Privacy DNS Chooser Script v1.0 "Snow Breeze"

GustavoM, 6 months ago

Ensure you have systemd-resolved installed on your Linux system.

Oh boy.

MigratingtoLemmy, 6 months ago

Man, did you really have to make it dependent on systemd?

Strit, 6 months ago

It’s designed for systemd-resolved, so I would assume that he had to. ;)

MigratingtoLemmy, 6 months ago

Ah, missed that. Thanks

Divine_Confetti, 6 months ago

Sorry I’m new to the networky world of things, could someone explain what TLS and DNS (seen it in settings here and there) are, and the differences between them.

CosmicGiraffe, 6 months ago

DNS = Domain Name System. This is used to lookup an IP address (e.g. 123.234.54.32) from a domain name (e.g. lemmy.ml). A DNS query is one of the first things your computer does when you visit a site.

Plain DNS is unencrypted, which means that anyone with the ability to read your requests (e.g. your ISP) can see the names of sites that you’re visiting.

TLS = Transport Layer Security. This is a protocol that’s used to create an encrypted connection between your device and another one, in this case the DNS server. When this is used, the content of your DNS requests is hidden. Your ISP can still see that you’re talking to the DNS server, but not what you’re saying to it.

TLS also allows your device to cryptographically verify the identity of the DNS server. Without it, someone with the ability to modify your connection could change the responses from the DNS server. That would allow them to send you back the IP address of a server they control, rather than the real servers IP.

Pantherina, 6 months ago

Cool project! Do you know Captive portals? Because there you need to use DHCP DNS a lot, and turn off dnssec and dot afaik

Baritone5371, 6 months ago (edited 6 months ago)

Hello! That's something that I should keep an eye on! When speaking about Captive Portals, I just assume everyone uses 4G/5G (which doesn't require these portals to be used) instead of open networks. My script already has DNSSEC disabled since it has caused some problems during testing. BTW, just a question : Are these portals very common? I haven't seen one since years now.

Pantherina, 6 months ago

In Germany every public wifi, train (ICE windows block cell internetand they are currently lasering small waves in them), hotels, cafes, private wifis even if you are a guest.

Because of “data protection” everyone needs to accept TOS so every network has them.

No idea where you live but cell data is often expensive.

I just use the MullvadVPN app, my systemd-resolved is plain and insecure and Mullvad does all the secure DNS stuff. Obviously sucks and is not scalable at all.

Systemd implementing a switch that could then be integrated into GUIs, like KDE6’s captive portal opener, is crucial. So for the portals you would make the DNS insecure, log in and secure it again. Best automatically.

Baritone5371, 6 months ago (edited 6 months ago)

Ok. I will see that! If you have a GitHub account. You can make an issue right now, so tracking the issue would be better for me. Or I could do that myself.

Edit : I have made a prototype that I could release it soon as an alpha. When it gets released, your goal is to test in a place where captive portals are present. Sadly, the script won't be automatic but requires user interaction.

Edit 2 : it is now available as alpha on the releases page.

Pantherina, 6 months ago

Cool!

Baritone5371, 6 months ago (edited 6 months ago)

I have edited the release page for the alpha. I have modified the file to correct a bug and add the deletion of the backup file when the operation is finished and also restart systemd-resolved service.

_s10e, 6 months ago

Have you looked into how existing software handles captive portals. I believe, both Ubuntu (or Gnome or Network-Manager) and Firefox do check for such portals and detect real internet access. (They simple poll some URL detectportal.vendor.com and check for the expected return code. Portals usually redirect.)

Now I’m thinking, what if this check could trigger a change to the DNS configuration. That is use DoT when internet is available, otherwise fall back to DHCP announced DNS

Pantherina, 6 months ago

That is neat! It is a specific response so it should work.

<span style="color:#323232;">#!/bin/bash
</span><span style="color:#323232;">
</span><span style="color:#323232;"># Function to set insecure DNS
</span><span style="color:#323232;">function insecure-dns() {
</span><span style="color:#323232;">  # Backup the original resolved.conf file
</span><span style="color:#323232;">  cp /etc/systemd/resolved.conf /etc/systemd/resolved.conf.bak
</span><span style="color:#323232;">
</span><span style="color:#323232;">  # Modify resolved.conf to disable custom DNS, DoT, and DNSSEC
</span><span style="color:#323232;">  sed -i 's/^DNS=.*/#DNS=/; s/^Domains=.*/#Domains=/; s/^DNSOverTLS=.*/#DNSOverTLS=/; s/^DNSSEC=.*/#DNSSEC=/' /etc/systemd/resolved.conf
</span><span style="color:#323232;">
</span><span style="color:#323232;">  # Restart systemd-resolved
</span><span style="color:#323232;">  systemctl restart systemd-resolved
</span><span style="color:#323232;">}
</span><span style="color:#323232;">
</span><span style="color:#323232;"># Function to set secure DNS
</span><span style="color:#323232;">function secure-dns() {
</span><span style="color:#323232;">  # Restore the original resolved.conf file
</span><span style="color:#323232;">  mv /etc/systemd/resolved.conf.bak /etc/systemd/resolved.conf
</span><span style="color:#323232;">
</span><span style="color:#323232;">  # Restart systemd-resolved
</span><span style="color:#323232;">  systemctl restart systemd-resolved
</span><span style="color:#323232;">}
</span><span style="color:#323232;">
</span><span style="color:#323232;">while true; do
</span><span style="color:#323232;">  response=$(curl -sI captive.test.com | head -n 1 | cut -d' ' -f2)
</span><span style="color:#323232;">
</span><span style="color:#323232;">  if [ "$response" == "200" ]; then
</span><span style="color:#323232;">    insecure-dns
</span><span style="color:#323232;">    xdg-open captive.test.com
</span><span style="color:#323232;">    sleep 30
</span><span style="color:#323232;">    # something to wait until window is closed, otherwise spam!
</span><span style="color:#323232;">  else
</span><span style="color:#323232;">    secure-dns
</span><span style="color:#323232;">  fi
</span><span style="color:#323232;">
</span><span style="color:#323232;">  sleep 5
</span><span style="color:#323232;">done
</span>

This should work. What would be needed is to track the process of the login and only continue when the window is closed again.

progandy, 6 months ago

No need for a systemd switch. It should work with a dedicated “portal” browser that bypasses the global dns and has a built-in resolver using the dns from dhcp.

Pantherina, 6 months ago (edited 6 months ago)

Yes if that works for sure. Problem here is that GNOME and KDE use different webengines, so yay no standards. Firefox doesnt support that I think?

I use a seperate firefox profile with a shortcut like

<span style="color:#323232;">blabla desktop entry
</span><span style="color:#323232;">Name=Captive Portal
</span><span style="color:#323232;">Exec=mullvad-exclude firefox -P captive http://captive.kuketz.de
</span>

I wanted to do something with mullvad-exclude but that didnt work for some reason, as when excluding it I think it had no internet?

_s10e, 6 months ago

That was also my question. A broader question is how to access services on the local network that are announced through local DNS? Like your router’s web interface or any similar device.

Can you have split routing? Most queries go to our preferred DNSoverTLS endpoint, but some go to DNS53 on the local network.

This would also solve the captive portal if the host used to detect captive portals is always resolved locally.

Pantherina, 6 months ago

Yes I think you can exclude local IPs in systemd-resolved