= DNS Resolver / Server =
{{{
#!html
<center>
<table border="0" cellpadding="0" cellspacing="0" width="90%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;">
<b>DNS Resolver / Server</b> [wiki:doc/DnsResolver] article & project, and all other articles & projects under this page/article are <b>non-official articles</b> & <b>non-official projects</b>. <a href="#Credits">Author</a>(s) of these articles & projects is(/are) <b>not</b> affiliated with <b><i>torproject.org</i></b>. The Tor developers are <b>not</b> responsible for these articles or projects. Also see <a href="#Disclaimer">Disclaimer</a> for more information. <b>DnsResolver</b> (related) project(s) here are produced independently from the Tor® anonymity software and carry no guarantee and no warranty from 'The Tor Project' about quality, suitability or anything else.
</td></tr></table></center><br />
}}}
[[TOC(noheading, depth=0)]]
{{{
#!html
<a name="Rules_for_Editors"></a><a name="Rules_for_Developers"></a>
}}}
'' ( Notes for Editors Only: (non-Editor Readers, please go to the [wiki:doc/DnsResolver#start next] paragraph): Editors, in this article (and articles under it) you must use words which make sense to people (if necessary, explain in a different style, way and/or words, even in multiple different ways); these articles are for people from different disciplines and backgrounds. This is not an Academic or Research article, nor is it a Technical or Manual document. It must be kept useful for practical purposes (for what a regular user *sees* on their computer screen, and what a regular user can *use* practically by following guidelines from this page). Explain in simple words which practical command-line(s) or step(s) can be applied, and also add info on what it does and why it is necessary for [https://en.wikipedia.org/wiki/Anonymity Anonymity] [https://en.wikipedia.org/wiki/Freedom_of_speech (2)] [https://en.wikipedia.org/wiki/Censorship (3)] [https://en.wikipedia.org/wiki/Surveillance (4)] and [https://en.wikipedia.org/wiki/Privacy_law Privacy] [https://en.wikipedia.org/wiki/Privacy-enhancing_technologies (6)] [https://en.wikipedia.org/wiki/Cyberstalking (7)] [https://en.wikipedia.org/wiki/Identity_theft (8)]. Even if one portion appears to be unnecessary to you, remember it may be necessary for another type of person to understand, so please do not remove, do not modify any sections. This page is not intended for only one type of user. You are welcome to create a short sub-paragraph under any paragraph, and explain in a different language or style. You are welcome to create a new page NOT UNDER this article or project, outside, and place a link here, and in that new page explain the same matter or new matter in a different language or whatever style you choose. Do not copy text directly; write in your own style & language. 
Put technical words inside the "Acronyms" section, and explain+mention what they mean (please make it easy for a regular user to understand), then use a common, general, non-technical synonym or simple word(s) in the article which make(s) sense to general or regular level users, and add a URL and/or reference link to that technical term inside the acronym section. If you are not following these guidelines, [wiki:doc/DnsResolver#Credits I] will remove your additions; you are welcome to start your own pages with your own content. If you are not able to write with simple+easy (non-technical) words, then DO NOT edit. Thanks. ) ''
''''' This article & all articles under this, This project & all projects under this, are written & developed by Bry8Star. Copyright (C) 2012 Bry8Star. '''''
{{{
#!html
<a name="start"></a>
}}}
''(Start reading from here)''[[BR]]
We want to reach, communicate with, view and exchange any content with any server (Internet destination), wherever we want to, without anyone blocking it, without any filtering or censoring, without any altering or hampering, without any monitoring or tracking (unless a very justified or appropriate or unavoidable situation or reason exists for an elected+consented known public entity) and/or without any redirecting in the middle.
* Use or apply the solutions below (like, How To Use a 3rd Party DNS Server and Configure it, or, How To Configure an existing DNS server or resolver further, or, How To Use All TLDs from All Root DNS or TLD Service provider entities, etc) in such areas: on Tor Exit Nodes, on any Server or Gateway computers, on any computer which is running any Server software, and on your own end-user computers.
{{{
#!html
<a name="Pre-Requisite"></a>
}}}
= Pre-Requisite Knowledge =
Please read through all mentioned articles for your own better understanding. If you are only interested at this point in getting a practical or real solution, then you may skip this section and go to the DNS Server or DNS Resolver sections.
* Please read or view the webpage or the section located [wiki:doc/TorFAQ#IkeepseeingthesewarningsaboutSOCKSandDNSandinformationleaks.ShouldIworry here] (it's inside the [wiki:doc/TorFAQ TorFAQ] page), and see the [wiki:doc/DnsResolver#DNS DNS] section below (in this page) for understanding what DNS is, etc, at a regular or general level.
* You should view & read [wiki:doc/TorifyHOWTO TorifyHowTo] to understand Tor and related common terms, conceptions, ideas, issues, etc.
* You should also check out [https://en.wikipedia.org/wiki/Domain_Name_System DNS] (Wikipedia), [https://en.wikipedia.org/wiki/DNS_hijacking DNS Hijacking] (Wikipedia), [https://en.wikipedia.org/wiki/DNS_spoofing DNS spoofing/cache poisoning] (Wikipedia), [wiki:doc/proxy Proxy] (Torproject), [https://en.wikipedia.org/wiki/Proxy_server Proxy/Server] (Wikipedia), [https://en.wikipedia.org/wiki/SOCKS_%28protocol%29 SOCKS (protocol)] (Wikipedia), [http://en.wikipedia.org/wiki/Alternative_DNS_root Alternative DNS Root] (Wikipedia), etc.
* Various apps & tools to help the Torification process and to help increase '''[https://en.wikipedia.org/wiki/Anonymity Anonymity]''', '''[https://en.wikipedia.org/wiki/Privacy_law Privacy]'''^[https://en.wikipedia.org/wiki/Privacy-enhancing_technologies (2)]^, [https://en.wikipedia.org/wiki/Cyberstalking Security]^[https://en.wikipedia.org/wiki/Identity_theft (2)]^, etc for the public & end-users like you and me, are mentioned in the [wiki:doc/SupportPrograms SupportPrograms] webpage.
* To understand the various types of DNS Server & Resolver, please view & read [https://en.wikipedia.org/wiki/Name_server Nameserver] (Wikipedia). To understand DNSSEC, please first read the short [wiki:doc/DnsResolver#DNSSEC DNSSEC] section (in this page) and then also visit [https://en.wikipedia.org/wiki/DNS_Security_Extensions DNSSEC] (Wikipedia). Also see [http://en.wikipedia.org/wiki/EDNS0 EDNS] (Wikipedia). The DNSSEC system and mechanism provide ways & means to obtain very accurate information on the Internet server(s) for a domain-name, information which has been verified as authentic (not forged or altered on the way), so that we can connect with the correct destination to view webpage(s), or to exchange (send or receive) email(s), etc, for Internet or web based services & activities.
* Also checkout pages mentioned at bottom side of this page, about other DNS articles.
{{{
#!html
<a name="ICANN"></a><a name="IANA"></a><a name="Root_Servers"></a>
<a name="VeriSign"></a><a name="Root_Operators"></a>
<a name="Root_Managers"></a><a name="PIR"></a>
<a name="gTLDs"></a><a name="ccTLDs"></a>
}}}
* Mainstream [wiki:doc/DnsResolver#DNS DNS], Root zone, [wiki:doc/DnsResolver#TLD TLD]s, [wiki:doc/DnsResolver#SLD SLD]s, [wiki:doc/DnsResolver#IDN IDN]-TLDs Controllers, Operators, Managers: ccTLDs (two letters based, around 250 '''c'''ountry '''c'''ode TLDs) are governed by [http://www.iana.org/ IANA], gTLDs ('''g'''eneric TLDs, around 21 TLDs) are governed by '''[http://icann.org/ ICANN]'''. ICANN governs the name and number systems of the Internet. The Root KSK (Key Signing Key) is managed by ICANN to provide for verification of the [wiki:doc/DnsResolver#DNSSEC DNSSEC]-signed root zone. IANA is responsible for management of the DNS root zone, the ".int" & ".arpa" TLDs, 39 IDN TLDs and 11 test IDN TLDs. IANA is responsible for coordinating the Internet's globally unique identifiers, and is operated by ICANN. IANA assigns and keeps the authoritative "Operator"/"Manager" list for over 250 ccTLDs, and over 40 IDN TLDs. ICANN (& IANA) assigns & keeps the authoritative list^[https://www.icann.org/en/resources/registries/listing (1)]^ of "Operator" (also known as: "Sponsor", "Registry", "Maintainer", "Delegation") for around 21 gTLDs: VeriSign (USA) (.com, .net, .name), SITA (USA) (.aero), NeuStar (USA) (.biz), Public Interest Registry ('''PIR''') (USA) (.org), DotCooperation (USA) (.coop), EDUCAUSE (USA) (.edu), Afilias Ltd (Ireland) (.info), Employ Media LLC (USA) (.jobs), Fundació puntCAT (Spain) (.cat), Universal Postal Union (Switzerland) (.post), Registry Services Corp (USA) (.pro), Tralliance Reg Mngmt Co (USA) (.travel), DotAsia Org (Hong Kong) (.asia), Telnic (UK) (.tel), MDI (.museum), ICM reg (USA) (`.`x''x''x), US GSA (.gov), IANA (USA) (.int), US DoD (.mil), etc. 
The root zone has 13 named authority [http://www.root-servers.org/ root servers] (actually these are combinations of hundreds of networked servers located globally around the world), which are managed by 12 entities: '''VeriSign'''^[http://www.verisign-grs.com/ (1)]^ (USA), [http://www.isi.edu/ USC-ISI] (USA), [http://www.cogentco.com/ Cogent Comm] (USA, Spain, Germany), [http://www.isc.org/ ISC] (USA), Univ of Maryland ([http://www.umd.edu/ UMD]) (USA), [http://www.arc.nasa.gov/ NASA-ARC] (USA), US [http://www.nic.mil/ DoD-NIC], [http://www.ripe.net RIPE] (Netherlands), ICANN, [http://www.wide.ad.jp/ WIDE] (Japan), [http://www.netnod.se/ Netnod] ([http://www.autonomica.se/ Autonomica]) (Sweden), US Army ([http://www.arl.army.mil/ ARL]). So far there are around 39 IDN TLDs + 11 test IDNs which IANA is controlling & testing (along with 255 ccTLDs). IANA TLD list: [https://www.iana.org/domains/root/db/ 1], [https://data.iana.org/TLD/tlds-alpha-by-domain.txt 2]. The ICANN accreditation only applies to gTLDs; ICANN accredited registrar list: [http://www.icann.org/registrar-reports/accredited-list.html 1]. There are other Registrar(s) inside each ccTLD. Also see [wiki:doc/DnsResolver#TLD-Providers this] for other TLD-Providers.
* Most ISPs ("Internet Service Provider": a company which gives you their (broadband) modem or access, to connect with the Internet) usually provide you their recursive DNS-server's IP-address, and, not all, but, many ISPs are still using non-validating (non-DNSSEC) DNS servers. See [wiki:doc/DnsResolver/PublicDnsResolvers#ISP this] for more info.
* And not all, but most mainstream Operating Systems include/use a '' 'stub resolver' '' type of non-validating (non-DNSSEC) DNS resolver (or DNS client) by default. Most Microsoft Windows versions use a '' 'stub resolver' '', and Windows Server 2008 R2 and Windows 7 in particular use a non-validating but (partially) DNSSEC-aware stub resolver.
* IPv6 support status of DNS Registrars: [http://www.getipv6.info/index.php/DNS_Registrars_IPv6_Support_Status list]. IPv6 support & comparison of Operating Systems: [https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_operating_systems 1].
* An alternative to installing or loading or using your own local DNS-Server or DNS-Resolver software is to use any of the public DNS-servers which are listed in the '''[wiki:doc/DnsResolver/PublicDnsResolvers Public DNS Servers]''' page. Find servers which do not censor, filter or block, and which support DNSSEC; such DNS-Servers will be the closest alternative or replacement which can be used instead of your own local DNS server/resolver.
* Identity correlation through (Tor) circuit sharing is possible if DNS queries for your Tor (Anonymity & Privacy related) usage and your non-Tor (Private, Personal related) usage both pass through a common circuit.
{{{
#!html
<a name="DNS"></a><a name="RR"></a><a name="SOA"></a><a name="NS"></a>
<a name="MX"></a>
}}}
== DNS (short/brief info) ==
DNS (Domain Name System) is a way to find the IP-address of different types of Internet web servers which are directly related to, kept under or used by a specific domain-name. It is kind of like finding the phone-number of a company in a telephone-directory book (where a phone number is similar to an IP-address, and a company-name is similar to a domain-name). DNS is used not only for finding IP-addresses; it also allows us to find & obtain other data ([https://en.wikipedia.org/wiki/List_of_DNS_record_types DNS-Records]) used by a domain-name or a host-name. DNS uses various system(s) & mechanism(s), where the highest, last level is the "root-zone" or "root" server. The DNS resolving process starts from this "level" (which can also be called a "zone"). The "root-zone" or "root" server actually is a combination of 13 groups of DNS servers located globally around the world; these are often called the "13 named root servers" as well. Each of these named root-servers is actually a combination of hundreds of networked server computers located in different areas and interlinked with each other. These servers are always answering back when DNS related questions are asked. "Root-zone" servers keep the list of those 13 named root-servers in a "root.hints" file. Various software components related to DNS always keep or obtain that "root.hints" file. Root-servers also keep a "root-zone" file, which contains the list (database) of IP-addresses of all TLD (gTLDs, ccTLDs, IDN TLDs, etc) operators' (or maintainers' or managers') nameservers (DNS-servers), located in different areas. TLD means Top Level Domain; for example: the ".org" word or portion is the [wiki:doc/DnsResolver#TLD TLD] of the "torproject.org" domain-name. TLD maintainers (for example: the ".org" TLD maintainer is "PIR", the ".com" TLD maintainer is "VeriSign") are selected by the ICANN & IANA organizations. 
You can very easily create your own TLD almost for free; for example, you can create a ".MyName" TLD, and then create your own free website at "home.MyName" or at "www.home.MyName" etc. Only if you are using your own custom TLD can your DNS-server be treated or called a TLD level DNS-server, and then you have turned into a TLD-provider. The next level of DNS-servers under the TLD level are SLD level DNS-servers. SLD means Second Level Domain; for example: the "wikipedia" word or portion is the [wiki:doc/DnsResolver#SLD SLD] of the "en.wikipedia.org" domain-name. Various "Registrar" entities & companies maintain SLD level nameservers (DNS-servers). And the 3rd Level of DNS-Servers are from various Hosting Service Providers (HSP) and Data-Centers, who hold sub-contracts with SLD ("Registrar") level DNS-servers. If you are operating your own nameserver(s) (for example: "ns1" & "ns2") for your own domain-name (for example: "example.com"), then your own DNS-servers ("ns1.example.com", "ns2.example.com") can also be treated or called 3rd Level DNS-servers. And this mechanism & process goes on for all next domain levels. DNS-servers keep their list (database) in the DNS '''[https://en.wikipedia.org/wiki/List_of_DNS_record_types RR]''' (resource records) format (also commonly known as "DNS-record"), associated with each domain-name (or SLD or TLD), host- or node-names, IP-addresses, DNSSEC records, etc. DNS-servers use 'SOA', 'NS', etc DNS RRs for each domain-name, TLD, SLD, etc, which help to find the exact 'NS' nameserver which has further related RRs (resource records) for a given domain-name, TLD, SLD, hostname, etc. 
A few RR examples: the 'A' and 'AAAA' RRs show the IP-address of a hostname or nodename, email-servers use the 'MX' RR, the 'CNAME' RR is used to create an alternative name for the same hostname or nodename, a hostname which has 'www' (at the left-most-side ([wiki:doc/DnsResolver#LMS LMS]) in a [wiki:doc/DnsResolver#LtR L-to-R] written language, or at the RMS in an R-to-L written language) indicates that it is a webpage related content server's hostname, a hostname with 'ftp' indicates an ftp server which keeps files, etc. Web-browser software resolves DNS like above, by using a DNS-client software component on your or on that computer, and finds the IP-address, then by default connects on port 80 using the HTTP protocol and obtains webpages to show on the web-browser's screen (this happens when we type or click on a URL, link or domain-name). The DNS communication process uses UDP on port 53 with the DNS-server by default, when the query and answer are less than or equal to 512 bytes. The DNS-client side can send the query from any port, but the destination must be the DNS port of that DNS-Server, which is usually port 53 (and to bypass surveillance, spoofing & hijacking processes, a DNS-Server can use a different port as well). DNS queries & DNS answers can also be done over TCP connections/packets, which is a little bit more secure than using UDP, but uses more bytes & bandwidth. More info: [https://en.wikipedia.org/wiki/Domain_Name_System DNS] (Wikipedia).
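The query/answer exchange described above, as an added example that is not part of the original wiki page: it builds a DNS query in wire format, reads the reply header, and uses the TC (truncated) bit to decide when a client has to repeat the query over TCP because the answer did not fit in 512 bytes over UDP. The transaction id, the name and the two reply messages are constructed sample data, not captured traffic.

```python
# Added example (not from the original wiki page): a minimal DNS wire-format
# query builder and reply-header parser (RFC 1035) showing the UDP/512-byte
# limit and the TCP fallback described above. The txid, names and reply
# bytes below are constructed sample data, not captured traffic.
import struct

DNS_PORT = 53           # default DNS port, as the page says
UDP_MAX_PAYLOAD = 512   # classic UDP limit for a DNS message without EDNS0

def encode_name(name):
    """'www.example.org' -> b'\\x03www\\x07example\\x03org\\x00' (wire format)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError("bad label length: %r" % label)
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # the empty root label terminates the name

def build_query(name, qtype=1, txid=0x1234):
    """Recursive query: 12-byte header + one question (class IN).
    qtype 1 = A record, 28 = AAAA; txid is the 16-bit transaction id."""
    flags = 0x0100  # RD (recursion desired) set, everything else clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question

def parse_header(msg):
    """Decode the fixed 12-byte header into a dict of its fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "truncated": bool(flags & 0x0200),    # TC bit: answer did not fit
        "rcode": flags & 0x000F,              # 0 = NOERROR, 3 = NXDOMAIN
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def reply_matches_query(query, reply):
    """A reply is only accepted if it is a response carrying our txid
    (checking the id is part of the basic defence against spoofed answers)."""
    q, r = parse_header(query), parse_header(reply)
    return r["is_response"] and r["id"] == q["id"]

def needs_tcp_retry(query, reply):
    """True when the UDP reply was truncated (TC=1), i.e. the full answer
    exceeded 512 bytes and the client should repeat the query over TCP."""
    if not reply_matches_query(query, reply):
        raise ValueError("reply does not belong to this query")
    return parse_header(reply)["truncated"]

def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

# Constructed sample replies to the query for www.example.org (A record).
_QUESTION = encode_name("www.example.org") + struct.pack("!HH", 1, 1)
# flags 0x8380 = QR | TC | RD | RA: the server says "answer too big for UDP".
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION
# flags 0x8180 = QR | RD | RA, one answer RR: name pointer to offset 12,
# type A, class IN, TTL 300, 4-byte RDATA 192.0.2.1 (documentation address).
COMPLETE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                  + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    q = build_query("www.example.org")
    print("query bytes:", len(q), "fits in UDP:", len(q) <= UDP_MAX_PAYLOAD)
    print("truncated reply -> retry over TCP?", needs_tcp_retry(q, TRUNCATED_REPLY))
    print("complete reply  -> retry over TCP?", needs_tcp_retry(q, COMPLETE_REPLY))
    print("TCP length prefix:", frame_for_tcp(q)[:2].hex())
```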
|
|
|
```
|
|
|
## DNS (short/brief info)
|
|
|
DNS (Domain Name System) is a way to find IP-address of different types of Internet web servers which are directly related or kept-under or used-by a specific domain-name. Kind of like finding a Phone-number of a Company, from a Telephone-Directory book. (Where, a phone number is similar to a IP-address, and a company-name is similar to a domain-name). DNS is used not only for finding IP-address, it also allows to find & obtain other data ([DNS-Records](https://en.wikipedia.org/wiki/List_of_DNS_record_types)) used by a domain-name or a host-name. DNS uses various system(s) & mechanism(s), where the highest, last level is "root-zone" or "root" server. DNS resolving process starts from this "level" (can also be called as "zone"). The "root-zone" or "root" server actually is a combination of 13 groups of DNS servers located globally around the world, these are often called "13 named root servers" as well. Each of this named root-server is actually a combination of hundreds of networked server computers located in different areas and interlinked with each-other. These servers are always answering back when DNS related questions are asked. "Root-zone" servers keep list of those 13 named root-servers in a "root.hints" file. Various software component related to DNS, always keeps or obtains that "root.hints" file. Root-servers also keep a "root-zone" file, which contains list (database) of IP-address of all TLD (gTLDs, ccTLDs, IDN TLDs, etc) operator's (or maintainer's or manager's) nameservers (DNS-servers), located in different areas. TLDs means, Top Level Domains, for example: the ".org" word or portion, is a [TLD](./doc/DnsResolver#TLD) of the "torproject.org" domain-name. TLD maintainers are (for example: the ".org" TLD maintainer is "PIR", the ".com" TLD maintainer is "VeriSign") selected by ICANN & IANA organizations. 
You can very easily create your own TLD almost for free, for example, you can create ".MyName" TLD, and then create your own free website at "home.MyName" or at "www.home.MyName" etc. If you are using your own custom TLD, only then your DNS-server can be treated or called as TLD level DNS-server, and you have turned into a TLD-provider. Next level of DNS-servers under TLD level are SLD level DNS-servers. SLDs means Second Level Domains, for example: the "wikipedia" word or portion, is a [SLD](./doc/DnsResolver#SLD) of "en.wikipedia.org" domain-name. Various "Registrar" entities & companies maintains SLD level nameservers (DNS-servers). And 3rd Level of DNS-Servers are from various Hosting Service Providers (HSP) and Data-Centers, who holds sub-contracts with SLD ("Registrar") level DNS-servers. If you are operating your own nameserver(s) (for example: "ns1" & "ns2") for your own domain-name (for example: "example.com"), then your own DNS-server ("ns1.example.com", "ns2.example.com") can also be treated or called as 3rd Level DNS-servers. And this mechanism & process goes on for all next domain levels. DNS-servers keep list (data-base) in a DNS **[RR](https://en.wikipedia.org/wiki/List_of_DNS_record_types)** (resource records) format (also commonly known as "DNS-record"), associated with each domain-name (or SLD or TLD), host- or node-names, IP-addresses, DNSSEC records, etc. DNS-servers use 'SOA', 'NS', etc DNS RR for each domain-name, TLD, SLD, etc, which help to find the exact 'NS' nameserver which has further related RR (resource records) for a given domain-name, TLD, SLD, hostname, etc. 
Few RR example: the 'A', 'AAAA' RR shows IP-address of a hostname or nodename, email-server uses 'MX' RR, the 'CNAME" RR is used to create alternative name for a same hostname or nodename, hostnames which has 'www' (at the left-most-side ([LMS](./doc/DnsResolver#LMS)) on [L-to-R](./doc/DnsResolver#LtR) written language, or, at the RMS on R-to-L written language) indicates that is a webpage related content server's hostname, a hostname with 'ftp' indicates a ftp server which keeps files, etc. Web-browser software resolves DNS like above, by using a DNS-client sofwtare component on your or on that computer, and finds the IP-address, then by default connects on port 80 using HTTP protocol and obtains webpages to show on the web-browser's screen, (it happens when we type or click on a URL, link or domain-name). DNS communication process uses UDP on port 53 with DNS-server by default, when a query and answer is less or equal to 512 bytes. DNS-client side can send query from any port, but, destination must be the DNS port of that DNS-Server, which is usually port 53, (and to bypass surveillance, spoofing & hajacking processes, a DNS-Server can use different port as well). DNS query & DNS answer can also be done over TCP connections/packets, and little bit more secure than using UDP, but uses more bytes & bandwidth. More info: [DNS](https://en.wikipedia.org/wiki/Domain_Name_System) (Wikipedia).

{{{
#!html
<a name="DNSSEC"></a><a name="root.keys"></a><a name="DNSKEY"></a>
<a name="DS"></a><a name="DLV"></a><a name="NSEC3"></a>
}}}

== DNSSEC (short/brief info) ==

DNSSEC means Domain Name System (DNS) Security Extensions. It works by [https://en.wikipedia.org/wiki/Digital_signature digitally signing] the DNS resource records ('''RR'''^[https://en.wikipedia.org/wiki/Resource_record#DNS_resource_records (2)]^) of a zone (SOA, A, NS, MX, CNAME, AAAA, CERT, SRV, TXT, TLSA, etc) with [https://en.wikipedia.org/wiki/Public-key_cryptography public-key] [https://en.wikipedia.org/wiki/Cryptography cryptography]. The signatures and the public keys are themselves published as DNS records (DNSKEY, RRSIG, NSEC, NSEC3, NSEC3PARAM, DS, and formerly DLV), so that any resolver which understands DNSSEC can fetch and verify them; the private keys never leave the zone operator. A validating resolver asks for these records alongside the normal answer (it sets the DO bit in its query). When DNSSEC is in use, each answer carries an 'RRSIG' RR in addition to the record type that was requested; the 'RRSIG' is a digital signature over that record set, and the resolver checks it against the zone's public key found in a 'DNSKEY' RR. The 'DNSKEY' itself is authenticated through a [https://en.wikipedia.org/wiki/Chain_of_trust chain of trust]: the parent zone publishes a 'DS' RR, which is a hash of the child's 'DNSKEY'; the parent's 'DS' is in turn signed with the parent's own key, whose 'DNSKEY' is pinned by a 'DS' one level higher, and so on up to the "root" zone ("."), the highest and last level in DNS. The root's own key is not signed by anyone above it, so the resolver must already hold it as a pre-configured trust anchor (the "root.keys" file, which resolver software keeps up to date through the RFC 5011 key rollover procedure). Validation succeeds only when every link in this chain verifies; one broken or missing link (unless the user has configured another trusted key as an anchor for that part of the tree) makes the answer unverifiable, and a validating resolver then returns SERVFAIL rather than handing out an unauthenticated answer. 'DLV' (DNSSEC Lookaside Validation) was a side-channel for trust anchors of zones whose parent was not yet signed; it is obsolete (ISC shut down the dlv.isc.org registry in 2017) and should be disabled in resolver configuration. The 'NSEC' and 'NSEC3' RR provide signed proof that a name or record type does not exist ("authenticated denial of existence"), so that an attacker cannot forge a "no such domain" answer; 'NSEC3' additionally hashes the names so that the contents of a zone cannot be enumerated by walking the chain. DNSSEC gives authenticity and integrity, not confidentiality: queries and answers are still visible to anyone on the path. More info: [https://en.wikipedia.org/wiki/DNS_Security_Extensions DNSSEC] (Wikipedia).
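As an added example (not code from this wiki page or from any resolver software), the following Python walks the DS to DNSKEY links of a DNSSEC chain of trust exactly as described above: it computes a key tag and a DS digest from a DNSKEY (RFC 4034) and checks that each zone's key-signing key matches the DS published one level up, starting from a root trust anchor. Only the DS/DNSKEY linking is shown; verifying the RRSIG signatures needs an RSA or ECDSA library and is left out. The key material and the zones "." / "org." / "example.org." are constructed for the demonstration and are not any real zone's keys.

```python
"""Chain-of-trust linking between DS and DNSKEY records (RFC 4034).

Added example; not code from the wiki page or from any resolver software.
Shows only the DS -> DNSKEY links of the chain; checking RRSIG signatures
needs an RSA/ECDSA library and is deliberately omitted. All key material
below is random, constructed for the demo, and belongs to no real zone.
"""
import hashlib
import secrets
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed,
    terminated by the empty root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B) for every algorithm except RSA/MD5:
    a 16-bit sum over the RDATA with the carry folded back in once."""
    ac = 0
    for i in range(0, len(rdata), 2):
        word = rdata[i] << 8
        if i + 1 < len(rdata):
            word |= rdata[i + 1]
        ac += word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """The DS RDATA a parent zone publishes for this child DNSKEY:
    (key_tag, algorithm, digest_type, hex digest). Digest type 2 = SHA-256
    over canonical owner name || DNSKEY RDATA."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented here")
    algorithm = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches_dnskey(owner: str, ds, rdata: bytes) -> bool:
    """The check a validating resolver makes at each delegation: does the DS
    found in the (already validated) parent zone point at this child DNSKEY?"""
    tag, alg, dtype, digest = ds
    if dtype != 2 or alg != rdata[3] or tag != key_tag(rdata):
        return False                                   # cheap filters before hashing
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper() == digest

def validate_chain(trust_anchor_ds, zones) -> bool:
    """Walk from the root trust anchor downwards. `zones` is an ordered list of
    (owner, ksk_rdata, ds_for_child_or_None). Each zone's key-signing key must
    match the DS from the level above, the first one being the trust anchor
    (what root.keys pins). Returns False at the first broken link."""
    expected_ds = trust_anchor_ds
    for owner, ksk_rdata, child_ds in zones:
        if expected_ds is None or not ds_matches_dnskey(owner, expected_ds, ksk_rdata):
            return False
        expected_ds = child_ds
    return True

def make_example_chain():
    """Constructed three-level chain: root '.', then 'org.', then 'example.org.'.
    Flags 257 = zone key + SEP (a key-signing key); algorithm 13 = ECDSAP256SHA256."""
    keys = {z: dnskey_rdata(257, 13, secrets.token_bytes(64))
            for z in (".", "org.", "example.org.")}
    ds_org = ds_from_dnskey("org.", keys["org."])
    ds_example = ds_from_dnskey("example.org.", keys["example.org."])
    root_anchor = ds_from_dnskey(".", keys["."])       # the trust anchor, in DS form
    chain = [(".", keys["."], ds_org),
             ("org.", keys["org."], ds_example),
             ("example.org.", keys["example.org."], None)]
    return root_anchor, chain, keys
```

A real resolver does this for every delegation between the root and the name you asked for, and additionally verifies the RRSIG over each DNSKEY and DS set with the key the previous step established; replacing any key in the middle, as the test below does, makes the chain fail at that link and nothing below it can be trusted.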
|
|
|
|
|
|
{{{
#!html
<a name="TLD"></a><a name="SLD"></a>
<a name="IDN"></a><a name="NIC"></a>
<a name="LtR"></a><a name="LMS"></a><a name="Punycode"></a>
<a name="Legend"></a>
}}}

== Acronyms ==

List of technical or frequently used acronyms, words and terms, with their meanings and/or a short explanation.

[wiki:doc/DnsResolver#DNS DNS] = Domain Name System. The system that converts a domain-name or host-name into the IP-address & other data (DNS-Records) published for it. | '''TLD''' = Top Level Domain (the last portion of a domain-name, like '''.org''' in "torproject.org") | '''SLD''' = Second Level Domain (the portion directly before the TLD, like '''torproject''' in "torproject.org", which exists inside the '''.org''' TLD) | '''IDN''' = Internationalized Domain Name, a domain-name using non-Latin (non-English) scripts & languages. An IDN TLD, SLD, or lower-level portion is typed and displayed on the client or user side in the local or native script as Unicode characters, and is mapped into the ASCII characters valid in DNS using [https://en.wikipedia.org/wiki/Punycode Punycode]; every Punycode-encoded label (a TLD or any other label) begins with the ASCII prefix '''xn--''' (the "A-label"; for example "bücher" becomes "xn--bcher-kva"). Because visually similar characters from different scripts produce different A-labels, IDNs can be abused for look-alike (homograph) names, which is why browsers show some IDNs in their xn-- form | '''NIC''' = Network Information Center | '''LMS''' = the Left Most Side | '''RMS''' = the Right Most Side.

{{{
#!html
<a name="ROOT"></a><a name="Root_Zone"></a>
}}}

* Root Zone, Root Servers, Root nameservers: the "root zone" is the data at the highest (top-most) level of DNS, the list of all (mainstream) TLDs and their nameservers; the "root servers" (root nameservers) are the 13 named DNS servers that publish this zone on behalf of IANA. The root is indicated by a "." (a dot) at the end of a domain, host or node name: on the wire a name is a sequence of labels, and the root is the final, empty label. Every domain-name has a TLD, and after the TLD, in a Left-to-Right ('''LtR''' or L-to-R) written script & language this "." appears at the right most side, or, in a Right-to-Left ('''RtL''' or R-to-L) written script & language, at the left most side. There is no need to type this final dot in a web-browser, ping, nslookup, email address, etc: the software completes the name for you. But when a domain information diagnostics or query tool like 'dig' is used, or when you are writing DNS zone data, it is better to put the '.' at the end of every domain-name or hostname: without it the name is treated as relative, and 'dig' may append a search domain, or the zone file's $ORIGIN is appended, which is a classic source of wrong records such as "www.example.com.example.com".
|
|
|
|
|
|
|
|
|
= List of DNS Server / Resolver / Client =

A wider comparison of many DNS server & resolver software packages is here: [https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software Comparison of DNS Software]. Another comparison, focused on security, is [http://www.maradns.org/DNS.security.comparison.txt here]. A few DNSSEC-validation-aware DNS servers, resolvers and tools are listed [https://en.wikipedia.org/wiki/DNSSEC#Tools here]. The ones we will use on this page are:

* Unbound: small DNS server, able to do caching, recursive and also validating (DNSSEC) DNS resolving. It works on Unix, Linux and Windows platforms.[[BR]]
Note: to prevent the denial-of-service failure mode described in [https://trac.torproject.org/projects/tor/ticket/18580 Bug #18580], apply the 'resolv.conf' tuning from the "Tuning eventdns component of Tor Daemon" section below when Unbound serves a Tor exit relay.

* BIND: very powerful (and almost the de-facto standard) DNS server, able to do authoritative, caching, recursive, validating (DNSSEC), etc DNS resolving. It works on Unix, MacOSX, Linux, Windows, etc platforms.

* vsResolver, GbDns, etc.

* MaraDNS/Deadwood: 'MaraDNS' is a very small & fast DNS server, able to do authoritative, caching, recursive, etc DNS resolving. 'Deadwood' is its caching, recursive resolver component. Neither supports DNSSEC validation, so they cannot detect forged answers the way a validating resolver can. They work on Windows XP, Vista, 7, Linux and Unix platforms.

Go to the DNS Server/Resolver section: [[#Unbound Unbound]], [[#BIND BIND]], [[#Deadwood Deadwood]].
|
|
|
|
|
|
{{{
#!html
<a name="TLD_Providers"></a><a name="TLD-Providers"></a><a name="TSP"></a>
<a name="Alt_Roots"></a><a name="Alternative_DNS_Roots"></a>
<a name="Alt_TLD_Providers"></a><a name="Alt.TLD.DNS"></a>
<a name="Alt.Root.DNS.Opr"></a><a name="Alt_Root_Operators"></a>
}}}
|
|
|
|
|
|
= Tuning eventdns component of Tor Daemon =

Tor uses a modified version of the '''eventdns''' subsystem of '''libevent''' to talk to DNS resolvers. To prevent a known denial-of-service scenario and to get the best performance, high-capacity exit relays should add '''eventdns''' tuning parameters to the `options` line of /etc/resolv.conf. The `max-inflight` and `max-timeouts` options are understood only by Tor's '''eventdns'''; other software that reads the same file (the system's libc resolver, for example) ignores options it does not know, so adding them is harmless. Examples for the common cases follow; the first two assume a single DNS resolver running on the same server as the Tor daemon:

=== Local Unbound resolv.conf ===

{{{
options timeout:15 attempts:1 max-inflight:16384 max-timeouts:1000000
nameserver 127.0.0.1
}}}
|
|
|
=== Local Bind9/named resolv.conf ===

{{{
options timeout:5 attempts:3 max-inflight:16384 max-timeouts:1000000
nameserver 127.0.0.1
}}}
|
|
|
=== Remote any DNS resolv.conf ===

With a single remote resolver (nothing to fail over to, so never mark it down):

{{{
options timeout:5 attempts:3 max-inflight:4096 max-timeouts:1000000
nameserver x.x.x.x
}}}

With two (or more) remote resolvers, keep `max-timeouts` small so that '''eventdns''' moves on to the next resolver instead of retrying a dead one forever:

{{{
options timeout:5 attempts:3 max-inflight:4096 max-timeouts:15
nameserver x.x.x.x
nameserver y.y.y.y
}}}
|
|
|
|
|
|
`timeout:5` is the same as the '''eventdns''' default. `max-inflight:16384` raises the permitted number of concurrent requests from the default of 64; this both improves performance and mitigates a denial-of-service in which a Tor client rapidly requests large numbers of names whose authoritative nameservers never answer, so that the 64 slots fill up with hanging requests and no other lookup can proceed (GoDaddy's nameservers have been reported to null-route Tor relays, which produces exactly this pattern). Unbound retries its upstream requests on its own, hence `attempts:1` (and the longer 15 second `timeout`) for it. With 'named' and other resolvers, `attempts:3` makes '''eventdns''' retry each request twice, once after five and once after ten seconds. `max-timeouts:1000000` also mitigates the DoS scenario above by preventing '''eventdns''' from marking the resolver "down" after three (the default) consecutive failures (timeouts or SERVFAIL replies); with a single resolver there is nothing to fail over to, so marking it down only makes things worse. If more than one DNS resolver is configured, a `max-timeouts` value between 10 and 30 probably makes more sense, so that a dead resolver is actually abandoned. The information that led to this advice can be found in bugs [https://trac.torproject.org/projects/tor/ticket/18580#comment:11 18580] and [https://trac.torproject.org/projects/tor/ticket/21394#comment:55 21394].

A generalized implementation of the above tuning advice is incorporated in the Tor daemon starting with version 0.3.2.
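As an added example (not code from this wiki page or from Tor), the following Python parses a resolv.conf, fills in the '''eventdns''' defaults quoted above for any option that is missing, and applies the advice of this section as a small review: it flags the default `max-inflight` of 64, a single resolver that can be marked down, and a multi-resolver setup whose `max-timeouts` is outside 10..30. The sample files are constructed; the rule thresholds are exactly the ones stated on this page.

```python
"""Check the eventdns tuning options in a resolv.conf for a Tor exit relay.

Added example; not code from the wiki page or from Tor. It parses the
'options' and 'nameserver' lines and compares them with the eventdns
defaults quoted on this page (timeout 5 s, attempts 3, max-inflight 64,
max-timeouts 3). The sample files at the bottom are constructed.
"""
import re

EVENTDNS_DEFAULTS = {"timeout": 5, "attempts": 3, "max-inflight": 64, "max-timeouts": 3}

def parse_resolv_conf(text: str) -> dict:
    """Return {'nameservers': [...], 'options': {name: int or True}}.
    Comments (# or ;) are stripped; several 'options' lines accumulate."""
    cfg = {"nameservers": [], "options": {}}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            cfg["nameservers"].append(rest[0])
        elif key == "options":
            for opt in rest:
                name, _, val = opt.partition(":")
                cfg["options"][name] = int(val) if val.isdigit() else True
    return cfg

def eventdns_settings(cfg: dict) -> dict:
    """Effective eventdns values: the configured ones, defaults for the rest."""
    return {k: cfg["options"].get(k, v) for k, v in EVENTDNS_DEFAULTS.items()}

def review(cfg: dict) -> list:
    """Apply this page's advice and return a list of findings (empty = looks fine)."""
    s = eventdns_settings(cfg)
    n = len(cfg["nameservers"])
    findings = []
    if n == 0:
        findings.append("no nameserver configured")
    if s["max-inflight"] <= EVENTDNS_DEFAULTS["max-inflight"]:
        findings.append("max-inflight at the default 64: a burst of unanswered lookups stalls "
                        "all resolution; use 16384 (local resolver) or 4096 (remote)")
    if n == 1 and s["max-timeouts"] < 1000000:
        findings.append("single resolver with max-timeouts %d: eventdns marks your only "
                        "resolver down after that many consecutive failures; use a very "
                        "large value" % s["max-timeouts"])
    if n > 1 and not 10 <= s["max-timeouts"] <= 30:
        findings.append("several resolvers: set max-timeouts between 10 and 30 so eventdns "
                        "fails over to the next one instead of retrying a dead one forever")
    return findings

# Constructed samples: this page's Unbound recommendation and a stock resolv.conf
TUNED_UNBOUND = """options timeout:15 attempts:1 max-inflight:16384 max-timeouts:1000000
nameserver 127.0.0.1
"""
STOCK = """# generated by resolvconf
nameserver 127.0.0.1
options edns0
"""

if __name__ == "__main__":
    for label, text in (("tuned", TUNED_UNBOUND), ("stock", STOCK)):
        print(label, eventdns_settings(parse_resolv_conf(text)), review(parse_resolv_conf(text)))
```

Run it with `review(parse_resolv_conf(open("/etc/resolv.conf").read()))` on a relay; an empty list means the file already follows the examples above.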
|
|
|
|
|
|
= How To Use All TLDs From All Root Servers =

By default, most users, computers and network devices use only the ICANN & IANA governed root (the 13 named Root DNS-Servers, a.root-servers.net to m.root-servers.net, each of which is in reality many anycast instances around the world) to resolve the TLD (Top Level Domain) portion of a domain or host name into the IP-addresses of that TLD's nameservers. ICANN, which also operates the IANA functions, has chosen, and sets the rules for, the 12 manager organisations that run those 13 Root-Servers; they all serve the same "root-zone" file, published by IANA, on behalf of the gTLD "Registry" companies & entities (around 19 of them) and the roughly 255 ccTLD manager entities from the different countries of the world. The "root-zone" file is the list of every TLD (ccTLD and gTLD) together with the names & IP-addresses of its nameservers. The entities that manage a TLD (selected & assigned by ICANN & IANA) are the (mainstream) "'''TLD-Providers'''" or "TLD Service Providers" (TSP).

There are other TLD service providers whose DNS-Servers partly function as an alternative root, but whose main purpose is to provide & maintain more TLDs than ICANN & IANA have adopted. Such companies & entities are widely known as "Alternative DNS Roots" ('''Alt Roots'''), but here, based on their main function & purpose, we identify them simply as "'''Alternative TLD-Providers'''" (Alt TLD-Providers) (ATP), "Alternative TLD DNS Service Providers" (Alt.TLD.DNS.Servc.Provider) (ATDSP), or "'''Alt.TLD.DNS'''". Many domain-names under these TLDs are very cheap, or completely '''free'''. If you need your own custom TLD or domain-names to be reachable from anywhere in the world, you can also use these DNS service providers, since they already operate DNS-servers all around the world. The DNS-Resolver software described on & under this page will use the TLDs of these providers; see the list below. Two caveats a resolver operator should keep in mind: names under these TLDs are only as trustworthy as the provider serving them (they are not part of the ICANN root's DNSSEC chain of trust, so a validating resolver cannot verify them against the root trust anchor), and if ICANN later delegates the same TLD string in the mainstream root, the same name means two different things depending on which root a resolver asks.

There is also another type of "Alternative DNS Roots" ('''Alt Roots'''): those that truly mirror, and truly maintain an alternative to, the "Root-Servers" functions. We are not going to use those, and will not discuss these DNS-Servers or service providers thoroughly here for now. ICANN & IANA members have allowed & exhibited behaviour favouring only a few countries, rather than functioning as a neutral entity for the entire world, for various functions (especially) related to (censoring & filtering of) "Root-Servers" and TLD and SLD level DNS-Servers; a decision-making process for a system that is used for global exchange must involve all global participants, so that all sides benefit from it. As a consequence of these decisions by ICANN & IANA & their members, other global organisations, authorities & entities all around the world have expressed their concern and started to propose & create alternative root DNS-Servers. Newer designs are also appearing, like decentralized Root DNS-Servers and P2P Root DNS-Servers, which cannot be censored or filtered very easily. Some entities have simply placed DNS-Servers publicly all around the world as an alternative to the ICANN & IANA governed Root-Servers. These DNS-Server operators can '''truly''' be called "Alternative DNS Roots" ('''Alt Roots'''), "Alternative Root DNS Operators" ('''Alt.Root.DNS.Opr'''), or "Alternative Root DNS". Some of them also provide their own TLDs along with their special DNS-Server services.

If Tor exit-nodes, your own system, various server software, etc do not resolve all of those TLDs (from all types of TLD-Providers), then those alternative TLDs remain suppressed, which is not good. If every TLD can be queried and answered, we can communicate & exchange with more users & entities all around the world, and the chance of censorship is reduced.

Specific configuration lets us use all TLDs from all types of TLD-providers. The config files used on this page also come in an "Access All TLDs From All Type of TLD-Providers" edition, which is optimized for reaching the DNS-Servers of (almost all known mainstream, alternative & other) root, alt-root, TLD, SLD etc level providers all around the world (including all mainstream TLDs governed & operated by ICANN & IANA).

Currently, all config files are in "Access All TLDs From All Type of TLD-Providers" mode. ''(When other editions are added, to use the default root only, or fewer root servers, etc, this line will be removed.)''
|
|
|
|
|
|
Currently, all DNS-Resolver's config files (linked in this webpage) are pre-configured to resolve (almost all) TLDs, IDNs, IDN TLDs, domain-names, etc from these entities:
|
|
|
* [http://icann.org/ ICANN]^[wiki:doc/DnsResolver#ICANN (2)]^ (gTLDs Generic TLDs: 21 TLDs maintained by around 19 Sponsor/Operator/Registry entities).
|
|
|
* [http://www.iana.org/ IANA] (ccTLDs Country-Codes TLDs: 2 IANA TLDs, 255 ccTLDs, 39 IDN TLDs, 11 Test IDN TLDs).
|
|
|
* [http://42registry.org/ 42Registry] (".42" TLD).
|
|
|
* [http://ovh.co.uk/ OVH] (".ovh" TLD).
|
|
|
* [http://dot-bit.org dot-bit.org] (Namecoin) (".bit" TLD).
|
|
|
* [http://New-Nations.net New-Nations.net] (6 TLDs).
|
|
|
* [http://www.opennicproject.org/ OpenNIC] (15 TLDs).
|
|
|
* [http://www.cesidianroot.net/ CesidianRoot] (~84 TLDs).
|
|
|
* [http://i-DNS.net i-DNS] (17 TLDs, IDN TLDs, MultiLingual).
|
|
|
* [http://unifiedroot.com/ Unifiedroot] (~175 TLDs, IDN TLDs).
|
|
|
* [http://werebuild.telecomix.org/wiki/DNS Telecomix]^[https://cryptoanarchy.org/wiki/IRC#I2P_.26_IRC (2)]^ DNS (".tcx" TLD).
|
|
|
* [https://dn42.net/trac/wiki/DNS dn42.net] (".dn42" TLD).
|
|
|
|
|
|
|
|
|
= Prevent DNS Leaks in Windows/MacOS/Linux/Unix Platforms =

In Windows, the default local [wiki:doc/DnsResolver#DNS DNS] client resolver service cannot be told to refuse DNS queries for particular hostnames or domain-names, such as those ending in the .onion or .i2p [wiki:doc/DnsResolver#TLD TLD]. (These names are never meant to be looked up in DNS at all: .onion is a reserved special-use name under RFC 7686, which asks resolvers not to forward such queries, and .i2p names are resolved only inside I2P.) As a result, a query for such a name is sent to the external DNS servers listed in the network adapter's TCP/IP settings, and the external server, as well as anyone watching the path, learns which hidden service you were trying to reach.
|
|
|
|
|
|
|
|
|
This happens if someone types a *.onion host name (a "Hidden Service", HS, also called an onion service) into a non-Torified web-browser by mistake, or selects "Bypass Proxy Server" or a similar option in an IRC client and then tries to connect to an IRC server on a .onion host. It happens even though these programs are perfectly able to resolve *.onion hostnames without leaking any protocol when they are properly configured to go through the Tor SOCKS5 proxy server or tunnel: the hostname is then handed to Tor, which handles it itself, and the local DNS is never consulted.

DNS is doing exactly what it is supposed to do here, finding the IP address of a hostname or domain-name through the DNS/name server system, but in doing so (or merely trying to) it exposes & reveals the site(s) & service(s) that we intended to reach anonymously, through proxy servers or tunnels only. To prevent DNS queries for these kinds of hostnames even when they are used by accident or mistake, when a mis-configured program is started, or when we have forgotten to set the correct configuration, we can put in place at least these fail-safe mechanisms:
|
|
|
|
|
|
* Use 3rd Party Local DNS Servers/Resolvers, [wiki:doc/DnsResolver#Local_DNS_Resolvers here].
|
|
|
* Apply Windows Tweak and Registry Hacks, [wiki:doc/DnsResolver#Tweak_Windows here].
|
|
|
* Apply MacOS Tweaks, [wiki:doc/DnsResolver#Tweak_MacOS here].
|
|
|
* Configure Firewall as Failsafe To Prevent Leaks, [wiki:doc/DnsResolver#Tweak_Firewalls here].
|
|
|
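Whatever fail-safe you choose, you want to know whether a leak has already happened. As an added example (not code from this wiki page or from Unbound, BIND or Deadwood), the following Python scans resolver query-log lines for the special-use TLDs discussed above and reports which client machine sent them; a hit means some program on that client bypassed Tor or I2P. The log lines are constructed in the shape of Unbound's `log-queries: yes` output, and the client addresses and hostnames in them are placeholders.

```python
"""Flag DNS queries that should never have reached a DNS resolver.

Added example; not code from the wiki page or from Unbound/BIND/Deadwood.
It scans resolver query-log lines for special-use names (.onion, .i2p,
Tor's old .exit): such a query in the log means a program on the client
bypassed Tor/I2P and leaked the destination into DNS.
The sample log lines are constructed to look like Unbound's log-queries output.
"""
import re

# TLDs that must be handled only by the matching overlay software, never by DNS
# (.onion: RFC 7686; .i2p: I2P; .exit: deprecated Tor pseudo-TLD).
LEAK_TLDS = {"onion", "i2p", "exit"}

# Unbound 'log-queries: yes' line:
# "[unix-time] unbound[pid:tid] info: <client> <qname> <qtype> <qclass>"
UNBOUND_RE = re.compile(
    r"^\[(?P<ts>\d+)\]\s+unbound\[[^\]]+\]\s+info:\s+"
    r"(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)\s*$"
)

def tld_of(qname: str) -> str:
    """Last non-empty label, lowercased: 'Foo.ONION.' -> 'onion'; the root '.' -> ''."""
    labels = [lab for lab in qname.lower().split(".") if lab]
    return labels[-1] if labels else ""

def parse_line(line: str):
    """Dict of the fields of one log line, or None if the line is not a query log entry."""
    m = UNBOUND_RE.match(line)
    return m.groupdict() if m else None

def find_leaks(log_text: str) -> list:
    """Return (timestamp, client, qname) for every query whose TLD is in LEAK_TLDS.
    Lines that are not query entries are skipped; an empty list means nothing leaked."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and tld_of(rec["qname"]) in LEAK_TLDS:
            leaks.append((int(rec["ts"]), rec["client"], rec["qname"]))
    return leaks

def leaking_clients(log_text: str) -> dict:
    """Aggregate by client so the operator knows which machine to fix: {client: count}."""
    counts = {}
    for _ts, client, _qname in find_leaks(log_text):
        counts[client] = counts.get(client, 0) + 1
    return counts

# Constructed sample: four harmless lookups and two leaks from one client.
SAMPLE_LOG = """[1500000001] unbound[1234:0] info: 192.168.1.10 www.torproject.org. A IN
[1500000002] unbound[1234:0] info: 192.168.1.10 en.wikipedia.org. AAAA IN
[1500000003] unbound[1234:0] info: 192.168.1.22 someservice.onion. A IN
[1500000004] unbound[1234:0] info: 192.168.1.10 irc.example.net. A IN
[1500000005] unbound[1234:0] info: 192.168.1.22 stats.i2p. A IN
[1500000006] unbound[1234:0] info: 192.168.1.10 notonion.example. A IN
"""

if __name__ == "__main__":
    for ts, client, qname in find_leaks(SAMPLE_LOG):
        print("LEAK %d %s asked for %s" % (ts, client, qname))
```

Point `find_leaks` at your own resolver's log (for Unbound, enable `log-queries: yes` temporarily; it is verbose) to confirm that the fail-safes listed above actually work: after they are in place the list should stay empty even when a .onion name is typed into a non-Torified browser.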
|
|
|
|
|
|
{{{
#!html
<a name="Local_DNS_Resolvers"></a>
}}}

== 3rd Party Local DNS Servers (Windows) ==

Click to go to the section for your choice of 'DNS Server' (or 'DNS-Resolver'): [[#Deadwood Deadwood]], [[#Unbound Unbound]], [[#BIND BIND]].

Currently, all configuration files are pre-configured to perform like diagram C below:
|
|
|
{{{
#!html
<center>
<table border="0" cellpadding="0" cellspacing="0" width="99%" style="border: none;"><tr><td width=8 border="0" style="border: none; line-height: 0.75em;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7; line-height: 0.75em;"><tt><pre style="display:inline;">
[diagram C: box drawing of the DNS-Resolver software on your computer and the public DNS-Servers on the Internet side; the drawing itself is not reproduced in this copy]

diagram: C</pre>
</tt></td></tr></table></center><br />
}}}

Please use a Unicode font (for example DejaVu Sans Mono) to view the diagrams on this page properly (if the boxes or shapes do not appear aligned). The DNS-Servers on the Internet side (for public use) which appear in the diagram are explained on the '''[wiki:doc/DnsResolver/PublicDnsResolvers PublicDnsResolvers]''' page, and also on this page.
|
|
|
|
|
|
If you follow the "Short Note:" section under each configuration file's textbox, the DNS-Resolver software will instead perform like diagram B below:

{{{
#!html
<center>
<table border="0" cellpadding="0" cellspacing="0" width="99%" style="border: none;"><tr><td width=8 border="0" style="border: none; line-height: 0.75em;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7; line-height: 0.75em;"><tt><pre style="display:inline;">
[diagram B: box drawing of your DNS-Resolver querying the SLD-DNS servers directly; the drawing is not fully recoverable in this copy]

diagram: B</pre>
</tt></td></tr></table></center><br />
}}}
|
|
|
|
|
|
{{{
#!html
<a name="Deadwood"></a>
}}}

=== Deadwood (on Windows) ===

(1) '''Deadwood''' can be obtained from the [http://www.maradns.org/ MaraDNS] website. Get the MaraDNS win32 zip file; the 'deadwood' binary is included in it. Deadwood is the recursive, caching DNS-resolver part of the MaraDNS software. (The zip file also contains a Windows native binary of MaraDNS itself, which is a reasonably secure DNS client and recursive server, but the Windows build does not have all of the security features available in the Linux & Unix binaries; for the full feature set the source can be compiled under 'Cygwin'.) Neither MaraDNS nor Deadwood can do DNSSEC validation, so answers obtained through them are not cryptographically verified. Both work with IPv4 and IPv6. Here we will configure & use the 'Deadwood' part only.
|
|
|
|
|
|
* (2) Using Windows Explorer, go to the folder or Desktop location where you downloaded the "maradns-2-N-NN-win32.zip" file (where N is any digit 0~9). Right-click the zip file and select "Extract..", "Unzip..", "Decompress.." or "7-Zip --> Extract Files..". Copy the decompressed folder "Deadwood-N-N-NN-win32" (where N is any digit 0~9) into your "Program Files" folder (if your Windows is 32 bit, x86) or into the "Program Files (x86)" folder (if your Windows is 64 bit). Then rename the "Deadwood-N-N-NN-win32" folder to just "Deadwood".

* (3) Make a backup copy of the "dwood3rc.txt" file. Then open dwood3rc.txt for editing with a better free text editor such as Notepad++ or Notepad2; avoid the default Windows Notepad. Select all of the previous text and delete it. Change the file's character encoding from ANSI to "UTF-8" (without BOM, if given the option).

* (4) Click once anywhere inside the "dwood3rc.txt" textbox area on the webpage linked below, select all of the text by pressing Ctrl+A, and copy it with Ctrl+C (into the clipboard). Then go to your text editor's 'dwood3rc.txt' editing tab and paste with Ctrl+V:

* The Deadwood DNS server config file **'dwood3rc.txt'** is now at the following location/webpage:

[Deadwood / MaraDNS Server Config File](./doc/DnsResolver/maraDeadwoodDns) (wiki page doc/DnsResolver/maraDeadwoodDns).

* (5) We need a "Command Prompt" window with "Administrator" privilege (installing a Windows service requires it). Any one of the options below will suffice; use whichever is easier for you:

* If you are using Windows XP, log into Windows with a user account that is a member of the 'Administrators' group. Go to 'Start' menu --> Run, or hold the Windows Flag/Logo key and press the letter **R** once, then release both keys, and type:

```
cmd.exe ⏎
```

and then press `⏎` ('Enter' or 'Return') on the keyboard. A Windows "Command Prompt" window will appear.

* (In XP/Vista/7) If you are using a non-Administrator account, then to get a "Command Prompt" with Administrator privilege, type:

```
runas /noprofile /user:mymachine\administrator cmd.exe ⏎
```

In the above 'runas' command line you must change the word 'mymachine' to your computer's exact, actual name, and change 'administrator' to the name of a user on your computer who has 'Administrator' level privilege. After you enter the correct password for that user, another "Command Prompt" window will appear, running with 'Administrator' level privilege.

* In Vista/7, go to the 'Start' menu and search for "cmd". When found, right-click "cmd" or "cmd.exe" and select "Run as Administrator".

* (6) Go into the 'Deadwood' folder inside the "Command Prompt". Type one of the command lines below, whichever matches your Windows:

```
cd /d "C:\Program Files\Deadwood" ⏎
cd /d "C:\Program Files (x86)\Deadwood" ⏎
```

The instruction writer assumes here that your "Program Files" folder is on the C: drive. Change and adjust it to match your actual location.

* (7) To install Deadwood from inside the "Command Prompt" window that has 'Administrator' privilege, run the batch file by typing:

```
install.bat ⏎
```

The batch file first creates a 'secret.txt' file using the 'mkSecretTxt.exe' binary, writing 64 bytes (512 bits) of random data into it; Deadwood reads this file to seed the random number generator it uses for unpredictable query IDs and source ports, which is what makes spoofed answers (cache poisoning) hard to land. It then installs the 'deadwood.exe' binary as a Windows 'service' (so that it starts automatically when Windows starts up), and then starts the "Deadwood DNS cache" service. By default it listens for DNS queries on UDP port 53 of the 127.0.0.1 IP address.

* (8) Open "Network Settings" from the "Control Panel", or right-click the icon that looks like two networked computers (or a computer with a network cable) in the taskbar tray (usually the bottom-right corner of your screen) and select "Open Network Connections" (in XP) or "Open Network and Sharing Center" (in Vista/7/8). In Vista/7/8 click "Change Adapter Settings". Locate the Network Adapter (NIC) your computer uses to connect to the Internet (or router or gateway), click it once to select it, then right-click it and select 'Properties'. In the 'Properties' window, find the item "Internet Protocol version 4 (TCP/IPv4)" (in Windows Vista/7/8) or "Internet Protocol (TCP/IP)" (in Windows XP), click it once, then click the 'Properties' button. In the "Internet Protocol ..." window you will see either the existing or preferred DNS server IP address list under the "Use the following DNS server addresses" section, or the "Obtain DNS server address automatically" option pre-selected. If DNS server IP addresses exist, write them down on paper or in a text file, so that you can restore them later. Select "Use the following DNS server addresses", enter 127.0.0.1 as the **preferred** (primary, first) DNS server, and remove all other previous DNS server IP addresses (if an old upstream address is left as the alternate server, Windows can fall back to it and bypass the local resolver). Click 'OK' > 'OK' to save this new configuration. If you use or are going to use both TCP/IP v4 and TCP/IP v6, then, like the previous TCP/IP v4 steps, go into the TCP/IP v6 item's Properties window, enter ::1 as the **preferred** DNS IP address, remove all other DNS IP addresses, and save this configuration too.

* (9) Go to the [Test](./doc/DnsResolver/TestDnsResolving) section and run the test commands to check whether the local DNS server is working. Note: ping, nslookup, the web browser etc. should work, but the 'dig' tool may not work when using the Deadwood DNS server.

* (10) If everything appears to be working as expected, like the 'expected' result boxes in the Test section show, then temporarily disable Windows' default DNS resolver: hold the Windows Flag/Logo key and press R once, then release both keys. In the 'Run' window type "services.msc" (without the double quote symbols) and press `⏎` ('Enter' or 'Return'). In the 'Services' window find the "DNS Client" service (service name Dnscache; it may be listed as "Windows DNS Client"), click it once, then right-click it and select 'Properties'. In the 'Properties' window change "Startup type:" from 'Automatic' to 'Manual' or 'Disabled', and press OK. Close the 'Services' window.

<a name="Unbound"></a>

### Unbound (on Windows)

(1) **Unbound** can be obtained from the [Unbound](https://unbound.net/) website. Get the 'unbound_setup_N.N.NN.exe' Windows installer file (where N is any digit 0~9). Unbound is a validating (DNSSEC), recursive and caching DNS server. It can also be used as a stub resolver. It works with both IPv4 and IPv6. Install it using an 'Administrator' privileged Windows user account. By default it installs into the "C:\Program Files\Unbound" folder (on 32 bit or x86 systems) or into "C:\Program Files (x86)\Unbound" (on 64 bit or x64 systems); you must **install inside the "C:\Program Files\Unbound" folder** even on 64 bit systems (you may change the drive letter C: to another drive letter, but the folder must be "\Program Files\Unbound\"), because the "service.conf" file provided on the linked page refers to that path. The installer registers it as a Windows 'service', so that it starts automatically when Windows starts up. By default it listens for DNS queries on UDP port 53 of the 127.0.0.1 IP address.

* (2) Set the default character encoding in Firefox to UTF-8: go to the main menu > 'Tools' > 'Content' > 'Advanced' > change 'Default Character Encoding:' to 'Unicode (UTF-8)' > OK > OK. Then refresh or reload this webpage, either by pressing Ctrl+R or by pressing the 'F5' function key.

* (4) First, make a backup copy of the existing "service.conf" file: right-click it > select 'Copy', then place the mouse pointer on an empty area (in the right-hand pane) and right-click > select 'Paste'.

* (5) Open this "service.conf" file for editing. If you do not want to keep the Unicode characters intact (which are shown inside the "service.conf" textbox on the [doc/DnsResolver/unbound](doc/DnsResolver/unbound) page), then you can use the Windows Notepad text editor and skip sections '5b' and '6b' below. The "service.conf" file works without the Unicode characters, so steps '5b' and '6b' are optional (not required).

* (5b) To keep the Unicode characters intact, use a better free text editor such as Notepad++ or Notepad2. Install Notepad++ or Notepad2. Right-click the "Notepad++" or "Notepad2" icon and select "Run as Administrator" (in Windows Vista, 7, 8), or select "Run as" (in Windows XP) > select a user account that is a member of the 'Administrators' group > OK. In Notepad++ or Notepad2, go to 'File' > 'Open' > browse to "My Computer" or "Computer" > "C:\Program Files\Unbound\", select the "service.conf" file > 'Open'. Select all of the previous text (press Ctrl+A) and delete it. Then change the "service.conf" file's character encoding from "ANSI" to "UTF-8". Press Ctrl+S.

* (6) Save all of the text from the "service.conf" textbox area shown on the webpage linked below.

Step (6b) is now inside the linked webpage.

The Unbound DNS server config file **'service.conf'** is now inside the following linked webpage:

[Unbound DNS Server Config File](./doc/DnsResolver/unbound) (wiki page doc/DnsResolver/unbound).

If necessary, adjust the drive letter "C:\" (inside the "service.conf" file) to the one your computer's Windows actually uses. If your computer's (micro-)processor (CPU) has a single core (**one core**), follow the steps in the Tweak section. (After saving, you may close the text editor.) You may later see the [[#Tweak_Unbound Tweak Unbound]] section for more configuration options.

The Root Trust Anchors provided by [ICANN](./doc/DnsResolver#ICANN) are [here](https://data.iana.org/root-anchors/). The Root Zone file is [here](http://www.internic.net/domain/root.zone). Note: you do not need to download the Root Zone file, because the DNS system itself delivers its data to DNS servers on demand, as long as you have a correct root hints file.

<a name="named_cache"></a>

* (7) **named.cache**: this is the "root hints file" (for the [ICANN](./doc/DnsResolver#ICANN)/IANA/VeriSign/PIR/etc root). A hints file is a list of the names and IP addresses of the root nameservers; it is the starting point of every recursive lookup, so its contents must come from a trustworthy source. If you do not see the file "named.cache" inside the "C:\Program Files\Unbound\" folder, create a text file, rename it to "named.cache", and copy-paste the contents of the textbox below into it (if using Notepad++ or Notepad2, keep the character encoding as ANSI). You can get the original 'named.cache' (also known as 'named.root') file directly from [internic.net](http://www.internic.net/domain/named.root) (http), or with an ftp client from [internic.net](ftp://ftp.internic.net/domain/) (ftp), or view it on [iana.org](https://www.iana.org/domains/root/servers).

**named.cache** (only the last lines of the file survived here; take the complete, current file from the sources above):

```
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
; End of File
```
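The root hints file is the one input Unbound trusts unconditionally, so it is worth checking before it goes into the Unbound folder. The script below is an added example (not part of this page, of Unbound, or of the IANA tooling): it parses a named.cache file in the format shown above and reports syntax errors, root NS entries without A/AAAA glue, glue for a server that is not listed as a root NS (a planted address), and addresses that cannot belong to a root server. The embedded sample is a constructed excerpt: the M.ROOT-SERVERS.NET lines are the ones shown above, the A.ROOT-SERVERS.NET lines are as published by IANA and should be re-checked against the current file, and the tampered copy is invented to show what a planted line looks like.

```python
"""Check a root hints file (named.cache / named.root) before giving it to Unbound.

Added example for this page; not code from Unbound, MaraDNS or IANA.
The file format is the one shown on this page: 'owner TTL [IN] type rdata',
';' starts a comment, and the IANA file uses only NS, A and AAAA records.
"""
import ipaddress
import sys

# Constructed excerpt in named.cache format (NOT the complete file).
# The M.ROOT-SERVERS.NET lines are the ones shown on this page; the
# A.ROOT-SERVERS.NET lines are as published by IANA and must be re-checked
# against the current named.root before use.
SAMPLE_HINTS = """\
; constructed excerpt
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File
"""

# Constructed tampered copy: an extra glue record for a server that is not a
# root NS, pointing at a private address. It shows what a planted line looks
# like to the checker.
TAMPERED_HINTS = SAMPLE_HINTS + "X.ROOT-SERVERS.NET.  3600000  A  192.168.1.1\n"


def parse_hints(text):
    """Return a list of (owner, ttl, type, rdata) tuples; owner is lowercased.
    Raises ValueError on a line that is not a 4-field (or 5-field with IN) record."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 5 and fields[2].upper() == "IN":
            del fields[2]                       # class IN is optional in hint files
        if len(fields) != 4:
            raise ValueError("line %d: expected 'owner TTL type rdata', got %r" % (lineno, raw))
        owner, ttl, rtype, rdata = fields
        if not ttl.isdigit():
            raise ValueError("line %d: TTL %r is not a number" % (lineno, ttl))
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def check_hints(text):
    """Return a list of human-readable problems; an empty list means the file passed."""
    problems = []
    records = parse_hints(text)
    # Names the file delegates the root zone to.
    ns_names = {rdata.lower() for owner, _, rtype, rdata in records
                if rtype == "NS" and owner == "."}
    if not ns_names:
        problems.append("no NS records for the root zone '.'")
    glue = {}                                   # owner -> set of glue types seen
    for owner, _, rtype, rdata in records:
        if rtype == "NS":
            if owner != ".":
                problems.append("NS record for %s: a hints file should only delegate '.'" % owner)
            continue
        if rtype not in ("A", "AAAA"):
            problems.append("unexpected %s record for %s" % (rtype, owner))
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            problems.append("%s has a malformed %s address %r" % (owner, rtype, rdata))
            continue
        if (rtype == "A") != (addr.version == 4):
            problems.append("%s: %s record holds an IPv%d address" % (owner, rtype, addr.version))
        if not addr.is_global:                  # loopback, private, link-local, ...
            problems.append("%s points at non-global address %s" % (owner, addr))
        if owner not in ns_names:               # glue nobody delegates to: planted?
            problems.append("glue for %s but it is not listed as a root NS" % owner)
        glue.setdefault(owner, set()).add(rtype)
    for name in sorted(ns_names):               # every root NS needs both glue types
        for rtype in ("A", "AAAA"):
            if rtype not in glue.get(name, set()):
                problems.append("%s has no %s glue" % (name, rtype))
    return problems


if __name__ == "__main__":
    # Hypothetical usage: python check_hints.py named.cache
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HINTS
    found = check_hints(source)
    print("\n".join(found) if found else "root hints look sane")
    sys.exit(1 if found else 0)
```

Run it against the real file (the script name is an assumption) with `python check_hints.py "C:\Program Files\Unbound\named.cache"`; an empty problem list is the expected result. Comparing the file you have against a fresh download from internic.net, as step (7) describes, is the other half of the check, which no local parser can replace.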

* (8) Open or run the "Command Prompt" (cmd.exe) utility.

* (9) Go into the 'Unbound' folder inside the "Command Prompt". Type the command line below:

```
cd /d "C:\Program Files\Unbound" ⏎
```

The instruction writer assumes here that the "Program Files" folder containing 'Unbound' is on the C: drive. Change and adjust it to match your actual location. The ⏎ symbol indicates that you have to press `⏎` ('Enter' or 'Return') on the keyboard.

* (10) Run **unbound-checkconf.exe** inside the "Command Prompt" window (while you are inside the **C:\Program Files\Unbound>** folder). If you receive an error message like the one below:

```
C:\Program Files\Unbound\service.conf:1 error: unknown keyword '#'
C:\Program Files\Unbound\service.conf:1 error: unknown keyword 'BEGIN'
...
read C:\Program Files\Unbound\service.conf failed: 12 errors in configuration file
```

then the error indicates that Unbound is not able to process the UTF-8 encoded "service.conf" file (the very first line being misread is the classic symptom of a UTF-8 byte-order mark at the start of the file, so if your editor offers "UTF-8 without BOM", that variant may work as well). Change the "service.conf" file's character encoding back to "ANSI", save with Ctrl+S, and run **unbound-checkconf.exe** ⏎ again. Then right-click a "Command Prompt" (cmd or cmd.exe) icon and select "Run as Administrator"; in that "Command Prompt" window stop the "Unbound DNS validator" service by running **net stop unbound** ⏎, wait about 30 seconds, and then start the service again by running **net start unbound** ⏎.

* (11) Inside the "Command Prompt" window, run the command below. This utility first runs a few tests: whether the root anchor file (root.key) works, and whether an update to a newer 'root.key' is possible. If an update is possible it connects, by default, to IANA's https site (the [ICANN](./doc/DnsResolver#ICANN)/IANA operated data.iana.org, where the Root Trust Anchors linked above are published), fetches 'root-anchors.xml' over an https connection, and checks the result against the root update certificate. If all checks succeed, it updates the root anchor file, which is used for DNSSEC validation of domains, SLDs and TLDs. Before running "unbound-anchor" you must have synced your computer's clock with NTP (preferably in secure mode), that is, adjust, update or sync your computer's time with an "Internet Time Server" using your "NTP client" software (use an up-to-date time server address, close to your location), because "unbound-anchor" checks the validity period of the certificate and signature against the system clock; with a wrong clock the update fails. (You can also get free 'NTP server' software which provides NTP data to NTP clients; these obtain time from an atomic clock, a radio clock, a preset time, or another time server, etc.)

```
unbound-anchor.exe -C service.conf ⏎
```

More info: [unbound-anchor.html](https://unbound.net/documentation/unbound-anchor.html) (Unbound.net). If no error appears then you are fine to use the existing "root.key" and "service.conf" files. If you receive a "Windows Security Alert" from "Windows Firewall" (in Windows Vista, 7, 8) saying that it has blocked Internet access for the "unbound-anchor.exe" utility, then allow it: select the "Private Networks,.." and "Public Networks,.." options > click 'Allow Access' > run the above command again.

* (12) Open "Network Settings" from the "Control Panel", or right-click the icon that looks like two networked computers (or a computer with a network cable) in the taskbar tray (usually the bottom-right corner of your screen) and select "Open Network Connections" (in XP) or "Open Network and Sharing Center" (in Vista/7/8). In Vista/7/8 click "Change Adapter Settings". Locate the Network Adapter (NIC) your computer uses to connect to the Internet (or router or gateway), click it once to select it, then right-click it and select 'Properties'. In the 'Properties' window, find the item "Internet Protocol version 4 (TCP/IPv4)" (in Windows Vista/7/8) or "Internet Protocol (TCP/IP)" (in Windows XP), click it once, then click the 'Properties' button. In the "Internet Protocol ..." window you will see either the existing or preferred DNS server IP address list under the "Use the following DNS server addresses" section, or the "Obtain DNS server address automatically" option pre-selected. If DNS server IP addresses exist, write them down on paper or in a text file, so that you can restore them later. Select "Use the following DNS server addresses", enter 127.0.0.1 as the **preferred** (primary, first) DNS server, and remove all other previous DNS server IP addresses (if an old upstream address is left as the alternate server, Windows can fall back to it and bypass Unbound, which defeats the validation). Click 'OK' > 'OK' to save this new configuration. If you use or are going to use both TCP/IP v4 and TCP/IP v6, then, like the previous TCP/IP v4 steps, go into the TCP/IP v6 item's Properties window, enter ::1 as the **preferred** DNS IP address, remove all other DNS IP addresses, and save this configuration too.

* (13) Stop the running "Unbound DNS validator" Windows service, wait about 30 seconds, and start it again. See Unbound step (10) for how to use the **net** commands.

* (14) Go to the [Test DNS Resolving](./doc/DnsResolver/TestDnsResolving) page or section and run the test commands to check whether the local DNS server is working.

* (15) If everything appears to be working as expected, like the 'expected' result boxes in the Test section show, then temporarily disable Windows' default DNS client or DNS resolver: hold the Windows Flag/Logo key and press R once, then release both keys. In the 'Run' window type "services.msc" (without the double quote symbols) and press `⏎` ('Enter' or 'Return'). In the 'Services' window find the "DNS Client" service (service name Dnscache; it may be listed as "Windows DNS Client"), click it once, then right-click it and select 'Properties'. In the 'Properties' window change "Startup type:" from 'Automatic' to 'Manual' or 'Disabled', and press OK. Close the 'Services' window.


{{{
#!html
<a name="BIND"></a>
}}}

=== BIND (on Windows) ===

'' Will be added later, please wait, thanks. Or add your data. ''

{{{
#!html
<a name="Tweak_Windows"></a>
}}}

== Windows Tweak and Registry Hacks ==

There are some Windows-related tweaks (fine-tuning) and registry hacks that prevent some DNS leaks, or prevent them partially (in Windows XP, Vista, 7, 8). This section explains how to apply them.

=== Block Domains/Hostnames Using hosts file ===

Using 'Windows Explorer', go to the C:\Windows\System32\Drivers\etc folder. Start the Notepad++ or Notepad2 text editor and open the file 'hosts' for editing (if you do not have either editor, search the Internet, then download and install one). Find the line which has:[[BR]]
{{{
127.0.0.1 localhost
}}}

Under that line, or at the end of the 'hosts' file, add the lines below:
{{{
#!html
<center>
<b>hosts</b><br />
<textarea name="hosts" id="hosts" rows="10" cols="45" readonly="readonly" style="text-align: left;">
127.0.0.3 stats.i2p
127.0.0.3 inr.i2p
</textarea></center><br />
}}}

In the textbox above, a few known onion web-sites or web-services (called "Hidden Services" in Tor terms) are listed, together with a few i2p web-sites and web-services (known as "eepsites" in i2p terms).

Add all .onion and .i2p addresses which you visit or may visit to your 'hosts' file, so that, by accident or because of a mis-configuration, your software cannot connect to them or try to resolve them through the direct Internet connection, because these sites and services are supposed to be reached only through proxy tunnels or servers.

The 'hosts' file does not accept wildcard symbols like * and has no mechanism to use just one line to filter "all" or "any" domains which end in ".onion", so each domain name has to be specified one by one. However, a third-party DNS server's config file can accept the wildcard * symbol or has a mechanism to specify "any" or "all" domains or TLDs, etc.
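As an added example (not part of the original article), the script below parses a constructed 'hosts' file and lists which .onion / .i2p names would still leak to the real resolver because hosts matching is whole-name only; it also prints the Unbound local-zone lines that cover a whole TLD, which the hosts file cannot do. The sample entries and names in it are placeholders.

```python
"""Added example (not from the original article): check which names a
Windows 'hosts' file really keeps away from the network resolver.

The hosts file matches whole names only, no wildcards, so every .onion
and .i2p name has to be listed one by one; a name that is not listed
falls through to the configured DNS server. HOSTS_TEXT below is a
constructed sample and the names in it are placeholders."""

HOSTS_TEXT = """\
# constructed sample hosts file
127.0.0.1   localhost
127.0.0.3   stats.i2p
127.0.0.3   inr.i2p            # trailing comments are ignored
127.0.0.3   placeholder-example.onion
"""


def parse_hosts(text):
    """Map each listed hostname (lower-cased) to its address.

    Simplification for this check: the first address listed for a name wins."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # address with no name: ignore
        address, names = fields[0], fields[1:]
        for name in names:
            entries.setdefault(name.lower().rstrip("."), address)
    return entries


def hosts_answer(entries, name):
    """Address the hosts file gives for `name`, or None when the lookup
    would leak to the real resolver. Whole-name, case-insensitive match."""
    return entries.get(name.lower().rstrip("."))


def uncovered(entries, names, blocked_tlds=("onion", "i2p")):
    """Names under a TLD that must never reach the resolver but are missing
    from the hosts file. This is the list to add, one line per name."""
    leaks = []
    for name in names:
        tld = name.lower().rstrip(".").rsplit(".", 1)[-1]
        if tld in blocked_tlds and hosts_answer(entries, name) is None:
            leaks.append(name)
    return sorted(leaks)


def unbound_local_zones(tlds=("onion", "i2p")):
    """What a real DNS server can do that the hosts file cannot: one
    Unbound 'local-zone' line answers a whole TLD locally ('static' returns
    NXDOMAIN or NODATA for every name under it that has no local-data)."""
    return ['local-zone: "%s." static' % tld for tld in tlds]


if __name__ == "__main__":
    table = parse_hosts(HOSTS_TEXT)
    wanted = ["stats.i2p", "other.i2p", "www.example.com", "another.onion"]
    print("missing from hosts:", uncovered(table, wanted))
    print("\n".join(unbound_local_zones()))
```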

Notes: On Windows computers, if you have difficulty saving your changes to the HOSTS file, you may need to explicitly give your user account Full Control security permissions on the HOSTS file. If you do not know how to do this, from Windows Explorer, right-click HOSTS, choose Properties/Security/Edit/Add, type the name of your user account, click Check Names/OK, click on your user account in the top box, click on Full Control in the lower box, then click OK to close each of the dialogue boxes and apply the changes. Also, modifying the HOSTS file may cause Windows Defender to detect the HOSTS file as malware. [http://support.microsoft.com/kb/2764944 See Microsoft Knowledge Base article 2764944.]

=== Change Unbound Service Running Priority Affinity ===

If the 'Unbound DNS Validator' Windows service often or periodically uses too much CPU (or causes responsiveness issues on your computer, mostly seen on Windows XP), and only then, apply one of the tweaks which suits your need, or which you prefer and find easier, from the page below:[[BR]]
[[BR]]
[wiki:doc/windowsServiceProcessThreadPriorityAffinity Windows Service Process Thread Priority Affinity] ({{{[wiki:doc/windowsServiceProcessThreadPriorityAffinity]}}}) page.

In the page linked above, change the word "vidalia.exe" to "unbound.exe", and "vidalia" to "unbound".

{{{
#!html
<a name="Test_DNS_Resolver"></a>
}}}

= Test DNS Resolving Functionality =

This section is now here:[[BR]]
[[BR]]
[wiki:doc/DnsResolver/TestDnsResolving Test DNS Resolving] ({{{[wiki:doc/DnsResolver/TestDnsResolving]}}}) page.

{{{
#!html
<a name="Verify_DNSSEC"></a>
}}}

= How To Verify If DNSSEC is Working =

Run the command below inside a "Command Prompt" window.[[BR]]
'''{{{dig com. any +dnssec}}}''' ⏎

If your DNS server is capable of DNSSEC validation, then you will see a result similar to the one below, which is the expected result:
{{{
#!html
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt><pre style="display:inline;">
; <<>> DiG 9.3.2 <<>> com. any +dnssec
;; global options: printcmd
;; WHEN: Sun Aug 19 02:09:05 2012
;; MSG SIZE rcvd: 844</pre>
</tt></td></tr></table><br />
}}}

Notice in the box above that '''ad''' is present in the '''flags:''' line. It indicates that this query was answered with the AD (Authenticated Data) bit set, which means DNSSEC validation was successful. Also, the '''DS''' (Delegation Signer) record is normally present in the parent zone's servers, which here is the root zone, because we queried a TLD.

If you run '''{{{ dig mozilla.org. any +dnssec }}}''' ⏎ then you will see a result similar to the one below, and such a result is expected:
{{{
#!html
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt><pre style="display:inline;">
; <<>> DiG 9.3.2 <<>> mozilla.org. any +dnssec
;; global options: printcmd
;; WHEN: Wed Aug 22 08:20:05 2012
;; MSG SIZE rcvd: 651</pre>
</tt></td></tr></table><br />
}}}
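The same check done without dig, as an added example that is not part of the original article: it builds the query that `dig ... +dnssec` sends (an EDNS0 OPT record carrying the DO bit), reads the AD flag and rcode back out of the reply, and can send it over UDP or TCP to the local resolver (assumed, as configured above, to be 127.0.0.1 port 53). The replies it is tested against are constructed headers, not captured traffic.

```python
"""Added example (not the article's own code): build the query that
`dig com. any +dnssec` sends (EDNS0 OPT record with the DO bit) and read
the AD flag out of the reply, which is the check the text above describes.
query_udp()/query_tcp() talk to the local resolver on 127.0.0.1:53 and are
only called from main(); the parser is exercised on constructed replies."""
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "DS": 43, "DNSKEY": 48, "ANY": 255}


def encode_name(name):
    """'com.' -> b'\\x03com\\x00' (wire-format labels, root label last)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="ANY", txid=0x1234, dnssec=True):
    """Header: id, flags 0x0100 (RD), QDCOUNT=1, ARCOUNT=1 for the OPT RR.
    The OPT pseudo-RR carries UDP size 4096 and the DO bit (0x8000) in its
    TTL field; that DO bit is what +dnssec adds to a plain query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    opt = b""
    if dnssec:
        # root name, TYPE=OPT(41), CLASS=payload size, TTL=flags(DO), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)
    return header + question + opt


def parse_flags(reply):
    """Header flags as dig prints them in its 'flags:' line, plus rcode."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    names = [label for bit, label in (
        (0x8000, "qr"), (0x0400, "aa"), (0x0200, "tc"), (0x0100, "rd"),
        (0x0080, "ra"), (0x0020, "ad"), (0x0010, "cd")) if flags & bit]
    return {"id": txid, "flags": names, "rcode": flags & 0x000F, "answers": an}


def dnssec_validated(reply):
    """True only when the resolver set AD: the answer chained up to a trust
    anchor. NOERROR without AD means an unsigned zone or a non-validating
    resolver; SERVFAIL (rcode 2) is what a failed validation looks like."""
    info = parse_flags(reply)
    return "ad" in info["flags"] and info["rcode"] == 0


def tcp_frame(message):
    """DNS over TCP prefixes every message with its 2-byte length."""
    return struct.pack("!H", len(message)) + message


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(name, qtype="ANY", server="127.0.0.1", port=53, timeout=3.0):
    """One UDP query to the local resolver; returns the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, port))
        return s.recv(4096)


def query_tcp(name, qtype="ANY", server="127.0.0.1", port=53, timeout=3.0):
    """The same query over TCP (what `dig +tcp` does), length-prefixed."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(name, qtype)))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


# Constructed replies (header + echoed question, no answer records):
# 0x81A0 = qr rd ra ad, as in the com. output above; 0x8182 = qr rd ra with
# rcode 2 (SERVFAIL), which is what a validation failure returns.
_QUESTION = encode_name("com.") + struct.pack("!HH", QTYPE["ANY"], 1)
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 0, 0, 0) + _QUESTION
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    reply = query_udp("com.")
    info = parse_flags(reply)
    print("flags:", " ".join(info["flags"]), "rcode:", info["rcode"])
    print("DNSSEC validated:", dnssec_validated(reply))
```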

{{{
#!html
<a name="Tweak_Firewalls"></a>
}}}

= Configure Firewall as Failsafe To Prevent Leaks =

''Content coming soon. Mostly Windows, MacOS related.''[[BR]]

The "tor.exe", "vidalia.exe", "firefox.exe", etc. use specific sets of ports to communicate with each other, and specific port patterns to communicate with Internet servers. We will add rules to the firewall rules table for such valid and known ports and communications, so that any unwanted, accidental or misconfigured connection attempts can be blocked.

= Tweaks (DNS Server/Resolver) =

Use the sections below to configure further to suit your needs.

{{{
#!html
<a name="Tweak_Unbound"></a>
}}}

== Tweaking Unbound ==

Basic-level configuration is shown and used inside the [[#Unbound Unbound]] section. The "[wiki:doc/DnsResolver/unbound#unbound_conf service.conf]" file shown there is pre-configured to function by default as a Validating Recursive Caching DNS Server, which uses multiple external Recursive Servers for the (".") Root Zone; Unbound will also resolve other TLDs and domains which exist in and are provided by alternative root DNS providers or operators, other than the "[wiki:doc/DnsResolver#ICANN ICANN]/IANA/VeriSign/PIR/etc governed or operated Root DNS servers".

== Different Options for Root Zone ==

If you want to use fewer Recursive or Caching DNS server(s), which use at least the "[wiki:doc/DnsResolver#ICANN ICANN]/IANA/VeriSign/PIR/etc governed or operated Root DNS Servers" for the Root Zone (.), then search for the words ''' [ROOT ZONE] ''' inside the "service.conf" file, and read the various options and choices.

== Unbound is Not Able To Resolve Some Sites ==

When Unbound is not able to resolve some sites which are under the "[wiki:doc/DnsResolver#ICANN ICANN]/IANA/VeriSign/PIR/etc governed or operated Root DNS Servers", find (Ctrl+F) the lines below (the ''' forward-zone: ''' and ''' name: "." # [Root.Zone] ''' configuration lines) inside the "service.conf" file. Then you can either disable some of the ''' forward-addr: ''' lines (by placing a # sign in front of them), or remove all of the lines that follow those two. If you have disabled or removed all ''' forward-addr: ''' lines (after the ''' name: "." # [Root.Zone] ''' configuration line), then also disable the two lines below:
{{{
#!html
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt><pre style="display:inline;">
forward-zone:
name: "." # [Root.Zone]
</pre># Chaos Computer Club (Berlin) DNS: censor-free, http://www.chaoscomputerclub.de/en/censorship/dns-howto<br /><pre style="display:inline;">
forward-addr: 213.73.91.35</pre>
</tt></td></tr></table><br />
}}}

* If you have information, facts or reasons to trust your ISP-provided DNS servers, then you may add just your ISP-provided (external) DNS servers, or add just one or a set of very TRUSTWORTHY (external) DNS server IP addresses (each as a ''forward-addr:''), below the ''' name: "." # [Root.Zone] ''' configuration line (as shown above). If you are going to use your ISP's (recursive/caching) DNS servers, then also add the 13 root server IP addresses shown inside the "named.cache" file. Some TRUSTWORTHY DNS servers are already mentioned under the [ROOT ZONE] section inside the "service.conf" file. In the example box above, the CCC DNS is shown; you may change it or add more based on your preference. When you want to add or use external DNS servers, each IP address must go on a separate line, and each IP address must be specified after a 'forward-addr:' configuration command (without the single-quote symbols).

{{{
#!html
<a name="Recursive_Caching_Resolver"></a>
}}}

== Turn Off DNSSEC Validation And Use As Caching DNS Server ==

The current Unbound "service.conf" is pre-configured to function as a Validating Recursive Caching DNS Server. If you do not want to use the DNSSEC validation functionality, you can disable it with the steps shown in the box below. In the "service.conf" (or "unbound.conf") file, search (Ctrl+F) for the lines mentioned below which have the ''' # ''' (hash/pound) symbol at the beginning (but do not include the # sign in the search text). Once you find such a line, add the # symbol at its beginning, and if the next line (the one in the box below without a # symbol at its beginning) does not exist inside the "service.conf" file, then add that line:
{{{
#!html
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt><pre style="display:inline;">
#module-config: "validator iterator"
module-config: "iterator"</pre>
# Optional step, you may disable below line like this:<br />
#dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
</tt></td></tr></table><br />
}}}

The settings above turn off the "DNSSEC Validator" portion of Unbound and turn it into a Recursive Caching DNS server only.

{{{
#!html
<a name="Specific_Nameserver"></a>
}}}

== Use Specific Nameservers for Specific Sites ==

If you need to force the use of a very specific set of DNS or name servers for a very specific website or domain name, and for all sub-domains under it, then follow this:
{{{
#!html
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt>
# If you use Deadwood / MaraDNS then use below one line:<br />
upstream_servers["example1.com."]="ip.adrs.dns.N1, ip.adrs.ns.N2"<br />
stub-zone:<br /><pre style="display:inline;">
name: "example1.com."
stub-host: name.server1.net.
stub-host: name.server2.net.
stub-addr: ip.adrs.dns.Numbers1
stub-addr: ip.adrs.ns.Numbers2</pre>
</tt></td></tr></table><br />
}}}

Change "example1.com" to your desired website or domain name, and change ''ip.adrs.dns.Numbers1'' and ''ip.adrs.ns.Numbers2'' to the correct IP address numbers for that website. As in the examples above, keep the '''.''' (dot) at the end of a domain name or name server in ''stub-host'' configuration lines wherever the example above uses it. For more info, search for the [SIGNED TLD] and [UNSIGNED TLD OR ROOT] sections inside the "service.conf" file.

* If you don't have the name server's or DNS server's (FQDN) hostname, then disable the lines which have ''name.server1.net.'' or ''name.server2.net.'' by placing a # (hash/pound) sign as the first character of that line. If you don't have the actual IP address, then disable the lines which have ''ip.adrs.dns.Numbers1'' or ''ip.adrs.ns.Numbers2''.

* If your desired domain name, site or TLD is DNSSEC signed, then add a 'trust-anchor:' for it; see the "service.conf" file for further info.

* If a ''stub-host:'' name server's hostname uses a TLD which is not supported by the "[wiki:doc/DnsResolver#ICANN ICANN]/IANA/VeriSign/PIR/etc governed or operated Root DNS Servers", then use a ''forward-zone:'' for each of those ''stub-host:'' hostnames, and also add that TLD to the 'domain-insecure:' section if the TLD is not DNSSEC signed.

{{{
#!html
<a name="Add_Unsigned_Or_Signed_Dom"></a>
}}}

== Add Unsigned or Signed TLD from Other or Alt Root DNS Providers ==

Inside the "unbound.conf" or "service.conf" file, look (Ctrl+F) for these words: ''' [UNSIGNED TLD OR ROOT] ''' to go to the related section. Also see the section above. Those sections give further instructions on what to do when you want to add new or more TLDs, what you need to do if you want to move or add DNSSEC-signed TLDs, and what you need to do for zones, domain names, etc.

* If you obtained '''caching''' DNS server IP addresses (or hostnames) which can also resolve your desired site, domain name or TLD instantly, and you do not want DNSSEC validation, or those domain names or TLDs are not DNSSEC signed, then those can also be added using the 'forward-zone:' and 'domain-insecure:' configuration lines.

* For DNSSEC validation to work for a (signed) site, domain name or TLD, your (third-party) DNS resolver must connect directly with the "Authoritative" DNS server which holds the AA, SOA DNS records of that exact domain name or TLD, and it must also be DNSSEC signed; DNSSEC validation will then work for all signed SLDs under DNSSEC-signed TLDs which are from the [wiki:doc/DnsResolver#ICANN ICANN]/IANA/VeriSign/PIR/etc entity.

* If your desired site, domain name or TLD exists outside of the [wiki:doc/DnsResolver#ICANN ICANN]/IANA/VeriSign/PIR/etc entity and is DNSSEC signed, then you must add those DNSSEC public keys, either by using a file and the 'trust-anchor:' configuration command, or by adding them directly in the "service.conf" file. You can also run your own DLV-supported DNS server to assist DNSSEC validation for such a TLD, and for any future SLDs, third-level domains, etc. under it. A second DNS resolver configured to use another DLV (and DNSSEC data) can be queried from the main (or first) DNS resolver to resolve your own custom-created TLDs, SLDs, etc.

{{{
#!html
<a name="One_Core_Unbound"></a>
}}}

== Re-Configure Unbound To Use One Core/CPU ==

Currently, the "service.conf" is configured for a dual-core CPU and uses 2 threads. On a single-core (or 1 CPU) computer, use 1 thread. In the "service.conf" (or "unbound.conf") file, search (Ctrl+F) for the lines mentioned below which have the ''' # ''' (hash/pound) symbol at the beginning (but do not include the # sign in the search text). Once you find such a line, add the # symbol at its beginning, and if the next line (the one in the box below without a # symbol at its beginning) does not exist inside the "service.conf" file, then add that line:
{{{
#!html
<table border="0" cellpadding="0" cellspacing="0" width="95%" style="border: none;"><tr><td width=8 border="0" style="border: none;"> </td><td border="1" style="border: 1px solid #d7d7d7; padding: 0.25em; background: #f7f7f7;"><tt><pre style="display:inline;">
#num-threads: 2
num-threads: 1
#key-cache-slabs: 2
key-cache-slabs: 1</pre>
</tt></td></tr></table><br />
}}}

{{{
#!html
<a name="TCP_UDP_DNS"></a>
}}}

== Use UDP And TCP DNS Query And Answer ==

To allow Unbound to connect with DNS/nameservers using TCP- or UDP-based DNS connections, and to allow a UDP answer for a UDP query and a TCP answer for a TCP query, make sure your "service.conf" file has these configuration lines in this format:
{{{
do-udp: "yes"
do-tcp: "yes"
}}}
Most software and the DiG tool use UDP DNS by default; to send a TCP DNS query, see the example [wiki:doc/DnsResolver/TestDnsResolving#Test_Via_TCP_DNS here].

{{{
#!html
<a name="TCP_Only"></a>
}}}

== Force Unbound To Use TCP With DNS/Nameservers ==

To force Unbound to connect with DNS/nameservers using TCP-based connections, make sure your "service.conf" file has these configuration lines in the format below. This is also useful when you are using TCP-based tunnels or proxy servers (like the Tor proxy), etc.:
{{{
#tcp-upstream: "no"
tcp-upstream: "yes"
}}}

{{{
#!html
<a name="Connect_With_Nameservers_From_Exit-Node"></a>
<a name="Unbound_And_Transparent_Proxy"></a>
<a name="Torify_Unbound"></a>
}}}

== Use Unbound In VM, a VM Dedicated Only For Tor ==

(1) Install your choice of [wiki:doc/VM VM] solution from [wiki:doc/VM this] page. (2) Implement anonymizing and Torification for the various components of the OS, all software, hardware, etc. (3) Go to the [wiki:doc/DnsResolver/TorifyUnbound Torify Unbound] page for more detailed instructions/guidelines.

= Credits =

''' This entire article & ALL articles under it and this project & ALL projects under it are written & developed by Bry8Star. '''

By Bry8Star. '''Copyright''' (c) 2012 Bry8Star (bry8star a.t yahoo d.o.t com).

Other Co-Author(s) (a section or project which is written or developed by another author or developer will mention his/her name):

By adrelanos. Copyright (c) 2012 adrelanos. These sections: [wiki:doc/DnsResolver#adrelanos_1 1], [wiki:doc/DnsResolver#adrelanos_2 2].

* Credit also goes to freenode & other IRC network users: 'Olipro', 'detha', 'tareek', 'mjt', 'PZt', and, to OFTC IRC network users: 'velope', 'Riastradh', 'linus', and, to CesidianRoot user: 'Kai', and, to Unbound.net Mail List users: 'Leen Besselink', 'Jan-Piet Mens', 'Paul Wouters', 'Anders Sundman', and, to TorProject.org Mail List users: 'Ondrej Mikle', among many others, for their help & helpful suggestions & helpful data on solving various configuration and blocking related issues, accessing all TLDs, hardening DNSSEC config, etc., related to this article.

{{{
#!html
<a name="Disclaimer"></a>
}}}
|
|
|
'''Disclaimer''': If you make mistake in following, any of these "general" steps & guidelines mentioned here in these article, it will NOT be good at all for your system, so be warned, search for each word which you don't understand, on Bing or Yahoo or Google or DuckDuckGo search engine sites, and search in documents and books, before actually following any of these steps. No Warranty. No Guarantee. If you wish & want to use, use at your own risk. Instruction writer(s) has(/have) tested and found these steps to be effective on his/her(/their) computer's OS + software + hardware + internal-network + external-network, etc environment + configuration + settings + features + restrictions, etc combinations. These factors & combinations cannot be 100% same on your case. Instruction writer(s) is(/are) assuming, users who will follow these steps are familiar with these steps, at least have done such once or twice before and very recently, effectively and correctly. Instruction writer will not be (and cannot be held) responsible in any way for your mistakes, or for your lack of experties, or for your lack of understanding, or for your lack of not following these general instructions, or for not converting them to a practical level in correct manner for your case, or for not learning effectively more on these, or for not realizing the patterns to suit with & modify for your case, or for any conflict or for any type of any loss which may or will occur with any current or any future component, event, etc, or, for any reason. Everything is changing all the time, so you will need to improve & adopt better solution(s) which suits you, your need(s), that is your responsibility. Adopt such solution(s) which is(/are) (or will be) better for majority, or will meet your goals. Adopt which works, discard which does not.

{{{
#!html
<a name="Contact"></a>
}}}

'''Contact''': To communicate with authors, users, developers, operators related to this article, join [wiki:doc/TorifyHOWTO/IrcSilc IRC] channel named #dnsresolvers on '''''irc.oftc.net''''' server on port +6697 using TLS/SSL. Answer will not be provided instantly. If you stay connected then someone knowledgeable on your question will respond back.
Send the author(s) links to other (complex or technical) articles & data if you want them to add an easier version to this article.

{{{
#!html
<a name="Guidelines_and_Rules"></a>
}}}

'''Guidelines & Rules''' (for Authors): are ''' [wiki:doc/DnsResolver#Rules_for_Editors here]'''. '' (And, Please learn to create [wiki:WikiProcessors html links] in between sections on a same page and on another page, and learn to create [wiki:WikiFormatting sub-paragraphs] using lists). ''

{{{
#!html
<a name="TorDNS_Warning"></a><a name="adrelanos_1"></a>
}}}

= Warnings If You Use Tor-DNS For Both Tor and non-Tor Purpose =
'' This specific section and paragraphs are written & developed by author 'adrelanos', 'Bry8Star'. ''[[BR]]
Tor is a SOCKS5 proxy server. It can also be configured to act as a local DNS server or DNS resolver that answers DNS queries from all types of software on your computer. If you start to use the Tor DNS resolver while you are using the Internet for private (non-anonymity related) purposes, then in some cases someone observing exit-node traffic is able to obtain & reveal your identity & location, so it is very risky and not suggested. In this page, and in the default DNS server configurations shown, we are not using any "Tor DNS" in any form. Tor DNS should only be used on a VM or on a computer which is used only for "Anonymity" related purposes.

* If you log in to some online accounts over Tor, such as bank accounts, your bank account may get frozen. That is a very realistic risk; for example, PayPal freezes accounts for any Tor exit or VPN.
* For example, if http://check2ip.com/ can determine which DNS server you are using, any other server (you connect to) can do that as well.
* You should not use Tor to resolve DNS for your non-Tor surfing.
* Example: a malicious exit node asked to resolve paypal.com could return an IP under its control and run sslstrip. The website would look and feel normal, with no SSL warnings. You would only notice if you remember to manually check whether SSL is active. Of course, your ISP's DNS server can also mount such an attack. But it is much easier to host a malicious exit node; anyone can do that. On the other hand, not everyone can compromise an ISP DNS server or mount a MITM in your ISP's network.
* Since your Tor DNS requests, your web browsing and your non-Tor DNS requests will go through the same circuit, identity correlation or even de-anonymization is a risk. Imagine an exit node gets a DNS request and traffic for anonymous-forum.com and for my-real-name.com. (Same circuit, same flow.)
* If you have installed an OS (Operating System) as a native OS for a computer, or inside a [wiki:doc/VM VM] (Virtual Machine), from the very beginning to be used ONLY for your Privacy & Anonymous related usage, and you have not used any information in that OS or in any software which can be used to reveal your real identity, or to reveal your location, and if you have also taken enough steps to obscure or randomize or generalize various & specific hardware IDs, and you have also "Anonymized" (aka, "Torified") all software components, then you can use "Tor DNS".

{{{
#!html
<a name="Braindump"></a><a name="adrelanos_2"></a>
}}}

|
= Braindump =
'' This specific section and paragraphs are written & developed by author 'adrelanos'. ''[[BR]]
TODO: This chapter needs to be incorporated into this article...
Some ISPs [https://en.wikipedia.org/wiki/Man-in-the-middle_attack mitm] and thus manipulate (i.e. censor or spoof) DNS traffic, even though you are using a censorship-free DNS server. They mitm the DNS traffic directly. Source: [http://www.dnsleaktest.com/what-is-transparent-dns-proxy.php transparent DNS proxy]. Circumvention is only possible using:
* encrypted connection to DNS server (there is only httpsdnsd and DNSCrypt)
* proxies (only if the censor is not technically sophisticated, because the connection to the proxy is not encrypted, see [https://trac.torproject.org/projects/tor/wiki/doc/proxy proxy] and [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN Tor plus VPN or proxy])
* See [https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN Tor plus VPN or proxy]
* SSH tunnels.
* VPNs.
* Tor
* Jondo
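As an added example (not part of the original wiki page or of any project mentioned in it), the following Python script gives one way to check for the transparent DNS proxy described above: it hand-builds a DNS query and sends it to an address that should never answer DNS. The probe target 192.0.2.1 (RFC 5737 TEST-NET-1) and the labels returned by `classify` are assumptions chosen for illustration; a reply to such a query means something on the path intercepted it.

```python
import secrets
import socket
import struct

# Assumption for illustration: RFC 5737 TEST-NET-1 is reserved documentation
# space, so no real DNS server should ever answer a query sent to it.
PROBE_RESOLVER = "192.0.2.1"

def build_query(name, qid):
    """Encode a recursive A query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(data):
    """Return the header fields needed to judge a reply."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def classify(sent_id, reply, src):
    """Judge what came back for a query sent to PROBE_RESOLVER."""
    if reply is None:
        return "no-reply"                     # the expected, healthy outcome
    hdr = parse_header(reply)
    if not hdr["is_response"] or hdr["id"] != sent_id:
        return "unrelated-packet"             # not an answer to our probe
    if src != PROBE_RESOLVER:
        return "intercepted-visible-source"   # a proxy answered in its own name
    return "intercepted-spoofed-source"       # a proxy answered as 192.0.2.1

def probe(name="example.com", timeout=3.0):
    """Send one probe and classify the outcome (needs network access)."""
    qid = secrets.randbelow(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (PROBE_RESOLVER, 53))
        data, (src, _port) = sock.recvfrom(512)
    except OSError:                 # timeout or unreachable: nothing answered
        return classify(qid, None, None)
    finally:
        sock.close()
    return classify(qid, data, src)

if __name__ == "__main__":
    print(probe())
```

A "no-reply" result only shows that this particular probe was not intercepted; a proxy that forwards queries instead of answering them in place would still pass this check.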
[http://sourceforge.net/p/whonix/wiki/OptionalConfigurations/#secondary-dns-resolver Whonix Secondary DNS resolver] chapter should be adapted for this article.
httpsdnsd by JonDo (not sure if it can be compiled for Windows; if I remember right it was written in a script language, so it should be possible), although documentation is lacking, is a fine piece of software and can be used for encrypted DNS requests on port 443 (SSL), thus circumventing transparent DNS manipulation. It is described on the [https://anonymous-proxy-servers.net/en/help/transocks.html Jondo transocks page]. The page might be a bit confusing, because it's about transparent proxying, but there are no other official documents about httpsdnsd. [http://sourceforge.net/p/whonix/wiki/OptionalConfigurations/#httpsdnsd-by-jondos Whonix related httpsdnsd] can be adapted for this article.
[https://www.opendns.com/technology/dnscrypt/ DNSCrypt by OpenDNS] (all platforms) is better documented and can also be used to circumvent transparent DNS manipulation; [https://github.com/opendns/dnscrypt-proxy DNSCrypt github]; [http://sourceforge.net/p/whonix/wiki/OptionalConfigurations/#dnscrypt-by-opendns Whonix related about DNSCrypt] can be adapted for this article.
= See Other DNS Related Articles =
Most articles could be merged with this one.
* [wiki:doc/BIND BIND] - by 'bee'. Create your own cached DNS server.
* [wiki:doc/Torwin32DNS Torwin32DNS] Tor socks dns leak problem fix for win32 (Windows XP) using treewalk, by 'C. Wilson'.
* [wiki:doc/PreventingDnsLeaksInTor Preventing DNS Leaks in Tor with dsocks] by 'tyranix'.
* [wiki:doc/Preventing_Tor_DNS_Leaks Preventing DNS Leaks] by 'chemicalx'.
= Editor Talk =
Please see [wiki:doc/DnsResolver#Rules_for_Editors Editor Guidelines] first.
* (adrelanos) The "Preventing_Tor_DNS_Leaks Preventing DNS Leaks" has a high ranking on google. People share this link in forums, blogs etc. So it should probably be checked if it's still accurate. (Haven't checked.) Perhaps should be really merged/redirected.
* Hi, this page's name is "Prevent_DNS_Leaks", it is not "Preventing_Tor_DNS_Leaks". It is not about Tor binary/system's leakage. It is neither about DNS leakage from other software. It is about, How to prevent ACCIDENTAL or by MISTAKENLY entered or used .onion host, and/or how to block mis-configured settings trying to resolve .onion host on a computer. Fail-safe mechanism to block DNS query to go outside. More notes will be added. need to add firewall config info, etc. And not about Linux/Unix, but some1 can add into it. At this stage i will add info related to Windows and MacOS. -- Bry8Star.
* (adrelanos) We should move and redirect this article to https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/DNS or something like that.