Add Encrypted DNS providers table #1097
Reference: privacyguides/privacytools.io#1097
Description
Resolves: #1077
Resolves: #1068
Resolves: #1070
Deploy preview for privacytools-io ready!
Built with commit 115c8939815cc3fe87e34836a1244563833a6232
https://deploy-preview-1097--privacytools-io.netlify.com
Deploy preview for privacytools-io ready!
Built with commit 9f661d8cae
https://deploy-preview-1097--privacytools-io.netlify.com
@Mikaela I think we'll want to clarify criteria for adding a DNS provider to the list and also whether any that I've listed should be removed.
I love it, but have just a few change suggestions
In the future hopefully, but currently the sites you access get leaked by IP address and SNI. I think a better wording would be:
another benefit is that it could make tracking your activity by a LAN watcher a bit more difficult, but I don't know what is the state of the tools that monitor SNI and IP addresses connected to.
I would prefer saying "?" or "unknown" or "U/K" instead of "N/A", which I think gives the wrong impression.
Another note: as you seem to list IPv4 and IPv6, it should be noted that those generally aren't encrypted if people happen to add them.
Note that their "insecure" DNS doesn't have DNSSEC either.
(see the DNSSEC comment)
Isn't this also "Some" as with Applied Privacy, or where do you set the border between "Y" and "Some"?
I am looking at https://appliedprivacy.net/privacy-policy/ and https://quad9.net/policy/
Could we deviate from the usual "Worth Mentioning" and instead be "Worth Mentioning and additional information"?
I think the "default" link should be https://support.google.com/android/answer/9089903 (?hl=en to force language if you wish) instead, as that blog doesn't even tell where to enable it.
Oh, and there isn't the note that we cannot verify that providers actually follow their privacy policies? I guess I was thinking of something more explicit.
What I am thinking about:
The server locations are again a question mark, should they be outside of 14 eyes? But I would argue that location matters with DNS servers as there is the question of speed (which may matter more to average user) and possibly CDN optimization. Then devices (especially phones/tablets) also travel which may be a bonus for anycast, but if I recall correctly OpenNIC is worried about that being centralization.
I think Quad9 currently has the widest anycast network and I wonder if delisting it would send traffic to dns.google or cloudflare-dns.com, but I respect your decision if you think it's better to delist it.
Which actually leads to a question: do you think Cloudflare DNS should be listed, or is it established as too big by #374 and some comments in #785? I am aware that many people in /r/privacytoolsio and possibly elsewhere in the community are using it. And that leads to a question: should there be a warning about Cloudflare in addition to Google?
I remembered ambiguity in filtering and wonder if it should be addressed more clearly.
Ads, trackers, malicious domains?
" Filtered some ads, trackers, malware", some wildcards domains and international non-ASCII domains which can be a problem.
I don't know how common they are, but I can think of two, I don't know if one of them still exists though, but they are likely more common in different countries.
Malicious domain filtering.
Ads depending on server choice? https://github.com/notracking/hosts-blocklists
@ -43,0 +59,4 @@
</thead>
<tbody>
<tr>
<td data-value="AdGuard">
I just remember that this should possibly be more explicitly explained in the table, what is being filtered?
Good point, I stole that alert from the VPN page 😅 I can change that to "but it will prevent DNS hijacking and spoofing."
Good catch; I think since this table is specifically for encrypted DNS I'll remove those from being included in the protocols.
I'm wondering if adding something like "We also cannot verify that the below providers actually follow their own privacy policies so use caution." is really needed? Wouldn't this apply then to most everything then? I'm not sure...
What about this:
We could also add to it a disclaimer at privacy policy validation but I'm not sure what the right wording would be at the moment.
Gotcha; ok, removed since it doesn't really make sense to include it in this table.
Good callout; I'll go with "?" unless someone feels stronger about another method 😄
@ -43,0 +59,4 @@
</thead>
<tbody>
<tr>
<td data-value="AdGuard">
Good catch! Okay, will update to "Ads, trackers, malicious domains" rather than a boolean.
Good catch! We can add a warning tooltip for this.
Good catch, you're right!
Nice, thanks!
You're right; will update to "some" for consistency.
Updated!
That makes sense; it would also disqualify UncensoredDNS since they only support DoT.
Yeah, I agree that "some" is fine in certain cases like Applied Privacy and Quad9. Based on their policies, Applied Privacy and Q9 both log and aggregate metrics based primarily on counts and not IP address (which they treat as PII).
Good callout. AdGuard relies on Cloudflare, Google, and OpenDNS as upstream DNS providers, I think, while both Cloudflare and Google provide DNSSEC, OpenDNS currently does not. So I guess in AdGuard's case it's "partial" DNSSEC support since theoretically a third of queries wouldn't be validated? This was also mentioned in a Reddit thread, to which AdGuard responded:
Interestingly, a product manager from OpenDNS also replied on that thread:
If we still want to include AdGuard, I've added a tooltip to that table cell and updated the value to "Partial."
I wonder if rather than 'outside of 14 eyes' we'd go with what the VPN providers table uses, "outside of the US"? That would disqualify Quad9 though and others like Cloudflare.
From my perspective, I think if our criteria would allow "inside" the US (essentially no location criteria), we would be inclined to include Quad9 and Cloudflare (especially with Mozilla partnering with CF) (and maybe even nextdns). We need to decide where the balance and compromise is. I see value in including these US-based providers but understand if PTIO as a whole would rather have a minimum "outside of the US" rule.
I think regardless of including CF or not, we could add a snippet about Google in the top warning banner?
Sounds good, but I would add third party or something in front of spoofing as that is what the filtering DNS providers do and you have to trust them unless the zone is DNSSEC signed and you run a local DNSSEC validator (which I don't think is done by anyone on Android/iOS while it's somewhat rare also on desktops).
Sorry, I was thinking / more of as "or" here and I would be fine with UncensoredDNS as the readers are going to see clearly that it's DoT-only and not consider it for their DoH requirement, but might take it for Android, thanks to your table :)
What is the source for this? I find it worrying as I would expect DNS providers to perform name resolution by themselves querying the root servers when they don't know which are the authoritative nameservers. Was the word recurse?
I guess this is the best solution for now
I don't think it's a good solution, because there are a lot of people in the US who also need DNS (who doesn't need DNS?) and using foreign resolvers could lead to slower speeds and content delivery happening from foreign instead of local datacenters and causing slower speeds.
I guess we have to include them in that case. Can we at least have a warning "a big part of the internet is in Cloudflare's networks and it's a problem considering decentralization" or similar?
👍 I am not entirely sure on the "your ISP" part as I think they are more reliable in some countries, but then again they don't currently support DoT/DoH, but I hope in the future they will and if they have a good privacy policy, I guess we can include them or link elsewhere for a comparison of them, assuming they are going to only serve their own customers?
Sorry, I forgot to look at the code and preview after my previous comments, I think this will be great 👍
However, reading the table I spotted that DNSCrypt is twice misspelled as DNScrypt, which makes it seem a bit unclear to me.
Inconsistency: some parts say DNSCrypt, some DNScrypt (note the c/C); DNSCrypt appears to be the upstream spelling judging by https://dnscrypt.info/
@ -43,0 +56,4 @@
<th data-sortable="true">Filtering</th>
<th data-sortable="true">Source Code</th>
</tr>
</thead>
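Review bot: the Filtering column is marked data-sortable, but the thread notes that "?" and "N" should sort together; make sure the data-value of those cells resolves to the same sort key, otherwise an unknown filtering status will sort above or below "N" purely by character code.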
Now I also realized that we don't expand what do DoH/DoT/DNSCrypt mean? Maybe they should have a short paragraph in the additional information in the bottom.
Would we also need to give examples on what supports what? I guess the page already mentions DNSCrypt-proxy (possibly also as supporting DoH which it does) and Android 9 supports TLS, but would Firefox need to be mentioned or is it enough for #785 to refer to the table? I think it may be a non-issue.
Sorry, my head isn't still working that well and I am not sure if this works as a base for you to improve.
Sorry, another small nitpick, but is there a particular reason for old.reddit.com privacy-wise or are you one of those people who are used to it and want to resist the change? I am just thinking on how the new interface is better on small screens (phones)?
Feedback from friends:
We have issues for the latter already, #1055 and privacytoolsio/guides.privacytools.io#9
The sorting is weird, if you sort by Protocol, it's alphabetic and DoH, DoT should rank higher than just DoH. When sorted by filtering, ? should rank the same as N.
I don't know if that is easy to fix?
Edit:
https://i.reddit.com has the least amount of trackers with ‘old’ next and then the new UI having the most. “i” looks horrible on desktops so maybe we just stick with the new UI since it’s more user-friendly to all devices?
Ah, yeah, that makes sense 👍
Huh, this is interesting. From some testing a month or two ago DNS results would return resolvers for Cloudflare/Google/OpenDNS which AdGuard after filtering, forwards requests to. But checking now, it looks like that isn't happening anymore; I'm connecting to a single Anycast resolver hosted on Vultr with DNSSEC support. I also can't find any official documentation in their FAQ regarding their upstream providers, so I'm inclined to change their DNSSEC value to "Y" and remove the warning.
Yeah, I agree with you; I think there's value in removing the location criteria for DNS.
Yeah, I think that'd be good. I can add a new row for Cloudflare with a warning. What do you think of nextdns? It's fairly new, but arguably on par with a "hobby project" at the moment I guess which wouldn't disqualify it in that regard. It's unique though in that it markets itself as "Cloudflare + Pi-hole capabilities."
Yeah, good callout, I can remove the ISP part unless someone thinks otherwise.
I think since there doesn't appear to be partial support but rather full support for DNSSEC now we can just remove this.
@ -43,0 +56,4 @@
<th data-sortable="true">Filtering</th>
<th data-sortable="true">Source Code</th>
</tr>
</thead>
Great callout -- what do you think about something like this for the terms (viewable also from the preview deployment: https://deploy-preview-1097--privacytools-io.netlify.com/)
And something like this for mentioning clients?
I think we should call out Firefox supporting DoH but am wondering how you think something like this would be.
@ -43,0 +111,4 @@
<td>Anycast (based in <span class="flag-icon flag-icon-us"></span> US)</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://www.cloudflare.com/privacypolicy/" href="https://www.cloudflare.com/privacypolicy/">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
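Review bot: the alt text "WWW" on the privacy-policy link image tells a screen-reader user nothing about where the link goes, and the tooltip only repeats the raw URL; suggest alt="Privacy policy" and a tooltip title such as "Cloudflare privacy policy" so the link is understandable without the image.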
@Mikaela you'll notice I've added CF + nextdns for discussion here.
Hmm, that's a good point... let's save that for later; we should address that though.
Okay, I resolved the "?"/"N" oddity so they're treated the same. I can't figure out right now how to custom sort by length and then alphanumerically, but I have a hack in place where I give only "DoT" values "DoH" as the sort value... 😓
I don't have hard comments on the rest.
1.1.1.1 is IPv4-only and I don't think we should hardcode it as there are already some IPv6-only networks in the world even if there are transition mechanisms.
(now I also finally learned to make suggestions)
But where do they actually document the DoT and DoH addresses?
Is it also enabled by default already?
@ -43,0 +56,4 @@
<th data-sortable="true">Filtering</th>
<th data-sortable="true">Source Code</th>
</tr>
</thead>
👍 looks good
@ -43,0 +191,4 @@
<td>Anycast (based in <span class="flag-icon flag-icon-us"></span> US)</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://www.nextdns.io/privacy" href="https://www.nextdns.io/privacy">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
I have a small problem with them, but apparently my problem doesn't even apply with encrypted DNS, so I have no problem :)
@ -43,0 +111,4 @@
<td>Anycast (based in <span class="flag-icon flag-icon-us"></span> US)</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://www.cloudflare.com/privacypolicy/" href="https://www.cloudflare.com/privacypolicy/">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
Todo: add warning
@ -43,0 +111,4 @@
<td>Anycast (based in <span class="flag-icon flag-icon-us"></span> US)</td>
<td>
<a data-toggle="tooltip" data-placement="bottom" data-original-title="https://www.cloudflare.com/privacypolicy/" href="https://www.cloudflare.com/privacypolicy/">
<img alt="WWW" src="/assets/img/layout/www.png" width="35" height="35">
Updated and linked to https://codeberg.org/crimeflare/cloudflare-tor/ which looks more up-to-date compared to https://notabug.org/themusicgod1/cloudflare-tor/src/master.
Hmm... I'm not 100% sure but I think not yet -- they're still conducting studies: https://blog.mozilla.org/futurereleases/2019/07/31/dns-over-https-doh-update-detecting-managed-networks-and-user-choice/
Hmm good point! Need to find that...
I guess both are documented here? https://developers.cloudflare.com/1.1.1.1/dns-over-https/
You think that should be added here, that it's not enabled by default right now?
@Mikaela would you be able to double-check that they don’t support QNAME Min?
Not as easily as the previous one as it's not listed in DNSCrypt-proxy, but I can reconfigure my Unbound, I guess.
I receive
when I configure Unbound with
and have commented qname-minimization.conf
wait, that is entirely different DNS provider I just tested? Let's try this again
I forgot that the studies exist and I am not sure, maybe mention that Mozilla is testing it with small subset of users?
No, it's the same DNS provider, but they just confusingly use different domain for their anycast DoT than website.
I am not sure if the source_code file needs updating in this case as you already linked sources everywhere.
https://deploy-preview-1097--privacytools-io.netlify.com/classic/#icanndns also seems to work directly as it wasn't a new page that was added.
based on your comment I missed for a page that actually documents where to find DoT/DoH without being so much of an advertisement.
to prevent accidental merge before everything is talked about and @nitrohorse feels confident. I will also set the WIP-do-not-merge label for him to remove
Thank you!
#1111 reminded me, what is the difference between an association and non-profit?
Yeah, from my understanding in CZ.NIC’s context, it’s not technically a non-profit but rather a formal type of collective? https://en.m.wikipedia.org/wiki/Voluntary_association
Hmm what do you think about:
Updated to cloudflare-dns.com/dns 👍
What do you think about:
Found their docs:
I wonder if https://cloudflare-dns.com/dns/ is good enough to link here? Isn't super helpful though because users have to dig into their docs to find these.
Added DNS-over-Tor.
@Mikaela - now that Cloudflare and the Foundation of Applied Privacy include DNS-over-Tor, (for consistency I changed Applied Privacy's "DNS-over-Onion" to "Tor"), I've added this new term description. Thoughts?
I am otherwise fine, but a small issue is that the filtering may be done by the provider and even intentionally if the user is after adblocking.
👍
But where does "US-based Firefox users" come from? I don't think I have heard of that criterion before connected to this issue.
From your link.
I don't think it's good enough to link here as they advertise their own app instead of the open source apps we suggest (including Android 9+'s native support) and they don't even tell the addresses. The only link to DoT again is in "how to integrate" section which I think is more aimed at device manufacturers or something in my opinion.
I think it would be OK to link at if we didn't have a focus on encrypted DNS, but the plain DNS makes no sense in my opinion as it could be hijacked, read and everything making it unfit as a privacy tool.
I think Cloudflare and Foundation of Applied Privacy mean different things with it.
For Cloudflare it's a normal DoH resolver which has a valid EV certificate.
For FoAP
I think Firefox at least is not going to accept it as it requires a valid certificate for DoH and only .onions can have an EV certificate, so I wonder if it would be better to not mention DNS-over-Tor at all as it currently seems to be restricted only to bigger players, but I guess it's interesting to follow in case the situation improves in the future.
Do you know what kind of software would take the FoAP link? I know Firefox/TorBrowser are fine with Cloudflare's and dnscrypt-proxy has a support for it.
I understand the initiative, but it doesn't make sense under the current state of DNS.
Here are some notes:
Only 2 support DNS-Over TOR: Only Cloudflare and Foundation for Applied Privacy use TOR.
None use I2p: None of the recommendations use, i2p.
Maybe not a huge issue, but I would like to see more of this.
Only OpenNic has a larger list of TLDs:
Only OpenNic supports uncommon TLDs like .bit.
https://www.wikipedia.org/wiki/OpenNIC#OpenNIC_namespaces
In my opinion, the current state of DNS sucks.
IMO, we need to inform them by adding tabs like "supports i2p", "Supports TOR", "Uses Free Software", and "Supports NameCoin". Preferably, requiring them to at least use/support one of these.
Edit: Why isn't OpenNic listed?
What might be a better idea is to instead have a sortable table of "no logging" OpenNic Servers. Basically anybody can host an OpenNic server, so it is very democratic. :)
And the two that do support DNS over Tor mean two different things by it (https://github.com/privacytoolsIO/privacytools.io/pull/1097/#discussion_r311923362) and the original DNS over Tor would mean
from man torrc.
Do you have any recommendations that support DNS over I2P? I am not aware of any and I think Nitrohorse would have suggested them if he knew.
This is a separate issue, but do those have valid SSL certificates or are they all plain text? We are already recommending OpenNIC on the top of the page though.
I guess there is always room for improvement.
I don't see additional value of them.
Because it's already listed. https://www.privacytools.io/providers/dns/#dns
OpenNIC doesn't fulfil our requirement of supporting DNS over TLS or DNS over HTTPS; I have opened an issue at https://github.com/opennic/opennic-web/issues/68. OpenNIC servers are also already listed at https://servers.opennic.org/ (see also the previous link).
Hmm that's true... the wording is a bit misleading since filtering can be by choice or not. Will think of something a bit clearer.
Not sure if that makes it a bit clearer?
Yeah, it's kind of annoying that there isn't a general page with both DoH and DoT endpoints listed that's also bookmark-able; I think the best we could link to would be the DoH page: https://developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/
Users would then see the DoT page available on the left sidebar 😕
Yeah, I think that'd be best for now until we decide a more consistent way to list it without confusing users (including me 😅). Thanks for catching this!
Thanks for the suggestions, @ghbjklhv1! I don't think a table with this criteria should override this table. Rather be in addition to possibly (or in the future add additional columns)? We'll need to iterate over and clarify DNS-over-Tor/I2P + NameCoin support more (I'm still learning), and I think having this table for encrypted ICANN DNS resolvers that support DoH/DoT/DNSCrypt is valuable for PTIO users now (and also a good launching point for enhancing the DNS page overall).
Removed for now.
Ah, good catch -- I don't mind; I think it'll be useful to add 👍
I've updated the code with this change for easier previewing.
Updated Cloudflare's link to point to https://developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/ until we figure out something better.
I have some small comments, but am impatient to get this merged. How about you @blacklight447-ptio ?
I think sharing implies consent and there is nothing that could prevent the DNS resolver from sharing it to third parties (except their policies, but some like Quad9 do say to share anonymized data).
I guess this line is not going to be perfect, so I would be fine with merging like this too.
Should this say?
data-value=doh DoT?
@ -272,2 +274,3 @@
- NoTrack: https://github.com/quidsup/notrack
Namecoin: https://github.com/namecoin
- Namecoin: https://github.com/namecoin
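Review bot: the Namecoin entry appears once without and once with the leading "- " list marker; only the version with the marker matches the NoTrack line above and renders as a list item, so keep that one and make sure no unprefixed copy of the line survives in the final file.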
You missed https://github.com/s-s/dnscloak ?
I'm fine with the merge. On the Cloudflare thing, most criticisms seem to be mostly speculation. I dislike them for captchaing Tor users, but they do seem to improve the situation by design with Alt-Svc onions. They also do a lot of other good stuff like rolling out encrypted SNI.
Going to stay with https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/ 👍
Good point! Updated to:
Good catch! Will update.
Yeah, this is the "hack" I mentioned for "DoT" values when sorted to be grouped with "DoH" values. Don't really like it myself but it's what I could figure out for now.
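The sort-key problem raised in the friends' feedback ("DoH, DoT" should rank above a bare "DoH", and "?" should rank the same as "N") and the "hack" described here can be solved with a comparator instead of overriding data-value. The following is an added example, not code from the privacytools.io repository: it ranks a Protocol cell by how many protocols it lists before falling back to a fixed order, and gives "?" and "N" the same rank in the Filtering column. The row object shape, the field names protocol and filtering, the PROTOCOL_ORDER list and the sample rows are assumptions made for the example.

```javascript
// Added example (not the privacytools.io PR's own code). Assumes each
// table row is an object whose "protocol" and "filtering" strings are
// the cell texts, e.g. { name: "X", protocol: "DoH, DoT", filtering: "?" }.

// Assumed display order for protocols; anything unlisted sorts after these.
const PROTOCOL_ORDER = ["DoH", "DoT", "DNSCrypt"];

function protocolRank(name) {
  const i = PROTOCOL_ORDER.indexOf(name);
  return i === -1 ? PROTOCOL_ORDER.length : i;
}

// "DoH, DoT" -> ["DoH", "DoT"], normalised so "DoT, DoH" compares equal.
function parseProtocols(cell) {
  return cell
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .sort((a, b) => protocolRank(a) - protocolRank(b));
}

// Protocol column: a cell listing more protocols ranks higher; ties are
// broken by the fixed order, so "DoH, DoT" > "DoH" > "DoT" > "DNSCrypt".
function compareProtocols(a, b) {
  const pa = parseProtocols(a);
  const pb = parseProtocols(b);
  if (pa.length !== pb.length) return pb.length - pa.length;
  for (let i = 0; i < pa.length; i++) {
    const d = protocolRank(pa[i]) - protocolRank(pb[i]);
    if (d !== 0) return d;
  }
  return 0;
}

// Filtering column: "?" (unknown) is treated exactly like "N" (none);
// any cell naming a filter category, or "Some", ranks above both.
function filteringRank(cell) {
  const v = cell.trim();
  return v === "N" || v === "?" ? 0 : 1;
}

function compareFiltering(a, b) {
  return filteringRank(b) - filteringRank(a);
}

const COMPARATORS = { protocol: compareProtocols, filtering: compareFiltering };

// Returns a new array sorted by the named column, best-supported first.
// Array.prototype.sort is stable, so rows that compare equal keep their
// original order, which is what "? ranks the same as N" requires.
function sortRows(rows, column) {
  const cmp = COMPARATORS[column];
  if (!cmp) throw new Error(`no comparator for column ${column}`);
  return rows.slice().sort((x, y) => cmp(x[column], y[column]));
}

// Constructed sample rows; the values are illustrative, not from the table.
const SAMPLE_ROWS = [
  { name: "A", protocol: "DoT", filtering: "N" },
  { name: "B", protocol: "DoH", filtering: "Ads, trackers, malicious domains" },
  { name: "C", protocol: "DoH, DoT", filtering: "?" },
  { name: "D", protocol: "DNSCrypt, DoH", filtering: "Some" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(sortRows(SAMPLE_ROWS, "protocol").map((r) => r.name).join(", "));
  // -> C, D, B, A
  console.log(sortRows(SAMPLE_ROWS, "filtering").map((r) => r.name).join(", "));
  // -> B, D, A, C
}
```

Wiring this into a sortable-table plugin means supplying compareProtocols and compareFiltering as the column's custom sorter rather than rewriting data-value, so the cell text stays truthful and the order is decided in one place.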
👍