Agreed, there's a reason Cisco bought OpenDNS, it was a slick solution.
You could feed those dns servers to your kids devices, and it would filter
*bad* responses to error out, without any other sort of next-gen
firewall-ish features. Cisco was late to the game for this, as
Fortinet/PAN were doing this already, so it was easy to add DNS filtering
that way for them for their aging security platforms, just not sure how
that affected the consumer-level offerings.
I did notice a bit back that cloudflare offers
different
ip feeds, to allow stricter feeds ala parental control, which is cool, as
it fills that void. Not used it, I use a fortigate for that stuff at home
with full url/dns filters. Something tells me they won't block crappy ad
sites still that my firewall lets me do.
What's not to like about https? Most things are moving toward tls1.3 which
vendors really cannot man in the middle attack well, as no commercial
vendor firewall really can today. Same with QUIC/HTTP3.0 protocols that
leverage udp primarily, and tcp as a downgrade, encrypted, but
hardware/software firewalls cannot decrypt, at least yet.
I setup an unbound server as a local dns cache at one point, so internally
ports would be udp/tcp/53, but tcp/443 https outbound to play with, seemed
to work ok, but usually just leverage my fortigate for that.
I actually did this when I was getting annoyed at cox intercepting dns
requests and redirecting me to their own park page/search crap. They would
actively redirectly my dns queries to their marketing/ad "search results"
any time I'd mistype something. They might say this is a security feature,
but really this is ISP's way to monetize your dns as an alternative revenue
stream sadly, which means they're logging, redirecting, and monetizing
every dns request you make, particularly to those government black boxes in
the back room no one talks about.
Think about that there's a reason to make your dns private.
-mb
On Thu, Jun 25, 2020 at 8:14 AM Thomas Scott via PLUG-discuss <
plug-discuss@lists.phxlinux.org> wrote:
> Cisco does own OpenDNS/Umbrella, and it does have some more "premium"
> features now. I still use OpenDNS - but day job uses Umbrella and I like
> the default filtering available on some of their other servers
> (208.67.222.123 / 208.67.220.123) as I'm not a fan of having adult
> websites show up even by accident in my house.
>
> That being said I've seen that CloudFlare now offers something similar on
> 1.1.1.3 and 1.0.0.3 but as you mentioned Michael, that uses DNS over HTTPS
> (DOH!) and I haven't liked the idea of anything rogue being able to make a
> request on my network without me being able to log it. If it's a DNS
> request - I expect it to use 53/UDP like it was designed so that *I *can
> decide whether it should be talking on my network or not. I'll play around
> with it when I have more time to see what type of solution I can wrap
> around it. I like the idea, and love privacy, but everything using https
> just feels.... icky? on some level? Maybe it's just the Cox / Jeff Flake
> visit still impacting my bias.
>
> - Thomas Scott | mr.thomas.scott@gmail.com
>
>
> On Thu, Jun 25, 2020 at 10:34 AM Michael Butash via PLUG-discuss <
> plug-discuss@lists.phxlinux.org> wrote:
>
>> I'll just say "OpenDNS" is now owned by Cisco, thus will never be
>> open-anything again, so don't let the name fool you. It's now part of
>> their "umbrella" feature they sell in security appliances for dns
>> inspection. I wouldn't be surprised if there's an upsell from free to be
>> had somewhere these days, with Cisco there always is.
>>
>> I'd recommend CloudFlare dns, which also does https-based dns for
>> encryption, and you can't really forget their 1.1.1.1 dns server address.
>> These are highly anycast routed around the world, and tends to result in
>> good use for me when I need to use one on the road or test externally quick
>> without looking up an external dns.
>>
>> Your ISP should tend to have fast DNS putting local servers in your
>> area. I use my CL DNS on my firewall, and my firewall acts as a local
>> cache/authoritative dns for a few local internal domains I use, which is
>> usually enough to ensure DNS isn't an issue for me.
>>
>> -mb
>>
>>
>> On Thu, Jun 25, 2020 at 1:03 AM Andrew McRobb via PLUG-discuss <
>> plug-discuss@lists.phxlinux.org> wrote:
>>
>>> I can't speak much about privacy, but I've used OpenDNS in the past with
>>> no problems. I'm sure someone will say something about it.
>>>
>>> https://www.opendns.com/home-internet-security/
>>>
>>> If you want real privacy I would just use VPN service, don't think a DNS
>>> service is necessarily going to get a lot of information from you just
>>> based on what sites you visit every so often. Your computer has a few
>>> layers of DNS caching as is, but that's just my two cents.
>>>
>>> On Thu, Jun 25, 2020 at 2:12 AM AZ Pete via PLUG-discuss <
>>> plug-discuss@lists.phxlinux.org> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I was curious if anyone has any recommendations for free public DNS
>>>> servers that they've used. I've been using OpenNic for a while, but in the
>>>> last two days I'm experiencing a lot of trouble with domains not resolving.
>>>> I'm using Google's (8.8.8.8) right now and things are much better. But, I
>>>> thought I'd ping the Plug list for other recommendations. Reliability and
>>>> privacy are the priority in that order (with privacy a close second). I
>>>> don't need all the add on features of parental controls, malicious site
>>>> blocking, etc.
>>>>
>>>> Any thoughts would be appreciated.
>>>> Thanks,
>>>> Peter
>>>>
>>>> ---------------------------------------------------
>>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>> To subscribe, unsubscribe, or to change your mail settings:
>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> https://lists.phxlinux.org/mailman/listinfo/plug-discuss