NixNet DNS

From NixNet
Revision as of 02:47, 21 July 2021 by Amolith (add warning)
Please don't use these servers. While they are still technically running and usually return answers in a timely manner, they often crash simply due to load and take a bit to get back up and running. We highly recommend finding other servers, or better yet, running your own local resolver with something like Unbound and/or PiHole.

Before going through and setting every device to use my DNS servers, I recommend you read sections 1 - 2 of a previous blog post so you actually understand what's happening and what you're doing. DNS is set up on the same servers as my Tor exits so, if you're in a country that actively blocks Tor, you could run into issues unless you use the Anycast IP/hostname.

Make sure you read the Privacy Policy and Terms of Service as well.

Recommendations

I recommend setting fallbacks with other providers (such as Lelux.fi) in case mine are down for some reason. Redundancy is always a good thing. A friend of mine has a page with a list of DNS resolvers on it that you can peruse as well. I highly recommend DNS-over-TLS (DoT). Plaintext is . . . well . . . plaintext; anyone on the path can snoop on your traffic. DoT encrypts the connection between you and the resolver, so no one in between can see your queries. DNS-over-HTTPS (DoH) is just as secure, but it's supported by far fewer devices and applications.

The best thing to do, in my opinion, is to configure DNS at the OS level (with Stubby or Unbound, for example) rather than at the application level, e.g. with Firefox's built-in DoH. For more information about configuring custom DNS servers on various devices, read the related blog post.

If you don't want to use DNS for blocking ads, take a look at my post on doing it locally. There are solutions for most™ devices and none of the guides are particularly difficult to implement.

Features

Uncensored

When using the uncensored IPs and hostnames, your queries are sent directly to Unbound, the backend resolver. Though it is possible to censor domains with Unbound, I don't have that configured. You can view the config files and other setup information on Gitea.

No logging

See Privacy Policy

Anycast

Anycast is a routing technique in which the same IP address is announced from several locations, so a connection to that address is routed to whichever instance is nearest in network terms. This lets users set a single IP address or hostname in their DNS config but automatically reach the closest server regardless of where they are in the world.

DNS-over-TLS

DoT is a protocol that wraps DNS queries in a TLS session, so they can be neither read nor altered in transit. It is much more secure than plaintext and highly recommended.

DNS-over-HTTPS

DoH is a protocol for sending DNS queries to a server over HTTPS, the same transport your browser uses. It is encrypted, so it's much more secure than plaintext and recommended.

QNAME minimisation

QNAME minimisation is a way to significantly increase user privacy.

Let’s say you want to visit a blog site at someblogname.bloghosting.com.pl. In order to determine which IP address to connect to to reach that link, your computer sends a request to your ISP’s resolver, asking for the full name - blog.example.com.pl, in this case. Your ISP (or whoever is running the network you are using) will ask the DNS root, then the top-level domain (.pl in this case), and then the secondary domain (.com.pl), for the full domain. In fact, all you are finding out from the root is “where is .pl?” and all you are asking .pl is “where is .com.pl?” Neither of these requests needs to include the full name of the website you are looking for to answer the query but both receive this information. This is how the DNS has always worked, but there is no practical reason for this today.

- Internet Systems Consortium
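As an added illustration (not part of the original page or the quoted ISC text), the toy resolver below walks the quote's example name through a constructed delegation tree and records which QNAME each authoritative server sees, with and without QNAME minimisation:

```python
# Constructed delegation tree for the example name. Keys and values are
# fully qualified (trailing dot); "." is the root zone.
ZONES = {
    ".": {"pl."},
    "pl.": {"com.pl."},
    "com.pl.": {"bloghosting.com.pl."},
    "bloghosting.com.pl.": set(),     # authoritative for the blog itself
}

def labels(name):
    """'a.b.c.' -> ['a', 'b', 'c'] (the empty root label is dropped)."""
    return [l for l in name.split(".") if l]

def in_zone(name, zone):
    """True if 'name' is at or below 'zone'."""
    return zone == "." or name == zone or name.endswith("." + zone)

def resolve_trace(name, minimise):
    """Walk the delegation chain from the root toward 'name' and record
    (zone_asked, qname_sent) for every query. Without minimisation the
    full name goes to every server; with it (RFC 7816) each server is
    asked only for the next label below its own zone."""
    parts, zone, trace = labels(name), ".", []
    while True:
        if minimise:
            depth = len(labels(zone)) + 1           # one label more than the zone
            qname = ".".join(parts[-depth:]) + "." if depth < len(parts) else name
        else:
            qname = name
        trace.append((zone, qname))
        child = next((z for z in ZONES[zone] if in_zone(name, z)), None)
        if child is None:                           # no further delegation
            break
        zone = child
    return trace

def labels_revealed(name, minimise):
    """How many labels of 'name' below its own apex each server learns."""
    return {zone: len(labels(q)) - len(labels(zone))
            for zone, q in resolve_trace(name, minimise)}
```

With minimisation every server learns exactly one label beyond its own zone; without it the root and the TLD learn the whole hostname.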

DNSSEC validation

DNSSEC allows your client to verify that, one, it is indeed my servers responding to your query and, two, that the data hasn't been modified in transit by a third party.

Optional adblock

Adblock is available but, personally, I would recommend a local solution: uBlock Origin on desktop, or on Android either AdAway (requires root), Blokada or NetGuard (no root needed); I don't have any Apple devices. This feature is powered by Pi-hole, and the blocked domains are listed in hosts.txt. The list is generated by hBlock.

Usage

For simplicity's sake, I recommend using the Anycast hostname as your primary, the location normally nearest to you as secondary, and a different provider for your tertiary DNS. With Anycast, you'll automatically use the server geographically nearest (the one with the lowest latency) and the connection will be secured with TLS. For more technical information on Anycast, see the Anycast section above. The second Anycast IP address is for plaintext DNS (not recommended); everything else is DNS-over-TLS. If you don't know what those are, the Features section above explains a bit more.

Uncensored Anycast

Adblock Anycast

Las Vegas

New York

Luxembourg

After setting them, you can test your connection with ipleak.net.

* Please note: your DNS-over-TLS client must support SNI (Server Name Indication).
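Added example, not NixNet's code: a minimal DNS-over-TLS client in Python that shows the two things the usage notes rely on, certificate verification and SNI. The resolver hostname passed to query_dot is assumed to be a DoT hostname from the table above; the query name is whatever you supply.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Encode a recursive (RD=1) query for 'name', QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, next offset)."""
    parts, end = [], None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            break
        else:
            parts.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    return ".".join(parts) + ".", (off + 1 if end is None else end)

def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, ips = 12, []
    for _ in range(qd):                     # skip question: name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, ips

def query_dot(server_name, name, port=853):
    """One DoT exchange: TLS with certificate verification and SNI."""
    ctx = ssl.create_default_context()      # verifies the cert against system CAs
    with socket.create_connection((server_name, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_name) as tls:  # SNI
        q = build_query(name)
        tls.sendall(struct.pack("!H", len(q)) + q)   # RFC 7858 2-byte length prefix
        rd = tls.makefile("rb")
        (length,) = struct.unpack("!H", rd.read(2))
        return parse_a_records(rd.read(length))
```

Call query_dot("<your DoT hostname>", "example.com."); because the default context checks the certificate against the hostname you passed, a resolver that presents the wrong certificate or speaks only plaintext on that port fails the handshake instead of silently downgrading.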