A Survey of Public DNS over HTTPS Servers

In FDNS project we maintain a long list of non-logging and uncensored DoH servers. We call it The Little People Network since these are mostly non-corporate servers.

With new servers coming and going, we developed several testing tools to keep the list up to date. In this blog I will introduce one of them, and run it over this large DoH network. The information can help the user choose a DoH service based on multiple criteria: speed, bandwidth, TLS version etc. It can also help a server administrator optimize the service or debug various problems that might arise during operation.

Highlights

  • Don’t worry about speed, you have a bandwidth problem
  • HTTP headers, network traces, inactivity timer
  • H2O good, nginx bad
  • The Commercials are coming

Continue reading

Firejail BitTorrent Sandboxing Guide

When it comes to your security and privacy, it is always better to build your own. Like a chef cooking a meal. Good or bad, at least you know what you put in. Here’s our bittorrent recipe, deep-fried edition.

Ingredients

One browser… I guess you’ve seen this picture before. Only Downloads directory is real, and some miscellaneous configurations files.

Mozilla Firefox – sandboxed home directory

The bittorrent client is similar: only Downloads. Make sure you save the files in this directory, otherwise you lose them when you close the client.

Transmission-Qt – sandboxed home directory

Note: in general, network-facing applications in Firejail have a downloads-only home directory. We also make the home directory non-executable, and if AppArmor is running on your system we deploy our own profile and enforce it. The only rule is ALWAYS SAVE FILES IN DOWNLOADS!

Continue reading

Lifehacker: How to Enable DNS Over HTTPS in Your Web Browser

Mozilla has started rolling out DNS over HTTPS for all Firefox users, a solid security change that’s meant to address the issue of third parties spying on the websites you’re visiting. Normally, when you type a website into your browser’s address bar and hit Enter, your browser uses DNS to map the domain name to the actual IP address of the server you’re trying to reach—the one that hosts the website you’re looking to visit.

With DNS over HTTPS enabled, Mozilla writes, your browsing history should be much more hidden from potential attackers and companies that are trying to track what you’re up to online. But Firefox isn’t the only browser that can handle DNS over HTTPS. Here’s a quick look at how to enable DNS over HTTPS in all the major browsers—Mozilla’s included, if you’re impatient and don’t want to wait for the rollout to hit.

more

APNIC: How to Deploy DoT and DoH with dnsdist

DNS privacy is a major concern for many, and for good reasons. DNS requests contain fields that are considered private, which reveal sensitive information about someone’s browsing and Internet activities. To address these issues, two DNS privacy standards have grown in popularity over the last couple of years – DNS-over-TLS (RFC 7858) and DNS-over-HTTPS (RFC 8484).

DNS-over-TLS (or DoT) provides encrypted transport for DNS transactions. This is achieved by encrypting DNS traffic using TLS. DNS-over-HTTPS (DoH) provides another form of secure transport where DNS queries and responses are passed as HTTPS traffic. This also allows web applications to access DNS information using an API.

Below is a simple tutorial to implement these privacy standards. We will be using the Ubuntu 18.04 LTS (Bionic Beaver) server.

more