Glad to have installed IPFIre a few days a few days ago, I am writing today my first post to the community - hello everyone !
Having visited the IPFire wiki a number of times, I have noted that members can edit pages and contribute to the wiki. There is actually a first topic that I would like to contribute to but, before putting any change on line, I believe it would be wise to ask feedback on this forum, as this is about DNS over TLS.
Recently enough, I found out about the company Control ID, which plans to block Ads, Malware or other unwanted online stuff with free DNS, both without or with TLS. Control ID is based in Canada, and it is the same company as the one publishing the Windscribe VPN.
The website claims there is no logging, and the list of free DNSes is here: Control D?
Wondering please what experienced IPFire team and users may think of this?
As that DNS provider filters the DNS queries then it should be placed into the last section on the wiki page titled DNS providers that are not recommended.
As mentioned in that section
These providers are not recommended for use with IPFire because they do not support DNSSEC or tamper with DNS traffic in another way, such as filtering advertisement, malware or porn. While there is a legitimate use-case for the latter, such filtering breaks DNSSEC, being indistinguishable from an adversary from a technical point of view.
So you’re right, most of those DNSes are indeed filtered but there are also unfiltered ones, for both IPv4 and IPv6.
For instance, the IPv4 unfiltered DNS servers seem to be working with DNSSEC (using dig) and, for the DNS server 76.76.2.0, this IP can be resolved into a host name, which could be in turn [checked online on VerySignLabs]
So I have no shares with them at all but just wondering if these additional (unfiltered) DNS servers could be suitable options ?
Wondering also, having read this IPFire blogpost about DNS which further steps could/should be taken in practice to explore potential DNS servers in order to know if these are indeed suitable candidates DNS servers?
The original post only mentioned DNS options with filtering. If these are put into the wiki in the normal DoT section then the devs will move it to the not recommended section.
From the third post it looks like @alex47260 has found that they have a no filtering, no logging option as well as all the filtering ones. In that case the non filtering one could be added to the normal DoT section.
So, my initial post mentioned secured DNS offering protection against adware and malware but before using IPFire, it was more interesting for me to use these features that the first DNS of the list, the unfiltered one.
As @cbrown rightly pointed, I was thinking to add that DNS and I was wondering if, in addition to the sources I mentioned, there would be additional points to check before adding the DNS. So with the last message, I understand it’s ok to add that DNS line.
There is however a but as, over the week-end, something broke in my IPFire : boths passwords (root & admin) don’t work this morning anymore, so I’ll make another post about a local root recovery…
I have also found an interesting website that is monitoring and referencing operating DNS servers worldwide : the first page shows the latest additions. Today for instance, most DNS servers don’t support DNSSEC - this information is provided in the column status. That could be a good source to look for additional candidate DNS servers: https://public-dns.info/#recently
Have a good day all!
PS for @cbrown : when I was getting started, I found your posts on initial IPFire set up, they helped me greatly together with the responses from @pmueller - thanks both of you !