Revamping the Encrypted DNS page (#767)

Co-authored-by: lexi <git@lx-is.lol>
This commit is contained in:
Daniel Gray 2022-03-25 04:58:34 +00:00
parent 40162218de
commit 78b49b2f4e
No known key found for this signature in database
GPG Key ID: 41911F722B0F9AE3
32 changed files with 776 additions and 194 deletions


@ -1,9 +1,6 @@
title: AdGuard
homepage: 'https://adguard.com/en/adguard-dns/overview.html'
source: 'https://github.com/AdguardTeam/AdGuardDNS/'
anycast: true
locations:
- CY
privacy_policy:
link: 'https://adguard.com/en/privacy/dns.html'
type:
@ -17,14 +14,10 @@ logs:
We keep and store the database of domains requested in the last 24 hours. We need this information to identify and block new trackers and threats.
We also log how many times this or that tracker has been blocked. We need this information to remove outdated rules from our filters.
protocols:
- name: Cleartext
- name: DoH
- name: DoT
- name: DNSCrypt
dnssec: true
qname_minimization: true
filtering: Based on server choice
providers:
- name: Choopa, LLC
link: 'https://www.choopa.com'
- name: Serveroid, LLC
link: 'https://flops.ru/en/about.html'
ecs:
status: false
filtering: Based on server choice. Filter list being used can be found here.
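Review bot: the new `filtering` value ends with "Filter list being used can be found here." but carries no link, and the row template renders this field through `{{ data.filtering | escape }}`, so an anchor cannot be embedded in the string either; either drop the trailing sentence or add a separate key (for example `filtering_link`) that the template renders as an `<a>` next to the text.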


@ -1,8 +1,5 @@
title: Cloudflare
homepage: 'https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/'
anycast: true
locations:
- US
privacy_policy:
link: 'https://www.cloudflare.com/privacypolicy/'
type:
@ -16,10 +13,9 @@ logs:
The 1.1.1.1 resolver service does not log personal data,
and the bulk of the limited non-personally identifiable query data is only stored for 25 hours."
protocols:
- name: Cleartext
- name: DoH
- name: DoT
dnssec: true
qname_minimization: true
ecs:
status: false
filtering: Based on server choice.
providers:
- name: Self
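Review bot: `filtering: Based on server choice.` ends with a period here while the ControlD and NextDNS entries use `Based on server choice` without one; the table prints these strings verbatim, so pick one form for all entries.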


@ -1,8 +1,5 @@
title: ControlD
homepage: 'https://controld.com/'
anycast: true
locations:
- CA
privacy_policy:
link: 'https://controld.com/privacy'
type:
@ -14,10 +11,9 @@ logs:
Neither free nor premium service have logging enabled by default. Premium users can enable logging/analytics at will.
color: info
protocols:
- name: Cleartext
- name: DoH
- name: DoT
dnssec: true
qname_minimization: true
ecs:
status: false
filtering: Based on server choice
providers:
- name: Self
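Review bot: the logs text "Neither free nor premium service have logging enabled by default" has a singular subject and should read "Neither the free nor the premium service has logging enabled by default"; it is a context line, but worth fixing while this file is being touched.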

_data/dns/mullvad.yml Normal file (17 lines)

@ -0,0 +1,17 @@
title: MullvadDNS
homepage: 'https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/'
source: 'https://github.com/mullvad/dns-adblock'
privacy_policy:
link: 'https://mullvad.net/en/help/privacy-policy/'
tooltip: >-
"Our public DNS service offers DNS over HTTPS (DoH) and DNS over TLS (DoT), with QNAME minimization and basic ad blocking. It has been audited by the security experts at Assured. You can use this privacy-enhancing service even if you don't use Mullvad."
type:
name: Commercial
logs:
policy: false
protocols:
- name: DoH
- name: DoT
ecs:
status: false
filtering: Based on server choice. Filter list being used can be found here.
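Review bot: the `tooltip` folded block wraps Mullvad's sentence in literal double quotes, so the rendered `title` attribute will show `"Our public DNS service ... Mullvad."` with the quotes, unlike the other entries; drop them and, if the text is meant to be a quotation, attribute it in the policy link text instead. The `filtering` value has the same dangling "can be found here." with no link as the AdGuard entry, and the `source` key already points at `https://github.com/mullvad/dns-adblock`, which is presumably the list in question, so the sentence can either be removed or reworded to say the list is linked under Source.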


@ -1,8 +1,5 @@
title: NextDNS
homepage: 'https://www.nextdns.io/'
anycast: true
locations:
- US
privacy_policy:
link: 'https://www.nextdns.io/privacy'
type:
@ -15,11 +12,11 @@ logs:
Users can choose retention times and log storage locations for any logs they choose to keep.
color: info
protocols:
- name: Cleartext
- name: DoH
- name: DoT
- name: DNSCrypt
dnssec: true
qname_minimization: true
ecs:
status: true
text: Optional
filtering: Based on server choice
providers:
- name: Self


@ -1,8 +1,5 @@
title: Quad9
homepage: 'https://quad9.net/'
anycast: 'https://www.quad9.net/locations/'
locations:
- CH
privacy_policy:
link: 'https://quad9.net/service/privacy'
type:
@ -10,17 +7,11 @@ type:
logs:
policy: false
protocols:
- name: Cleartext
- name: DoH
- name: DoT
- name: DNSCrypt
dnssec: true
qname_minimization: true
ecs:
status: true
text: Optional
filtering: Based on server choice, Malware blocking by default
providers:
- name: Self
- name: Packet Clearing House
link: 'https://www.pch.net/'
- name: i3D
link: 'https://www.i3d.net/'
- name: Global Secure Layer
link: 'https://globalsecurelayer.com/'
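Review bot: `filtering: Based on server choice, Malware blocking by default` capitalises "Malware" mid-sentence and joins two clauses with a comma; "Based on server choice; malware blocking by default" matches the other entries' phrasing. If the row template no longer renders `data.anycast` or `data.providers`, the `anycast: 'https://www.quad9.net/locations/'` value and the four-entry `providers` list become dead data and can go too.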


@ -8,7 +8,7 @@ items:
- type: link
title: DNS Servers
icon: fad fa-map-signs
file: _pages/providers/dns.md
file: _evergreen/dns.md
- type: link
title: Email Providers
icon: fad fa-envelope
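Review bot: the `file:` path moves from `_pages/providers/dns.md` to `_evergreen/dns.md`; the new recommendation entries in this PR link to `/dns/#dns-over-https-doh`, `/dns/#dns-over-tls-dot` and `/dns/#dnscrypt`, so confirm the moved page keeps `/dns/` as its permalink and that the page's previous URL redirects, otherwise those anchors and any external links to the old location break.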


@ -0,0 +1,15 @@
title: RethinkDNS
type: Recommendation
logo: /assets/img/android/rethinkdns.svg
logo_dark: /assets/img/android/rethinkdns-dark.svg
description: |
**RethinkDNS** is an open-source Android client supporting [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNS-over-TLS](/dns/#dns-over-tls-dot), [DNSCrypt](/dns/#dnscrypt) and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too.
website: 'https://rethinkdns.com'
privacy_policy: 'https://rethinkdns.com/privacy'
downloads:
- icon: fab fa-google-play
url: 'https://play.google.com/store/apps/details?id=com.celzero.bravedns'
- icon: pg-f-droid
url: 'https://f-droid.org/packages/com.celzero.bravedns'
- icon: fab fa-github
url: 'https://github.com/celzero/rethink-app'
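Review bot: the description mixes a participle list with a finite clause ("supporting ... and DNS Proxy along with caching DNS responses, locally logging DNS queries and can be used as a firewall too"). Suggest: "**RethinkDNS** is an open-source Android client that supports DNS-over-HTTPS, DNS-over-TLS, DNSCrypt and DNS Proxy, caches DNS responses, logs DNS queries locally, and can also be used as a firewall." (keeping the existing link markup on the protocol names).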


@ -0,0 +1,12 @@
title: DNSCloak
type: Recommendation
logo: /assets/img/ios/dnscloak.png
privacy_policy: 'https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view'
description: |
An open-source iOS client supporting [DNS-over-HTTPS](/dns/#dns-over-https-doh), [DNSCrypt](/dns/#dnscrypt), and [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy/wiki) options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can [add custom resolvers by DNS stamp](https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5).
website: 'https://github.com/s-s/dnscloak/blob/master/README.md'
downloads:
- icon: fab fa-app-store-ios
url: 'https://apps.apple.com/app/id1452162351'
- icon: fab fa-github
url: 'https://github.com/s-s/dnscloak'
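Review bot: `privacy_policy` points at a file on Google Drive (`https://drive.google.com/file/d/.../view`), which can be removed or made private without notice and is served by Google rather than by the project; ask upstream for a copy in the repository (the `website` field already points at the README on GitHub) and link that instead. Since `website` is a README URL rather than a homepage, consider whether the project has a landing page, or leave a comment noting that none exists.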


@ -0,0 +1,12 @@
title: dnscrypt-proxy
type: Recommendation
logo: /assets/img/dns/dnscrypt-proxy.svg
description: |
A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and [Anonymized DNS](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS).
## Note
The anonymized DNS feature does [**not**](/dns#why-shouldnt-i-use-encrypted-dns) anonymize other network traffic.
website: 'https://github.com/DNSCrypt/dnscrypt-proxy/wiki'
downloads:
- icon: fab fa-github
url: 'https://github.com/DNSCrypt/dnscrypt-proxy'
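Review bot: `## Note` inside the `description` block becomes an `<h2>` in the rendered card and breaks the page's heading hierarchy; a bold "**Note:**" or the site's admonition markup would be more appropriate. The link `/dns#why-shouldnt-i-use-encrypted-dns` also lacks the trailing slash that every other internal link in this PR uses (`/dns/#...`); keep the form consistent so a trailing-slash redirect cannot interfere with the fragment.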


@ -1,13 +1,9 @@
<tr>
<th data-sorted="true" data-sorted-direction="ascending">DNS Provider</th>
<th data-sortable="true">Server Locations</th>
<th data-sortable="false">Privacy Policy</th>
<th data-sortable="true">Type</th>
<th data-sortable="true">Protocols</th>
<th data-sortable="true">Logging</th>
<th data-sortable="true">DNSSEC</th>
<th data-sortable="true">QNAME Minimization</th>
<th data-sortable="true">ECS</th>
<th data-sortable="true">Filtering</th>
<th data-sortable="true">Source Code</th>
<th data-sortable="true">Hosting Provider</th>
</tr>
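Review bot: `Protocols` and `Filtering` are marked `data-sortable="true"` but hold a multi-item list and free text respectively, so sorting them gives an arbitrary order; set `data-sortable="false"` on them as is already done for `Privacy Policy`. Any column removed from this header row must also be removed from the row template in the same PR, otherwise the `<td>` count per row will no longer match the `<th>` count.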


@ -2,11 +2,6 @@
<th data-value="{{ data.title }}" class="align-middle">
<a href="{{ data.homepage }}">{{ data.title }}</a>
</th>
<td class="text-nowrap">{%- if data.anycast -%}<strong class="text-green-500">Anycast{% if data.anycast contains 'https://' %} (<a href="{{ data.anycast }}">Map</a>){%- endif -%}</strong>{%- endif -%}
<ul class="list-unstyled mb-0">{%- for location in data.locations -%}
<li>{%- include country.html cc=location -%} {%- if forloop.first == true and data.anycast -%}<span data-bs-toggle="tooltip" data-bs-placement="bottom" title='Service is incorporated or otherwise associated with this jurisdiction, however Anycast DNS providers may utilize many server providers in various regions worldwide.' class="fad fa-info-circle"></span>{%- endif -%}</li>
{%- endfor -%}</ul>
</td>
<td>
{% if data.privacy_policy.link %}<a
{% if data.privacy_policy.tooltip %}data-bs-toggle="tooltip" data-bs-placement="bottom" title='{{ data.privacy_policy.tooltip | escape }}'
@ -32,23 +27,12 @@
</span>{% else %}<td class="table-success">No{% endif %}
</td>
<td
{% unless data.dnssec %}data-value="No" class="table-danger"><span title="Does not validate DNSSEC" aria-hidden="true" class="fad text-red fa-times-circle"></span><span class="visually-hidden">No</span>{% else %}
data-value="Yes" class="table-success"><span title="Validates DNSSEC" aria-hidden="true" class="fad text-green fa-check-square"></span><span class="visually-hidden">Yes</span>{% endunless %}
</td>
<td
{% unless data.qname_minimization %}data-value="No" class="table-danger"><span title="Does not perform QNAME Minimization" aria-hidden="true" class="fad text-red fa-times-circle"></span><span class="visually-hidden">No</span>{% else %}
data-value="Yes" class="table-success"><span title="Performs QNAME Minimization" aria-hidden="true" class="fad text-green fa-check-square"></span><span class="visually-hidden">Yes</span>{% endunless %}
{% unless data.ecs.status %}data-value="No" class="table-success"> No <span title="Doesn't provide ECS" aria-hidden="true" class="fad text-red fa-times-circle"></span><span class="visually-hidden"></span>
{% else %}data-value="Yes" class="table-info"> {{ data.ecs.text }} <span title="Optionally provides ECS" aria-hidden="true" class="fad text-green fa-info-circle"></span><span class="visually-hidden"></span>{% endunless %}
</td>
<td>
{{ data.filtering | escape | default: '<em>Unknown?</em>' }}
</td>
<td>
{% if data.source %}<a href="{{ data.source }}">
<span class="fad fa-external-link"></span>
</a>{% endif %}
</td>
<td>
<ul class="list-unstyled mb-0">{%- for provider in data.providers -%}
<li class="text-nowrap">{% if provider.link %}<a href="{{ provider.link }}">{{ provider.name | escape }}</a>{% else %}{{ provider.name | escape }}{% endif %}</li>
{%- endfor -%}</ul>
</td>
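Review bot: in the new ECS cell the "No" branch pairs `class="table-success"` (green cell) with a `text-red fa-times-circle` icon titled "Doesn't provide ECS", which sends a mixed signal; since not sending ECS is the privacy-preserving outcome, use a green check (as the DNSSEC "Yes" branch does) or drop the icon. Both branches also emit an empty `<span class="visually-hidden"></span>`, which adds nothing for screen readers because the visible "No" / `{{ data.ecs.text }}` text is already present; remove it. The "Yes" branch hardcodes `title="Optionally provides ECS"` even though the displayed text comes from `data.ecs.text`, so a provider with a non-optional value would get a misleading tooltip.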


@ -0,0 +1,53 @@
<div id="dns-table" class="table-responsive">
<table class="table table-hover sortable-theme-bootstrap" >
<thead>
<tr>
<th scope="col">No.</th>
<th scope="col">Time</th>
<th scope="col">Source</th>
<th scope="col">Destination</th>
<th scope="col">Protocol</th>
<th scope="col">Length</th>
<th scope="col">Info</th>
</tr>
</thead>
<tbody>
<tr>
<th scope="row">1</th>
<td>0.000000</td>
<td>192.0.2.1</td>
<td>1.1.1.1</td>
<td>DNS</td>
<td>104</td>
<td>Standard query 0x58ba A privacyguides.org OPT</td>
</tr>
<tr>
<th scope="row">2</th>
<td>0.293395</td>
<td>1.1.1.1</td>
<td>192.0.2.1</td>
<td>DNS</td>
<td>108</td>
<td>Standard query response 0x58ba A privacyguides.org A 198.98.54.105 OPT</td>
</tr>
<tr>
<th scope="row">3</th>
<td>1.682109</td>
<td>192.0.2.1</td>
<td>8.8.8.8</td>
<td>DNS</td>
<td>104</td>
<td>Standard query 0xf1a9 A privacyguides.org OPT</td>
</tr>
<tr>
<th scope="row">4</th>
<td>2.154698</td>
<td>8.8.8.8</td>
<td>192.0.2.1</td>
<td>DNS</td>
<td>108</td>
<td>Standard query response 0xf1a9 A privacyguides.org A 198.98.54.105 OPT</td>
</tr>
</tbody>
</table>
</div>
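Review bot: `<table class="table table-hover sortable-theme-bootstrap" >` has a stray space before `>` and applies the sortable theme to a static four-row capture whose `<th>`s carry no `data-sortable` attributes; plain `table table-hover` is enough. Add a `<caption>` (for example "Unencrypted DNS queries to 1.1.1.1 and 8.8.8.8") so the table is announced to screen readers, and note that `id="dns-table"` will collide if this include is used more than once on a page. Using 192.0.2.1 (TEST-NET-1) as the client address is a good choice for a documentation capture.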

_sass/terminal.scss Normal file (20 lines)

@ -0,0 +1,20 @@
* { margin: 0; padding: 0; }
.terminal {
font-size: 15px;
color: white;
background-color: black;
font-family: monospace;
overflow: scroll;
padding: 10px;
border-radius: 10px;
-ms-overflow-style: none; /* Internet Explorer 10+, make scrollbars invisible */
scrollbar-width: none; /* Firefox, make scrollbars invisible */
margin: 25px;
}
.terminal::-webkit-scrollbar { /* WebKit, make scrollbars invisible */
width: 0;
height: 0;
box-shadow: 0px 0px 10px rgba(0,0,0,.4)
}
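Review bot: `* { margin: 0; padding: 0; }` at the top of this partial is a global reset; once the main stylesheet does `@import "terminal";` it strips margins and padding from every element on the site, not just from `.terminal`. Scope it to `.terminal *` or delete it. Inside `.terminal::-webkit-scrollbar` the `box-shadow` declaration lacks a trailing semicolon and has no visible effect on a zero-width scrollbar (it probably belongs on `.terminal` itself), and `overflow: scroll` combined with hiding the scrollbars in all three engines leaves readers no cue that the block scrolls horizontally; `overflow: auto` with visible scrollbars is the safer default for terminal output.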


@ -8,6 +8,13 @@
@import "./node_modules/bootstrap/scss/mixins";
@import "./node_modules/bootstrap/scss/utilities";
.flowchart{
width: 40vmax;
float: center;
padding: 10px;
background-color: var(--bs-body-bg);
}
$dm-grays: (
"dm-white": $white,
"dm-100": $gray-100,
@ -76,6 +83,7 @@ h1, h2, h3:not(.h5), h4 {
@import "./node_modules/bootstrap/scss/bootstrap";
@import "pg-font";
@import "flag-icon";
@import "terminal";
.textColor {
fill: $dark;
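Review bot: `float: center;` is not a valid value for `float` (it accepts `left`, `right`, `none` and the logical `inline-start`/`inline-end`), so browsers drop the declaration and the flowchart is not centred; use `display: block; margin: 0 auto;` or Bootstrap's `mx-auto`/`d-block` utilities instead. The same `.flowchart` block is added verbatim to the dark stylesheet further down; keep it in one shared partial (as `terminal` is) so the two copies cannot drift.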


@ -20,6 +20,13 @@ $hr-border-color: $body-color;
@import "./node_modules/bootstrap/scss/variables";
@import "variables";
.flowchart{
width: 40vmax;
float: center;
padding: 10px;
background-color: var(--bs-body-bg);
}
$dm-grays: (
"dm-white": $black,
"dm-100": $gray-900,
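Review bot: this `.flowchart` block duplicates the one added to the light stylesheet, including the invalid `float: center;`; import it from a shared partial rather than maintaining two copies.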


@ -1,2 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g stroke-width=".034914"><circle id="main-circle-drop-shadow" cx="17.283" cy="17.283" r="16.584" fill-opacity=".1"/><circle id="main-circle" cx="16.584" cy="16.584" r="16.584" fill="#4f3663"/><path id="onion-drop-shadow" d="m32.732 20.111c0.11871-0.57958 0.20599-1.1766 0.26186-1.7911l-13.711-13.711-1.0893 1.0474-2.3986-2.3986-1.1626 2.856 1.7946 1.7946-7.5764 20.481 4.4446 4.4446c0.75066 0.14315 1.5048 0.23392 2.2764 0.27582 0.014 4e-3 0.0279 4e-3 0.0419 4e-3h0.014c0.29677 0.0175 0.57958 0.0244 0.8554 0.0244q0.0524 0 0.10474 0c0.35962 0 0.71575-0.0105 1.0509-0.0279 0.0873-3e-3 0.16759-0.0105 0.2444-0.014 0.70527-0.0489 1.3931-0.13966 2.0495-0.26884 0.27931-0.0524 0.55164-0.11522 0.81699-0.17806 2.8211-0.70877 5.314-2.1507 7.4961-4.3329 0.21298-0.21298 0.41898-0.42596 0.61101-0.63894 1.3931-1.5292 2.437-3.1982 3.1388-5.0102 0.31773-0.817 0.56562-1.6654 0.74368-2.5488z" fill-opacity=".2"/></g><g id="onion" transform="matrix(.034914 0 0 .034914 -1.2918 -1.2918)"><path id="first-layer" d="m433.1 252.1v13.4c-1.7 42.1-20 72.8-54.8 92.2-3 1.5-6.1 3-9.1 4.7-26.7 14.2-51.7 32.9-74.8 56-60.1 60.2-90.2 132.8-90.2 217.8 0 85.1 30.1 157.7 90.2 217.8 60.2 60.2 132.8 90.2 217.8 90.2h4.1v-64.4-614c-28.7-2.2-56.4-7.8-83.1-13.6z" fill="#fdfcdf"/><circle id="second-layer" cx="512" cy="645" r="235" fill="#eaeace"/><circle id="third-layer" cx="512" cy="648" r="162" fill="#d1d1b8"/><circle id="fourth-layer" cx="512" cy="650" r="94" fill="#bfbfa9"/><path id="half" d="m820.1 636.1q0-127.6-90.2-217.8c-23.8-23.8-49.7-43-77.8-57.5-38.1-17.6-58.4-50.5-61-98.6-25.7 4.9-50.6 5.4-74.9 3.6v678.5c83.5-1 154.6-31.1 213.7-90.2 60.2-60.1 90.2-132.7 90.2-217.8z" fill="#735a93"/><path id="leafs" d="m443.4 84.4c-0.3 1.3-0.7 2.6-0.9 3.7q-31 121.9 65.2 161.7c18.8-62.2-0.9-116-59.3-161.7-1.4-1.1-3.1-2.4-4.8-3.7zm81 165.4c-5.4-40.8 16.3-67.9 64.9-80.8-5.3 44.9-26.9 71.8-64.9 80.8" 
fill="#78af52"/></g></svg>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g stroke-width=".034914"><circle id="main-circle-drop-shadow" cx="17.283" cy="17.283" r="16.584" fill-opacity=".1"/><circle id="main-circle" cx="16.584" cy="16.584" r="16.584" fill="#4f3663"/><path id="onion-drop-shadow" d="m32.732 20.111c0.11871-0.57958 0.20599-1.1766 0.26186-1.7911l-13.711-13.711-1.0893 1.0474-2.3986-2.3986-1.1626 2.856 1.7946 1.7946-7.5764 20.481 4.4446 4.4446c0.75066 0.14315 1.5048 0.23392 2.2764 0.27582 0.014 4e-3 0.0279 4e-3 0.0419 4e-3h0.014c0.29677 0.0175 0.57958 0.0244 0.8554 0.0244q0.0524 0 0.10474 0c0.35962 0 0.71575-0.0105 1.0509-0.0279 0.0873-3e-3 0.16759-0.0105 0.2444-0.014 0.70527-0.0489 1.3931-0.13966 2.0495-0.26884 0.27931-0.0524 0.55164-0.11522 0.81699-0.17806 2.8211-0.70877 5.314-2.1507 7.4961-4.3329 0.21298-0.21298 0.41898-0.42596 0.61101-0.63894 1.3931-1.5292 2.437-3.1982 3.1388-5.0102 0.31773-0.817 0.56562-1.6654 0.74368-2.5488z" fill-opacity=".2"/></g><g id="onion" transform="matrix(.034914 0 0 .034914 -1.2918 -1.2918)"><path id="first-layer" d="m433.1 252.1v13.4c-1.7 42.1-20 72.8-54.8 92.2-3 1.5-6.1 3-9.1 4.7-26.7 14.2-51.7 32.9-74.8 56-60.1 60.2-90.2 132.8-90.2 217.8 0 85.1 30.1 157.7 90.2 217.8 60.2 60.2 132.8 90.2 217.8 90.2h4.1v-678.4c-28.7-2.2-56.4-7.8-83.1-13.6z" fill="#fdfcdf"/><circle id="second-layer" cx="512" cy="645" r="235" fill="#eaeace"/><circle id="third-layer" cx="512" cy="648" r="162" fill="#d1d1b8"/><circle id="fourth-layer" cx="512" cy="650" r="94" fill="#bfbfa9"/><path id="half" d="m820.1 636.1q0-127.6-90.2-217.8c-23.8-23.8-49.7-43-77.8-57.5-38.1-17.6-58.4-50.5-61-98.6-25.7 4.9-50.6 5.4-74.9 3.6v678.5c83.5-1 154.6-31.1 213.7-90.2 60.2-60.1 90.2-132.7 90.2-217.8z" fill="#735a93"/><path id="leafs" d="m443.4 84.4c-0.3 1.3-0.7 2.6-0.9 3.7q-31 121.9 65.2 161.7c18.8-62.2-0.9-116-59.3-161.7-1.4-1.1-3.1-2.4-4.8-3.7zm81 165.4c-5.4-40.8 16.3-67.9 64.9-80.8-5.3 44.9-26.9 71.8-64.9 80.8" 
fill="#78af52"/></g></svg>


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.0033803 0 0 -.0033803 1.64 34.376)" fill="#fff"><path d="m4055 10121c-77-27-205-73-285-101-80-29-188-67-240-85-52-19-140-50-195-70s-181-65-280-100c-201-71-427-151-615-218-69-25-210-75-315-111-104-37-226-80-270-96s-138-50-210-75c-169-59-383-136-415-148-14-6-29-11-35-13-5-1-80-27-165-57-415-146-540-191-595-212-33-12-112-41-176-64-132-48-185-88-222-168l-22-48v-925c0-938 2-992 41-1380 49-488 156-1011 309-1504 61-197 184-532 247-676 40-90 47-106 78-180 28-65 215-447 248-505 164-290 298-511 397-652 27-40 73-105 100-145 28-39 84-116 125-171s84-112 95-127c31-40 95-120 135-166 19-22 44-52 54-65 115-147 475-524 706-739 173-161 542-466 675-557 22-16 45-33 50-39 6-5 28-22 50-37 22-14 60-41 85-58 164-118 524-346 681-433 72-39 133-52 202-42 37 6 177 79 346 181 9 6 34 21 56 34 51 31 415 272 435 288 8 7 71 54 139 104 135 101 174 145 197 226 35 122-34 257-161 315-67 30-169 30-240-1-27-12-52-26-55-30-20-28-395-285-626-429-145-91-135-89-224-34-235 147-373 242-610 416-405 298-905 768-1246 1171-180 213-362 457-536 720-84 127-238 380-238 391 0 3-8 18-19 32-71 101-297 577-415 875-273 690-422 1354-487 2172-12 157-22 1694-11 1710 4 6 23 16 42 22s98 34 175 61c217 79 590 211 695 247 52 19 140 50 195 70s150 54 210 75c61 21 162 57 225 80s165 59 225 80c61 21 232 82 380 135 149 53 295 105 325 115s138 48 240 85 228 82 280 100 217 76 365 130c207 74 278 96 305 92 19-2 78-20 130-40 52-19 178-65 280-101s194-70 205-75c18-8 269-98 470-168 39-13 221-78 405-145 184-66 389-140 455-164 66-23 210-75 320-114 110-40 256-92 325-117 69-24 154-55 190-68s148-54 250-90 214-76 250-89c36-14 128-47 205-74l140-50 3-579c7-1319-49-1851-278-2653-26-91-22-157 13-227 65-126 206-182 355-138 58 17 137 83 164 137 18 36 75 234 83 288 0 3 3 10 6 15 4 6 14 46 24 90s28 125 41 180c45 194 113 598 134 805 42 399 42 420 47 1375 5 933 4 940-16 995-24 63-88 135-141 158-37 16-252 94-545 197-99 35-232 82-295 
105s-126 45-140 50-81 29-150 53c-69 25-141 51-160 57-19 7-82 29-140 50-58 22-188 68-290 104-349 122-415 146-435 155-11 5-60 23-110 40-49 16-142 49-205 72-63 22-164 58-225 79-60 21-162 57-225 80s-158 57-210 75c-86 30-275 97-665 237-273 98-272 98-470 29z"/><path d="m5923 5035c-66-20-126-59-191-125-228-228-401-724-437-1256l-7-102-81-16c-222-44-429-202-556-421-154-268-146-616 18-788 154-163 428-122 685 103 31 27 60 50 64 50s20-25 36-56c37-70 123-148 193-174 128-48 256-9 495 149 119 78 108 79 123-9 8-52 43-116 72-136 68-44 163-34 212 22 17 19 118 209 226 423 107 214 199 393 205 396 21 13 22-4 6-122-49-348-21-595 78-698 42-44 44-45 108-45 113 0 260 57 398 154l65 45 14-27c51-100 156-164 300-184 259-36 689 83 998 275l82 51 3 155c2 86 2 159 0 163-1 3-26-10-55-29-60-41-448-234-457-228-4 2-10 57-13 122-4 65-15 152-26 193-79 303-80 276 4 376 97 117 117 149 122 196 5 57-13 88-67 116-61 30-147 30-215-1-63-30-115-87-286-312-204-270-257-332-370-430-169-146-225-206-233-248-12-66-109-94-152-44-64 75-60 268 16 654 17 84 30 170 30 191 0 89-48 180-107 203-73 28-191-8-250-76-21-24-96-152-167-284-98-185-133-241-147-241-23 0-24-16 6 173 34 218 39 284 26 334-17 62-48 93-98 100-89 12-161-26-198-103-22-47-69-279-95-474-27-202-30-223-37-217-3 3-32-16-65-44-83-69-198-145-271-180-151-71-217-15-217 186 0 153 22 223 189 592 260 577 352 894 353 1223 0 69-5 153-12 185-40 196-163 289-317 240zm46-334c68-68 19-447-106-821-58-175-203-540-214-540-21 0-2 357 32 630 55 444 136 701 233 740 30 13 34 12 55-9zm-668-1524c0-84 4-195 8-247l8-95-38-81c-74-156-146-224-240-224-103 0-153 56-152 171 1 163 80 346 213 491 64 71 174 153 191 142 5-3 9-74 10-157zm2870-299c39-161 28-307-29-372-47-52-146-70-217-37-45 20-155 116-155 136 0 14 354 365 368 365 6 0 20-42 33-92z"/></g></svg>


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" version="1.1" viewBox="0 0 33.867 33.867" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.0033803 0 0 -.0033803 1.64 34.376)"><path d="m4055 10121c-77-27-205-73-285-101-80-29-188-67-240-85-52-19-140-50-195-70s-181-65-280-100c-201-71-427-151-615-218-69-25-210-75-315-111-104-37-226-80-270-96s-138-50-210-75c-169-59-383-136-415-148-14-6-29-11-35-13-5-1-80-27-165-57-415-146-540-191-595-212-33-12-112-41-176-64-132-48-185-88-222-168l-22-48v-925c0-938 2-992 41-1380 49-488 156-1011 309-1504 61-197 184-532 247-676 40-90 47-106 78-180 28-65 215-447 248-505 164-290 298-511 397-652 27-40 73-105 100-145 28-39 84-116 125-171s84-112 95-127c31-40 95-120 135-166 19-22 44-52 54-65 115-147 475-524 706-739 173-161 542-466 675-557 22-16 45-33 50-39 6-5 28-22 50-37 22-14 60-41 85-58 164-118 524-346 681-433 72-39 133-52 202-42 37 6 177 79 346 181 9 6 34 21 56 34 51 31 415 272 435 288 8 7 71 54 139 104 135 101 174 145 197 226 35 122-34 257-161 315-67 30-169 30-240-1-27-12-52-26-55-30-20-28-395-285-626-429-145-91-135-89-224-34-235 147-373 242-610 416-405 298-905 768-1246 1171-180 213-362 457-536 720-84 127-238 380-238 391 0 3-8 18-19 32-71 101-297 577-415 875-273 690-422 1354-487 2172-12 157-22 1694-11 1710 4 6 23 16 42 22s98 34 175 61c217 79 590 211 695 247 52 19 140 50 195 70s150 54 210 75c61 21 162 57 225 80s165 59 225 80c61 21 232 82 380 135 149 53 295 105 325 115s138 48 240 85 228 82 280 100 217 76 365 130c207 74 278 96 305 92 19-2 78-20 130-40 52-19 178-65 280-101s194-70 205-75c18-8 269-98 470-168 39-13 221-78 405-145 184-66 389-140 455-164 66-23 210-75 320-114 110-40 256-92 325-117 69-24 154-55 190-68s148-54 250-90 214-76 250-89c36-14 128-47 205-74l140-50 3-579c7-1319-49-1851-278-2653-26-91-22-157 13-227 65-126 206-182 355-138 58 17 137 83 164 137 18 36 75 234 83 288 0 3 3 10 6 15 4 6 14 46 24 90s28 125 41 180c45 194 113 598 134 805 42 399 42 420 47 1375 5 933 4 940-16 995-24 63-88 135-141 158-37 16-252 94-545 197-99 35-232 82-295 105s-126 
45-140 50-81 29-150 53c-69 25-141 51-160 57-19 7-82 29-140 50-58 22-188 68-290 104-349 122-415 146-435 155-11 5-60 23-110 40-49 16-142 49-205 72-63 22-164 58-225 79-60 21-162 57-225 80s-158 57-210 75c-86 30-275 97-665 237-273 98-272 98-470 29z"/><path d="m5923 5035c-66-20-126-59-191-125-228-228-401-724-437-1256l-7-102-81-16c-222-44-429-202-556-421-154-268-146-616 18-788 154-163 428-122 685 103 31 27 60 50 64 50s20-25 36-56c37-70 123-148 193-174 128-48 256-9 495 149 119 78 108 79 123-9 8-52 43-116 72-136 68-44 163-34 212 22 17 19 118 209 226 423 107 214 199 393 205 396 21 13 22-4 6-122-49-348-21-595 78-698 42-44 44-45 108-45 113 0 260 57 398 154l65 45 14-27c51-100 156-164 300-184 259-36 689 83 998 275l82 51 3 155c2 86 2 159 0 163-1 3-26-10-55-29-60-41-448-234-457-228-4 2-10 57-13 122-4 65-15 152-26 193-79 303-80 276 4 376 97 117 117 149 122 196 5 57-13 88-67 116-61 30-147 30-215-1-63-30-115-87-286-312-204-270-257-332-370-430-169-146-225-206-233-248-12-66-109-94-152-44-64 75-60 268 16 654 17 84 30 170 30 191 0 89-48 180-107 203-73 28-191-8-250-76-21-24-96-152-167-284-98-185-133-241-147-241-23 0-24-16 6 173 34 218 39 284 26 334-17 62-48 93-98 100-89 12-161-26-198-103-22-47-69-279-95-474-27-202-30-223-37-217-3 3-32-16-65-44-83-69-198-145-271-180-151-71-217-15-217 186 0 153 22 223 189 592 260 577 352 894 353 1223 0 69-5 153-12 185-40 196-163 289-317 240zm46-334c68-68 19-447-106-821-58-175-203-540-214-540-21 0-2 357 32 630 55 444 136 701 233 740 30 13 34 12 55-9zm-668-1524c0-84 4-195 8-247l8-95-38-81c-74-156-146-224-240-224-103 0-153 56-152 171 1 163 80 346 213 491 64 71 174 153 191 142 5-3 9-74 10-157zm2870-299c39-161 28-307-29-372-47-52-146-70-217-37-45 20-155 116-155 136 0 14 354 365 368 365 6 0 20-42 33-92z"/></g></svg>


assets/img/dns/dns-dark.svg Normal file (166 lines)

@ -0,0 +1,166 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.48.0 (0)
-->
<!-- Title: DNS Pages: 1 -->
<svg width="630pt" height="935pt"
viewBox="0.00 0.00 630.00 935.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(36 899)">
<title>DNS</title>
<!-- Start -->
<g id="node1" class="node">
<title>Start</title>
<path fill="#d4bbd2" stroke="#d4bbd2" d="M89,-863C89,-863 55,-863 55,-863 49,-863 43,-857 43,-851 43,-851 43,-839 43,-839 43,-833 49,-827 55,-827 55,-827 89,-827 89,-827 95,-827 101,-833 101,-839 101,-839 101,-851 101,-851 101,-857 95,-863 89,-863"/>
<text text-anchor="middle" x="72" y="-841.3" font-family="monospace" font-size="14.00">Start</text>
</g>
<!-- anonymous -->
<g id="node3" class="node">
<title>anonymous</title>
<polygon fill="#ffebc2" stroke="#ffebc2" points="72,-791 0,-733.5 72,-676 144,-733.5 72,-791"/>
<text text-anchor="middle" x="72" y="-737.3" font-family="monospace" font-size="14.00">Trying to be</text>
<text text-anchor="middle" x="72" y="-722.3" font-family="monospace" font-size="14.00"> anonymous?</text>
</g>
<!-- Start&#45;&gt;anonymous -->
<g id="edge1" class="edge">
<title>Start&#45;&gt;anonymous</title>
<path fill="none" stroke="white" d="M72,-826.59C72,-826.59 72,-801.45 72,-801.45"/>
<polygon fill="white" stroke="white" points="72,-791.45 76.5,-801.45 72,-796.45 72,-801.45 72,-801.45 72,-801.45 72,-796.45 67.5,-801.45 72,-791.45 72,-791.45"/>
</g>
<!-- nothing -->
<g id="node2" class="node">
<title>nothing</title>
<path fill="#d4bbd2" stroke="#d4bbd2" d="M249.5,-36C249.5,-36 174.5,-36 174.5,-36 168.5,-36 162.5,-30 162.5,-24 162.5,-24 162.5,-12 162.5,-12 162.5,-6 168.5,0 174.5,0 174.5,0 249.5,0 249.5,0 255.5,0 261.5,-6 261.5,-12 261.5,-12 261.5,-24 261.5,-24 261.5,-30 255.5,-36 249.5,-36"/>
<text text-anchor="middle" x="212" y="-14.3" font-family="monospace" font-size="14.00">Do nothing</text>
</g>
<!-- censorship -->
<g id="node4" class="node">
<title>censorship</title>
<polygon fill="#ffebc2" stroke="#ffebc2" points="72,-640 0,-582.5 72,-525 144,-582.5 72,-640"/>
<text text-anchor="middle" x="72" y="-586.3" font-family="monospace" font-size="14.00">Avoiding</text>
<text text-anchor="middle" x="72" y="-571.3" font-family="monospace" font-size="14.00"> censorship?</text>
</g>
<!-- anonymous&#45;&gt;censorship -->
<g id="edge3" class="edge">
<title>anonymous&#45;&gt;censorship</title>
<path fill="none" stroke="white" d="M72,-675.98C72,-675.98 72,-650.11 72,-650.11"/>
<polygon fill="white" stroke="white" points="72,-640.11 76.5,-650.11 72,-645.11 72,-650.11 72,-650.11 72,-650.11 72,-645.11 67.5,-650.11 72,-640.11 72,-640.11"/>
<text text-anchor="middle" x="63.5" y="-651.85" font-family="monospace" font-size="14.00" fill="white">No</text>
</g>
<!-- tor -->
<g id="node8" class="node">
<title>tor</title>
<path fill="#7aa0da" stroke="#7aa0da" d="M300,-697.5C300,-697.5 406,-697.5 406,-697.5 412,-697.5 418,-703.5 418,-709.5 418,-709.5 418,-757.5 418,-757.5 418,-763.5 412,-769.5 406,-769.5 406,-769.5 300,-769.5 300,-769.5 294,-769.5 288,-763.5 288,-757.5 288,-757.5 288,-709.5 288,-709.5 288,-703.5 294,-697.5 300,-697.5"/>
<text text-anchor="middle" x="353" y="-729.8" font-family="monospace" font-size="14.00">Use Tor</text>
</g>
<!-- anonymous&#45;&gt;tor -->
<g id="edge2" class="edge">
<title>anonymous&#45;&gt;tor</title>
<path fill="none" stroke="white" d="M143.64,-733C143.64,-733 277.75,-733 277.75,-733"/>
<polygon fill="white" stroke="white" points="287.75,-733 277.75,-737.5 282.75,-733 277.75,-733 277.75,-733 277.75,-733 282.75,-733 277.75,-728.5 287.75,-733 287.75,-733"/>
<text text-anchor="middle" x="198.19" y="-736.8" font-family="monospace" font-size="14.00" fill="white">Yes</text>
</g>
<!-- privacy -->
<g id="node5" class="node">
<title>privacy</title>
<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-489 140,-431.5 212,-374 284,-431.5 212,-489"/>
<text text-anchor="middle" x="212" y="-435.3" font-family="monospace" font-size="14.00">Want privacy</text>
<text text-anchor="middle" x="212" y="-420.3" font-family="monospace" font-size="14.00"> from ISP?</text>
</g>
<!-- censorship&#45;&gt;privacy -->
<g id="edge5" class="edge">
<title>censorship&#45;&gt;privacy</title>
<path fill="none" stroke="white" d="M84.7,-535C115.31,-535 190.67,-535 190.67,-535 190.67,-535 190.67,-482.11 190.67,-482.11"/>
<polygon fill="white" stroke="white" points="190.67,-472.11 195.17,-482.11 190.67,-477.11 190.67,-482.11 190.67,-482.11 190.67,-482.11 190.67,-477.11 186.17,-482.11 190.67,-472.11 190.67,-472.11"/>
<text text-anchor="middle" x="155.63" y="-538.8" font-family="monospace" font-size="14.00" fill="white">No</text>
</g>
<!-- vpnOrTor -->
<g id="node9" class="node">
<title>vpnOrTor</title>
<path fill="#7aa0da" stroke="#7aa0da" d="M300,-546.5C300,-546.5 406,-546.5 406,-546.5 412,-546.5 418,-552.5 418,-558.5 418,-558.5 418,-606.5 418,-606.5 418,-612.5 412,-618.5 406,-618.5 406,-618.5 300,-618.5 300,-618.5 294,-618.5 288,-612.5 288,-606.5 288,-606.5 288,-558.5 288,-558.5 288,-552.5 294,-546.5 300,-546.5"/>
<text text-anchor="middle" x="353" y="-586.3" font-family="monospace" font-size="14.00">Use VPN</text>
<text text-anchor="middle" x="353" y="-571.3" font-family="monospace" font-size="14.00"> or Tor</text>
</g>
<!-- censorship&#45;&gt;vpnOrTor -->
<g id="edge4" class="edge">
<title>censorship&#45;&gt;vpnOrTor</title>
<path fill="none" stroke="white" d="M129.88,-594C129.88,-594 277.82,-594 277.82,-594"/>
<polygon fill="white" stroke="white" points="287.82,-594 277.82,-598.5 282.82,-594 277.82,-594 277.82,-594 277.82,-594 282.82,-594 277.82,-589.5 287.82,-594 287.82,-594"/>
<text text-anchor="middle" x="191.35" y="-597.8" font-family="monospace" font-size="14.00" fill="white">Yes</text>
</g>
<!-- obnoxious -->
<g id="node6" class="node">
<title>obnoxious</title>
<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-338 140,-280.5 212,-223 284,-280.5 212,-338"/>
<text text-anchor="middle" x="212" y="-291.8" font-family="monospace" font-size="14.00">ISP makes</text>
<text text-anchor="middle" x="212" y="-276.8" font-family="monospace" font-size="14.00"> obnoxious</text>
<text text-anchor="middle" x="212" y="-261.8" font-family="monospace" font-size="14.00"> redirects?</text>
</g>
<!-- privacy&#45;&gt;obnoxious -->
<g id="edge7" class="edge">
<title>privacy&#45;&gt;obnoxious</title>
<path fill="none" stroke="white" d="M212,-373.98C212,-373.98 212,-348.11 212,-348.11"/>
<polygon fill="white" stroke="white" points="212,-338.11 216.5,-348.11 212,-343.11 212,-348.11 212,-348.11 212,-348.11 212,-343.11 207.5,-348.11 212,-338.11 212,-338.11"/>
<text text-anchor="middle" x="203.5" y="-349.85" font-family="monospace" font-size="14.00" fill="white">No</text>
</g>
<!-- privacy&#45;&gt;vpnOrTor -->
<g id="edge6" class="edge">
<title>privacy&#45;&gt;vpnOrTor</title>
<path fill="none" stroke="white" d="M237.33,-468.98C237.33,-510 237.33,-570 237.33,-570 237.33,-570 277.73,-570 277.73,-570"/>
<polygon fill="white" stroke="white" points="287.73,-570 277.73,-574.5 282.73,-570 277.73,-570 277.73,-570 277.73,-570 282.73,-570 277.73,-565.5 287.73,-570 287.73,-570"/>
<text text-anchor="middle" x="224.83" y="-543.49" font-family="monospace" font-size="14.00" fill="white">Yes</text>
</g>
<!-- ispDNS -->
<g id="node7" class="node">
<title>ispDNS</title>
<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-187 140,-129.5 212,-72 284,-129.5 212,-187"/>
<text text-anchor="middle" x="212" y="-148.3" font-family="monospace" font-size="14.00">Does ISP</text>
<text text-anchor="middle" x="212" y="-133.3" font-family="monospace" font-size="14.00"> support</text>
<text text-anchor="middle" x="212" y="-118.3" font-family="monospace" font-size="14.00"> encrypted</text>
<text text-anchor="middle" x="212" y="-103.3" font-family="monospace" font-size="14.00"> DNS?</text>
</g>
<!-- obnoxious&#45;&gt;ispDNS -->
<g id="edge9" class="edge">
<title>obnoxious&#45;&gt;ispDNS</title>
<path fill="none" stroke="white" d="M212,-222.98C212,-222.98 212,-197.11 212,-197.11"/>
<polygon fill="white" stroke="white" points="212,-187.11 216.5,-197.11 212,-192.11 212,-197.11 212,-197.11 212,-197.11 212,-192.11 207.5,-197.11 212,-187.11 212,-187.11"/>
<text text-anchor="middle" x="203.5" y="-198.85" font-family="monospace" font-size="14.00" fill="white">No</text>
</g>
<!-- encryptedDNS -->
<g id="node10" class="node">
<title>encryptedDNS</title>
<path fill="#7aa0da" stroke="#7aa0da" d="M440,-244.5C440,-244.5 546,-244.5 546,-244.5 552,-244.5 558,-250.5 558,-256.5 558,-256.5 558,-304.5 558,-304.5 558,-310.5 552,-316.5 546,-316.5 546,-316.5 440,-316.5 440,-316.5 434,-316.5 428,-310.5 428,-304.5 428,-304.5 428,-256.5 428,-256.5 428,-250.5 434,-244.5 440,-244.5"/>
<text text-anchor="middle" x="493" y="-291.8" font-family="monospace" font-size="14.00">Use encrypted</text>
<text text-anchor="middle" x="493" y="-276.8" font-family="monospace" font-size="14.00"> DNS with 3rd</text>
<text text-anchor="middle" x="493" y="-261.8" font-family="monospace" font-size="14.00"> party</text>
</g>
<!-- obnoxious&#45;&gt;encryptedDNS -->
<g id="edge8" class="edge">
<title>obnoxious&#45;&gt;encryptedDNS</title>
<path fill="none" stroke="white" d="M283.64,-280C283.64,-280 417.75,-280 417.75,-280"/>
<polygon fill="white" stroke="white" points="427.75,-280 417.75,-284.5 422.75,-280 417.75,-280 417.75,-280 417.75,-280 422.75,-280 417.75,-275.5 427.75,-280 427.75,-280"/>
<text text-anchor="middle" x="338.19" y="-283.8" font-family="monospace" font-size="14.00" fill="white">Yes</text>
</g>
<!-- ispDNS&#45;&gt;nothing -->
<g id="edge11" class="edge">
<title>ispDNS&#45;&gt;nothing</title>
<path fill="none" stroke="white" d="M212,-71.79C212,-71.79 212,-46.13 212,-46.13"/>
<polygon fill="white" stroke="white" points="212,-36.13 216.5,-46.13 212,-41.13 212,-46.13 212,-46.13 212,-46.13 212,-41.13 207.5,-46.13 212,-36.13 212,-36.13"/>
<text text-anchor="middle" x="203.5" y="-47.76" font-family="monospace" font-size="14.00" fill="white">No</text>
</g>
<!-- useISP -->
<g id="node11" class="node">
<title>useISP</title>
<path fill="#7aa0da" stroke="#7aa0da" d="M440,-93.5C440,-93.5 546,-93.5 546,-93.5 552,-93.5 558,-99.5 558,-105.5 558,-105.5 558,-153.5 558,-153.5 558,-159.5 552,-165.5 546,-165.5 546,-165.5 440,-165.5 440,-165.5 434,-165.5 428,-159.5 428,-153.5 428,-153.5 428,-105.5 428,-105.5 428,-99.5 434,-93.5 440,-93.5"/>
<text text-anchor="middle" x="493" y="-133.3" font-family="monospace" font-size="14.00">Use encrypted</text>
<text text-anchor="middle" x="493" y="-118.3" font-family="monospace" font-size="14.00"> DNS with ISP</text>
</g>
<!-- ispDNS&#45;&gt;useISP -->
<g id="edge10" class="edge">
<title>ispDNS&#45;&gt;useISP</title>
<path fill="none" stroke="white" d="M283.64,-129C283.64,-129 417.75,-129 417.75,-129"/>
<polygon fill="white" stroke="white" points="427.75,-129 417.75,-133.5 422.75,-129 417.75,-129 417.75,-129 417.75,-129 422.75,-129 417.75,-124.5 427.75,-129 427.75,-129"/>
<text text-anchor="middle" x="338.19" y="-132.8" font-family="monospace" font-size="14.00" fill="white">Yes</text>
</g>
</g>
</svg>
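Review bot: the Graphviz-generated `<title>` elements inside each node and edge group carry the internal identifiers (`obnoxious`, `ispDNS`, `privacy&#45;&gt;vpnOrTor`), and browsers render these as hover tooltips while screen readers announce them; consider stripping them in post-processing or replacing them with the visible label text ("ISP makes obnoxious redirects?") so the chart reads the same for assistive technology as it does visually.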

assets/img/dns/dns.svg Normal file

@ -0,0 +1,166 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.48.0 (0)
-->
<!-- Title: DNS Pages: 1 -->
<svg width="630pt" height="935pt"
viewBox="0.00 0.00 630.00 935.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(36 899)">
<title>DNS</title>
<!-- Start -->
<g id="node1" class="node">
<title>Start</title>
<path fill="#d4bbd2" stroke="#d4bbd2" d="M89,-863C89,-863 55,-863 55,-863 49,-863 43,-857 43,-851 43,-851 43,-839 43,-839 43,-833 49,-827 55,-827 55,-827 89,-827 89,-827 95,-827 101,-833 101,-839 101,-839 101,-851 101,-851 101,-857 95,-863 89,-863"/>
<text text-anchor="middle" x="72" y="-841.3" font-family="monospace" font-size="14.00">Start</text>
</g>
<!-- anonymous -->
<g id="node3" class="node">
<title>anonymous</title>
<polygon fill="#ffebc2" stroke="#ffebc2" points="72,-791 0,-733.5 72,-676 144,-733.5 72,-791"/>
<text text-anchor="middle" x="72" y="-737.3" font-family="monospace" font-size="14.00">Trying to be</text>
<text text-anchor="middle" x="72" y="-722.3" font-family="monospace" font-size="14.00"> anonymous?</text>
</g>
<!-- Start&#45;&gt;anonymous -->
<g id="edge1" class="edge">
<title>Start&#45;&gt;anonymous</title>
<path fill="none" stroke="black" d="M72,-826.59C72,-826.59 72,-801.45 72,-801.45"/>
<polygon fill="black" stroke="black" points="72,-791.45 76.5,-801.45 72,-796.45 72,-801.45 72,-801.45 72,-801.45 72,-796.45 67.5,-801.45 72,-791.45 72,-791.45"/>
</g>
<!-- nothing -->
<g id="node2" class="node">
<title>nothing</title>
<path fill="#d4bbd2" stroke="#d4bbd2" d="M249.5,-36C249.5,-36 174.5,-36 174.5,-36 168.5,-36 162.5,-30 162.5,-24 162.5,-24 162.5,-12 162.5,-12 162.5,-6 168.5,0 174.5,0 174.5,0 249.5,0 249.5,0 255.5,0 261.5,-6 261.5,-12 261.5,-12 261.5,-24 261.5,-24 261.5,-30 255.5,-36 249.5,-36"/>
<text text-anchor="middle" x="212" y="-14.3" font-family="monospace" font-size="14.00">Do nothing</text>
</g>
<!-- censorship -->
<g id="node4" class="node">
<title>censorship</title>
<polygon fill="#ffebc2" stroke="#ffebc2" points="72,-640 0,-582.5 72,-525 144,-582.5 72,-640"/>
<text text-anchor="middle" x="72" y="-586.3" font-family="monospace" font-size="14.00">Avoiding</text>
<text text-anchor="middle" x="72" y="-571.3" font-family="monospace" font-size="14.00"> censorship?</text>
</g>
<!-- anonymous&#45;&gt;censorship -->
<g id="edge3" class="edge">
<title>anonymous&#45;&gt;censorship</title>
<path fill="none" stroke="black" d="M72,-675.98C72,-675.98 72,-650.11 72,-650.11"/>
<polygon fill="black" stroke="black" points="72,-640.11 76.5,-650.11 72,-645.11 72,-650.11 72,-650.11 72,-650.11 72,-645.11 67.5,-650.11 72,-640.11 72,-640.11"/>
<text text-anchor="middle" x="63.5" y="-651.85" font-family="monospace" font-size="14.00">No</text>
</g>
<!-- tor -->
<g id="node8" class="node">
<title>tor</title>
<path fill="#7aa0da" stroke="#7aa0da" d="M300,-697.5C300,-697.5 406,-697.5 406,-697.5 412,-697.5 418,-703.5 418,-709.5 418,-709.5 418,-757.5 418,-757.5 418,-763.5 412,-769.5 406,-769.5 406,-769.5 300,-769.5 300,-769.5 294,-769.5 288,-763.5 288,-757.5 288,-757.5 288,-709.5 288,-709.5 288,-703.5 294,-697.5 300,-697.5"/>
<text text-anchor="middle" x="353" y="-729.8" font-family="monospace" font-size="14.00">Use Tor</text>
</g>
<!-- anonymous&#45;&gt;tor -->
<g id="edge2" class="edge">
<title>anonymous&#45;&gt;tor</title>
<path fill="none" stroke="black" d="M143.64,-733C143.64,-733 277.75,-733 277.75,-733"/>
<polygon fill="black" stroke="black" points="287.75,-733 277.75,-737.5 282.75,-733 277.75,-733 277.75,-733 277.75,-733 282.75,-733 277.75,-728.5 287.75,-733 287.75,-733"/>
<text text-anchor="middle" x="198.19" y="-736.8" font-family="monospace" font-size="14.00">Yes</text>
</g>
<!-- privacy -->
<g id="node5" class="node">
<title>privacy</title>
<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-489 140,-431.5 212,-374 284,-431.5 212,-489"/>
<text text-anchor="middle" x="212" y="-435.3" font-family="monospace" font-size="14.00">Want privacy</text>
<text text-anchor="middle" x="212" y="-420.3" font-family="monospace" font-size="14.00"> from ISP?</text>
</g>
<!-- censorship&#45;&gt;privacy -->
<g id="edge5" class="edge">
<title>censorship&#45;&gt;privacy</title>
<path fill="none" stroke="black" d="M84.7,-535C115.31,-535 190.67,-535 190.67,-535 190.67,-535 190.67,-482.11 190.67,-482.11"/>
<polygon fill="black" stroke="black" points="190.67,-472.11 195.17,-482.11 190.67,-477.11 190.67,-482.11 190.67,-482.11 190.67,-482.11 190.67,-477.11 186.17,-482.11 190.67,-472.11 190.67,-472.11"/>
<text text-anchor="middle" x="155.63" y="-538.8" font-family="monospace" font-size="14.00">No</text>
</g>
<!-- vpnOrTor -->
<g id="node9" class="node">
<title>vpnOrTor</title>
<path fill="#7aa0da" stroke="#7aa0da" d="M300,-546.5C300,-546.5 406,-546.5 406,-546.5 412,-546.5 418,-552.5 418,-558.5 418,-558.5 418,-606.5 418,-606.5 418,-612.5 412,-618.5 406,-618.5 406,-618.5 300,-618.5 300,-618.5 294,-618.5 288,-612.5 288,-606.5 288,-606.5 288,-558.5 288,-558.5 288,-552.5 294,-546.5 300,-546.5"/>
<text text-anchor="middle" x="353" y="-586.3" font-family="monospace" font-size="14.00">Use VPN</text>
<text text-anchor="middle" x="353" y="-571.3" font-family="monospace" font-size="14.00"> or Tor</text>
</g>
<!-- censorship&#45;&gt;vpnOrTor -->
<g id="edge4" class="edge">
<title>censorship&#45;&gt;vpnOrTor</title>
<path fill="none" stroke="black" d="M129.88,-594C129.88,-594 277.82,-594 277.82,-594"/>
<polygon fill="black" stroke="black" points="287.82,-594 277.82,-598.5 282.82,-594 277.82,-594 277.82,-594 277.82,-594 282.82,-594 277.82,-589.5 287.82,-594 287.82,-594"/>
<text text-anchor="middle" x="191.35" y="-597.8" font-family="monospace" font-size="14.00">Yes</text>
</g>
<!-- obnoxious -->
<g id="node6" class="node">
<title>obnoxious</title>
<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-338 140,-280.5 212,-223 284,-280.5 212,-338"/>
<text text-anchor="middle" x="212" y="-291.8" font-family="monospace" font-size="14.00">ISP makes</text>
<text text-anchor="middle" x="212" y="-276.8" font-family="monospace" font-size="14.00"> obnoxious</text>
<text text-anchor="middle" x="212" y="-261.8" font-family="monospace" font-size="14.00"> redirects?</text>
</g>
<!-- privacy&#45;&gt;obnoxious -->
<g id="edge7" class="edge">
<title>privacy&#45;&gt;obnoxious</title>
<path fill="none" stroke="black" d="M212,-373.98C212,-373.98 212,-348.11 212,-348.11"/>
<polygon fill="black" stroke="black" points="212,-338.11 216.5,-348.11 212,-343.11 212,-348.11 212,-348.11 212,-348.11 212,-343.11 207.5,-348.11 212,-338.11 212,-338.11"/>
<text text-anchor="middle" x="203.5" y="-349.85" font-family="monospace" font-size="14.00">No</text>
</g>
<!-- privacy&#45;&gt;vpnOrTor -->
<g id="edge6" class="edge">
<title>privacy&#45;&gt;vpnOrTor</title>
<path fill="none" stroke="black" d="M237.33,-468.98C237.33,-510 237.33,-570 237.33,-570 237.33,-570 277.73,-570 277.73,-570"/>
<polygon fill="black" stroke="black" points="287.73,-570 277.73,-574.5 282.73,-570 277.73,-570 277.73,-570 277.73,-570 282.73,-570 277.73,-565.5 287.73,-570 287.73,-570"/>
<text text-anchor="middle" x="224.83" y="-543.49" font-family="monospace" font-size="14.00">Yes</text>
</g>
<!-- ispDNS -->
<g id="node7" class="node">
<title>ispDNS</title>
<polygon fill="#ffebc2" stroke="#ffebc2" points="212,-187 140,-129.5 212,-72 284,-129.5 212,-187"/>
<text text-anchor="middle" x="212" y="-148.3" font-family="monospace" font-size="14.00">Does ISP</text>
<text text-anchor="middle" x="212" y="-133.3" font-family="monospace" font-size="14.00"> support</text>
<text text-anchor="middle" x="212" y="-118.3" font-family="monospace" font-size="14.00"> encrypted</text>
<text text-anchor="middle" x="212" y="-103.3" font-family="monospace" font-size="14.00"> DNS?</text>
</g>
<!-- obnoxious&#45;&gt;ispDNS -->
<g id="edge9" class="edge">
<title>obnoxious&#45;&gt;ispDNS</title>
<path fill="none" stroke="black" d="M212,-222.98C212,-222.98 212,-197.11 212,-197.11"/>
<polygon fill="black" stroke="black" points="212,-187.11 216.5,-197.11 212,-192.11 212,-197.11 212,-197.11 212,-197.11 212,-192.11 207.5,-197.11 212,-187.11 212,-187.11"/>
<text text-anchor="middle" x="203.5" y="-198.85" font-family="monospace" font-size="14.00">No</text>
</g>
<!-- encryptedDNS -->
<g id="node10" class="node">
<title>encryptedDNS</title>
<path fill="#7aa0da" stroke="#7aa0da" d="M440,-244.5C440,-244.5 546,-244.5 546,-244.5 552,-244.5 558,-250.5 558,-256.5 558,-256.5 558,-304.5 558,-304.5 558,-310.5 552,-316.5 546,-316.5 546,-316.5 440,-316.5 440,-316.5 434,-316.5 428,-310.5 428,-304.5 428,-304.5 428,-256.5 428,-256.5 428,-250.5 434,-244.5 440,-244.5"/>
<text text-anchor="middle" x="493" y="-291.8" font-family="monospace" font-size="14.00">Use encrypted</text>
<text text-anchor="middle" x="493" y="-276.8" font-family="monospace" font-size="14.00"> DNS with 3rd</text>
<text text-anchor="middle" x="493" y="-261.8" font-family="monospace" font-size="14.00"> party</text>
</g>
<!-- obnoxious&#45;&gt;encryptedDNS -->
<g id="edge8" class="edge">
<title>obnoxious&#45;&gt;encryptedDNS</title>
<path fill="none" stroke="black" d="M283.64,-280C283.64,-280 417.75,-280 417.75,-280"/>
<polygon fill="black" stroke="black" points="427.75,-280 417.75,-284.5 422.75,-280 417.75,-280 417.75,-280 417.75,-280 422.75,-280 417.75,-275.5 427.75,-280 427.75,-280"/>
<text text-anchor="middle" x="338.19" y="-283.8" font-family="monospace" font-size="14.00">Yes</text>
</g>
<!-- ispDNS&#45;&gt;nothing -->
<g id="edge11" class="edge">
<title>ispDNS&#45;&gt;nothing</title>
<path fill="none" stroke="black" d="M212,-71.79C212,-71.79 212,-46.13 212,-46.13"/>
<polygon fill="black" stroke="black" points="212,-36.13 216.5,-46.13 212,-41.13 212,-46.13 212,-46.13 212,-46.13 212,-41.13 207.5,-46.13 212,-36.13 212,-36.13"/>
<text text-anchor="middle" x="203.5" y="-47.76" font-family="monospace" font-size="14.00">No</text>
</g>
<!-- useISP -->
<g id="node11" class="node">
<title>useISP</title>
<path fill="#7aa0da" stroke="#7aa0da" d="M440,-93.5C440,-93.5 546,-93.5 546,-93.5 552,-93.5 558,-99.5 558,-105.5 558,-105.5 558,-153.5 558,-153.5 558,-159.5 552,-165.5 546,-165.5 546,-165.5 440,-165.5 440,-165.5 434,-165.5 428,-159.5 428,-153.5 428,-153.5 428,-105.5 428,-105.5 428,-99.5 434,-93.5 440,-93.5"/>
<text text-anchor="middle" x="493" y="-133.3" font-family="monospace" font-size="14.00">Use encrypted</text>
<text text-anchor="middle" x="493" y="-118.3" font-family="monospace" font-size="14.00"> DNS with ISP</text>
</g>
<!-- ispDNS&#45;&gt;useISP -->
<g id="edge10" class="edge">
<title>ispDNS&#45;&gt;useISP</title>
<path fill="none" stroke="black" d="M283.64,-129C283.64,-129 417.75,-129 417.75,-129"/>
<polygon fill="black" stroke="black" points="427.75,-129 417.75,-133.5 422.75,-129 417.75,-129 417.75,-129 417.75,-129 422.75,-129 417.75,-124.5 427.75,-129 427.75,-129"/>
<text text-anchor="middle" x="338.19" y="-132.8" font-family="monospace" font-size="14.00">Yes</text>
</g>
</g>
</svg>
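Review bot: the visible portion of this file is identical to dns-dark.svg except that edge strokes, arrowheads and edge labels use `stroke="black"` / `fill="black"` instead of white (compare `<path fill="none" stroke="black" d="M72,-826.59C72,-826.59 72,-801.45 72,-801.45"/>` with the white-stroked counterpart in the dark variant), so every future change to the flow chart has to be made twice; consider keeping a single Graphviz source and generating both variants from it, or shipping one SVG that uses `currentColor` for the edges so the `<picture>` with `prefers-color-scheme` in the DNS page is not needed.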


@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="128" height="128" clip-rule="evenodd" fill-rule="evenodd" stroke-linejoin="round" stroke-miterlimit="1.4142" version="1.1" xml:space="preserve" xmlns="http://www.w3.org/2000/svg"><g transform="matrix(.83711 0 0 .83711 16.201 .088026)" stroke-width="1.1946"><g stroke-width="1.1946"><g fill-rule="nonzero" stroke-width="1.1946"><path d="m87.5 6.548v86.4l-29.5 17c-0.597 0.299-1.303 0.299-1.9 0l-29.5-17v-86.4l-20.9 12.1c-3.528 2.042-5.706 5.824-5.7 9.9v86.4c0.021 4.07 2.191 7.839 5.7 9.9l45.7 26.4c3.533 1.998 7.867 1.998 11.4 0l45.7-26.4c3.528-2.042 5.706-5.824 5.7-9.9v-86.4c-0.021-4.07-2.191-7.839-5.7-9.9z" fill="#2d2e83"/><path d="m87.5 6.548v86.4l-29.5 17c-0.597 0.299-1.303 0.299-1.9 0l-29.5-17v-86.4l-20.9 12.1c-3.528 2.042-5.706 5.824-5.7 9.9v86.4c0.021 4.07 2.191 7.839 5.7 9.9l45.7 26.4c3.533 1.998 7.867 1.998 11.4 0l45.7-26.4c3.528-2.042 5.706-5.824 5.7-9.9v-86.4c-0.021-4.07-2.191-7.839-5.7-9.9z" fill="url(#_Linear1)"/><path d="m114.2 28.548c-0.021-4.07-2.191-7.839-5.7-9.9l-30.4-17.6c-2.337-1.398-5.263-1.398-7.6 0-2.354 1.359-3.807 3.882-3.8 6.6v66.6c0.021 4.07 2.191 7.839 5.7 9.9l36.1 20.9c3.528 2.042 5.706 5.824 5.7 9.9z" fill="#1fc2d7"/><path d="m0 28.548c0.021-4.07 2.191-7.839 5.7-9.9l30.5-17.6c2.337-1.398 5.263-1.398 7.6 0 2.354 1.359 3.807 3.882 3.8 6.6v66.6c-0.021 4.07-2.191 7.839-5.7 9.9l-36.1 20.9c-3.528 2.042-5.706 5.824-5.7 9.9z" fill="#1fc2d7"/></g></g></g><defs><linearGradient id="_Linear1" x2="1" gradientTransform="matrix(136.42 0 0 136.42 -19.353 95.041)" gradientUnits="userSpaceOnUse"><stop stop-color="#0d0d27" offset="0"/><stop stop-color="#10102f" offset=".02"/><stop stop-color="#1a1b4d" offset=".1"/><stop stop-color="#232365" offset=".19"/><stop stop-color="#282976" offset=".28"/><stop stop-color="#2c2d80" offset=".38"/><stop stop-color="#2d2e83" offset=".5"/><stop stop-color="#2c2d80" offset=".62"/><stop stop-color="#282976" offset=".72"/><stop stop-color="#232365" offset=".81"/><stop stop-color="#1a1b4d" offset=".9"/><stop 
stop-color="#10102f" offset=".98"/><stop stop-color="#0d0d27" offset="1"/></linearGradient></defs></svg>
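Review bot: this deletes an image asset, but no change removing references to it is visible in this hunk; confirm that no page or provider entry still points at this file, otherwise the site ships a broken image.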


@ -60,7 +60,7 @@ Modern Android devices have global toggles for disabling [Bluetooth](https://en.
### Avoid Root
[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful [Verified Boot](https://source.android.com/security/verifiedboot). Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) policy bypasses.
Adblockers (AdAway) which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](/providers/dns) or [VPN](/providers/vpn/) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
Adblockers (AdAway) which modify the [hosts file](https://en.wikipedia.org/wiki/Hosts_(file)) and firewalls (AFWall+) which require root access persistently are dangerous and should not be used. They are also not the correct way to solve their intended purposes. For Adblocking we suggest encrypted [DNS](/dns) or [VPN](/providers/vpn/) server blocking solutions instead. RethinkDNS, TrackerControl and AdAway in non-root mode will take up the VPN slot (by using a local loopback VPN) preventing you from using privacy enhancing services such as Orbot or a real VPN server.
AFWall+ works based on the [packet filtering](https://en.wikipedia.org/wiki/Firewall_(computing)#Packet_filter) approach and may be bypassable in some situations.
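Review bot: the only change in this hunk is the link target `/providers/dns` becoming `/dns`; since the old path may be linked from outside the site, make sure a redirect from `/providers/dns` to `/dns` ships alongside this change so existing links do not 404.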


@ -0,0 +1,266 @@
---
layout: page
title: "DNS Resolvers"
description: "The [Domain Name System (DNS)](https://en.wikipedia.org/wiki/Domain_Name_System) is the 'phonebook of the Internet'. DNS translates domain names to [IP](https://en.wikipedia.org/wiki/Internet_Protocol) addresses so browsers and other services can load Internet resources, through a decentralized network of servers."
---
## What is DNS?
When you visit a website, a numerical address is returned. For example, when you visit `privacyguides.org`, the address `192.98.54.105` is returned.
DNS has existed since the [early days](https://en.wikipedia.org/wiki/Domain_Name_System#History) of the Internet. DNS requests made to and from DNS servers are **not** generally encrypted. In a residential setting, a customer is given servers by the [ISP](https://en.wikipedia.org/wiki/Internet_service_provider) via [Dynamic Host Configuration Protocol (DHCP)](https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol).
Unencrypted DNS requests are able to be easily **surveilled** and **modified** in transit. In some parts of the world ISPs are ordered to do primitive [DNS filtering](https://en.wikipedia.org/wiki/DNS_blocking). When a user requests the IP of a domain that is blocked, the server may not respond or may respond with a different IP address. As the DNS protocol is not encrypted, the ISP (or any network operator) can use [deep packet inspection (DPI)](https://en.wikipedia.org/wiki/Deep_packet_inspection) to monitor requests. ISPs can also block requests based on common characteristics, regardless of which DNS server is used. Unencrypted DNS always uses [port](https://en.wikipedia.org/wiki/Port_(computer_networking)) 53 and always uses the [User Datagram Protocol (UDP)](https://en.wikipedia.org/wiki/User_Datagram_Protocol).
Below we discuss what an outside observer may see using regular unencrypted DNS, and [encrypted DNS](/dns/#what-is-encrypted-dns).
### Unencrypted DNS
1. Using [`tshark`](https://www.wireshark.org/docs/man-pages/tshark.html) (part of the [Wireshark](https://en.wikipedia.org/wiki/Wireshark) project) we can monitor and record internet packet flow. This command records packets that meet the rules specified:
<pre class=terminal>tshark -w /tmp/dns.pcap udp port 53 and host 1.1.1.1 or host 8.8.8.8</pre>
2. We can then use [`dig`](https://en.wikipedia.org/wiki/Dig_(command)) to send the DNS lookup to both servers. Software such as web browsers do these lookups automatically unless they are configured to use [encrypted DNS](/dns/#what-is-encrypted-dns).
<pre class=terminal>
dig +noall +answer privacyguides.org @1.1.1.1
dig +noall +answer privacyguides.org @8.8.8.8
</pre>
or [`nslookup`](https://en.wikipedia.org/wiki/Nslookup) on Windows:
<pre class=terminal>
nslookup privacyguides.org 1.1.1.1
nslookup privacyguides.org 8.8.8.8
</pre>
3. Next we want to [analyse](https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs) the results:
<pre class=terminal>wireshark -r /tmp/dns.pcap</pre>
or:
<pre class=terminal>tshark -r /tmp/dns.pcap</pre>
If you ran the Wireguard command above the top pane shows the "[frames](https://en.wikipedia.org/wiki/Ethernet_frame)", and the bottom pane shows all the data about the selected frame. Enterprise filtering and monitoring solutions (such as those purchased by governments) can do the process automatically, without human interaction and can aggregate those frames to produce statistical data useful to the network observer.
{% include table-unencrypted-dns.html %}
An observer could modify any of these packets.
## What is "encrypted DNS"?
Encrypted DNS can refer to one of a number of protocols, the most common ones being:
### DNSCrypt
[**DNSCrypt**](https://en.wikipedia.org/wiki/DNSCrypt) was one of the first methods of encrypting DNS queries. The [protocol](https://en.wikipedia.org/wiki/DNSCrypt#Protocol) operates on [port 443](https://en.wikipedia.org/wiki/Well-known_ports) and works with both the [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) or [UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) transport protocols. DNSCrypt has never been submitted to the [Internet Engineering Task Force (IETF)](https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force) nor has it gone through the [Request for Comments (RFC)](https://en.wikipedia.org/wiki/Request_for_Comments) process, so it has not been used widely outside of a few [implementations](https://dnscrypt.info/implementations). As a result, it has been largely replaced by the more popular [DNS over HTTPS (DoH)](/dns/#dns-over-https-doh).
### DNS over TLS (DoT)
[**DNS over TLS (DoT)**](https://en.wikipedia.org/wiki/DNS_over_TLS) is another method for encrypting DNS communication that is defined in [RFC 7858](https://datatracker.ietf.org/doc/html/rfc7858). Support was first implemented in [Android 9](https://en.wikipedia.org/wiki/Android_Pie), [iOS 14](https://en.wikipedia.org/wiki/IOS_14) and on Linux in [systemd-resolved](https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSOverTLS=) in version 237. Preference in the industry has been moving away from DoT to [DNS over HTTPS](/dns/#dns-over-https-doh) in recent years as DoT is a [complex protocol](https://dnscrypt.info/faq/) and has varying compliance to the RFC across the implementations that exist. DoT also operates on a dedicated port 853 and that can be blocked easily by restrictive firewalls.
### DNS over HTTPS (DoH)
[**DNS over HTTPS**](https://en.wikipedia.org/wiki/DNS_over_HTTPS) as defined in [RFC 8484](https://datatracker.ietf.org/doc/html/rfc8484) packages queries in the [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) protocol and provides security with [HTTPS](https://en.wikipedia.org/wiki/HTTPS). Support was first added in web browsers such as [Firefox 60](https://support.mozilla.org/en-US/kb/firefox-dns-over-https) and [Chrome 83](https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html).
Native implementations showed up in [iOS 14](https://en.wikipedia.org/wiki/IOS_14), [macOS 11](https://en.wikipedia.org/wiki/MacOS_11), [Microsoft Windows](https://docs.microsoft.com/en-us/windows-server/networking/dns/doh-client-support), and Android 13 (however it won't be enabled [by default](https://android-review.googlesource.com/c/platform/packages/modules/DnsResolver/+/1833144)). General Linux desktop support is waiting on the systemd [implementation](https://github.com/systemd/systemd/issues/8639) so installing third party software is still required as described [below](/dns/#linux).
## What can an outside party see?
In this example we will record what happens when we make a DoH request:
1. Firstly start `tshark`:
<pre class=terminal>
tshark -w /tmp/dns_doh.pcap -f "tcp port https and host 1.1.1.1"
</pre>
2. Secondly make a request with `curl`:
<pre class=terminal>
curl -vI --doh-url https://1.1.1.1/dns-query https://privacyguides.org
</pre>
3. After making the request, we can stop the packet capture with <kbd>CTRL</kbd> + <kbd>C</kbd>.
4. Analyse the results in Wireshark:
<pre class=terminal>wireshark -r /tmp/dns_doh.pcap</pre>
We can see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment) and [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) that occurs with any encrypted connection. When looking at the "application data" packets that follow, none of them contain the domain we requested or the IP address returned.
## Why **shouldn't** I use encrypted DNS?
In locations where there is internet filtering (or censorship), visiting forbidden resources may have its own consequences which you should consider in your [threat model](/threat-modeling/). We do **not** suggest the use of encrypted DNS for this purpose. Use [Tor](https://torproject.org), or a [VPN](/providers/vpn/) instead. If you're using a VPN, you should use your VPN's DNS servers. When using a VPN you are already trusting them with all your network activity. We made this flow chart to describe when you *should* use "encrypted DNS":
<picture>
<source srcset="/assets/img/dns/dns-dark.svg" media="(prefers-color-scheme: dark)">
<img class="flowchart" src="/assets/img/dns/dns.svg" alt="DNS flowchart">
</picture>
When we do a DNS lookup, it's generally because we want to access a resource. Below we will discuss some of the methods that may disclose your browsing activities even when using encrypted DNS:
### IP Address
The simplest way to determine browsing activity might be to look at the IP addresses your devices are accessing. For example, if the observer knows that `privacyguides.org` is at `198.98.54.105`, and your device is requesting data from `198.98.54.105`, there is a good chance you're visiting Privacy Guides.
This method is only useful when the IP address belongs to a server that only hosts few websites. It's also not very useful if the site is hosted on a shared platform, (e.g. Github Pages, Cloudflare Pages, Netlify, Wordpress, Blogger etc). It also isn't very useful if the server is hosted behind a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy), which is very common on the modern Internet.
### Server Name Indication (SNI)
Server Name Indication, is typically used when a IP address hosts many websites. This could be a service like Cloudflare, or some other [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack) protection.
1. Start capturing again with `tshark`. We've added a filter with our IP address so you don't capture many packets:
<pre class=terminal>
tshark -w /tmp/pg.pcap port 443 and host 198.98.54.105
</pre>
2. Then we visit [https://privacyguides.org](https://privacyguides.org).
3. After visiting the website, we what to stop the packet capture with <kbd>CTRL</kbd> + <kbd>C</kbd>.
4. Next we want to analyze the results:
<pre class=terminal>wireshark -r /tmp/pg.pcap</pre>
We will see the [connection establishment](https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment), followed by the [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) for the Privacy Guides website. Around frame 5. you'll see a "Client Hello".
5. Expand the triangle &#9656; next to each field:
<pre class=terminal>
▸ Transport Layer Security
▸ TLSv1.3 Record Layer: Handshake Protocol: Client Hello
▸ Handshake Protocol: Client Hello
▸ Extension: server_name (len=22)
▸ Server Name Indication extension
</pre>
6. We can see the [Server Name Indication (SNI)](https://en.wikipedia.org/wiki/Server_Name_Indication) value which discloses the website we are visiting. The `tshark` command can give you the value directly for all packets containing a SNI value:
<pre class=terminal>
tshark -r /tmp/pg.pcap -Tfields -Y tls.handshake.extensions_server_name -e tls.handshake.extensions_server_name
</pre>
This means even if we are using "Encrypted DNS" servers, the domain will likely be disclosed through SNI. The [TLS v1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) protocol brings with it [Encrypted Client Hello](https://blog.cloudflare.com/encrypted-client-hello/) which prevents this kind of leak.
Governments, in particular [China](https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/) and [Russia](https://www.zdnet.com/article/russia-wants-to-ban-the-use-of-secure-protocols-such-as-tls-1-3-doh-dot-esni/), have either already [started blocking](https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello) it or expressed a desire to do so. Recently Russia has [started blocking foreign websites](https://github.com/net4people/bbs/issues/108) that use the [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) standard. This is because the [QUIC](https://en.wikipedia.org/wiki/QUIC) protocol that is a part of HTTP/3 requires that `ClientHello` be also encrypted.
### Online Certificate Status Protocol (OCSP)
Another way your browser can disclose your browsing activities is with the [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol). When visiting a [HTTPS](https://en.wikipedia.org/wiki/HTTPS) website, the browser might check to see if the [X.509](https://en.wikipedia.org/wiki/X.509) [certificate](https://en.wikipedia.org/wiki/Public_key_certificate) has been [revoked](https://en.wikipedia.org/wiki/Certificate_revocation_list). This is generally done through the [HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) protocol, meaning it is **not** encrypted.
The OCSP request contains the certificate "[serial number](https://en.wikipedia.org/wiki/Public_key_certificate#Common_fields)", which is unique. It is sent to the "OCSP responder" in order to check its status.
We can simulate what a browser would do using the [`openssl`](https://en.wikipedia.org/wiki/OpenSSL) command.
1. Get the server certificate and use [`sed`](https://en.wikipedia.org/wiki/Sed) to keep just the important part and write it out to a file:
<pre class=terminal>
openssl s_client -connect privacyguides.org:443 < /dev/null 2>&1 |
sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_server.cert
</pre>
2. Get the intermediate certificate. [Certificate Authorities (CA)](https://en.wikipedia.org/wiki/Certificate_authority) normally don't sign a certificate directly; they use what is known as an "intermediate" certificate.
<pre class=terminal>
openssl s_client -showcerts -connect privacyguides.org:443 < /dev/null 2>&1 |
sed -n '/^-*BEGIN/,/^-*END/p' > /tmp/pg_and_intermediate.cert
</pre>
3. The first certificate in `pg_and_intermediate.cert`, is actually the server certificate from step 1. We can use `sed` again to delete until the first instance of END:
<pre class=terminal>
sed -n '/^-*END CERTIFICATE-*$/!d;:a n;p;ba' \
/tmp/pg_and_intermediate.cert > /tmp/intermediate_chain.cert
</pre>
4. Get the OCSP responder for the server certificate:
<pre class=terminal>openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert</pre>
If we want to see all the details of the certificate we can use:
<pre class=terminal>openssl x509 -text -noout -in /tmp/pg_server.cert</pre>
Our certificate shows the Lets Encrypt certificate responder.
5. Start the packet capture:
<pre class=terminal>
tshark -w /tmp/pg_ocsp.pcap -f "tcp port http"
</pre>
6. Make the OCSP request:
<pre class=terminal>
openssl ocsp -issuer /tmp/intermediate_chain.cert \
-cert /tmp/pg_server.cert \
-text \
-url http://r3.o.lencr.org
</pre>
6. Open the capture:
<pre class=terminal>
wireshark -r /tmp/pg_ocsp.pcap
</pre>
There will be two packets with the "OCSP" protocol; a "Request" and a "Response". For the "Request" we can see the "serial number" by expanding the triangle &#9656; next to each field:
<pre class=terminal>
▸ Online Certificate Status Protocol
▸ tbsRequest
▸ requestList: 1 item
▸ Request
▸ reqCert
serialNumber
</pre>
For the "Response" we can also see the "serial number":
<pre class=terminal>
▸ Online Certificate Status Protocol
▸ responseBytes
▸ BasicOCSPResponse
▸ tbsResponseData
▸ responses: 1 item
▸ SingleResponse
▸ certID
serialNumber
</pre>
7. Or use `tshark` to filter the packets for the Serial Number:
<pre class=terminal>
tshark -r /tmp/pg_ocsp.pcap -Tfields -Y ocsp.serialNumber -e ocsp.serialNumber
</pre>
If the network observer has the public certificate, which is publicly available, they can match the serial number with that certificate and therefore determine the site you're visiting from that. The process can be automated and can associate IP addresses with serial numbers. It is also possible to check [Certificate Transparency](https://en.wikipedia.org/wiki/Certificate_Transparency) logs for the serial number.
## Why should I use encrypted DNS?
You should only use DNS if your [threat model](/threat-modeling/) doesn't require you to hide any of your browsing activity. Encrypted DNS should only be used to get around basic [DNS blocking](https://en.wikipedia.org/wiki/DNS_blocking) when you can be sure there won't be any consequences.
Encrypted DNS can also help if your ISP obnoxiously redirects you to other websites. These are our recommendations for servers:
{% include recommendation-table.html data='dns' %}
The criteria for servers for this table are:
* Must support [DNSSEC](/dns/#what-is-dnssec-and-when-is-it-used)
* Must have [anycast](https://en.wikipedia.org/wiki/Anycast#Addressing_methods) support
* [QNAME Minimization](/dns/#what-is-qname-minimization)
## What is DNSSEC and when is it used?
[Domain Name System Security Extensions (DNSSEC)](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) is used to provide authenticity to the records being fetched from upstream DNS servers. It doesn't provide confidentiality, for that we use one of the [encrypted DNS](/dns#what-is-encrypted-dns) protocols discussed above.
## What is QNAME minimization?
A QNAME is a "qualified name", for example `privacyguides.org`. QNAME minimisation reduces the amount of information sent from the DNS server to the [authoritative name server](https://en.wikipedia.org/wiki/Name_server#Authoritative_name_server).
Instead of sending the whole domain `privacyguides.org`, QNAME minimization means the DNS server will ask for all the records that end in `.org`. Further technical description is defined in [RFC 7816](https://datatracker.ietf.org/doc/html/rfc7816).
## What is EDNS Client Subnet (ECS)?
The [EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet) is a method for a recursive DNS resolver to specify a [subnetwork](https://en.wikipedia.org/wiki/Subnetwork) for the [host or client](https://en.wikipedia.org/wiki/Client_(computing)) which is making the DNS query.
It's intended to "speed up" delivery of data by giving the client an answer that belongs to a server that is close to them such as a [content delivery network (CDN)](https://en.wikipedia.org/wiki/Content_delivery_network), which are often used in video streaming and serving JavaScript web apps.
This feature does come at a privacy cost, as it tells the DNS server some information about the client's location.
## Native Operating System Support
### Android
Android 9 and above support DNS over TLS. Android 13 will support DNS over HTTPS. The settings can be found in: *Settings* &rarr; *Network & Internet* &rarr; *Private DNS*.
### Apple Devices
The latest versions of iOS, iPadOS, tvOS, and macOS, support both DoT and DoH. Both protocols are supported natively via [configuration profiles](https://support.apple.com/guide/security/configuration-profile-enforcement-secf6fb9f053/web) or through the [DNS Settings API](https://developer.apple.com/documentation/networkextension/dns_settings).
After installation of either a configuration profile or an app that utilizes the DNS Settings API, the DNS configuration can be selected. If a VPN is active, resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings.
* **iOS/iPadOS:** *Settings &rarr; General &rarr; VPN, DNS, & Device Management &rarr; DNS*
* **macOS:** *System Preferences &rarr; Network*
Apple does not provide a native interface for creating encrypted DNS profiles. [Secure DNS profile creator](https://dns.notjakob.com/tool.html) is an unofficial tool for creating your own encrypted DNS profiles, however they will not be signed. Signed profiles are preferred; signing validates a profile's origin and helps to ensure the integrity of the profiles. A green "Verified" label is given to signed configuration profiles. For more information on code signing, see [About Code Signing](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html).
* **Signed profiles** are offered by [AdGuard](https://adguard.com/en/blog/encrypted-dns-ios-14.html), [ControlD](https://kb.controld.com/en/tutorials), [NextDNS](https://apple.nextdns.io), [Quad9](https://www.quad9.net/news/blog/ios-mobile-provisioning-profiles/).
### Windows
Windows users can [turn on DoH](https://docs.microsoft.com/en-us/windows-server/networking/dns/doh-client-support), by accessing Windows settings in the control panel.
Select *Settings* &rarr; *Network & Internet* &rarr; *Ethernet* or *WiFi*, &rarr; *Edit DNS Settings* &rarr; Preferred DNS encryption &rarr; *Encrypted only (DNS over HTTPS)*.
### Linux
`systemd-resolved` doesn't [yet support](https://github.com/systemd/systemd/issues/8639), which many Linux distributions use to do their DNS lookups. This means you need to install a proxy like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy) and [configure it](https://wiki.archlinux.org/title/Dnscrypt-proxy) to take all the DNS queries from your system resolver and forward them over HTTPS.
### Encrypted DNS Proxies
This software provides third-party encrypted DNS support by pointing the [unencrypted dns](/dns/#unencrypted-dns) resolver to a local [encrypted dns](/dns/#what-is-encrypted-dns) proxy.
{% for item_hash in site.data.software.dns-apps %}
{% assign item = item_hash[1] %}
{% if item.type == "Recommendation" %}
{% include recommendation-card.html %}
{% endif %}
{% endfor %}
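Review bot: the OCSP walkthrough numbers two consecutive steps as 6 ("6. Make the OCSP request" and "6. Open the capture"), so the list runs 6, 6, 7; renumber to 6, 7, 8. In the same hunk, "You should only use DNS if your threat model doesn't require you to hide any of your browsing activity" reads as a statement about DNS in general; it should say "encrypted DNS". The Linux sentence "`systemd-resolved` doesn't yet support, which many Linux distributions use to do their DNS lookups" is missing its object and attaches the relative clause to the wrong noun; suggest "`systemd-resolved`, which many Linux distributions use for their DNS lookups, doesn't yet support DoH". "Lets Encrypt" should be "Let's Encrypt". In the QNAME minimization section, QNAME is the query name field of a DNS message rather than a "qualified name", and "ask for all the records that end in `.org`" misstates the mechanism: under RFC 7816 the resolver sends each server only as many labels as that server needs (the root is asked about `org`, the `.org` servers about `privacyguides.org`), so no server sees more of the name than necessary. Finally, step 6 hardcodes `-url http://r3.o.lencr.org` even though step 4 already extracts the responder with `-ocsp_uri`; using that output, e.g. `-url "$(openssl x509 -noout -ocsp_uri -in /tmp/pg_server.cert)"`, keeps the example correct when the issuer's responder changes.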

View File

@ -255,9 +255,9 @@ There is also further hardening to [PAM](https://en.wikipedia.org/wiki/Linux_PAM
On Red Hat distributions you can use [`authselect`](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel) to configure this e.g.:
```
<pre class=terminal>
sudo authselect select <profile_id, default: sssd> with-faillock without-nullok with-pamaccess
```
</pre>
On systems where [`pam_faillock`](https://man7.org/linux/man-pages/man8/pam_tally.8.html) is not available, consider using [`pam_tally2`](https://man7.org/linux/man-pages/man8/pam_tally.8.html) instead.
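Review bot: inside the new `<pre class=terminal>` block the placeholder `<profile_id, default: sssd>` is raw HTML rather than fenced Markdown, so it will be parsed as an unknown tag and the rendered command will lose its argument; write it as `&lt;profile_id, default: sssd&gt;`. In the unchanged line that follows, the `pam_faillock` link points at the `pam_tally.8` man page; it should link to `pam_faillock.8`. That line also recommends `pam_tally2` as a fallback, but `pam_tally2` was removed in Linux-PAM 1.5.0, so the advice should be qualified as applying only to older systems.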

View File

@ -1,115 +0,0 @@
---
layout: page
title: "Encrypted DNS Resolvers"
description: "Don't let Google see all your DNS traffic. Discover privacy-centric alternatives to the traditional DNS providers."
---
<div class="alert alert-warning" role="alert">
DNS-over-HTTPS, DNS-over-TLS, and DNSCrypt resolvers will not make you anonymous. Using Anonymized DNSCrypt hides <em>only</em> your DNS traffic from your Internet Service Provider. However, using any of these protocols will prevent DNS hijacking, and make your DNS requests harder for third parties to eavesdrop on and tamper with. If you are currently using Google's DNS resolver, you should pick an alternative here. See the <a href="#definitions">definitions</a> below.
</div>
{% include recommendation-table.html data='dns' %}
## Encrypted DNS Clients for Desktop
{%
include legacy/cardv2.html
title="Unbound"
image="/assets/img/legacy_svg/3rd-party/unbound.svg"
description='A validating, recursive, caching DNS resolver, supporting DNS-over-TLS, and has been <a href="https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/">independently audited</a>.'
website="https://nlnetlabs.nl/projects/unbound/about/"
github="https://github.com/NLnetLabs/unbound"
%}
{%
include legacy/cardv2.html
title="dnscrypt-proxy"
image="/assets/img/legacy_svg/3rd-party/dnscrypt-proxy.svg"
description='A DNS proxy with support for DNSCrypt, DNS-over-HTTPS, and <a href="https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt">Anonymized DNSCrypt</a>, a <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">relay-based protocol that the hides client IP address.</a>'
website="https://github.com/DNSCrypt/dnscrypt-proxy/wiki"
github="https://github.com/DNSCrypt/dnscrypt-proxy"
%}
{%
include legacy/cardv2.html
title="Stubby"
image="/assets/img/legacy_png/3rd-party/stubby.png"
description='An application that acts as a local DNS-over-TLS stub resolver. Stubby can be used in <a href="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound/Stubbycombination">combination with Unbound</a> by managing the upstream TLS connections (since Unbound cannot yet re-use TCP/TLS connections) with Unbound providing a local cache.'
website="https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby"
github="https://github.com/getdnsapi/stubby"
%}
{%
include legacy/cardv2.html
title="Firefox's built-in DNS-over-HTTPS resolver"
image="/assets/img/legacy_svg/3rd-party/firefox_browser.svg"
description='Firefox comes with built-in DNS-over-HTTPS support for <a href="https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/">NextDNS and Cloudflare</a> but users can manually use any other DoH resolver.'
labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.cloudflare.com/1.1.1.1/privacy/cloudflare-resolver-firefox#what-information-does-the-cloudflare-resolver-for-firefox-collect::text==Warning::tooltip==Cloudflare stores personally identifiable information such as user IP addresses and query information for up to 24 hours, and retains some bulk anonymized data indefinitely."
website="https://support.mozilla.org/en-US/kb/firefox-dns-over-https"
privacy-policy="https://wiki.mozilla.org/Security/DOH-resolver-policy"
%}
## Encrypted DNS Clients for Android
{%
include legacy/cardv2.html
title="Android 9's built-in DNS-over-TLS resolver"
image="/assets/img/legacy_svg/3rd-party/android.svg"
description="Android 9 (Pie) comes with built-in DNS-over-TLS support without the need for a 3rd-party application."
labels="color==warning::icon==fas fa-exclamation-triangle::link==https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_later::text==Warning::tooltip==Android 9's DoT settings have no effect when used concurrently with VPN-based apps which override the DNS."
website="https://support.google.com/android/answer/9089903#private_dns"
%}
{%
include legacy/cardv2.html
title="Nebulo"
image="/assets/img/legacy_png/3rd-party/nebulo.png"
description='An open-source Android client supporting DNS-over-HTTPS and DNS-over-TLS, caching DNS responses, and locally logging DNS queries.'
website="https://git.frostnerd.com/PublicAndroidApps/smokescreen/-/blob/master/README.md"
privacy-policy="https://smokescreen.app/privacypolicy"
fdroid="https://git.frostnerd.com/PublicAndroidApps/smokescreen#f-droid"
googleplay="https://play.google.com/store/apps/details?id=com.frostnerd.smokescreen"
source="https://git.frostnerd.com/PublicAndroidApps/smokescreen"
%}
## Encrypted DNS Clients for iOS
{%
include legacy/cardv2.html
title="DNSCloak"
image="/assets/img/legacy_png/3rd-party/dnscloak.png"
description='An open-source iOS client supporting DNS-over-HTTPS, DNSCrypt, and <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki">dnscrypt-proxy</a> options such as caching DNS responses, locally logging DNS queries, and custom block lists. Users can <a href="https://medium.com/privacyguides/adding-custom-dns-over-https-resolvers-to-dnscloak-20ff5845f4b5">add custom resolvers by DNS stamp</a>.'
website="https://github.com/s-s/dnscloak/blob/master/README.md"
privacy-policy="https://drive.google.com/file/d/1050No_pU74CAWUS5-BwQWyO2x_aiMzWc/view"
ios="https://apps.apple.com/app/id1452162351"
github="https://github.com/s-s/dnscloak"
%}
## Native Operating System Support
<p>
In iOS, iPadOS, tvOS 14 and macOS 11, DoT and DoH were introduced. DoT and DoH are supported natively by installation of profiles (through mobileconfig files opened in <em>Safari</em>).
After installation, the encrypted DNS server can be selected in <em>Settings &rarr; General &rarr; VPN and Network &rarr; DNS</em>.
</p>
<ul>
<li><strong>Signed profiles</strong> are offered by <a href="https://adguard.com/en/blog/encrypted-dns-ios-14.html">AdGuard</a> and <a href="https://apple.nextdns.io/">NextDNS</a>.</li>
</ul>
## Definitions
<p><strong>DNS-over-TLS (DoT):</strong>
A security protocol for encrypted DNS on a dedicated port 853. Some providers support port 443 which generally works everywhere while port 853 is often blocked by restrictive firewalls.
</p>
<p><strong>DNS-over-HTTPS (DoH):</strong>
Similar to DoT, but uses HTTPS instead, being indistinguishable from "normal" HTTPS traffic on port 443 and more difficult to block. {% include badge.html color="warning" text="Warning" tooltip="DoH contains metadata such as user-agent (which may include system information) that is sent to the DNS server." link="https://tools.ietf.org/html/rfc8484#section-8.2" icon="fas fa-exclamation-triangle" %}
</p>
<p><strong>DNSCrypt:</strong>
With an <a href="https://dnscrypt.info/protocol/">open specification</a>, DNSCrypt is an older, yet robust method for encrypting DNS.
</p>
<p><strong>Anonymized DNSCrypt:</strong>
A <a href="https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS">lightweight protocol</a> that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by <a href="#dns-desktop-clients">dnscrypt-proxy</a> and a limited number of <a href="https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/relays.md">relays</a>.
</p>
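Review bot: this deletion drops content that the rest of the change does not visibly carry over: the Definitions section (DoT on port 853 being blocked by restrictive firewalls, the RFC 8484 section 8.2 note that DoH sends metadata such as a user-agent, Anonymized DNSCrypt and its relays) and the desktop client cards for Unbound and Stubby. If leaving those out is intentional, fine, but the DoH metadata warning and the Anonymized DNSCrypt definition are worth a home on the new page. The blog post hunk in this commit moves away from `https://privacyguides.org/providers/dns/`, which suggests that was this page's public URL; add a redirect from the old path to `/dns/` so external links keep working.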

View File

@ -42,7 +42,7 @@ Encrypted DNS takes many forms: DNS over HTTPS (DoH), DNS over TLS, DNSCrypt, et
![Screenshot of the Enable DNS over HTTPS box checked, with Cloudflare selected in the provider dropdown.](/assets/img/blog/firefox-privacy-1.png){:.img-fluid .w-75 .mx-auto .d-block}
Keep in mind that by using DoH you're sending all your queries to a single provider, probably Cloudflare unless you choose [another provider](https://privacyguides.org/providers/dns/) that supports DNS over HTTPS. While it may add some privacy protection from your ISP, you're only shifting that trust to the DoH provider. Make sure that's something you want to do.
Keep in mind that by using DoH you're sending all your queries to a single provider, probably Cloudflare unless you choose [another provider](https://privacyguides.org/dns) that supports DNS over HTTPS. While it may add some privacy protection from your ISP, you're only shifting that trust to the DoH provider. Make sure that's something you want to do.
It should also be noted that even with DoH, your ISP will still be able to see what domain you're connecting to because of a technology called Server Name Indication (SNI). Until SNI is encrypted as well, there's no getting around it. Encrypted SNI (eSNI) is in the works — and can actually be [enabled on Firefox](https://blog.cloudflare.com/encrypt-that-sni-firefox-edition/) today — but it only works with a small number of servers, mainly ones operated by Cloudflare, so its use is limited currently. Therefore, while DoH provides some additional privacy and integrity protections, its use as a privacy tool is limited until other supplemental tools like eSNI and [DNSSEC](https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en) are finalized and implemented.
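Review bot: the updated link `https://privacyguides.org/dns` drops the trailing slash, while the new page's own internal links use `/dns/#...`; if the page is served at `/dns/`, the slash-less form costs a redirect hop (or a 404 on hosts that do not redirect), so `https://privacyguides.org/dns/` is safer. The unchanged paragraph below still presents eSNI as something that "can actually be enabled on Firefox today", whereas the new DNS page describes Encrypted Client Hello as its successor; a small follow-up to that paragraph would keep the blog consistent with the page it now links to.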