371
Google, Cloudflare & Cisco Will Poison DNS to Stop Piracy Block Circumvention * TorrentFreak
(torrentfreak.com)
this post was submitted on 16 Jun 2024
371 points (99.5% liked)
Technology
55618 readers
2245 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Is there such a thing as federated dns servers, self hosted or otherwise? I don't particularly care about piracy but I can see this dominoing into abortion, lgtq+ ect...ect...
As long as you’re not using DNSSEC, you can easily run your own. I’ve been running a PiHole for years now, it can pull in block lists and such from various sources, it’d be fairly easy to add a list to pull in automatically that include extra records. Those could be served from anywhere. Torrents, git repos, http calls, etc.
Note that with just pihole you would still be affected by this, since pihole needs an upstream dns server to get it's data from.
But if you set up pihole with unbound you will be OK, since unbound then will do the job of getting data from the root servers without another upstream dns.
I my experience it is also faster.
I believe you can use DNSSEC directly with root servers.
Would pihole work if all the major DNS that gets pulled resolved the same? I would imagine the change would only work for a while.
While others suggested adding the DNS records manually the far more secure and easier in the long term solution is to run pihole with unbound. Going this route completely eliminates third party upstream DNS servers as unbound will query the top level domain for their authoritative name server and direct the IP address from the source. Pihole has a great explanation on their website. I like crosstalk solutions on setting it up as it's has everything you need just to copy paste your way into it working.
A PiHole functions has a full DNS server. You can configure it to serve any arbitrary records you like - which is basically how it overrides ad domains to prevent them from loading.
So, if you know the IP address that a particular domain is supposed to route to, you configure the PiHole to respond with that IP address for that domain. So, it doesn't matter that the major DNS servers return junk because your PiHole never asks them.
Pihole is great. Easy to setup. Runs on $80 worth of hardware on a raspberry...
$80? I run mine on a Pi Zero that I got for $9 with a $6 wired network adapter for a grand total of $15. No problems for a household of five with one of us (me) being an extremely heavy user.
Or if you have a NAS, just use that. There's nothing special about the Raspberry Pi hardware here.
I used to do that, but it comes with the problem of your DNS going down any time you want to restart or do a hardware swap on your NAS. Or since it was running in docker something as simple as reloading docker would knock out the internet for a few minutes. It's worth the $15 to have them operate separately.
Doesn't that just move the problem to the $15 device? Or are you saying you reboot your NAS significantly more often than your RPi? I have a RetroPie setup that I reboot about as often as my NAS, which is when I remember to run updates.
I pretty much never reboot the Pi. It currently has over 18 months of uptime on it. My NAS on the other hand I probably restart for one reason or another maybe once every 6 months. So yeah I'd say I reboot it minimum 3x more often.
Plus a reboot takes much longer on my NAS than on the Pi. The server board is slow to start, the SAS cards are slow to start, and unRAID is slow to start. Then I need to manually enter the password for disk encryption. Then wait for the array to start up. Then wait a bit more for the docker containers to start. Add all of that up and even the absolute fastest reboot is like 10 minutes while the Pi probably takes 30 seconds.
And what if I want to swap hard drives? Now it's down for an hour. I guess I could wait until 3am to do all my upgrades so everyone is asleep, but I'd rather not. I suppose if it were just for myself it would matter a lot less. But again, it's only $15 to not have to think about it at all.
Interesting. Boot times aren't an issue at all for me on my NAS because it's running on an old desktop processor and has plenty of performance. Both boot in <30s, and I leave them both on 24/7.
I tend to upgrade all my servers around the same time (RPi, NAS, VPS), and my laptop and desktop get updates about every week or two. I don't like leaving systems unpatched, so I stay on top of it. I haven't needed to swap HDDs in the 6-ish years I've had my NAS configured, so I guess it's not an issue I've run into. I'd probably just schedule it when I do a router firmware update (I run a Mikrotik router), which I do every few months as well, since that way everyone expects a little downtime.
Definitely. Though I’ll add that I ran PiHole + PiVPN on a Zero W ($10) for years. I upgraded it to a Pi Zero W 2 ($15 with extra cores) but I found that it had terrible packet drops, so I had to add a $15 usb wired adapter to it. I can max my upload speeds over vpn and dns is super low latency.
Any good lists? Because pihole defaults to the aforementioned servers.
