Enhancement request regarding filters and options related to security
Created by: Ricky-Tigg
Hi F1ash. Thanks to the released component (dnscrypt-proxy-gui-1.11.14-1.fc27.x86_64) for the distribution I use, I realize the program gets closer to its full potential.
Would it be somewhat wise or at least useful to introduce the use of filters applying to the selection of listed Tier 2 DNS resolvers as follows, and not necessarily in that order: Used DNSCrypt version (1, 2) – IPv4 – IPv6 – No logs – Anonymized logs – Server filters regarding domains (two options: Whitelist, Blacklist) – DNSSEC – Namecoin – Country.
As is noticeable, the filters 'No logs' and 'Anonymized logs' exclude each other. Policies regarding the option 'Anonymized logs' generally conform to the following models, in which not only are IP addresses not logged but also:
- DNS queries, answers and query statistics for each TLD and domain are cached in a database (e.g. Redis database).
- query type for web statistic page.
Some options aim to:
- systematically use TCP, and not either UDP or TCP, in connections to upstream servers.
- respond to queries (from servers) related to IPv6 addresses, with an immediate empty response.
For now, the server-side component dnscrypt-wrapper by default generates a certificate for a period of 518 400 min (360 days). When a DNS resolver is started from a terminal with dnscrypt-proxy, in case the certificate expiry related to DNSCrypt is more than 1440 min (24 h) from now, a warning related to that weakness is displayed. A way to get that valuable information in the GUI would be, in my opinion, very appropriate.
The following OpenNIC Public Servers (hostnames) (undoubtedly for a good reason) are not yet part of the dnscrypt-resolvers.csv file (which comes along with the installation of the component dnscrypt-proxy). Currently none of those DNSCrypt-enabled servers are off-line or fail testing for more than 48 hours. The list is: ns1.any.dns.opennic.glue – ns3.any.dns.opennic.glue – ns3.ca.dns.opennic.glue – ns4.ca.dns.opennic.glue – ns3.cz.dns.opennic.glue – ns3.nw.de.dns.opennic.glue – ns1.hau.fr.dns.opennic.glue – ns1.tus.it.dns.opennic.glue – ns7.nh.nl.dns.opennic.glue – ns1.ma.us.dns.opennic.glue. Regards.
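
The certificate-expiry check requested above, sketched as an added example; it is not part of the original request and is not code from dnscrypt-proxy or the GUI. It assumes the certificate layout of the DNSCrypt v2 protocol specification (a `DNSC` magic, then version fields, signature, resolver key, client magic, serial and two big-endian timestamps), does not verify the signature, and uses hypothetical function names and a constructed sample certificate.

```python
import struct

CERT_MAGIC = b"DNSC"
CERT_LEN = 124             # magic 4 + versions 4 + signature 64 + key 32 + client magic 8 + serial/dates 12
WARN_REMAINING_MIN = 1440  # 24 h threshold quoted in the request


def parse_validity(cert: bytes) -> tuple[int, int, int]:
    """Return (serial, ts_start, ts_end) from a raw certificate. No signature check."""
    if len(cert) < CERT_LEN or cert[:4] != CERT_MAGIC:
        raise ValueError("not a DNSCrypt certificate")
    # serial, ts-start and ts-end are 32-bit big-endian values at offset 112
    serial, ts_start, ts_end = struct.unpack_from(">III", cert, 112)
    if ts_end <= ts_start:
        raise ValueError("certificate ends before it starts")
    return serial, ts_start, ts_end


def expiry_status(cert: bytes, now: int) -> tuple[str, int]:
    """Classify a certificate for display; second value is minutes until expiry."""
    _, ts_start, ts_end = parse_validity(cert)
    if now < ts_start:
        return "not_yet_valid", (ts_end - now) // 60
    if now >= ts_end:
        return "expired", 0
    remaining = (ts_end - now) // 60
    if remaining > WARN_REMAINING_MIN:
        return "long_lived", remaining  # the case the terminal warning covers
    return "ok", remaining


def build_sample_cert(ts_start: int, ts_end: int, serial: int = 1) -> bytes:
    """Constructed test input: zeroed signature and keys, only header and dates are set."""
    return (CERT_MAGIC + struct.pack(">HH", 2, 0) + bytes(64) + bytes(32)
            + bytes(8) + struct.pack(">III", serial, ts_start, ts_end))


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    for label, minutes in (("360-day", 518_400), ("12-hour", 720)):
        cert = build_sample_cert(now - 3600, now + minutes * 60)
        print(label, expiry_status(cert, now))
```

A GUI could map `long_lived` to a warning badge next to the resolver entry and show the remaining minutes as a tooltip.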