I have a few questions about DNS, in particular about Recursor Mode, which I only discovered today, and the differences in terms of privacy.
As far as security is concerned, I don’t see any differences as both run via DNSSEC, as far as my limited knowledge goes.
How I came to this: I had entered all censorship-free and DNSSEC-compatible DNS servers with IP/host and TLS protocol in Ipfire from a thread here, around 7 in number.
So far, I have now carried out the tests on the page https://dnscheck.tools/, which all passed, BUT suddenly completely different DNS servers appeared, including Google, and these as ns: records, whereas my registered ones were only shown as ptr: records. Each time the page was reloaded, the ns: records changed back and forth. I also noticed that the response time was very high, sometimes up to 800ms.
What other privacy advantage do I have if my registered DNS servers in ipfire make their own enquiries to Google and the corresponding servers?
Because I was very confused about this, I came across the blog post from 2020 and the Recursor Mode on my search in the infinite depths. This also passes all tests and has a significantly lower response time.
From a data protection/privacy point of view, doesn’t it matter how you get and verify the IP?
Is there any way to make an anonymous DNS query?
What about Tor? Does the exit node get my IP?
Would DNSCrypt be a solution?
Not only, it has an option to anonymize the query: if you select two DNS servers, the first serves as a DNS proxy and sends the query to the second server without forwarding the IP address. So no data can be collected; the first server does not know the query and the second one does not know who asked for the IP.
On android I use this option.
I did not find any description of what data dnscheck.tools samples for the display, or how.
I see the Google server for my system also. But I know that some devices (mainly Amazon tablets or SmartTVs) ask Google for DNS information. I didn’t check yet whether I have defined an exception for the ‘force to use IPFire DNS server’ policy.
For me it is one device, only firefox with a specific tab that is set for the Squid proxy.
Everything from my network is redirected to the IPfire for DNS requests.
Or VPN or Tor. Other topic.
Perhaps it should be mentioned here and here, these served as a template for my selection.
Edit2:
btw. I also get a lot of messages in the unbound log while checking DNSSEC, with the DNS servers mentioned above, like this →
03:18:07 unbound: [11795:0] info: validation failure <badsig-watch-2520bf2f.go-alg13.dnscheck.tools. A IN>: signature crypto failed from 81.3.27.54
03:13:27 unbound: [11795:0] info: validation failure <nosig-watch-391a9368.go-alg15.dnscheck.tools. A IN>: no DNSSEC records from 81.3.27.54 for DS nosig-watch-391a9368.go-alg15.dnscheck.tools. while building chain of trust
03:13:26 unbound: [11795:0] info: validation failure <expiredsig-watch-391a9368.go-alg15.dnscheck.tools. A IN>: signature expired from 81.3.27.54
Those unbound log entries must be the result of testing whether DNSSEC validation is really working. They are in my unbound log too when I visit dnscheck.tools, and the IPs of all the services used are mentioned in the logs; there is a test for bad, expired and missing signatures after all.
No Google in my results. Only services that I have added, and because I have added so many I got different results depending on when I visit that site.
Do you have any addons in Firefox that might cause google to appear on that list?
Regarding the other arrows in your earlier picture, that Telia 2a01:3a0:53:53:: IPv6 address is for censurfridns, and I think most if not all anycast services use different IPs depending on your location.
Now I have to say that I finally also got those googleusercontent servers in my test results. That happened after I disabled the Cloudflare services; my other services had apparently better pings, so dns0.eu was rarely used.
When open.dns0.eu was the only enabled service I got those Google servers popping up pretty constantly after the test was completed. With other services I haven’t seen them so far.
Not sure if dns0.eu is hosting some servers in Google datacenters or if there is something else going on.
This is normal. The page checks domains with bad/missing/expired DNSSEC signatures to see if your resolver correctly reports signature errors, and unbound logs this.
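The validation-failure lines quoted earlier in the thread can be triaged automatically. As an added example (not from this thread, IPFire or unbound itself), a small Python parser that separates the expected dnscheck.tools test failures from any other validation failure, which is the kind that would be worth investigating. The label prefixes badsig-/nosig-/expiredsig- are taken from the quoted lines, and the final www.example.net line is a constructed sample of an unexpected failure.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the three lines quoted in this thread plus one made-up
# failure for a domain that is not part of the dnscheck.tools test set.
SAMPLE_LOG = """\
03:18:07 unbound: [11795:0] info: validation failure <badsig-watch-2520bf2f.go-alg13.dnscheck.tools. A IN>: signature crypto failed from 81.3.27.54
03:13:27 unbound: [11795:0] info: validation failure <nosig-watch-391a9368.go-alg15.dnscheck.tools. A IN>: no DNSSEC records from 81.3.27.54 for DS nosig-watch-391a9368.go-alg15.dnscheck.tools. while building chain of trust
03:13:26 unbound: [11795:0] info: validation failure <expiredsig-watch-391a9368.go-alg15.dnscheck.tools. A IN>: signature expired from 81.3.27.54
03:20:01 unbound: [11795:0] info: validation failure <www.example.net. A IN>: signature crypto failed from 192.0.2.53
"""

# Matches unbound's "validation failure <name type class>: reason from upstream" lines.
# The reason is non-greedy so it stops at the first " from ", which is the
# upstream server that returned the (bad/missing/expired) data.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) unbound: \[[^\]]+\] info: validation failure "
    r"<(?P<name>\S+) (?P<rtype>\S+) (?P<rclass>\S+)>: (?P<reason>.*?) from (?P<upstream>\S+)"
)

# Assumption: dnscheck.tools deliberately serves these broken-signature names.
EXPECTED_SUFFIX = "dnscheck.tools."
EXPECTED_PREFIXES = ("badsig-", "nosig-", "expiredsig-")


@dataclass
class Failure:
    time: str
    name: str
    reason: str
    upstream: str
    expected: bool  # True when the failure is one of the deliberate test cases


def parse_failures(log_text: str) -> List[Failure]:
    """Extract every validation-failure line and flag the expected test ones."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a validation-failure line, ignore
        name = m.group("name")
        expected = name.endswith(EXPECTED_SUFFIX) and name.split(".")[0].startswith(EXPECTED_PREFIXES)
        failures.append(Failure(m.group("time"), name, m.group("reason"), m.group("upstream"), expected))
    return failures


def unexpected_failures(log_text: str) -> List[Failure]:
    """Only the failures that are NOT explained by a dnscheck.tools test run."""
    return [f for f in parse_failures(log_text) if not f.expected]


def upstreams_seen(log_text: str) -> List[str]:
    """Which configured upstream servers were involved in any failure."""
    return sorted({f.upstream for f in parse_failures(log_text)})
```

Run over a real unbound log, an empty result from unexpected_failures() means every logged failure was one of the dnscheck.tools probes, as the reply above explains.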
That is incorrect. I have entered the unicast.uncensoreddns address; both the IPv4 and IPv6 Telia addresses are for that service.
Here is a list of all uncensoreddns servers → server list
Are you wondering if Telia can be trusted not to spy on our IPs or DNS requests when using uncensoreddns? I think it’s a good question to ask.
So even if many DNS services claim not to log anything, how can we be sure that the external location where the service is running doesn’t do some sort of logging of connections? If they did and TLS is used, don’t they see just some unrecognizable gibberish? Or am I wrong here?
TLS means that anyone looking at the traffic from your IPFire to the DNS server(s) you have selected will not be able to see anything other than encrypted traffic, i.e. your ISP and anyone looking at the traffic flowing across the internet.
However the DNS server you are connecting with has to be able to decrypt your traffic to know what your DNS request is.
At the end of the day you have to review the various DNS Server services offered and decide which are the ones you are going to believe in.
As mentioned in one of the DNS blog posts it is advisable to utilise several DNS servers.
Alternatively you could use the Recursor Mode that is the subject of this post. The benefits and downsides are mentioned in one of the following blog posts.