Pretty decent article here
https://avoidthehack.com/best-pihole-blocklists
And there is https://filterlists.com/ which is a searchable index of lists. If you use uBlockOrigin you can add lists directly from fliterlists.com otherwise it provides links to Github etc.
unbound is a validating, recursive, caching, self-hosted DNS resolver.
There's the completely decentralized ENS name system that would bypass this censorship entirely.
But unfortunately it's got the scarlet letters "NFT" hanging around its neck, and so good luck trying to discuss its actual merits or try to implement support for it anywhere.
NFT is scary because people don't know what it means. It is not supposed to be a means of selling jpegs; it is supposed to be a digital untamperable proof of ownership for various uses.
It's not.
It's very tamperable. It lacks common safety features like 2FA. Hacks are common and stolen NFTs can not be recovered.
It doesn't provide any evidence of ownership, much less proof. Anyone can mint NFTs without providing any evidence of ownership or anything. There is no legal requirement that ownership of anything is transferred along with an NFT.
I can’t believe in 2024 we still see NFT advocates. It was and continues to be a colossal waste of time and resources.
It was a waste of time and resources for a particular application, yes. But the basic technology is useful for many applications.
Those "bored ape" NFTs were for jpeg images, do you also think that the jpeg algorithm was a colossal waste of time and resources?
There isn't just one single way of coding an NFT, you're talking about an entire class of application here. You can indeed add all sorts of safety features if you want to.
Saying "anyone can mint NFTs" shows a misunderstanding of the specific application we're discussing here. Not just anyone can mint an ENS name, specifically, which is what we're talking about. ENS names are minted by the ENS contract, so they can be guaranteed unique. An ENS name isn't "representing" anything other than the information contained within it, so there are no legal issues whatsoever. If you own the ENS name NFT then that's all that you need to worry about, it has no other effect or implication other than that.
This is what I was talking about when I mentioned the "scarlet letters NFT". People have an enormous prejudice about the technology and leap to incorrect assumptions about its uses based on those prejudices.
It’s glorified receipts that are billed as far more secure than they actually are looking for a problem to solve. The entire usage is people treating it like a casino, just like cryptocurrency. I guarantee you “small” artists and such, the people that are always paraded around as the beneficiaries, are not using it in any appreciable number. Those that tried simply lost some money in the endless sea of “get rich quick” schemes they were sadly duped into participating in. Crypto bros just decided to target creatives, as if they need to be victimized more.
NFT’s are not helping people in any appreciable number. It’s just another relationship of people getting rich on the backs of a bunch of bag holders sold a false promise.
I am describing a usage that is explicitly not like that. A usage that has nothing to do with art. The concept of "NFT" is not somehow inextricably tied to spending ridiculous amounts of money on pictures of apes, it's a general technology.
This is a perfect illustration of the problem here. People are lamenting about difficult it is to come up with a truly decentralized method of owning domain names that can't be commandeered by authorities or big business, a system to do exactly that already exists, but it's based on a technology that people have such an extreme prejudice about that they'd rather downvote anyone who tries to explain it and go back to helplessly lamenting.
Then please show us some valid usages currently up and running solving actual problems at scale.
I am prejudiced because I was in the crypto space for years. I used to mine and more. So my prejudice comes from a place of experience and knowledge, not random headlines and memes.
I just did. The ENS system, a decentralized replacement for DNS. That's what started this subthread.
What is the NFT component offering that I don’t get from the myriad of other excellent DNS services (many of which are FLOSS) that grant me reliable DNS over HTTPS/other privacy elements? What is the NFT part accomplishing that wasn’t being done prior?
Full decentralization and censorship resistance. In the case of DNS services there's still an organization of some kind that you're having to trust to not mismanage your registration. Both now in their current form and in any future form the organization may take.
ENS, on the other hand, is just a smart contract running on Ethereum. Its behaviour is programmed, not dependent on any human decision making. To censor it you'd need to block Ethereum as a whole.
So then nothing related to NFTs at all but instead a specific application of a specific blockchain...
An ENS name is represented by a token that follows the ERC-721 standard. It is literally an NFT.
FLOSS software is not dependent on trusting an organization. That’s a significant part of the appeal.
What else?
How does your FLOSS software solve the Byzantine Generals problem? If two different people want to use the same domain name, how is it determined who gets it? These are the things that blockchains contribute a solution to.
It's not enough that the software that everything's running on is free/libre. Determining who gets a scarce resource (unique names) is the real difficulty here.
