Agreed, there's a reason Cisco bought OpenDNS; it was a slick solution.  You could feed those DNS servers to your kids' devices, and it would filter *bad* responses to error out, without any other sort of next-gen firewall-ish features.  Cisco was late to the game for this, as Fortinet/PAN were doing this already, so it was easy for them to add DNS filtering that way to their aging security platforms; just not sure how that affected the consumer-level offerings.

I did notice a bit back that Cloudflare offers different IP feeds, to allow stricter feeds a la parental control, which is cool, as it fills that void.  Not used it; I use a FortiGate for that stuff at home with full URL/DNS filters.  Something tells me they still won't block the crappy ad sites that my firewall lets me block.

What's not to like about HTTPS?  Most things are moving toward TLS 1.3, which vendors really cannot man-in-the-middle well, as no commercial vendor firewall really can today.  Same with the QUIC/HTTP/3 protocols, which leverage UDP primarily, with TCP as a downgrade, encrypted, but hardware/software firewalls cannot decrypt, at least yet.

I set up an unbound server as a local DNS cache at one point, so internally ports would be udp/tcp/53, but tcp/443 HTTPS outbound, to play with; it seemed to work OK, but I usually just leverage my FortiGate for that.

I actually did this when I was getting annoyed at Cox intercepting DNS requests and redirecting me to their own park page/search crap. They would actively redirect my DNS queries to their marketing/ad "search results" any time I'd mistype something.  They might say this is a security feature, but really this is ISPs' way to monetize your DNS as an alternative revenue stream, sadly, which means they're logging, redirecting, and monetizing every DNS request you make, particularly to those government black boxes in the back room no one talks about.

Think about that; there's a reason to make your DNS private.

-mb
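An added example, not part of the thread: the check behind the Cox complaint above. A resolver that respects the protocol answers a query for a name that does not exist with RCODE 3 (NXDOMAIN) and no answer records; one that monetizes typos returns RCODE 0 with an A record pointing at its own page. The parser below classifies a raw DNS response either way; the sample messages, the name `nxdomain-test.example` and the address 192.0.2.10 are constructed placeholders, and the same function can be fed bytes read from a udp/53 socket.

```python
import struct

QTYPE_A = 1
RCODE_NXDOMAIN = 3

def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(buf):
    """Return (rcode, [IPv4 answers]) from a raw DNS response message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                 # skip the question section
        off = skip_name(buf, off) + 4   # + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    return rcode, addrs

def classify_response(buf):
    """'honest-nxdomain' for a protocol-respecting resolver, 'hijacked' for a forged A record."""
    rcode, addrs = parse_response(buf)
    if rcode == RCODE_NXDOMAIN and not addrs:
        return "honest-nxdomain"
    if rcode == 0 and addrs:
        return "hijacked"
    return "other"

# Constructed sample responses for "nxdomain-test.example" (not real captures).
QUESTION = b"\x0dnxdomain-test\x07example\x00" + struct.pack("!HH", QTYPE_A, 1)
# Flags 0x8183: QR=1, RD=1, RA=1, RCODE=3; no answers.
HONEST = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
# Flags 0x8180: RCODE=0, one A record (name is a pointer to offset 12) -> 192.0.2.10.
HIJACKED = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + bytes([192, 0, 2, 10]))
```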


On Thu, Jun 25, 2020 at 8:14 AM Thomas Scott via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:
Cisco does own OpenDNS/Umbrella, and it does have some more "premium" features now. I still use OpenDNS - but my day job uses Umbrella, and I like the default filtering available on some of their other servers (208.67.222.123 / 208.67.220.123), as I'm not a fan of having adult websites show up even by accident in my house.

That being said, I've seen that CloudFlare now offers something similar on 1.1.1.3 and 1.0.0.3, but as you mentioned, Michael, that uses DNS over HTTPS (DOH!) and I haven't liked the idea of anything rogue being able to make a request on my network without me being able to log it. If it's a DNS request - I expect it to use 53/UDP like it was designed, so that I can decide whether it should be talking on my network or not. I'll play around with it when I have more time to see what type of solution I can wrap around it. I like the idea, and love privacy, but everything using HTTPS just feels.... icky? on some level? Maybe it's just the Cox / Jeff Flake visit still impacting my bias.



On Thu, Jun 25, 2020 at 10:34 AM Michael Butash via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:
I'll just say "OpenDNS" is now owned by Cisco, thus will never be open-anything again, so don't let the name fool you.  It's now part of their "Umbrella" feature they sell in security appliances for DNS inspection.  I wouldn't be surprised if there's an upsell from free to be had somewhere these days; with Cisco there always is.

I'd recommend CloudFlare DNS, which also does HTTPS-based DNS for encryption, and you can't really forget their 1.1.1.1 DNS server address.  These are highly anycast-routed around the world, and that tends to work well for me when I need to use one on the road or test externally quickly without looking up an external DNS.

Your ISP should tend to have fast DNS, putting local servers in your area.  I use my CL DNS on my firewall, and my firewall acts as a local cache/authoritative DNS for a few local internal domains I use, which is usually enough to ensure DNS isn't an issue for me.

-mb


On Thu, Jun 25, 2020 at 1:03 AM Andrew McRobb via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:
I can't speak much about privacy, but I've used OpenDNS in the past with no problems. I'm sure someone will say something about it.

If you want real privacy I would just use a VPN service; I don't think a DNS service is necessarily going to get a lot of information from you just based on what sites you visit every so often. Your computer has a few layers of DNS caching as is, but that's just my two cents.

On Thu, Jun 25, 2020 at 2:12 AM AZ Pete via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:
Hi All,

I was curious if anyone has any recommendations for free public DNS servers that they've used. I've been using OpenNic for a while, but in the last two days I'm experiencing a lot of trouble with domains not resolving. I'm using Google's (8.8.8.8) right now and things are much better. But, I thought I'd ping the Plug list for other recommendations. Reliability and privacy are the priority in that order (with privacy a close second). I don't need all the add on features of parental controls, malicious site blocking, etc.

Any thoughts would be appreciated.
Thanks,
Peter

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss