (DoT)
policy.add(policy.all(
    policy.TLS_FORWARD({
        {'9.9.9.11', hostname='dns11.quad9.net', ca_file=tls_bundle},
        {'149.112.112.11', hostname='dns11.quad9.net', ca_file=tls_bundle},
        {'9.9.9.9', hostname='dns.quad9.net', ca_file=tls_bundle},
        {'149.112.112.112', hostname='dns.quad9.net', ca_file=tls_bundle},
        {'2620:fe::11', hostname='dns11.quad9.net', ca_file=tls_bundle},
        {'2620:fe::fe:11', hostname='dns11.quad9.net', ca_file=tls_bundle},
    })
))

-- Forward queries to Quad9 (plain DNS on port 53, no encryption)
policy.add(policy.all(policy.FORWARD({'9.9.9.11', '149.112.112.11', '9.9.9.9', '149.112.112.112'})))
```

Test out this: https://github.com/CNMan/dnscrypt-proxy-config/blob/master/quad9-resolvers.md
from adguard-wireguard-unbound-dnscrypt.
I want to add quad9 and also opendns ..
from adguard-wireguard-unbound-dnscrypt.
Never mind, looks like you have everything I expected; I'll just test it out and start working on the wiki.
from adguard-wireguard-unbound-dnscrypt.
@jo20201 I do not think you set up dnscrypt correctly. I used for server names:

```toml
server_names = ['quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri']
```

With dnscrypt servers (dnscrypt_servers = true):

```toml
server_names = ['quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri']
```
from adguard-wireguard-unbound-dnscrypt.
@jo20201 i used this at first
```toml
[sources.quad9-resolvers]
urls = ["https://quad9.net/dnscrypt/quad9-resolvers.md", "https://raw.githubusercontent.com/Quad9DNS/dnscrypt-settings/main/dnscrypt/quad9-resolvers.md"]
minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
cache_file = "quad9-resolvers.md"
refresh_delay = 72
prefix = "quad9-"
```

Then I realized all the Quad9 servers and more are already in the public resolver list https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md 😅 so no need for that method from CNMan's quad9-resolvers.md.
Also, where did you find these servers? 'Quad9-main1', 'Quad9-ecs1', 'Quad9-main2', 'Quad9-ecs2', 'Quad9-doh1', 'Quad9-doh2', 'Quad9-doh-ecs1', 'Quad9-doh-ecs1'
I see from the dnscrypt wiki that static servers are for adding servers that "hasn't been defined anywhere", so I think we should use the Quad9 servers from the public resolvers list .. here are all of them:
## quad9-dnscrypt-ip4-filter-pri
Quad9 (anycast) dnssec/no-log/filter 9.9.9.9 - 149.112.112.9 - 149.112.112.112
## quad9-dnscrypt-ip4-nofilter-ecs-pri
Quad9 (anycast) no-dnssec/no-log/no-filter/ecs 9.9.9.12 - 149.112.112.12
## quad9-dnscrypt-ip4-nofilter-pri
Quad9 (anycast) no-dnssec/no-log/no-filter 149.112.112.10
## quad9-doh-ip4-port443-filter-ecs-pri
Quad9 (anycast) dnssec/no-log/filter/ecs 9.9.9.11 - 149.112.112.11
## quad9-doh-ip4-port443-filter-pri
Quad9 (anycast) dnssec/no-log/filter 9.9.9.9 - 149.112.112.9 - 149.112.112.112
## quad9-doh-ip4-port443-nofilter-ecs-pri
Quad9 (anycast) no-dnssec/no-log/no-filter/ecs 9.9.9.12 - 149.112.112.12
## quad9-doh-ip4-port443-nofilter-pri
Quad9 (anycast) no-dnssec/no-log/no-filter 9.9.9.10 - 149.112.112.10
## quad9-doh-ip4-port5053-filter-ecs-pri
Quad9 (anycast) dnssec/no-log/filter/ecs 9.9.9.11 - 149.112.112.11
## quad9-doh-ip4-port5053-filter-pri
Quad9 (anycast) dnssec/no-log/filter 9.9.9.9 - 149.112.112.9 - 149.112.112.112
## quad9-doh-ip4-port5053-nofilter-ecs-pri
Quad9 (anycast) no-dnssec/no-log/no-filter/ecs 9.9.9.12 - 149.112.112.12
## quad9-doh-ip4-port5053-nofilter-pri
Quad9 (anycast) no-dnssec/no-log/no-filter 9.9.9.10 - 149.112.112.10
## quad9-doh-ip6-port443-filter-ecs-pri
Quad9 (anycast) dnssec/no-log/filter/ecs 2620:fe::11 - 2620:fe::fe:11
## quad9-doh-ip6-port443-filter-pri
Quad9 (anycast) dnssec/no-log/filter 2620:fe::fe - 2620:fe::9 - 2620:fe::fe:9
## quad9-doh-ip6-port443-nofilter-ecs-pri
Quad9 (anycast) no-dnssec/no-log/no-filter/ecs 2620:fe::12 - 2620:fe::fe:12
## quad9-doh-ip6-port443-nofilter-pri
Quad9 (anycast) no-dnssec/no-log/no-filter 2620:fe::10 - 2620:fe::fe:10
## quad9-doh-ip6-port5053-filter-ecs-pri
Quad9 (anycast) dnssec/no-log/filter/ecs 2620:fe::11 - 2620:fe::fe:11
## quad9-doh-ip6-port5053-filter-pri
Quad9 (anycast) dnssec/no-log/filter 2620:fe::fe - 2620:fe::9 - 2620:fe::fe:9
## quad9-doh-ip6-port5053-nofilter-ecs-pri
Quad9 (anycast) no-dnssec/no-log/no-filter/ecs 2620:fe::12 - 2620:fe::fe:12
## quad9-doh-ip6-port5053-nofilter-pri
Quad9 (anycast) no-dnssec/no-log/no-filter 2620:fe::10 - 2620:fe::fe:10
from adguard-wireguard-unbound-dnscrypt.
@jo20201 where did you get the servers 'Quad9-main1', 'Quad9-ecs1', 'Quad9-main2', 'Quad9-ecs2', 'Quad9-doh1', 'Quad9-doh2', 'Quad9-doh-ecs1', 'Quad9-doh-ecs1' from?
from adguard-wireguard-unbound-dnscrypt.
These are just names, and the stamp is the same as for the main server:

```toml
[static.'Quad9-main1']
stamp = 'sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0'
```

quad9-dnscrypt-ip4-filter-pri Quad9 (anycast) dnssec/no-log/filter 9.9.9.9
sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
Right, I see where you got this reference from: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Configuration-Sources. Just wanted to find it.
I think I should not use this feature in the basic setup, to avoid confusing some people's lives lol, but have it as an advanced feature redirecting to a discussion.
from adguard-wireguard-unbound-dnscrypt.
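The stamps quoted in this thread can be decoded to check what a name actually points at, instead of trusting the label. As an added example (not code from the repo or from any commenter), this Python decoder implements the DNS stamp format (protocol byte, little-endian 64-bit property flags, then length-prefixed fields) for DNSCrypt and DoH/DoT/DoQ stamps, reproduces the dnssec/no-log/filter labels used in public-resolvers.md, and confirms that 'Quad9-main1' and 'Quad9-ecs1' carry the same Quad9 provider key and differ only in address. The three stamp values are copied from the comments above.

```python
"""Decode DNS stamps (sdns://...) as used in dnscrypt-proxy configs."""
import base64
import struct

PROTOCOLS = {0x00: "plain", 0x01: "dnscrypt", 0x02: "doh", 0x03: "dot", 0x04: "doq"}

# Stamps quoted in this thread: Quad9 DNSCrypt main1, DNSCrypt ecs1 and DoH doh1.
QUAD9_MAIN1 = "sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0"
QUAD9_ECS1 = "sdns://AQMAAAAAAAAADTkuOS45LjExOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA"
QUAD9_DOH1 = "sdns://AgMAAAAAAAAABzkuOS45LjkgKhX11qy258CQGt5Ou8dDsszUiQMrRuFkLwaTaDABJYoTZG5zOS5xdWFkOS5uZXQ6NTA1MwovZG5zLXF1ZXJ5"


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("stamp truncated")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def lp(self) -> bytes:
        # length-prefixed field: one length byte, then that many bytes
        return self.take(self.take(1)[0])

    def vlp(self) -> list:
        # sequence of lp fields; the high bit of a length byte means "more follow"
        items = []
        while True:
            n = self.take(1)[0]
            item = self.take(n & 0x7F)
            if item:
                items.append(item)
            if not n & 0x80:
                return items

    def remaining(self) -> int:
        return len(self.data) - self.pos


def decode_stamp(stamp: str) -> dict:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = stamp[len("sdns://"):]
    data = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))  # unpadded base64url
    r = _Reader(data)
    proto = r.take(1)[0]
    props = struct.unpack("<Q", r.take(8))[0]  # little-endian 64-bit flag word
    info = {
        "protocol": PROTOCOLS.get(proto, f"unknown-0x{proto:02x}"),
        "dnssec": bool(props & 1),
        "no_logs": bool(props & 2),
        "no_filter": bool(props & 4),
        "address": r.lp().decode(),
    }
    if proto == 0x01:
        info["public_key"] = r.lp().hex()          # provider's Ed25519 public key
        info["provider_name"] = r.lp().decode()    # e.g. 2.dnscrypt-cert.quad9.net
    elif proto in (0x02, 0x03, 0x04):
        info["hashes"] = [h.hex() for h in r.vlp()]  # SHA-256 pins of the cert chain
        info["hostname"] = r.lp().decode()
        if proto == 0x02:
            info["path"] = r.lp().decode()
        if r.remaining():
            info["bootstrap_ips"] = [b.decode() for b in r.vlp()]
    elif proto != 0x00:
        raise ValueError(f"unsupported stamp protocol 0x{proto:02x}")
    return info


def flags_label(info: dict) -> str:
    """Same label style as public-resolvers.md, e.g. 'dnssec/no-log/filter'."""
    return "/".join([
        "dnssec" if info["dnssec"] else "no-dnssec",
        "no-log" if info["no_logs"] else "log",
        "no-filter" if info["no_filter"] else "filter",
    ])


def same_provider(stamp_a: str, stamp_b: str) -> bool:
    """True if two DNSCrypt stamps pin the same provider key and provider name
    (they may still differ in address, e.g. the ECS vs non-ECS anycast IPs)."""
    a, b = decode_stamp(stamp_a), decode_stamp(stamp_b)
    return (a["protocol"] == b["protocol"] == "dnscrypt"
            and a["public_key"] == b["public_key"]
            and a["provider_name"] == b["provider_name"])


if __name__ == "__main__":
    for s in (QUAD9_MAIN1, QUAD9_ECS1, QUAD9_DOH1):
        i = decode_stamp(s)
        print(i["protocol"], i["address"], flags_label(i),
              i.get("provider_name") or i.get("hostname"))
    print("main1 and ecs1 same provider:", same_provider(QUAD9_MAIN1, QUAD9_ECS1))
```

Comparing flags_label() against the published description is a quick way to catch a static entry whose flags (for example no-filter) do not match the server it was copied from.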
I will use the standard servers:

```toml
server_names = ['quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri']
```

without dnscrypt servers, and with them:

```toml
server_names = ['quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-doh-ip4-port5053-filter-ecs-pri', 'quad9-doh-ip6-port5053-filter-ecs-pri']
```

for the example setup.
from adguard-wireguard-unbound-dnscrypt.
As I mentioned, I did that to shorten the names.
Yes, I might not have noticed this feature, for I like to keep the repo simple .. but you will make it into a discussion later on.. I have to adjust a lot of stuff in the repo now and make it as little complex and overwhelming as possible.
from adguard-wireguard-unbound-dnscrypt.
@jo20201 @T145 I adjusted repo
I want to change name .. Any suggestions ?
from adguard-wireguard-unbound-dnscrypt.
Overwired
It's short and sweet.
from adguard-wireguard-unbound-dnscrypt.
overwired.. like override network.. interesting 🤔
from adguard-wireguard-unbound-dnscrypt.
CLOUDFLARED_OPTS=--port 5053 --upstream https://94.140.14.14/dns-query --upstream https://94.140.15.15/dns-query --upstream https://dns.adguard.com/dns-query
Should we be using non-filtering upstreams since we do the filtering through the app itself?
from adguard-wireguard-unbound-dnscrypt.
@jo20201 I used
CLOUDFLARED_OPTS=--port 5053 --upstream https://9.9.9.9/dns-query --upstream https://149.112.112.112/dns-query --upstream https://dns.quad9.net/dns-query
from adguard-wireguard-unbound-dnscrypt.
@jo20201 @T145 one thing I am not sure about with cloudflared tunnel: when using --upstream https://9.9.9.9/dns-query according to https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/. But https://adguard-dns.io/kb/general/dns-providers/#quad9-dns gives DNS-over-HTTPS as https://dns.quad9.net/dns-query, or for cloudflared https://dns.cloudflare.com/dns-query.
Are https://9.9.9.9/dns-query and https://dns.quad9.net/dns-query in cloudflared tunnel two different ways of resolving to DoH servers, or is it just the same, or does each have a unique DoH resolving method?
from adguard-wireguard-unbound-dnscrypt.
One thing about https://dns.quad9.net/dns-query: it uses both IPv4 and IPv6 ..
from adguard-wireguard-unbound-dnscrypt.
nice i see how to add ipv6 .. i will fix later
from adguard-wireguard-unbound-dnscrypt.
For cloudflared I use this as unlimited:
--max-upstream-conns 0
Hmm, I forgot about this. I remember reading about it; I think the default is 3.
from adguard-wireguard-unbound-dnscrypt.
This reminds me.. when I started the repo, I did not set some things for resolving on localhost, like IPv6..
Also I did not realize you can add a bootstrap in cloudflared tunnel to resolve on localhost.. nice one @jo20201
from adguard-wireguard-unbound-dnscrypt.
@jo20201 I think I now remember why I never really cared for resolving on localhost .. I chose the Pi's IP as the AdGuard listen interface and not all interfaces. So correct me if I'm wrong: listening on all interfaces will also listen on 127.0.0.1 on a Linux system, resulting in resolving on localhost.
At the time I thought it would be simpler to resolve the host itself by just using it through its DNS servers externally (add the system IP address in the DNS servers) .. is that ethical?
from adguard-wireguard-unbound-dnscrypt.
Regarding the Cloudflared Tunnel mentioned earlier, I just wouldn't use it at all. The homepage seems to necessitate Cloudflare service usage, which again defeats the purpose of this whole exercise. As for EDNS, if you value privacy as advertised I'd disable it.
from adguard-wireguard-unbound-dnscrypt.
For real, they show usage in the docs on their website https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/. 🤷♂️ Cloudflare info is so scattered lol
from adguard-wireguard-unbound-dnscrypt.
OverGuard-SecureNetwork. How does that sound?
from adguard-wireguard-unbound-dnscrypt.
Keep it simple. You guys keep having a literal word salad as your title. People remember something short and sweet. "Overwired" is unique and simple.
from adguard-wireguard-unbound-dnscrypt.
@T145 what about CZ-NIC-NET as upstream
I'm not familiar w/ the project details, so I can't give a definitive answer. If you're referring to what I think you are, then I'd discourage it.
from adguard-wireguard-unbound-dnscrypt.
@jo20201 I was going to add interface: ::1
in unbound and knot, but the listen interface is just to communicate with the network, and I also read "Its the loopback address in ipv6, equal to 127.0.0.1 in ipv4."
So upstream DNS queries to IPv6 servers are all that is needed if you want IPv6 protection..
from adguard-wireguard-unbound-dnscrypt.
@jo20201 in the knot config you have:

```lua
-- Forward queries to CloudFlare
policy.add(policy.all(policy.FORWARD({'1.1.1.1', '1.0.0.1'})))
```

"Forward cache-miss queries to specified IP addresses (without encryption), DNSSEC validate received answers and cache them. Target IP addresses are expected to be DNS resolvers."
According to the docs it looks like you do not need this if using TLS forwarding. It's a variant method of the regular forward-queries method:
"A variant which uses encrypted DNS-over-TLS transport is called policy.TLS_FORWARD(), please see section Forwarding over TLS protocol (DNS-over-TLS)."
"Queries affected by policy.TLS_FORWARD() will always be resolved over TLS connection. Knot Resolver does not implement fallback to non-TLS connection, so if TLS connection cannot be established or authenticated according to the configuration, the resolution will fail."
from adguard-wireguard-unbound-dnscrypt.
2 things I want:
1. Compare DNS stats side by side with pics or video, with Wireshark or whatever other software is best for DNS leaks.
2. A diagram of how this network security works.. I use Adobe Illustrator; maybe someone can draw it by hand and I'll create the artwork with AI.
from adguard-wireguard-unbound-dnscrypt.
It's best to not ever use browser DNS tests b/c your web browser can start its own DNS journey. Use dig, drill, nslookup, etc. and you should see no DNS leakage.
from adguard-wireguard-unbound-dnscrypt.