Call me a Luddite, call me ignorant, the simple answer is we don’t need to solve the Byzantine generals problem for privacy because we are able to work indecently I.e. if it’s floss we can compile ourselves. I don’t need to trust anyone when I can vet the code and roll my own with it.
TL;DR: the Byzantine general problem isn’t a problem.
It isn't a problem when you're just running software on your own computer and have no need to communicate with anyone else.
But that's not the case for domain names. It wouldn't work at all if we each had our own private little parallel universe, it defeats the whole purpose of a domain name system. We all need to agree on which names are associated with which IP addresses.
I'm not trying to promote blockchains as a one-size-fits-all universal solution for every problem. That's silly, no technology is a universal solution for every problem. Blockchains are very good at solving a specific subset of problems, and DNS names IMO is one of those. When you need everyone to agree on a particular fact and you don't want to designate some particular authority to be "in charge" of validating that fact then that's exactly what a blockchain is for.
I agree with pretty much everything you said, except the conclusion. For DNS, we don't need distributed consensus, we have ICANN and that seems to work pretty well. We'd only need a blockchain if we needed to replace ICANN for some reason.
So assuming ICANN exists, you only need to trust registrars, which are regulate both by ICANN and whatever municipality they operate in.
Building a separate system to ICANN may be desirable in an abstract sense (ICANN kinda sucks in some ways), but it's a bit too disruptive for too little gain since it would force everyone to go repurchase domains, leading to mismatches with the current system, causing confusion and enabling fraud. That's a pretty high cost for minimal gain.
In other words, just because we can doesn't mean we should. And this is coming from someone who is interested in crypto (mostly Monero) and distributed computing in general.
…what? I’m not sure you understand what I mean by compiling on my end. Why would that preclude my being able to communicate with other people?
Let's say that your computer has the IP address 1.2.3.4. When you register for a DNS name, let's say bolexforsoup.com, you tell the DNS registrar to associate that name with your IP address. So later when my computer wants to communicate with your computer it asks the DNS system "what's the IP address for bolexforsoup.com?" And it tells me "1.2.3.4", which I can then use for communicating. The DNS service is not something you're running yourself, it's a service that someone else is running. That's the problem here. Your computer can be completely 100% FLOSS, you can be a master programmer who can manipulate your computer at will, but if my computer wants to talk to bolexforsoup.com the only way it can know the IP address for it is to ask DNS for it. That happens outside of your control. As we're seeing in this case with anti-piracy laws, this is something that an outside force - a government, a company, maybe even a lone malicious hacker - can interfere with if they want to stop me from reaching your computer.
I had really hoped that the video game industry would use its royalty function to give developers a cut of the secondary market. It would naturally incentivize them to slow down their development cycle, and make games that stand the test of time. Selling games with this technology could have been a virtuous cycle of developers having a vested interest in their work beyond simply selling DLC.
Well, hominids made hand axes for countless aeons without ever really using them. I guess I shouldn't act too shocked.
No competent engineer would use NFTs for the purpose. It's inconvenient, slow and ridiculously expensive. No one uses the "technology" because it's rubbish.
Implementing such a feature is trivial. Steam has a marketplace. They don't let you sell used games because the developers don't want it.
There exists GNUNet, but not really sure how common it is used.
I keep hearing about people being aware of it's existence, but I have yet to see a single person say they use it.
I tried to use gnunet multiple times over the years. It always had wierd routing problems, the worst was their filesharing, it literally never worked. You cant find files that are definitely on the network, and if by some miracle you do find something, it fails to download it. 20 years of development and its an unfinished buggy mess. I hope they finally fix it sometime, cause its a really great idea, just executed horribly.
Yes, it's called
unboundI don't think this question really makes sense.
DNS is centralized in that there is a root zone that determines who is the canonical authority for each top level domain like
.comor.world(and the registrar for each top level domain controls who controls each domain under them). But it's also decentralized in the sense that everyone who controls a domain can assign any subdomains below that, and that anyone can choose to override the name resolving with their own local DNS server (or even a hosts file saved on the device).The court case here is trying to override the official domain ownership records at specific DNS providers. The problem is that the intermediaries are being ordered by the courts not to follow the central authority.
Federation wouldn't fit this model: we still want DNS to be canonical where everyone in the world agrees which domain resolves to which IP addresses.
DNS is to a degree, by design federated to begin with. What you need to participate is a recursive DNS server, like Unbound as some of your other replies have mentioned. You can run it on the same machine as something like Pihole if you’re already running that.