Author: Dan Purgert
Date:  
To: dng
Subject: Re: [DNG] hijacking resolv.conf - possible fix?
On Mar 31, 2025, Didier Kryn wrote:
> Le 30/03/2025 à 21:22, Marjorie Roome via Dng a écrit :
> > Yes my Resolv.conf is fixed because it simply points to dnscrypt-proxy
> > (127.0.0.1:53) which is a DNS proxy running on my own machine and that
> > then uses a choice of DNS resolvers which are dynamic.
> >
> > It finds DNS servers from a list that you can control.
> > You can have a fixed list and a fallback, such as 9.9.9.9 but it
> > normally looks for nearby DNS servers, that in my case are limited to
> > ones that are non-logging, are dnssec, use doh or dnscrypt (so lookup
> > is encrypted in transit) and then load balances between the quickest
> > few based on latency, so not all queries are sent to one resolver
> > anyway.
>
>     May I ask where one can find a list of close-by DNS servers and
> how they work ?


"lists" in the sense of "I want to use OpenDNS, Google, CloudFlare,
etc. as my upstream provider(s)", and then dnscrypt-proxy does the
legwork of figuring out who is closest "right now".

This is probably more important for a machine that is mobile, than one
that never leaves the house.

>
>     I understand DOH is a good protection from malignant hackers, but,
> AFAIU, if links to Google or Amazon servers, which I consider malignant as
> well. Or is there a way to avoid or fool them?


DOH is just "DNS over HTTPS" (likewise DOT being DNS over TLS) --
"where" the server is hosted isn't directly related to the service
itself (although, yes, Google/Amazon do seem to run DOH/DOT-capable
resolvers).

>
>     It was common, about 20 years ago to be redirected to porn sites when a
> DNS request failed, but it seems to me that this issue has completely
> disappeared, at least in my country. OTOH I can understand that, under some
> political regimes, people may prefer to be monitored by Google rather than
> their own government.


Less that the request failed, and more that "<misspelt-domain-here>" was
simply a registered domain / CNAME for porn-site.com

>
> > On my fixed PC I only refresh these latencies and hence preferred
> > resolvers every 4 hours but you might want to do something different on
> > a laptop that moves around.
> >
> > Dnscrypt-proxy also caches queries.
> >
> > And I can and do also choose from a selection of blocklists that block
> > the usual subjects. I can override these with an allowlist in the event
> > there is a website I need that would otherwise not work.
>
>     So, if I understand correctly, your goal is to protect yourself from
> having your requests monitored and/or redirected by malignant hackers,
> which is not the same goal as people who want essentially to protect
> themselves against ads.


"Block the usual subjects" in this case referring to ad-providers, at least
insofar as I'm reading it.

>
>     We then have two motivations to run one's own DNS server, though
> I'm not sure it's possible to achieve both; is it?


Achieve "both" ... what?

1. "Ad Blocking" and
2. "hackers(tm)"

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
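For readers who want to reproduce the dnscrypt-proxy setup Marjorie describes above (local listener on 127.0.0.1:53, only DNSSEC-capable non-logging resolvers reached over DoH or DNSCrypt, latency-based load balancing, a 4-hour refresh, answer caching, and a blocklist with an allowlist override), here is an added example config; it is not from the thread or from the dnscrypt-proxy project, and the minisign key placeholder, the mapping of the 4-hour refresh onto `cert_refresh_delay`, and the list file names are assumptions to check against the project's own example dnscrypt-proxy.toml.

```toml
# Added example (not from the thread): a minimal dnscrypt-proxy.toml for the
# setup described above. Key names are those of dnscrypt-proxy 2.x; the
# minisign key, the refresh-interval mapping and the file names are assumptions.

# Listen only on loopback; /etc/resolv.conf then holds just "nameserver 127.0.0.1"
listen_addresses = ['127.0.0.1:53']

# Only accept resolvers that advertise DNSSEC validation and no logging.
# Resolver-side filtering is tolerated here because filtering is done locally.
require_dnssec   = true
require_nolog    = true
require_nofilter = false

# Allow both encrypted transports mentioned in the thread; plain DNS upstreams
# are never selected from the public list.
dnscrypt_servers = true
doh_servers      = true

# Optional: pin a fixed set instead of letting the proxy pick from the list.
# server_names = ['name-from-public-resolvers.md']

# Spread queries across the fastest few resolvers rather than pinning one.
lb_strategy  = 'p2'
lb_estimator = true

# Re-check resolver certificates (and hence latency) every 4 hours (minutes).
cert_refresh_delay = 240

# Used only to fetch the resolver list before any encrypted resolver is usable.
bootstrap_resolvers = ['9.9.9.9:53']

# Cache answers locally.
cache = true

[sources]
  [sources.public-resolvers]
  urls          = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
  cache_file    = 'public-resolvers.md'
  minisign_key  = 'REPLACE_WITH_KEY_FROM_PROJECT_EXAMPLE_CONFIG'  # placeholder
  refresh_delay = 72   # hours between list refreshes

# Blocklist ("the usual subjects") with a local allowlist override.
[blocked_names]
  blocked_names_file = 'blocked-names.txt'

[allowed_names]
  allowed_names_file = 'allowed-names.txt'
```

With this in place /etc/resolv.conf needs only `nameserver 127.0.0.1`; `dnscrypt-proxy -check` validates the file and `dnscrypt-proxy -resolve example.com` confirms that lookups go through the proxy.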