[HN Gopher] Show HN: Which DNS servers are you pointing to?
       ___________________________________________________________________
        
       Show HN: Which DNS servers are you pointing to?
        
       Author : Fileformat
       Score  : 184 points
       Date   : 2020-10-25 13:32 UTC (9 hours ago)
        
 (HTM) web link (which.nameserve.rs)
 (TXT) w3m dump (which.nameserve.rs)
        
       | compsciphd wrote:
        | I'm using 8.8.8.8 and it's coming up as cloudflarenet not whatever
       | google should presumably be?
        
         | treis wrote:
         | Me too. Can someone explain why Cloudflare shows up when (as
         | far as I know) I don't use Cloudflare.
        
         | dheera wrote:
         | Gosh, I feel old, how do I set DNS servers in Linux these days?
         | 
         | I used to just edit /etc/resolv.conf and add 8.8.8.8 to it but
         | now recent distros have "Do not edit." in resolv.conf and don't
         | tell you what to actually edit. Why do they have to do this to
         | us ... things used to be simple.
        
           | Godel_unicode wrote:
           | I don't think resolvectl is less simple, just different. It
           | makes it much easier to realize you've typo'd something, for
           | instance. It also makes it easier to understand what the
           | running config is, as opposed to the old "read a bunch of
           | text files and hope they haven't been edited since the daemon
           | was hup'd".
           | 
            | https://wiki.archlinux.org/index.php/Systemd-resolved#Settin...
        
           | teddyh wrote:
           | It depends on whether you are using NetworkManager or
           | systemd-resolved, or something else.
        
           | Denvercoder9 wrote:
           | You can still edit /etc/resolv.conf. If it has a "Do not
           | edit" comment in it, it's probably a symlink to some file
           | that's dynamically managed (most likely to automatically use
           | or fallback to the DNS server advertised on the network, as
           | needed for e.g. captive portals). Just replace the symlink
            | with a text file with your preferred DNS server in there.
        
           | vetinari wrote:
            | Because it is not adequate for today's use cases.
           | 
            | Today, you can set up DNS per interface and designate which
           | DNS accessible via which interface can resolve which zones.
           | So your intranet.company.com can go through specific VPN
           | connection and the rest via your default route, for example.
           | 
           | You can't do that with simple /etc/resolv.conf.
        
         | gilrain wrote:
         | Are you using Firefox?
         | 
         | https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs...
        
           | compsciphd wrote:
            | That explains it. Chrome comes up as Google. However, I'm not
           | located in the US.... (a good 10k kilometers away)
        
       | justsomedood wrote:
       | Wow, this is such a useful tool and a clever way of finding out
       | the DNS server. Great job!
        
         | bt1a wrote:
          | Agreed, the unique site prefix is one of those 'aha' ideas (I'm
          | sorry, not good with words)
        
       | lucb1e wrote:
       | If Mozilla silently enabled DOH-via-CloudFlare for you, it would
       | show up here right? Because if yes, this would make it quite easy
       | to find whether you have the right settings without having to
       | find it somewhere in a configuration screen or trying to find out
       | which users' throats Mozilla ended up deciding to force this
       | down.
        
         | Fileformat wrote:
         | Sort of: it doesn't differentiate between DoH and normal
         | resolution (it only does IPv4 TCP & UDP resolution). This means
         | that it will return Cloudflare (i.e. ASN of CLOUDFLARENET), but
         | probably the same Cloudflare as if you are using Cloudflare's
         | public DNS servers.
         | 
          | Tip: You can check a specific DNS server with dig and curl:
          | 
          |     UUID=$(uuidgen)
          |     dig ${UUID}.which.nameserve.rs @1.1.1.1
          |     curl --silent https://which.nameserve.rs/debug.txt | grep ${UUID}
          | 
          | and then do an ASN lookup on the IP address.
         | 
         | Note: the debug page is unofficial, and may change, so don't
         | bake this into anything.
        
       | teknologist wrote:
       | I often use dnsleaktest.com for this; it runs multiple rounds so
       | you see all the ones you might be using.
        
         | WarOnPrivacy wrote:
         | Very nice. I don't think I've used them before.
        
       | rosstex wrote:
       | Super useful, thanks!
        
       | tsjq wrote:
       | Good one. Thanks
        
       | Cantbekhan wrote:
       | Nextdns.io and cloudflare externally. Pi-hole pointing to those
       | internally. Preferably encrypted. Preferably with Firefox due to
       | esni support.
        
         | leokennis wrote:
         | Very satisfied NextDNS user here. Easy to set up, and it's a
         | surprise for me how much nicer ad and tracker blocking is over
         | my entire network (all laptops, phones, smart TV etc.) than
         | just using a blocker in my web browser.
        
         | captn3m0 wrote:
         | In my case NextDNS shows up as Google, both here and on
         | https://www.dnsleaktest.com/ since they are using GCP.
        
       | WarOnPrivacy wrote:
       | I have a local DNS server that forwards over TLS (DoT) to
       | Cloudflare & Quad9, round-robin.
       | 
       | Page alternately returns WOODYNET @ rrdns.pch.net and
       | CLOUDFLARENET. I like the pch.net info - it's something about
       | Quad9 I didn't know.
        
         | daneel_w wrote:
         | This was a surprise to me as well. For anyone else reading this
          | it means that Quad9, _not your system_, is relaying DNS
         | traffic to WoodyNet.
        
           | ilikepi wrote:
           | PCH provides the infrastructure for Quad9...so I don't think
           | it makes sense to say that Quad9 is "relaying" DNS traffic to
           | PCH/WoodyNet. There isn't some organizational boundary that's
           | being crossed.
        
       | Fileformat wrote:
       | I kept running into DNS issues, and needed to triple-check that I
       | was pointing to the right DNS servers, so I made this utility
       | website that does exactly that: which-dns [1]
       | 
       | This isn't a new idea ([2]), but mine supports https (hat tip to
       | Matt Holt's certmagic [3]), is ad-free, and the source is
       | available [4].
       | 
       | Let me know what you think!
       | 
       | [1] https://which.nameserve.rs
       | 
       | [2] http://www.whatsmydnsserver.com/
       | 
       | [3] https://github.com/caddyserver/certmagic
       | 
       | [4] AGPL. It is my first foray into golang.
       | https://github.com/redirect2me/which-dns
        
         | sleavey wrote:
         | I just read the GitHub readme:
         | 
         | > How does it work? You make a request to a hostname with a
         | unique prefix. All hostnames resolve to the same IP, but the
         | DNS server records which IP address the query came from. The
         | webserver looks for this record and returns it.
         | 
         | That's a smart way of detecting a user's DNS server - well
         | done!
         | 
         | Is there a way to "fail" the first request and try to force the
         | user's secondary DNS to kick in so that it can be detected too?
        
           | Fileformat wrote:
           | It would be really nice to detect the user's secondary DNS.
           | 
           | I'm not sure failing will do that, but it might reveal
           | interesting things anyway. I'll add it to the to-do list.
        
           | dgl wrote:
           | The extended test on https://www.dnsleaktest.com/ does that.
           | There's also various tests that reveal EDNS subnet leakage.
           | 
           | It's pretty easy to implement; somehow don't respond to a
           | request, but do respond to a second. (If you're clever you
           | can probably do it without server side state, e.g. encode a
           | deadline in the custom hostname.)
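An added example, in Python, that is neither which-dns's own code nor anything posted in this thread: it models the readme mechanism quoted above (every name under the zone answers the same IP, but the authoritative server records the source address of whichever resolver asked, keyed by the unique prefix) together with dgl's stateless "encode a deadline in the custom hostname" variant for surfacing the secondary resolver. The zone name `which.example.test`, the TEST-NET addresses, the 32-hex-character token format and the `<token>.<unix-deadline>.<zone>` label layout are my assumptions, and the stub resolver's timeout-and-retry behaviour is simulated in-process so the whole thing runs offline.

```python
import secrets
import struct
import time

ZONE = "which.example.test"   # placeholder zone; the real site is which.nameserve.rs
SITE_IP = "192.0.2.10"        # TEST-NET-1 address standing in for the web server


def new_token() -> str:
    """Per-request prefix: 128 bits from the OS CSPRNG (bash's $RANDOM is 15 bits)."""
    return secrets.token_hex(16)


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 A/IN query for qname, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(msg: bytes) -> str:
    """Return the first question's QNAME (question names are never compressed)."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


class FakeClock:
    """Deterministic clock so the deadline variant can be exercised offline."""
    def __init__(self, t: int):
        self.t = t

    def now(self) -> int:
        return self.t

    def advance(self, seconds: int) -> None:
        self.t += seconds


class WhichDnsServer:
    """Authoritative server for ZONE: every name answers SITE_IP, but the source
    address of each resolver that asked is recorded under the token label."""

    def __init__(self, now=time.time):
        self.seen = {}   # token -> [resolver IPs that queried, in order]
        self.now = now

    def handle(self, msg: bytes, src_ip: str):
        """Return the answer IP, or None to stay silent (the query is dropped)."""
        qname = parse_qname(msg).lower()
        if not qname.endswith("." + ZONE):
            return None                     # not our zone: nothing to record
        labels = qname[:-len(ZONE) - 1].split(".")
        token = labels[0]
        self.seen.setdefault(token, []).append(src_ip)   # recorded even if dropped
        # Stateless fail-first: '<token>.<unix-deadline>.ZONE' gets no answer until
        # the deadline has passed, so the stub times out and retries via its secondary.
        if len(labels) == 2 and labels[1].isdigit() and self.now() < int(labels[1]):
            return None
        return SITE_IP

    def lookup(self, token: str):
        """What the web side reports for /api.json: which resolvers asked for this token."""
        return self.seen.get(token, [])


def simulate_stub(server, qname, resolvers, clock, timeout=5):
    """Toy stub resolver: ask each configured resolver in turn, giving up on one
    after `timeout` silent seconds. Network hops are collapsed into direct calls."""
    msg = build_query(qname)
    for resolver_ip in resolvers:
        answer = server.handle(msg, resolver_ip)
        if answer is not None:
            return answer
        clock.advance(timeout)
    return None


if __name__ == "__main__":
    clock = FakeClock(1_000_000)
    srv = WhichDnsServer(now=clock.now)
    resolvers = ["198.51.100.1", "198.51.100.2"]   # constructed primary/secondary
    tok = new_token()
    simulate_stub(srv, f"{tok}.{ZONE}", resolvers, clock)
    print("plain lookup:", srv.lookup(tok))        # only the primary shows up
    tok2 = new_token()
    simulate_stub(srv, f"{tok2}.{clock.now() + 3}.{ZONE}", resolvers, clock)
    print("fail-first  :", srv.lookup(tok2))       # primary, then the secondary
```

Because the server records the source address before deciding whether to answer, the fail-first variant reveals every resolver that tried, not just the one that finally got a response; the deadline lives in the name itself, so the server keeps no per-query state beyond the record it wanted anyway.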
        
         | kortex wrote:
         | I find this really useful! I seem to frequently run into dns
         | weirdness. Does it work internally e.g. diagnosing dns queries
         | on a local net?
        
           | Fileformat wrote:
           | It only sees the "last hop" of recursive DNS resolution [1].
           | If you have internal DNS servers, you would need to run a
           | copy of which-dns internally, and your internal DNS servers
            | would need to have the which-dns entries added.
           | 
           | If you want to see if a local workstation is pointing to a
           | different public/external DNS server than the rest of your
           | network, it should work.
           | 
            | [1] https://www.cloudflare.com/learning/dns/what-is-recursive-dn...
        
       | arminiusreturns wrote:
       | This is really cool, especially because I can just 'wget -qO-
       | $RANDOM.which.nameserve.rs/api.json?callback=myfunction' which
       | means I can use this in scripts. (For example an added field to
       | scripts that grab from ifconfig.co)
        
         | jwilk wrote:
         | Note that $RANDOM is just 15 bits of entropy. You should use
         | something more random.
        
           | Symbiote wrote:
           | $RANDOM$RANDOM$RANDOM$RANDOM$RANDOM should be fine :-)
        
         | Fileformat wrote:
         | Thanks, I use it like this for some of my pages.
         | 
         | But please, only light, non-commercial use! It is on the
         | cheapest static IP that I could find with no failover or
         | anything.
         | 
         | It is really easy to run your own copy if you need it for a
         | commercial project.
        
           | arminiusreturns wrote:
           | Duly noted. It's ok, most of my scripts just pile up the
           | cobwebs and never get used anyway, and they are all personal,
           | not commercial. I would of course consider standing up my own
           | for any real use. Good work!
           | 
           | Now you have me thinking about the economics of api as a
           | service... another rabbit hole.
        
       | bloopernova wrote:
       | This is great, thank you for creating it and sharing it. I'll be
       | sharing this with all my colleagues!
        
       | makeworld wrote:
       | I run my own DNS resolver at home, and it's coming up with my own
       | public IP address, with my ISP as the name. Neat.
        
       | afkqs wrote:
       | What are the best practices/choices today when choosing your DNS
       | servers when it comes to privacy?
        
         | surround wrote:
         | I recommend running your own DNS resolver, so that you don't
         | have to trust any 3rd party server with your DNS traffic.
         | 
         | I run Unbound (a DNS resolver) alongside Pi-hole on a dedicated
         | raspberry pi for my home network.
        
           | javajosh wrote:
           | This is a good solution. Another much lighter-weight solution
           | is to simply add a static name/ip association in your local
           | /etc/hosts file. It's a bit brittle, but honestly for a lot
            | of websites it's a lot less brittle than you think (and it's
           | even _more_ efficient than a Pi-hole). The biggest drawback
            | is that you'll have another thing to troubleshoot if
           | something goes wrong. But that's true for any privacy-
           | preserving DNS solution.
        
       | znpy wrote:
       | I run my own DNS servers at home. I have a small virtualization
       | cluster and run a small DNS vm on each physical host.
       | 
       | My resolvers perform queries against the root servers directly
       | and cache results.
       | 
       | It's refreshing to skip all the DNS fuckery that's going on
       | nowadays.
        
         | imglorp wrote:
         | Except for certain applications that want to do their own DNS,
         | eg DOH...
        
           | Arnavion wrote:
           | Not the person you responded to, but I too run my own
           | resolver on my router. I also have the router configured to
           | drop [1] all outgoing packets to any DoH IPs; there are a
           | bunch of lists for those, like
           | https://github.com/Sekhan/TheGreatWall
           | 
           | [1]: Specifically, to reject them, which means sending a TCP
           | reset / ICMP unreachable response back rather than
           | blackholing them.
        
         | minerjoe wrote:
         | I do the same, but I read that that is also sending your IP all
         | around the internet, which can have repercussions? The
         | alternative is to not use a recursive resolver, but just punt
         | to one of the "safer" ones such as 1.1.1.1?
         | 
         | edit: downvoting honest questions?
        
           | jlgaddis wrote:
           | What, exactly, does "sending your IP all around the internet"
           | even mean?
        
             | minerjoe wrote:
             | Meaning, if you don't want people to know you are searching
              | for snm.donkeyporn.com then going out to the nameserver
             | that donkeyporn is using is not exactly keeping the
             | information private.
        
               | viraptor wrote:
               | In practice with 1.1.1.1 you're trading the parties who
               | know about your access from:
               | 
               | Donkeyporn's DNS provider, com's DNS provider (0.1%
               | chance it's not already cached), your ISP, transit
               | providers, donkeyporn's ISP, donkeyporn service
               | 
               | To: cloudflare, your ISP, transit providers, donkeyporn's
               | ISP, donkeyporn service
               | 
               | It's not a huge change and it's really about whether you
               | trust CloudFlare more than the service donkeyporn has
               | chosen.
        
               | minerjoe wrote:
                | I thought correctly switching to cloudflare should just be
               | me -> cloudflare via an encrypted channel?
        
               | viraptor wrote:
                | If you're talking about Cloudflare WARP, then yes... kind
                | of. If you mean only the DNS, then no, there are still
               | many connections matching you to the destination.
        
               | Arnavion wrote:
               | You are correct that if you run your own resolver, then
               | all the DNS traffic from your resolver to other
               | nameservers is in cleartext. DoH and DoT only get used by
               | forwarders.
        
       | jelv wrote:
       | You can check your best available dns server via this easy tool
       | https://www.grc.com/dns/benchmark.htm (win and wine)
        
         | Fileformat wrote:
         | Thanks, that's a really interesting tool.
        
       | chimen wrote:
        | Did one for my project that discovers more servers [1]. Not an
        | easy task, I tell you that.
       | 
       | [1] https://dnsadblock.com/dns-leak-test/
        
       | fwr wrote:
       | Neat, this helped me realize I haven't switched away from my
       | provider's default DNS when I moved in, which is something I
       | usually do.
       | 
       | How to choose a DNS server? I usually just go with
       | 8.8.8.8/8.8.4.4, I used to always test this with Namebench
       | (https://en.wikipedia.org/wiki/Namebench) and these always turned
       | out as the fastest - but it looks like it hasn't been updated
       | since 2010 - are there any better tools for this, or any
       | considerations in general? I prefer performance over privacy
       | here, I think privacy should be on a different layer.
        
         | formerly_proven wrote:
         | Just run your own recursive resolver, it's very easy and
         | reliable (e.g. knot-resolver).
        
         | dheerajvs wrote:
         | > I think privacy should be on a different layer.
         | 
         | Can you elaborate which layer?
        
         | Fileformat wrote:
         | Someone else in this thread suggested GRC's benchmark utility
         | [1]. It sounds pretty comprehensive, but I haven't tried it
         | yet.
         | 
         | [1] https://www.grc.com/dns/benchmark.htm
        
       | CircoDesktop wrote:
        | Great tool!
        
       | Fnoord wrote:
       | Doesn't show IPv6 for me.
       | 
       | I always use IPleak.net [1]. Works for public IPv4, IPv6, DNS
       | server, Tor/AirVPN exit node, BitTorrent, geolocation, and all
       | kind of browser metadata.
       | 
       | Browsing through comments shows this can do some things
        | IPleak.net can't do, such as using wget/curl with the API.
       | 
       | [1] https://ipleak.net
        
         | Fileformat wrote:
         | It looks like ipleak.net does have an API [1]. Website is a bit
         | "information overload" though.
         | 
         | [1] https://airvpn.org/forums/topic/14737-api/
        
       | armSixtyFour wrote:
       | It would be neat if this also recognized that you're hosting your
       | own dns, instead of spitting your own IP back at you. I didn't
       | recognize my IP at first.
        
         | Fileformat wrote:
          | Nice idea, and it should be pretty easy to do. Added to the to-do
          | list!
        
       | babuskov wrote:
       | Unrelated, but I found a typo on this page:
       | 
       | https://resolve.rs/http/myheaders.html
       | 
       | It says:
       | 
       | > These are the HTTP headers that are being sent my your browser.
       | 
       | Great set of tools, BTW.
        
         | Fileformat wrote:
         | Thanks! Typo fixed too.
        
       | gslin wrote:
       | Akamai also provides something similar:
       | 
       | * https://developer.akamai.com/blog/2018/05/10/introducing-new...
        
       ___________________________________________________________________
       (page generated 2020-10-25 23:01 UTC)