Puppy Linux Discussion Forum Forum Index Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

The time now is Fri 19 Oct 2018, 19:02
All times are UTC - 4
 Forum index » Off-Topic Area » Security
Free APNIC, CloudFlare tool
Post new topic   Reply to topic View previous topic :: View next topic
Page 1 of 1 [2 Posts]  
Author Message
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 13042
Location: Arizona USA

PostPosted: Wed 04 Apr 2018, 17:33    Post subject:  Free APNIC, CloudFlare tool
Subject description: Prevents ISPs from selling your Internet history
 

Free APNIC, CloudFlare tool prevents ISPs from selling your Internet history
Quote:
APNIC and CloudFlare announced the free 1.1.1.1 DNS resolver service, which is intended as a drop-in replacement to protect your privacy from providers.

By James Sanders | April 2, 2018, 5:35 AM PST
CloudFlare and APNIC are working together to run a free DNS routing service, as well as study DNS traffic to develop new mitigations for DNS-based attacks.
CloudFlare is touting the security aspects of the DNS resolver, noting that the company will not write querying IPs to disk, and will delete logs within 24 hours.


1.1.1.1: How to use Cloudflare's DNS service to speed up and secure your internet
Quote:
Cloudflare's new Domain Name System promises to both speed up your internet access and protect your privacy.

By Steven J. Vaughan-Nichols for Networking | April 4, 2018

Cloudflare is an old hand at speeding up corporate internet services with its content delivery network (CDN). The company is also a pro at blocking Distributed Denial of Service (DDoS) attacks. Now, with its new 1.1.1.1 public Domain Name System (DNS) resolver, it can speed up and secure your web browsing, as well.

What is DNS and how does it work?

DNS is the Internet's master phone book. It turns human-readable domain names, such as cbsinteractive.com, into Internet Protocol (IP) addresses such as 64.30.228.118. For all practical purposes, every time you go anywhere on the internet, you start by interacting with DNS.

This takes time. A complex webpage can require multiple DNS lookups -- one for the text, another for an image, another for an ad on the page, and so on -- before your page loads. Each DNS lookup takes an average of 32 milliseconds (ms). That really slows down many websites. So, when you speed up your DNS lookups, you'll get faster internet performance.

There have been fast DNS services for years to help you. My favorites are Cisco OpenDNS and Google Public DNS. According to Olafur Gudmundsson, Cloudflare's director of engineering, Cloudflare's 1.1.1.1 will be faster than the others because "we are already building data centers all over the globe to reduce the distance (i.e. latency) from users to content. Eventually we want everyone to be within 10 milliseconds of at least one of our locations."


1.1.1.1: Cloudflare's new DNS attracting 'gigabits per second' of rubbish
Quote:
Cloudflare is conducting an experiment with APNIC, and it's revealing plenty of dirty hacks.

By Stilgherrian for The Full Tilt | April 4, 2018
Cloudflare's new speed and privacy enhancing domain name system (DNS) servers, launched on Sunday, are also part of an experiment being conducted in partnership with the Asia Pacific Network Information Centre (APNIC).

The experiment aims to understand how DNS can be improved in terms of performance, security, and privacy.

"We are now critically reliant on the integrity of the DNS, yet the details of the way it operates still remains largely opaque," wrote APNIC's chief scientist Geoff Huston in a blog post.

"We are aware that the DNS has been used to generate malicious denial of service attacks, and we are keen to understand if there are simple and widely deployable measures that can be taken to mitigate such attacks. The DNS relies on caching to operate efficiently and quickly, but we are still unsure as to how well caching actually performs. We are also unclear how much of the DNS is related to end user or application requirements for name resolution, and how much is related to the DNS chattering to itself."


Frankly, I have only the vaguest idea of what this all means, but it's free. Laughing
Back to top
View user's profile Send private message 
rufwoof

Joined: 24 Feb 2014
Posts: 2599

PostPosted: Sun 08 Apr 2018, 20:08    Post subject:  

Hi Flash

Varies between OS's, but under OpenBSD as a example if in /etc/resolv.conf I set
Code:
lookup file bind

then that is basically saying use file i.e. /etc/hosts before bind (dns lookup). i.e. file (local /etc/hosts) takes precedence over DNS lookup (I have my own dns server so in /etc/resolv.conf I have nameserver 10.0.0.1 i.e. the local IP for that server). In some systems the order of precedence is set in /etc/nsswitch.conf or /etc/hosts.conf ... etc.

My ISP providers (Virgin) hub/router doesn't support changing the dns server, i.e. its theirs that you're forced to use (so they can record all your dns lookups/activity) ... unless that is you work around that ... I have a second (netgear) router for instance that does cater for defining what dns servers are used.

Each dns record has a time to live (TTL) value that defines how long that record is valid for, after which any cached version of that is dropped. They vary however and can be short periods, such that any local cached domain name look up's tend to soon become out of date/no longer used. That's just all part of how changes are propagated out. Setting lookup's in your /etc/hosts however is one way to avoid hitting dns servers (and having your activity monitored) assuming that is correctly defined i.e. given precedence over dns lookups via BIND or whatever. The downside of course is that changes wont be registered, except if you periodically update /etc/hosts accordingly.

You could for instance add a entry of
Code:
130.89.148.14 murga-linux.com

to /etc/hosts i.e. a Debian IP address and murga-linux.com name - and all murga-linux.com (Puppy web site) requests would direct to the Debian web site.

See how a simple change to a couple of files (/etc/resolv.conf and /etc/hosts) could have you directed to a man-in-middle attack, i.e. perhaps thinking you're going to google.com, but actually directed to a potential hackers PC/IP, that might simply just pass through whatever you request to the intended target web site and return back to you what that target site returns, so it all looks OK, but where they get to see all of that traffic/data

Of course they need root permissions to change those two files, however if you're running a browser as root and that has weaknesses that permit code to be executed (maybe a old browser version with known/published flaws), then that is way way more easily accomplished.

https also goes some way at hampering man-in-middle attacks. By no means certain, but at least additional protection.

For sites that you'd rather your ISP didn't see you visiting, looking up the sites IP and entering that into /etc/hosts is one way to reduce the dns records/lookup's your ISP sees you making. It's also quick too, as its a local file access (/etc/hosts) instead of internet traffic (that said dns tends to (mostly) be very quick at resolving). You can get lists of IP's that are 'bad', and add those to your /etc/hosts file so that they direct to nowhere if/when requested ... adblock style. Again however you have to review/renew those lists as its all dynamic. Some (many?) Pup's have such a adblock via /etc/hosts option IIRC.

Globally there are 13 main DNS "hubs", that conceptually could record the entire worlds population internet activities (when they were online and what they were seeing/accessing). Big Data. That core 13 are very securely guarded and even Anonymous couldn't hack them despite strong attempts to do so. CloudFlare looks interesting - but potentially could be just another means to expand who might be profiling you. "Studying traffic" and inferring they "wont keep logs or write IP's to disk", could just mean that they still store the data to other than "disk" and delete the logs after having made such records. Seen way too many political twisting of words over the years to have faith Sad "Free" in the present day more often means no financial costs to you, just you freely offering up your personal profile as the 'commodity' being traded - for the potential indirect subsequent financial benefit of others.
Back to top
View user's profile Send private message 
Display posts from previous:   Sort by:   
Page 1 of 1 [2 Posts]  
Post new topic   Reply to topic View previous topic :: View next topic
 Forum index » Off-Topic Area » Security
Jump to:  

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group
[ Time: 0.0509s ][ Queries: 11 (0.0059s) ][ GZIP on ]