[HN Gopher] Show HN: Which DNS servers are you pointing to?
___________________________________________________________________
Show HN: Which DNS servers are you pointing to?
Author : Fileformat
Score : 184 points
Date : 2020-10-25 13:32 UTC (9 hours ago)
(HTM) web link (which.nameserve.rs)
(TXT) w3m dump (which.nameserve.rs)
| compsciphd wrote:
| I'm using 8.8.8.8 and it's coming up as cloudflarenet, not whatever
| google should presumably be?
| treis wrote:
| Me too. Can someone explain why Cloudflare shows up when (as
| far as I know) I don't use Cloudflare.
| dheera wrote:
| Gosh, I feel old, how do I set DNS servers in Linux these days?
|
| I used to just edit /etc/resolv.conf and add 8.8.8.8 to it but
| now recent distros have "Do not edit." in resolv.conf and don't
| tell you what to actually edit. Why do they have to do this to
| us ... things used to be simple.
| Godel_unicode wrote:
| I don't think resolvectl is less simple, just different. It
| makes it much easier to realize you've typo'd something, for
| instance. It also makes it easier to understand what the
| running config is, as opposed to the old "read a bunch of
| text files and hope they haven't been edited since the daemon
| was hup'd".
|
| https://wiki.archlinux.org/index.php/Systemd-resolved#Settin...
| teddyh wrote:
| It depends on whether you are using NetworkManager or
| systemd-resolved, or something else.
| Denvercoder9 wrote:
| You can still edit /etc/resolv.conf. If it has a "Do not
| edit" comment in it, it's probably a symlink to some file
| that's dynamically managed (most likely to automatically use
| or fall back to the DNS server advertised on the network, as
| needed for e.g. captive portals). Just replace the symlink
| with a text file with your preferred DNS server in there.
| vetinari wrote:
| Because it is not adequate for use cases today.
|
| Today, you can set up DNS per interface and designate which
| DNS accessible via which interface can resolve which zones.
| So your intranet.company.com can go through a specific VPN
| connection and the rest via your default route, for example.
|
| You can't do that with a simple /etc/resolv.conf.
| gilrain wrote:
| Are you using Firefox?
|
| https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs...
| compsciphd wrote:
| That explains it. Chrome comes up as Google. However, I'm not
| located in the US.... (a good 10k kilometers away)
| justsomedood wrote:
| Wow, this is such a useful tool and a clever way of finding out
| the DNS server. Great job!
| bt1a wrote:
| Agreed, the unique site prefix is one of those 'aha' ideas (I'm
| sorry, not good with words)
| lucb1e wrote:
| If Mozilla silently enabled DOH-via-CloudFlare for you, it would
| show up here, right? Because if yes, this would make it quite easy
| to find whether you have the right settings without having to
| find it somewhere in a configuration screen or trying to find out
| which users' throats Mozilla ended up deciding to force this
| down.
| Fileformat wrote:
| Sort of: it doesn't differentiate between DoH and normal
| resolution (it only does IPv4 TCP & UDP resolution). This means
| that it will return Cloudflare (i.e. ASN of CLOUDFLARENET), but
| probably the same Cloudflare as if you are using Cloudflare's
| public DNS servers.
|
| Tip: You can check a specific DNS server with dig and curl:
|
|     UUID=$(uuidgen)
|     dig ${UUID}.which.nameserve.rs @1.1.1.1
|     curl --silent https://which.nameserve.rs/debug.txt | grep ${UUID}
|
| and then do an ASN lookup on the IP address.
|
| Note: the debug page is unofficial, and may change, so don't
| bake this into anything.
| teknologist wrote:
| I often use dnsleaktest.com for this; it runs multiple rounds so
| you see all the ones you might be using.
| WarOnPrivacy wrote:
| Very nice. I don't think I've used them before.
| rosstex wrote:
| Super useful, thanks!
| tsjq wrote:
| Good one. Thanks
| Cantbekhan wrote:
| Nextdns.io and cloudflare externally.
| Pi-hole pointing to those internally. Preferably encrypted.
| Preferably with Firefox due to ESNI support.
| leokennis wrote:
| Very satisfied NextDNS user here. Easy to set up, and it's a
| surprise for me how much nicer ad and tracker blocking is over
| my entire network (all laptops, phones, smart TV etc.) than
| just using a blocker in my web browser.
| captn3m0 wrote:
| In my case NextDNS shows up as Google, both here and on
| https://www.dnsleaktest.com/ since they are using GCP.
| WarOnPrivacy wrote:
| I have a local DNS server that forwards over TLS (DoT) to
| Cloudflare & Quad9, round-robin.
|
| Page alternately returns WOODYNET @ rrdns.pch.net and
| CLOUDFLARENET. I like the pch.net info - it's something about
| Quad9 I didn't know.
| daneel_w wrote:
| This was a surprise to me as well. For anyone else reading this
| it means that Quad9, _not your system_, is relaying DNS
| traffic to WoodyNet.
| ilikepi wrote:
| PCH provides the infrastructure for Quad9... so I don't think
| it makes sense to say that Quad9 is "relaying" DNS traffic to
| PCH/WoodyNet. There isn't some organizational boundary that's
| being crossed.
| Fileformat wrote:
| I kept running into DNS issues, and needed to triple-check that I
| was pointing to the right DNS servers, so I made this utility
| website that does exactly that: which-dns [1]
|
| This isn't a new idea ([2]), but mine supports https (hat tip to
| Matt Holt's certmagic [3]), is ad-free, and the source is
| available [4].
|
| Let me know what you think!
|
| [1] https://which.nameserve.rs
|
| [2] http://www.whatsmydnsserver.com/
|
| [3] https://github.com/caddyserver/certmagic
|
| [4] AGPL. It is my first foray into golang.
| https://github.com/redirect2me/which-dns
| sleavey wrote:
| I just read the GitHub readme:
|
| > How does it work? You make a request to a hostname with a
| unique prefix. All hostnames resolve to the same IP, but the
| DNS server records which IP address the query came from.
| The webserver looks for this record and returns it.
|
| That's a smart way of detecting a user's DNS server - well
| done!
|
| Is there a way to "fail" the first request and try to force the
| user's secondary DNS to kick in so that it can be detected too?
| Fileformat wrote:
| It would be really nice to detect the user's secondary DNS.
|
| I'm not sure failing will do that, but it might reveal
| interesting things anyway. I'll add it to the to-do list.
| dgl wrote:
| The extended test on https://www.dnsleaktest.com/ does that.
| There are also various tests that reveal EDNS subnet leakage.
|
| It's pretty easy to implement; somehow don't respond to a
| request, but do respond to a second. (If you're clever you
| can probably do it without server-side state, e.g. encode a
| deadline in the custom hostname.)
| kortex wrote:
| I find this really useful! I seem to frequently run into DNS
| weirdness. Does it work internally, e.g. diagnosing DNS queries
| on a local net?
| Fileformat wrote:
| It only sees the "last hop" of recursive DNS resolution [1].
| If you have internal DNS servers, you would need to run a
| copy of which-dns internally, and your internal DNS servers
| would need to have the which-dns entries added.
|
| If you want to see if a local workstation is pointing to a
| different public/external DNS server than the rest of your
| network, it should work.
|
| [1] https://www.cloudflare.com/learning/dns/what-is-recursive-dn...
| arminiusreturns wrote:
| This is really cool, especially because I can just 'wget -qO-
| $RANDOM.which.nameserve.rs/api.json?callback=myfunction' which
| means I can use this in scripts. (For example an added field to
| scripts that grab from ifconfig.co)
| jwilk wrote:
| Note that $RANDOM is just 15 bits of entropy. You should use
| something more random.
| Symbiote wrote:
| $RANDOM$RANDOM$RANDOM$RANDOM$RANDOM should be fine :-)
| Fileformat wrote:
| Thanks, I use it like this for some of my pages.
|
| But please, only light, non-commercial use! It is on the
| cheapest static IP that I could find with no failover or
| anything.
|
| It is really easy to run your own copy if you need it for a
| commercial project.
| arminiusreturns wrote:
| Duly noted. It's ok, most of my scripts just pile up the
| cobwebs and never get used anyway, and they are all personal,
| not commercial. I would of course consider standing up my own
| for any real use. Good work!
|
| Now you have me thinking about the economics of API as a
| service... another rabbit hole.
| bloopernova wrote:
| This is great, thank you for creating it and sharing it. I'll be
| sharing this with all my colleagues!
| makeworld wrote:
| I run my own DNS resolver at home, and it's coming up with my own
| public IP address, with my ISP as the name. Neat.
| afkqs wrote:
| What are the best practices/choices today when choosing your DNS
| servers when it comes to privacy?
| surround wrote:
| I recommend running your own DNS resolver, so that you don't
| have to trust any 3rd party server with your DNS traffic.
|
| I run Unbound (a DNS resolver) alongside Pi-hole on a dedicated
| Raspberry Pi for my home network.
| javajosh wrote:
| This is a good solution. Another much lighter-weight solution
| is to simply add a static name/IP association in your local
| /etc/hosts file. It's a bit brittle, but honestly for a lot
| of websites it's a lot less brittle than you think (and it's
| even _more_ efficient than a Pi-hole). The biggest drawback
| is that you'll have another thing to troubleshoot if
| something goes wrong. But that's true for any
| privacy-preserving DNS solution.
| znpy wrote:
| I run my own DNS servers at home. I have a small virtualization
| cluster and run a small DNS VM on each physical host.
|
| My resolvers perform queries against the root servers directly
| and cache results.
|
| It's refreshing to skip all the DNS fuckery that's going on
| nowadays.
| imglorp wrote:
| Except for certain applications that want to do their own DNS,
| e.g. DoH...
| Arnavion wrote:
| Not the person you responded to, but I too run my own
| resolver on my router. I also have the router configured to
| drop [1] all outgoing packets to any DoH IPs; there are a
| bunch of lists for those, like
| https://github.com/Sekhan/TheGreatWall
|
| [1]: Specifically, to reject them, which means sending a TCP
| reset / ICMP unreachable response back rather than
| blackholing them.
| minerjoe wrote:
| I do the same, but I read that that is also sending your IP all
| around the internet, which can have repercussions? The
| alternative is to not use a recursive resolver, but just punt
| to one of the "safer" ones such as 1.1.1.1?
|
| edit: downvoting honest questions?
| jlgaddis wrote:
| What, exactly, does "sending your IP all around the internet"
| even mean?
| minerjoe wrote:
| Meaning, if you don't want people to know you are searching
| for snm.donkeyporn.com, then going out to the nameserver
| that donkeyporn is using is not exactly keeping the
| information private.
| viraptor wrote:
| In practice with 1.1.1.1 you're trading the parties who
| know about your access from:
|
| Donkeyporn's DNS provider, com's DNS provider (0.1%
| chance it's not already cached), your ISP, transit
| providers, donkeyporn's ISP, donkeyporn service
|
| To: cloudflare, your ISP, transit providers, donkeyporn's
| ISP, donkeyporn service
|
| It's not a huge change and it's really about whether you
| trust CloudFlare more than the service donkeyporn has
| chosen.
| minerjoe wrote:
| I thought correctly switching to Cloudflare should just be
| me -> Cloudflare via an encrypted channel?
| viraptor wrote:
| If you're talking about Cloudflare WARP, then yes... kind
| of. If you mean only the DNS, then no, there are still
| many connections matching you to the destination.
| Arnavion wrote:
| You are correct that if you run your own resolver, then
| all the DNS traffic from your resolver to other
| nameservers is in cleartext. DoH and DoT only get used by
| forwarders.
| jelv wrote:
| You can check your best available DNS server via this easy tool
| https://www.grc.com/dns/benchmark.htm (win and wine)
| Fileformat wrote:
| Thanks, that's a really interesting tool.
| chimen wrote:
| Did one for my project that discovers more servers [1]. Not an
| easy task, I tell you that.
|
| [1] https://dnsadblock.com/dns-leak-test/
| fwr wrote:
| Neat, this helped me realize I haven't switched away from my
| provider's default DNS when I moved in, which is something I
| usually do.
|
| How to choose a DNS server? I usually just go with
| 8.8.8.8/8.8.4.4. I used to always test this with Namebench
| (https://en.wikipedia.org/wiki/Namebench) and these always turned
| out as the fastest - but it looks like it hasn't been updated
| since 2010 - are there any better tools for this, or any
| considerations in general? I prefer performance over privacy
| here; I think privacy should be on a different layer.
| formerly_proven wrote:
| Just run your own recursive resolver, it's very easy and
| reliable (e.g. knot-resolver).
| dheerajvs wrote:
| > I think privacy should be on a different layer.
|
| Can you elaborate which layer?
| Fileformat wrote:
| Someone else in this thread suggested GRC's benchmark utility
| [1]. It sounds pretty comprehensive, but I haven't tried it
| yet.
|
| [1] https://www.grc.com/dns/benchmark.htm
| CircoDesktop wrote:
| Great tool!
| Fnoord wrote:
| Doesn't show IPv6 for me.
|
| I always use IPleak.net [1]. Works for public IPv4, IPv6, DNS
| server, Tor/AirVPN exit node, BitTorrent, geolocation, and all
| kinds of browser metadata.
|
| Browsing through comments shows this can do some things
| IPleak.net can't do, such as using wget/curl with an API.
|
| [1] https://ipleak.net
| Fileformat wrote:
| It looks like ipleak.net does have an API [1]. Website is a bit
| "information overload" though.
|
| [1] https://airvpn.org/forums/topic/14737-api/
| armSixtyFour wrote:
| It would be neat if this also recognized that you're hosting your
| own DNS, instead of spitting your own IP back at you. I didn't
| recognize my IP at first.
| Fileformat wrote:
| Nice idea, and it should be pretty easy to do. Added to the to-do
| list!
| babuskov wrote:
| Unrelated, but I found a typo on this page:
|
| https://resolve.rs/http/myheaders.html
|
| It says:
|
| > These are the HTTP headers that are being sent my your browser.
|
| Great set of tools, BTW.
| Fileformat wrote:
| Thanks! Typo fixed too.
| gslin wrote:
| Akamai also provides something similar:
|
| * https://developer.akamai.com/blog/2018/05/10/introducing-new...
___________________________________________________________________
(page generated 2020-10-25 23:01 UTC)
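The mechanism quoted from the README earlier in the thread (a unique prefix per request; the authoritative server records which resolver IP asked for it, and the web side looks that record up), dgl's stateless fail-first variant with a deadline encoded in the hostname, and jwilk's point about $RANDOM's 15 bits of entropy, carried through as one added Go example. This is not which-dns's own code: the zone which.example.test, the TEST-NET addresses, the Recorder/Handle/Lookup names and the "t<unix-seconds>-<random>" label convention are all assumptions made for this example, and the mutex a real server would need around the map is left out.

```go
package main
import (
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

const zone = "which.example.test."     // placeholder zone, an assumption of this added example (not the real site)
var answerIP = net.IPv4(192, 0, 2, 10) // every unique name resolves to this TEST-NET-1 address

// Recorder maps each unique prefix to the source IP of the query that asked for it: the recursive
// resolver's egress address (the "last hop"), never the end user's. A real server needs a mutex here.
type Recorder struct{ seen map[string]string }
func NewRecorder() *Recorder { return &Recorder{seen: map[string]string{}} }

// NewLabel returns 128 random bits as 32 hex chars; $RANDOM's 15 bits would collide quickly.
func NewLabel() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// parseQuestion reads the single question of a wire-format query: lower-cased FQDN, QTYPE, end offset.
func parseQuestion(msg []byte) (name string, qtype uint16, end int, err error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:6]) != 1 {
		return "", 0, 0, fmt.Errorf("need a header with exactly one question")
	}
	pos, labels := 12, []string{}
	for pos < len(msg) && msg[pos] != 0 {
		l := int(msg[pos])
		if l&0xC0 != 0 || pos+1+l > len(msg) { // compression pointers are not valid in a question name
			return "", 0, 0, fmt.Errorf("bad or truncated label at offset %d", pos)
		}
		labels = append(labels, strings.ToLower(string(msg[pos+1:pos+1+l]))) // tolerate 0x20 case randomisation
		pos += 1 + l
	}
	if pos+5 > len(msg) { // root label byte plus QTYPE and QCLASS
		return "", 0, 0, fmt.Errorf("truncated question")
	}
	return strings.Join(labels, ".") + ".", binary.BigEndian.Uint16(msg[pos+1 : pos+3]), pos + 5, nil
}

// deadlineOf decodes the optional "t<unix-seconds>-<random>" prefix form (a convention assumed here).
func deadlineOf(prefix string) (time.Time, bool) {
	i := strings.IndexByte(prefix, '-')
	if !strings.HasPrefix(prefix, "t") || i < 0 {
		return time.Time{}, false
	}
	secs, err := strconv.ParseInt(prefix[1:i], 10, 64)
	return time.Unix(secs, 0), err == nil
}

// Handle serves one query from src at time now; (nil, nil) means "send nothing", so the stub times out and retries.
func (r *Recorder) Handle(query []byte, src net.IP, now time.Time) ([]byte, error) {
	name, qtype, end, err := parseQuestion(query)
	if err != nil {
		return nil, err
	}
	if qtype != 1 || !strings.HasSuffix(name, "."+zone) {
		return nil, fmt.Errorf("refusing %s: only A queries under %s are served", name, zone)
	}
	prefix := strings.TrimSuffix(name, "."+zone)
	if deadline, ok := deadlineOf(prefix); ok && now.Before(deadline) {
		return nil, nil // fail-first: stay silent until the deadline carried in the name has passed
	}
	r.seen[prefix] = src.String()
	resp := append([]byte{}, query[:end]...)                      // echo the ID and the question section
	copy(resp[2:12], []byte{0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0}) // QR/RD/RA NOERROR; QD=1 AN=1 NS=0 AR=0 (an EDNS OPT in the query is not echoed)
	resp = append(resp, 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 0, 0, 4) // name ptr to offset 12, A, IN, TTL 0 (never cache), RDLENGTH 4
	return append(resp, answerIP.To4()...), nil
}

// Lookup is what the web side calls once the browser has fetched the unique hostname.
func (r *Recorder) Lookup(prefix string) (string, bool) {
	ip, ok := r.seen[strings.ToLower(prefix)]
	return ip, ok
}

// buildQuery encodes a plain A/IN query for name, as a stub resolver would send it.
func buildQuery(id uint16, name string) []byte {
	msg := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // ID, flags RD, QDCOUNT=1
	for _, l := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(append(msg, byte(len(l))), l...)
	}
	return append(msg, 0, 0, 1, 0, 1) // root label, QTYPE A, QCLASS IN
}

func main() {
	rec, label := NewRecorder(), NewLabel()
	rec.Handle(buildQuery(0x1234, label+"."+zone), net.ParseIP("198.51.100.7"), time.Now()) // constructed resolver source (TEST-NET-2)
	fmt.Println(rec.Lookup(label)) // the resolver IP the web side would report: 198.51.100.7 true
}
```

Handle returning (nil, nil) is the whole of the fail-first trick: a UDP server wrapping it simply skips the write, the stub resolver times out, and whichever resolver handles the retry is the one that gets recorded, with no state kept between the two attempts because the deadline travels inside the name. Two details matter in practice: the TTL of 0, since a cached answer would never reach the authoritative server and the prefix would go unrecorded, and lower-casing the query name, since resolvers that randomise label case would otherwise produce a prefix the web side cannot find. Because the recorded address is the resolver's egress IP, the result is the "last hop" Fileformat describes, which is why a Quad9 user sees the network PCH runs it on rather than their own.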