HI Michael,
negative. And since then I did not recheck the entropy.
Hi Michael,
Thanks for your blog, I love reading them.
With the last one I decided to let IPFire do the DNS (Recursor Mode).
I feel really free by not giving the big websites my data, as you were saying before.
But does Recursor Mode make IPFire more vulnerable to DNS attacks like DNS cache poisoning or amplification, or other DDoS attacks?
How is IPFire set up for those attacks? Or can you point me somewhere that I can understand more about how IPFire does this great as a firewall and DNS server?
No. I think it is a lot less likely to be attacked in recursor mode because the attacker does not only have to control one upstream recursor but many many authoritative name servers in the internet.
Of course DNSSEC prevents any kind of spoofing.
Thanks Michael, for the info!
Question about the Public DNS List:
(and this will really show my ignorance!)
I thought IPFire only supported IPv4 and did not support IPv6. In the DNS list there are many IPv6 addresses. Can the IPv6 addresses be used without re-working IPFire 2 and making lots of backend changes? (see the IPFire Wiki - IPv6 with IPFire2)
To me it seems like the IPv4 address should be shown first (first line). And the IPv6 addresses be shown second (or maybe removed).
I don’t mind re-ordering (or removing) IPv6 addresses if people agree.
So does this mean that your users who want to use a DNS porn filter (ie, cleanbrowsing.org) are out of luck if they use IPFire? This particular one claims support for DOT and in my limited testing, seemed to work normally in my IPFire. I was testing this one:
Domain: adult-filter-dns.cleanbrowsing.org
IPv4 address: 185.228.168.10:853 and 185.228.169.11:853
IPv6 address: [2a0d:2a00:1::1]:853 and [2a0d:2a00:2::1]:853
Is it an option to move IPv6 addresses into the footnotes? The table is fairly chaotic and I am happy to see it improved.
Yes, don’t use them. They break your DNS.
Yes, it is possible. But it will make a list of 20 different footnotes.
Or this could be done like below (make IPv6 a second line).
Or could even drop all IPv6 to a separate table.
| Operator | Location | Address(es) | DNS over TLS Hostname |
|---|---|---|---|
| Alternate DNS | US | 198.101.242.72 | |
| | US | 23.253.163.53 | |
| censurfridns.dk | DK | 2001:67c:28a4:: / 89.233.43.71 | unicast.uncensoreddns.org |
| | Anycast | 2002:d596:2a92:1:71:53:: / 91.239.100.100 | |
| Cloudflare | Anycast | 2606:4700:4700::1111 / 1.1.1.1 | cloudflare-dns.com |
| | Anycast | 2606:4700:4700::1001 / 1.0.0.1 | cloudflare-dns.com |
| CMRG DNS | CA | 199.58.81.218 | dns.cmrg.net |
| CyberGhost | US | 38.132.106.139 | |
| Operator | Location | Address(es) | DNS over TLS Hostname |
|---|---|---|---|
| Alternate DNS | US | 198.101.242.72 | |
| | US | 23.253.163.53 | |
| censurfridns.dk | DK | 89.233.43.71 | unicast.uncensoreddns.org |
| | | 2001:67c:28a4:: | |
| | Anycast | 91.239.100.100 | |
| | | 2002:d596:2a92:1:71:53:: | |
| Cloudflare | Anycast | 1.1.1.1 | cloudflare-dns.com |
| | | 2606:4700:4700::1111 | |
| | Anycast | 1.0.0.1 | cloudflare-dns.com |
| | | 2606:4700:4700::1001 | |
| CMRG DNS | CA | 199.58.81.218 | dns.cmrg.net |
| CyberGhost | US | 38.132.106.139 | |
I would vote for an extra row then…
Come to think of it…
It would be better if it was sorted by Country instead of Operator. Personally I would only search for Anycast or US.
You might look for DNS under DE or Anycast.
What exactly does that mean? How would my queries be negatively affected? It seems like it’s working, and porn sites are getting blocked. I just want to understand what the consequence would be from my end. I already use URL Filter and Shalla blacklist, but the filtering that cleanbrowsing.org does is more thorough and blocks more new porn sites. Thanks.
They simply send out forged responses which cannot be validated for domains that use DNSSEC. Assuming that more and more domains will do that, soon you will get errors resolving those.
The result may be the same, but you are keeping your resolver busy and don’t allow it to cache things.
Use the URL filter with a complete blacklist.
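As an added example (not code from this thread, from Michael or from IPFire), here is a small Python check for the failure mode Michael describes: it reads the header of a `dig +dnssec` answer for a name the caller knows to be in a DNSSEC-signed zone and reports whether the answer came back validated (AD flag set and RRSIG records present), came back as an unsigned substitute with the signatures missing, or was refused with SERVFAIL. The three dig transcripts inside it are constructed, and `example.com` with documentation-range addresses stands in for a signed zone.

```python
import re

# Constructed dig transcripts (not captured from any real resolver). The first is how a
# validating resolver answers `dig +dnssec example.com A`; the second is the same query
# answered by a filtering forwarder that substitutes its own unsigned record; the third
# is a validating resolver refusing an answer it could not verify.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600  IN  A      192.0.2.10
example.com.  3600  IN  RRSIG  A 13 2 3600 20240201000000 20240101000000 4242 example.com. c29tZXNpZw==
"""

FORGED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  60  IN  A      192.0.2.99
"""

SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[^;]*);", re.M)
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s", re.M)


def parse_header(text):
    """Return (status, set of header flags) parsed from dig's header lines."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    return (
        status.group("status") if status else None,
        set(flags.group("flags").split()) if flags else set(),
    )


def classify(text):
    """Classify a dig answer for a name the caller knows lives in a signed zone."""
    status, flags = parse_header(text)
    if status == "SERVFAIL":
        return "servfail"           # the validator refused the answer
    if status != "NOERROR":
        return f"status:{status}"
    signed = bool(RRSIG_RE.search(text))
    if "ad" in flags and signed:
        return "validated"          # authenticated data, signatures present
    if not signed:
        return "unsigned-answer"    # signed zone answered without RRSIGs: substituted or stripped
    return "unvalidated"            # signatures present, but this resolver did not validate


if __name__ == "__main__":
    for label, transcript in (("validating", VALIDATED), ("filtering", FORGED), ("refused", SERVFAIL)):
        print(f"{label:11} -> {classify(transcript)}")
```

To use it against a live setup, run `dig +dnssec <signed-name> @<resolver>` once against the upstream you are considering and once against a resolver you trust to validate, and feed both outputs to `classify`; an upstream that answers a signed name with NOERROR but no RRSIGs is exactly the case where a validating resolver behind it will start returning errors.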
Is there a way to import a list from ad blocker pihole into the URL filter?
Does the proxy need to be used?
Sorry for the nub question.
But would eliminate the need for pihole.
Yeah there probably is a way to export the blacklists and then you will have a much better ad blocker!
Hi @hvacguy
I have two ways to do it. I don’t know if any of these ways works with current versions:
Way 1: http://forum.ipfire.org/viewtopic.php?f=27&t=11144
Way 2:
Try them and tell us.
Regards.
You are trying to load this into /etc/hosts, which won’t be parsed by the DNS proxy. And that script is using dnsmasq which we replaced 4(!) years ago.
Here is the List of Public DNS Servers with IPv4 as the first line and IPv6 as the second.
Here is the List of Public DNS Servers sorted by Country.
Thoughts?
EDIT:
Here is the List of Public DNS Servers the way it was.
Concerning entry “www.new-nations.net” (DE):
This link is currently unavailable.
@jon,
“145.100.185.18” had DNS over TLS Hostname “dnsovertls3.sinodun.com” before your update
I’ve been spending the last week reading and learning about DNS and DNSSEC and DNS-over-TLS (DoT) and very little about DNS-over-HTTPS (DoH). It is starting to make some sense.
I’ve also been searching for US DoT servers and entering different address into the Domain Name System on IPFire.
The List of Public DNS Servers has a column for DNS over TLS Hostname. Should this be interpreted as:
- If there is a DNS over TLS Hostname, then there is a DoT service.
- And if DNS over TLS Hostname is blank, then there is only DNSSEC service?
Does this sound correct?
To me this is very confusing. Maybe there should be half a step backwards and add a column for DoT/DNSSEC.
(NOTE: this is sample and does not convey correct data)
DoT = DNS-over-TLS and DS = DNSSEC
| Operator | Service | Address(es) | Hostname |
|---|---|---|---|
| censurfridns.dk | DoT | 91.239.100.100 | anycast.uncensoreddns.org |
| | | 2002:d596:2a92:1:71:53:: | |
| Cloudflare | DoT | 1.1.1.1 | cloudflare-dns.com |
| | DoT | 1.0.0.1 | |
| | DoT | 2606:4700:4700::1111 | |
| | DoT | 2606:4700:4700::1001 | |
| dns.sb | DS | 185.222.222.222 | dns.sb |
| | DS | 185.184.222.222 | |
| | DS | 2a09:: | |
| | DS | 2a09::1 | |
And anything not DoT and not DNSSEC goes to the Unusable DNS Providers table near the bottom of the page.
Thoughts?
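As an added example (not code from this thread, from jon or from IPFire), the Python below reads the pipe-table layout used in this thread, treats a row with a blank Operator cell as a continuation of the previous operator, splits the `v6 / v4` address cells by address family, and then produces the two views discussed above: rows with IPv4 on the operator's line and IPv6 on a second line, and an index by Location for readers who only search for US, DE or Anycast. The table carries only a DNS over TLS Hostname column, so the example classifies transport as DoT or plain DNS and leaves DNSSEC support to be checked separately. The excerpt embedded in it is constructed from rows already posted in the thread.

```python
import ipaddress

# Constructed excerpt in the thread's pipe-table layout. Rows with a blank Operator
# cell continue the previous operator; one cell may hold "IPv6 / IPv4".
TABLE = """\
| Operator | Location | Address(es) | DNS over TLS Hostname |
|---|---|---|---|
| Alternate DNS | US | 198.101.242.72 | |
| | US | 23.253.163.53 | |
| censurfridns.dk | DK | 2001:67c:28a4:: / 89.233.43.71 | unicast.uncensoreddns.org |
| | Anycast | 2002:d596:2a92:1:71:53:: / 91.239.100.100 | |
| Cloudflare | Anycast | 2606:4700:4700::1111 / 1.1.1.1 | cloudflare-dns.com |
| | Anycast | 2606:4700:4700::1001 / 1.0.0.1 | cloudflare-dns.com |
| CMRG DNS | CA | 199.58.81.218 | dns.cmrg.net |
"""

COLUMNS = 4


def parse_table(text):
    """Group the table's rows by operator, splitting addresses into IPv4 and IPv6."""
    providers = {}
    current = None
    for line in text.splitlines()[2:]:              # skip header and separator rows
        if not line.strip():
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells += [""] * (COLUMNS - len(cells))      # tolerate rows that drop trailing cells
        operator, location, addresses, hostname = cells[:COLUMNS]
        if operator:
            current = providers.setdefault(
                operator, {"locations": [], "ipv4": [], "ipv6": [], "dot": set()}
            )
        if current is None:
            raise ValueError(f"continuation row before any operator: {line!r}")
        if location and location not in current["locations"]:
            current["locations"].append(location)
        for addr in (a.strip() for a in addresses.split("/")):
            if not addr:
                continue
            ip = ipaddress.ip_address(addr)         # rejects anything that is not an address
            current["ipv4" if ip.version == 4 else "ipv6"].append(str(ip))
        if hostname:
            current["dot"].add(hostname)
    return providers


def transport(provider):
    """The table only records a DoT hostname, so this is all it can tell us."""
    return "DoT" if provider["dot"] else "plain DNS"


def render_ipv4_first(providers):
    """Rows in the layout proposed above: IPv4 on the operator's line, IPv6 on a second line."""
    rows = ["| Operator | Location | Address(es) | DNS over TLS Hostname |", "|---|---|---|---|"]
    for name, p in providers.items():
        loc = ", ".join(p["locations"])
        dot = ", ".join(sorted(p["dot"]))
        rows.append(f"| {name} | {loc} | {', '.join(p['ipv4'])} | {dot} |")
        if p["ipv6"]:
            rows.append(f"| | | {', '.join(p['ipv6'])} | |")
    return rows


def by_location(providers):
    """Index operators by country or Anycast, sorted by location."""
    index = {}
    for name, p in providers.items():
        for loc in p["locations"]:
            index.setdefault(loc, []).append(name)
    return dict(sorted(index.items()))


if __name__ == "__main__":
    parsed = parse_table(TABLE)
    print("\n".join(render_ipv4_first(parsed)))
    for loc, names in by_location(parsed).items():
        print(loc, "->", ", ".join(f"{n} ({transport(parsed[n])})" for n in names))
```

Because `ipaddress.ip_address` raises on a malformed address, a typo in the list fails loudly when the table is regenerated instead of silently producing a row that a user would then paste into IPFire.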