Subj : FidoGazette Vol 12 no 14 Page: 3
To   : Janis Kracht
From : mark lewis
Date : Thu Apr 05 2018 23:30:48

On 2018 Apr 04 14:27:02, you wrote to All:

JK> "If you switch [your DNS (jk)] to 1.1.1.1, then that ledger of where
JK> you're going online is not being kept by your ISP," Matthew Prince,
JK> CEO of Cloudflare, said in an interview.

that's so wrong it is almost too funny to even laugh at... anyone in the
path between your system and 1.1.1.1 can easily sniff the traffic flowing
through and gather the information on what domain you're looking up and
the return response from the DNS server... DNS is all in the clear and the
only way for it to not be is to use some sort of encrypted tunnel from one
end to the other...

JK> With 1.1.1.1, internet users can let Cloudflare take over the process
JK> of resolving requests to the Domain Name System, also known as DNS.
JK> That's the crucial process of matching up a URL -- like facebook.com
JK> -- with a website's true location on the internet, called an IP
JK> address (for Facebook, that's 157.240.18.35).

that depends on where you are and how/if they are doing round robin...
over here, right now, we're seeing this...

$ nslookup facebook.com
Server:         192.168.xxx.1
Address:        192.168.xxx.1#53

Non-authoritative answer:
Name:    facebook.com
Address: 31.13.65.36

our 192.168.xxx.1 system is using google's 8.8.8.8 and 8.8.4.4 DNS
servers... our ISP screwed the monkey some time back when they started
intercepting failed DNS lookups and sending folks to a search landing page
so they could reap $$$ for advertising from your failed searches...

JK> Usually your internet service provider takes care of DNS for you. This
JK> also happens to be a great way to log every website you visit. Taking
JK> that out of your ISP's hands, then, makes it harder for the company to
JK> collect your browsing history.

no, not "usually"... that's only for folks that don't know any better...
well, maybe that is "usually" since most folks really do not know any
better ;)

JK> But wait, if Cloudflare is directing your website queries, then can't
JK> it collect your browsing history for itself? Actually, they're not
JK> going to keep that data at all, Prince said.

JK> "At no time will we record the list of where everyone is going
JK> online," Prince said. "That's creepy."

so they have configured their DNS servers to all log to /dev/null then?
how will they know that there's a problem when one pops up? interesting
dilemma...

JK> Cloudflare is working with third-party auditors at KPMG to examine
JK> their systems and guarantee they're not actually collecting your data.
JK> That privacy commitment, Prince said, is what separates Cloudflare's
JK> 1.1.1.1 from other DNS services that are free and open to the public.

"KPMG is a professional service company and one of the Big Four auditors,
along with Deloitte, Ernst & Young (EY), and PricewaterhouseCoopers (PwC).

"Seated in Amstelveen, the Netherlands, KPMG employs 189,000 people and
has three lines of services: financial audit, tax, and advisory. Its tax
and advisory services are further divided into various service groups."
-- wikipedia

JK> Cloudflare is hoping to help solve that problem, too. It's promoting
JK> the implementation of a system called DNS over HTTPS, which encrypts
JK> that data about your web browsing as it flows online.

why don't they just invent DNSS to go along with HTTPS and FTPS and all
the other *S encrypted services? ;)

JK> Lest you think this is an April Fools' joke too good to be true,
JK> Prince said there's something in it for Cloudflare, too. The
JK> company's main business is making its customers' websites run
JK> fast. While Cloudflare has an array of services to make this
JK> happen, Prince said, he realized that creating a free DNS
JK> service could speed things up on the user's end.

cloudflare is really nothing more than a huge caching reverse proxy...
what they do is to access your site when requests come in... they then
cache that so they can serve it faster at all of their POPs that folks are
connecting to... there's some DNS games going on there, too, because they
know your site's real IP but DNS is told it is one of CF's IPs instead...
there's a lot of other butter and smoke being used, too, but that's the
raw basics...

JK> Instructions for Ubuntu:

JK> These steps are for Ubuntu. Most Linux distributions configure
JK> DNS settings through the Network Manager. As you probably
JK> remember, your DNS settings can be specified in /etc/resolv.conf
JK> using an editor like VI.

fooey on that muck... leave your internal systems looking to your
perimeter firewall/router for their DNS... reconfigure your perimeter
firewall/router to use 1.1.1.1 or 8.8.8.8 or whichever other DNS service
you want to use... it is totally ridiculous to have all of your internal
machines generating DNS traffic and sending it outside your network when
your firewall/router has a caching DNS server/proxy in it specifically to
cache the lookups and make them faster...

it was a good article, though! i did enjoy reading it even though i did
kinda pick a bunch of lint out of it :lol:

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer
doin' it wrong...

... Pokemon (n) a Jamaican proctologist.
---
 * Origin: (1:3634/12.73)
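A worked example, added here and not part of mark's post, the article he quotes, or any Cloudflare code, of what an on-path observer actually gets from a plain UDP/53 exchange like the nslookup shown above. It builds the query for facebook.com in DNS wire format, builds the kind of response the post shows, and decodes both the way a passive sniffer would, including the RFC 1035 name-compression pointer real resolvers put in the answer. The transaction ID 0x1234, the TTL and the 31.13.65.36 answer are constructed test values, not captured traffic.

```python
import struct

# Constructed example of a cleartext DNS exchange and what a sniffer
# between the client and the resolver can read out of it.
# Added example; not code from the post, the article, or Cloudflare.


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels (len byte + label)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD=1, one question, class IN), as a stub
    resolver sends it. txid is a constructed value; real clients randomize it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(pkt: bytes, offset: int):
    """Decode a name at offset, following 0xC0xx compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels = []
    end = None          # set at the first pointer; the stream continues there
    hops = 0
    while True:
        length = pkt[offset]
        if (length & 0xC0) == 0xC0:            # two-byte compression pointer
            pointer = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:                      # refuse looping pointers
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def sniff(pkt: bytes) -> dict:
    """What an on-path observer learns from one DNS packet: the queried name
    and type, the rcode, and for responses every A-record address."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, offset = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[offset:offset + 4])
    offset += 4
    result = {"txid": txid, "response": bool(flags & 0x8000),
              "rcode": flags & 0x000F, "qname": qname, "qtype": qtype,
              "answers": []}
    for _ in range(an):
        _owner, offset = decode_name(pkt, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[offset:offset + 10])
        offset += 10
        rdata = pkt[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:          # A record: dotted-quad address
            result["answers"].append(".".join(str(b) for b in rdata))
    return result


def build_response(query: bytes, addresses, ttl: int = 60) -> bytes:
    """Matching response (QR=1, RD, RA, rcode 0) echoing the question and
    pointing each answer's owner name at the question (pointer 0xC00C)."""
    txid = struct.unpack("!H", query[:2])[0]
    _qname, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        answers += (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
                    + bytes(int(o) for o in addr.split(".")))
    return header + question + answers


if __name__ == "__main__":
    q = build_query("facebook.com")
    print("query   :", sniff(q))
    print("response:", sniff(build_response(q, ["31.13.65.36"])))
```

To use it on real traffic, hand sniff() the UDP payload of a port-53 packet. With DNS over HTTPS (RFC 8484) this same wire-format message travels inside a TLS-protected HTTP exchange, so an observer doing this decode sees only the connection to the resolver and not the name.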