WIP: Add icons

This commit is contained in:
nitrohorse
2020-05-08 19:32:45 -07:00
parent 28ca30d1c5
commit cebc5835d6
5 changed files with 88 additions and 74 deletions

View File

@ -1,4 +1,14 @@
<h1 id="dns" class="anchor"><a href="#dns"><i class="fas fa-link anchor-icon"></i></a> Encrypted Domain Name System (DNS) Resolvers</h1> <h1 id="dns" class="anchor">
<a href="#dns"><i class="fas fa-link anchor-icon"></i></a> Encrypted Domain Name System (DNS) Resolvers
</h1>
<h4>Terms</h4>
<ul>
<li><strong>DNS-over-TLS (DoT)</strong> - A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.
<li><strong>DNS-over-HTTPS (DoH)</strong> - Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443. <span class="badge badge-warning" data-toggle="tooltip" data-original-title="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server."><a href="https://tools.ietf.org/html/rfc8484#section-8.2"><i class="fas fa-exclamation-triangle"></i></a></span></li>
<li><strong>DNSCrypt</strong> - An older yet robust method of encrypting DNS.</li>
</ul>
<div class="alert alert-warning" role="alert"> <div class="alert alert-warning" role="alert">
<strong>Note: Using an encrypted DNS resolver will not make you anonymous, nor hide your internet traffic from your Internet Service Provider. But, it will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here.</strong> <strong>Note: Using an encrypted DNS resolver will not make you anonymous, nor hide your internet traffic from your Internet Service Provider. But, it will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here.</strong>
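Review bot: the DNS-over-TLS `<li>` in the Terms list has no closing `</li>` (the item ends at "...blocked by restrictive firewalls." and runs straight into the DoH item), while the DoH and DNSCrypt items are closed; add the `</li>` so the list parses consistently. The DoT entry also drops the opportunistic-versus-strict mode distinction that the old Terms block on the DNS page carried, and that distinction is what decides whether a client falls back to cleartext when port 853 is blocked; a one-line pointer to strict mode would keep the port 853/443 remark here self-contained.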

BIN
assets/img/png/3rd-party/dnscloak.png vendored Normal file

New binary file, 24 KiB (image not shown).

BIN
assets/img/png/3rd-party/nebulo.png vendored Normal file

New binary file, 93 KiB (image not shown).

3
assets/img/svg/3rd-party/unbound.svg vendored Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="669px" height="153px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.41421;"><g><g><path d="M87.5,6.548l0,86.4l-29.5,17c-0.597,0.299 -1.303,0.299 -1.9,0l-29.5,-17l0,-86.4l-20.9,12.1c-3.528,2.042 -5.706,5.824 -5.7,9.9l0,86.4c0.021,4.07 2.191,7.839 5.7,9.9l45.7,26.4c3.533,1.998 7.867,1.998 11.4,0l45.7,-26.4c3.528,-2.042 5.706,-5.824 5.7,-9.9l0,-86.4c-0.021,-4.07 -2.191,-7.839 -5.7,-9.9l-21,-12.1Z" style="fill:#2d2e83;fill-rule:nonzero;"/><path d="M87.5,6.548l0,86.4l-29.5,17c-0.597,0.299 -1.303,0.299 -1.9,0l-29.5,-17l0,-86.4l-20.9,12.1c-3.528,2.042 -5.706,5.824 -5.7,9.9l0,86.4c0.021,4.07 2.191,7.839 5.7,9.9l45.7,26.4c3.533,1.998 7.867,1.998 11.4,0l45.7,-26.4c3.528,-2.042 5.706,-5.824 5.7,-9.9l0,-86.4c-0.021,-4.07 -2.191,-7.839 -5.7,-9.9l-21,-12.1Z" style="fill:url(#_Linear1);fill-rule:nonzero;"/><path d="M114.2,28.548c-0.021,-4.07 -2.191,-7.839 -5.7,-9.9l-30.4,-17.6c-2.337,-1.398 -5.263,-1.398 -7.6,0c-2.354,1.359 -3.807,3.882 -3.8,6.6l0,66.6c0.021,4.07 2.191,7.839 5.7,9.9l36.1,20.9c3.528,2.042 5.706,5.824 5.7,9.9l0,-86.4Z" style="fill:#1fc2d7;fill-rule:nonzero;"/><path d="M0,28.548c0.021,-4.07 2.191,-7.839 5.7,-9.9l30.5,-17.6c2.337,-1.398 5.263,-1.398 7.6,0c2.354,1.359 3.807,3.882 3.8,6.6l0,66.6c-0.021,4.07 -2.191,7.839 -5.7,9.9l-36.1,20.9c-3.528,2.042 -5.706,5.824 -5.7,9.9l-0.1,-86.4Z" style="fill:#1fc2d7;fill-rule:nonzero;"/></g><g><path d="M221.9,44.348l0,64l-11.5,0l-0.6,-5c-7.6,3.9 -15.6,6.5 -22.6,6.5c-10.8,0 -18.7,-6.1 -18.6,-21.3l0,-44.2l12.8,0l0,42.4c0,9.1 3.4,11.8 9.3,11.8c4.8,0 11.5,-2 18.4,-5.5l0,-48.7l12.8,0Z" style="fill:#0d0d27;fill-rule:nonzero;"/><path d="M296.9,64.148l0,44.2l-12.8,0l0,-42.4c0,-9.1 -3.5,-11.8 -9.8,-11.8c-5.5,0 -12.9,2 -20.9,5.7l0,48.6l-12.8,0l0,-64l11.5,0l0.6,5.1c8.7,-4.1 17.5,-6.6 24.8,-6.6c11.4,0 19.4,6 19.4,21.2Z" 
style="fill:#0d0d27;fill-rule:nonzero;"/><path d="M349.7,42.948c19.3,0 24.5,12.8 24.6,33.6c0.1,20.8 -5.2,33.4 -24.5,33.4c-7.1,0 -12.8,-1.7 -21.9,-6.8l-0.6,5.4l-11.5,0l0,-90.6l12.8,0l0,31.6c8.5,-4.9 14.1,-6.6 21.1,-6.6Zm-3.5,55.7c11.8,0 14.9,-6.3 15,-22.2c0.1,-15.9 -3.1,-22.2 -14.9,-22.2c-5,0 -9.1,1.1 -17.7,5.9l0,32.7c8.6,4.7 12.7,5.8 17.6,5.8Z" style="fill:#0d0d27;fill-rule:nonzero;"/><path d="M448.6,76.348c0,21.3 -7.2,33.5 -29.8,33.5c-22.6,0 -29.8,-12.2 -29.8,-33.5c0,-21.3 7.2,-33.5 29.8,-33.5c22.6,0 29.8,12.3 29.8,33.5Zm-46.4,0c0,16 3.8,22.2 16.6,22.2c12.8,0 16.6,-6.2 16.6,-22.2c0,-16 -3.8,-22.2 -16.6,-22.2c-12.8,0 -16.6,6.2 -16.6,22.2Z" style="fill:#0d0d27;fill-rule:nonzero;"/><path d="M518.2,44.348l0,64l-11.5,0l-0.6,-5c-7.6,3.9 -15.6,6.5 -22.6,6.5c-10.8,0 -18.7,-6.1 -18.6,-21.3l0,-44.2l12.8,0l0,42.4c0,9.1 3.4,11.8 9.3,11.8c4.8,0 11.5,-2 18.4,-5.5l0,-48.7l12.8,0Z" style="fill:#0d0d27;fill-rule:nonzero;"/><path d="M593.2,64.148l0,44.2l-12.8,0l0,-42.4c0,-9.1 -3.5,-11.8 -9.8,-11.8c-5.5,0 -12.9,2 -20.9,5.7l0,48.6l-12.8,0l0,-64l11.5,0l0.6,5.1c8.7,-4.1 17.5,-6.6 24.8,-6.6c11.4,0 19.4,6 19.4,21.2Z" style="fill:#0d0d27;fill-rule:nonzero;"/><path d="M656.9,108.448l-0.6,-5.4c-9,5 -14.6,6.8 -21.9,6.8c-19.3,0 -24.5,-12.7 -24.5,-33.4c0,-20.7 5.2,-33.6 24.5,-33.6c7.1,0 12.6,1.7 21.2,6.5l0,-31.6l12.8,0l0,90.6l-11.5,0.1Zm-33.9,-32.1c0,15.9 3.2,22.2 15,22.2c5,0 9,-1.1 17.6,-5.9l0,-32.7c-8.8,-4.8 -12.8,-5.9 -17.6,-5.9c-11.8,0.1 -15,6.4 -15,22.3Z" style="fill:#0d0d27;fill-rule:nonzero;"/></g></g><defs><linearGradient id="_Linear1" x1="0" y1="0" x2="1" y2="0" gradientUnits="userSpaceOnUse" gradientTransform="matrix(114.2,0,0,114.2,1.23648e-05,79.6485)"><stop offset="0" style="stop-color:#0d0d27;stop-opacity:1"/><stop offset="0.02" style="stop-color:#10102f;stop-opacity:1"/><stop offset="0.1" style="stop-color:#1a1b4d;stop-opacity:1"/><stop offset="0.19" style="stop-color:#232365;stop-opacity:1"/><stop offset="0.28" style="stop-color:#282976;stop-opacity:1"/><stop offset="0.38" 
style="stop-color:#2c2d80;stop-opacity:1"/><stop offset="0.5" style="stop-color:#2d2e83;stop-opacity:1"/><stop offset="0.62" style="stop-color:#2c2d80;stop-opacity:1"/><stop offset="0.72" style="stop-color:#282976;stop-opacity:1"/><stop offset="0.81" style="stop-color:#232365;stop-opacity:1"/><stop offset="0.9" style="stop-color:#1a1b4d;stop-opacity:1"/><stop offset="0.98" style="stop-color:#10102f;stop-opacity:1"/><stop offset="1" style="stop-color:#0d0d27;stop-opacity:1"/></linearGradient></defs></svg>
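Review bot: the new unbound.svg keeps the exporter's `xmlns:serif` namespace and an external DOCTYPE reference, and declares fixed `width="669px" height="153px"` with no `viewBox`; drop the editor namespace and DOCTYPE and add `viewBox="0 0 669 153"` so the logo scales inside the card like the other SVG assets. Since the file is committed as vendored, also record where the logo came from and under what terms it may be redistributed.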

New file, 4.5 KiB.

View File

@ -8,81 +8,82 @@ breadcrumb: "DNS"
{% include sections/dns.html %} {% include sections/dns.html %}
<h4>Terms</h4> <h1 id="dns-desktop-clients" class="anchor">
<a href="#dns-desktop-clients">
<i class="fas fa-link anchor-icon"></i>
</a> Encrypted DNS Client Recommendations for Desktop
</h1>
<ul> {%
<li>DNS-over-TLS (DoT) - A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls. DoT has two modes:</li> include cardv2.html
<ul> title="Firefox's built-in DNS-over-HTTPS resolver"
<li>Oppurtunistic mode: the client attempts to form a DNS-over-TLS connection to the server on port 853 without performing certificate validation. If it fails, it will use unencrypted DNS. <span class="badge badge-warning" data-toggle="tooltip" data-original-title="In other words automatic mode leaves your DNS traffic vulnerable to SSL strip and MITM attacks"><i class="fas fa-exclamation-triangle"></i></span></li> image="/assets/img/svg/3rd-party/firefox_browser.svg"
<li>Strict mode: the client connects to a specific hostname and performs certificate validation for it. If it fails, no DNS queries are made until it succeeds.</li> description='Firefox comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver.'
</ul> labels="warning:<a href=//developers.cloudflare.com/1.1.1.1/privacy/firefox>Warning</a>:Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser."
<li>DNS-over-HTTPS (DoH) - Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443. <span class="badge badge-warning" data-toggle="tooltip" data-original-title="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server."><a href="https://tools.ietf.org/html/rfc8484#section-8.2"><i class="fas fa-exclamation-triangle"></i></a></span></li> website="//support.mozilla.org/en-US/kb/firefox-dns-over-https#w_about-dns-over-https"
<li>DNSCrypt - An older yet robust method of encrypting DNS.</li> privacy-policy="//wiki.mozilla.org/Security/DOH-resolver-policy"
</ul> forum="TBD"
%}
<h4>How to verify DNS is encrypted</h4> {%
include cardv2.html
title="dnscrypt-proxy"
image="/assets/img/svg/3rd-party/dnscrypt-proxy.svg"
description='A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS and <a href="//github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt">Anonymized DNSCrypt</a>.'
website="//dnscrypt.info/"
forum="TBD"
github="//github.com/DNSCrypt/dnscrypt-proxy"
%}
<ul> {%
<li>DoH / DoT include cardv2.html
<ul> title="Unbound"
<li>Check <a href="https://www.dnsleaktest.com/">DNSLeakTest.com</a>. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title="Your DNS provider may not appear with their own name, so compare the responses to what you know or can find about your DNS provider. Just ensure you don't see your ISP or old unencrypted DNS provider."><i class="fas fa-exclamation-triangle"></i></span></li> image="/assets/img/svg/3rd-party/unbound.svg"
<li>Check the website of your DNS provider. They may have a page for telling "you are using our DNS." Examples include <a href="https://adguard.com/en/adguard-dns/overview.html">AdGuard</a> and <a href="https://1.1.1.1/help">Cloudflare</a>.</li> description='Unbound is a validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been <a href="//ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/">independently audited</a>.'
<li>If using Firefox's trusted recursive resolver (TRR), navigate to <code>about:networking#dns</code>. If the TRR column says "true" for some fields, you are using DoH. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title='Some fields will say "false" depending on the the value of network.trr.mode in about:config'><a href="https://wiki.mozilla.org/Trusted_Recursive_Resolver"><i class="fas fa-exclamation-triangle"></i></a></span></li> website="//nlnetlabs.nl/projects/unbound/about/"
</ul> forum="TBD"
</li> github="//github.com/NLnetLabs/unbound"
<li>dnscrypt-proxy - Check <a href="https://github.com/jedisct1/dnscrypt-proxy/wiki/Checking">dnscrypt-proxy's wiki on how to verify that your DNS is encrypted</a>.</li> %}
<li>DNSSEC - Check <a href="https://dnssec.vs.uni-due.de/">DNSSEC Resolver Test by Matthäus Wander</a>.</li>
<li>QNAME Minimization - Run <code>dig +short txt qnamemintest.internet.nl</code> from the command-line (taken from <a href="https://nlnetlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf">this NLnet Labs presentation</a>). If you are on Windows 10, run <code>Resolve-DnsName -Type TXT -Name qnamemintest.internet.nl</code> from the PowerShell. You should see this display: <code>"HOORAY - QNAME minimisation is enabled on your resolver :)!"</code></li>
</ul>
<h3 id="clients">Software suggestions and Additional Information</h3> <h1 id="dns-android-clients" class="anchor">
<a href="#dns-android-clients">
<i class="fas fa-link anchor-icon"></i>
</a> Encrypted DNS Client Recommendations for Android
</h1>
<ul> {%
<li><strong>Encrypted DNS clients for desktop:</strong> include cardv2.html
<ul> title="Android 9's built-in DNS-over-TLS resolver"
<li><em>Firefox</em> comes with built-in DoH support with Cloudflare set as the default resolver, but can be configured to use any DoH resolver. <span class="badge badge-warning" data-toggle="tooltip" data-placement="bottom" data-original-title='"Cloudflare has agreed to collect only a limited amount of data about the DNS requests that are sent to the Cloudflare Resolver for Firefox via the Firefox browser."'><a href="https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/"><i class="fas fa-exclamation-triangle"></i></a></span> Currently Mozilla is <a href="https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/">conducting studies</a> before enabling DoH by default for all US-based Firefox users.</li> image=""
<ul> description='Android 9 (Pie) comes with built-in DNS-over-TLS support.'
<li>DNS over HTTPS can be enabled in Menu -> Preferences (<code>about:preferences</code>) -> Network Settings -> Enable DNS over HTTPS. Set "Use Provider" to "Custom", and enter your DoH provider's address.</li> labels="warning:<a href=//android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html>Warning</a>:However, apps that perform their own DNS queries, instead of using the system's APIs, must ensure that they do not send insecure DNS queries when the system has a secure connection."
<li>Advanced users may enable it in <code>about:config</code> by setting <code>network.trr.custom_uri</code> and <code>network.trr.uri</code> as the address you find from the documentation of your DoH provider and <code>network.trr.mode</code> as <code>2</code>. It may also be desirable to set <code>network.security.esni.enabled</code> to <code>True</code> in order to enable encrypted SNI and make sites supporting ESNI a bit more difficult to track.</li> %}
</ul>
</ul> {%
</li> include cardv2.html
<li><strong>Encrypted DNS clients for mobile:</strong> title="Nebulo"
<ul> image="/assets/img/png/3rd-party/nebulo.png"
<li><em>Android 9</em> comes with a DoT client by <a href="https://support.google.com/android/answer/9089903">default</a>. <span class="badge badge-warning" data-toggle="tooltip" data-original-title="...but with some caveats"><a href="https://www.quad9.net/private-dns-quad9-android9/"><i class="fas fa-exclamation-triangle"></i></a></span></li> description='An open-source application for Android supporting DNS-over-HTTPS and DNS-over-TLS. It also supports caching DNS responses and locally logging DNS queries.'
<ul> website="//git.frostnerd.com/PublicAndroidApps/smokescreen/-/blob/master/README.md"
<li>We recommend selecting <em>Private DNS provider hostname</em> and entering the DoT address from documentation of your DoT provider to enable strict mode (see Terms above). <span class="badge badge-warning" data-toggle="tooltip" data-original-title="If you are on a network blocking access to port 853, Android will error about the network not having internet connectivity."><i class="fas fa-exclamation-triangle"></i></span></li> privacy-policy="//smokescreen.app/privacypolicy"
</ul> forum="TBD"
<li><em><a href="https://apps.apple.com/app/id1452162351">DNSCloak</a></em> - An <a href="https://github.com/s-s/dnscloak">open-source</a> DNSCrypt and DoH client for iOS by <td><a data-toggle="tooltip" data-placement="bottom" data-original-title='"A charitable non-profit host organization for international Free Software projects."' href="https://techcultivation.org/">the Center for the Cultivation of Technology gemeinnuetzige GmbH</a>.</li> source="//git.frostnerd.com/PublicAndroidApps/smokescreen"
<li><em><a href="https://git.frostnerd.com/PublicAndroidApps/smokescreen/blob/master/README.md">Nebulo</a></em> - An open-source application for Android supporting DoH and DoT. It also supports caching DNS responses and locally logging DNS queries.</li> %}
</ul>
</li> <h1 id="dns-ios-clients" class="anchor">
<li><strong>Local DNS servers:</strong> <a href="#dns-ios-clients">
<ul> <i class="fas fa-link anchor-icon"></i>
<li><em><a href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby">Stubby</a></em> - An open-source application for Linux, macOS, and Windows that acts as a local DNS Privacy stub resolver using DoT.</li> </a> Encrypted DNS Client Recommendations for iOS
<li><em><a href="https://nlnetlabs.nl/projects/unbound/about/">Unbound</a></em> - a validating, recursive, caching DNS resolver. It can also be ran network-wide and has supported DNS-over-TLS since version 1.7.3.</li> </h1>
<ul>
<li>See also <a href="https://www.ctrl.blog/entry/unbound-tls-forwarding.html">Actually secure DNS over TLS in Unbound on ctrl.blog</a>.</li> {%
</ul> include cardv2.html
</ul> title="DNSCloak"
</li> image="/assets/img/png/3rd-party/dnscloak.png"
<li><strong>Network wide DNS servers:</strong> description='An open-source DNSCrypt and DNS-over-HTTPS client by <a data-toggle="tooltip" data-placement="bottom" data-original-title="A charitable non-profit host organization for international Free Software projects." href="//techcultivation.org/">the Center for the Cultivation of Technology gemeinnuetzige GmbH</a>. Can be described as <a href="//github.com/DNSCrypt/dnscrypt-proxy">dnscrypt-proxy</a> for iOS.'
<ul> website="https://github.com/s-s/dnscloak/blob/master/README.md"
<li><em><a href="https://pi-hole.net/">Pi-hole</a></em> - A network-wide DNS server mainly for the Raspberry Pi. Blocks ads, tracking, and malicious domains for all devices on your network.</li> privacy-policy="//drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view"
<li><em><a href="https://gitlab.com/quidsup/notrack">NoTrack</a></em> - A network-wide DNS server like Pi-hole for blocking ads, tracking, and malicious domains.</li> github="//github.com/s-s/dnscloak"
</ul> %}
</li>
<li><strong>Further reading:</strong> <h2 id="dns-further-reading">Further Reading</h2>
<ul>
<li>On Firefox, DoH and ESNI</li>
<ul>
<li><a href="https://wiki.mozilla.org/Trusted_Recursive_Resolver">Trusted Recursive Resolver (DoH) on MozillaWiki</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1500289">Firefox bug report requesting the ability to use ESNI without DoH</a></li>
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1542754">Firefox bug report requesting the ability to use Android 9+'s Private DNS (DoT) and benefit from encrypted SNI without having to enable DoH</a></li>
<li><a href="https://blog.cloudflare.com/encrypted-sni/">Encrypt it or lose it: how encrypted SNI works on Cloudflare blog</a></li>
</ul>
<li><a href="https://www.isc.org/blogs/qname-minimization-and-privacy/">QNAME Minimization and Your Privacy</a> by the Internet Systems Consortium (ISC)</li>
<li><a href="https://www.isc.org/dnssec/">DNSSEC and BIND 9</a> by the ISC</li>
</ul>
</li>
</ul>
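Review bot: several cards ship with placeholder values, `forum="TBD"` on the Firefox, dnscrypt-proxy, Unbound and Nebulo cards and `image=""` on the Android 9 card; fill these in or drop the attributes before merging so the include does not render empty links and a broken image. The new `<h2 id="dns-further-reading">Further Reading</h2>` has no list under it, and the "How to verify DNS is encrypted" section (DNSLeakTest, `about:networking#dns`, the dnscrypt-proxy wiki, the DNSSEC resolver test and the `qnamemintest.internet.nl` check) plus the Stubby, Pi-hole and NoTrack entries are removed without replacement; if they are being moved rather than deleted, say so in the commit message. The Firefox card's label changes the Cloudflare URL from `https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/` to `//developers.cloudflare.com/1.1.1.1/privacy/firefox` and leaves the `href` unquoted inside the `labels` string; verify the new path resolves and quote the attribute. The Android 9 label text opens with "However, apps that perform their own DNS queries..." which now reads as a fragment because the sentence it followed is gone, and the DNSCloak `website` uses an absolute `https://` URL while every other card uses protocol-relative `//` links.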