IPv6, cloudflare and related issues
Hi NMGLUG folks,

I heard that using 1.1.1.1 or 1.0.0.1 offers advantages of privacy against ISPs and occasional faster connections with nameservers to browse the web more quickly. I heard that this is a service offered by cloudflare and that I don't need to engage cloudflare to use it.

In my Network Connections, I edited IPv4, adding 1.1.1.1 and 1.0.0.1, and that seems to work well. I edited IPv6, adding 2606:4700:4700::1111,2606:4700:4700::1001

When I test it at https://1.1.1.1/help it's not working right. I looked at the contents of /etc/resolv.conf

It had this:

    # Generated by NetworkManager
    nameserver 172.16.0.1
    nameserver 1.1.1.1
    nameserver 1.0.0.1

After rebooting, /etc/resolv.conf had:

    # Generated by NetworkManager
    nameserver 172.16.0.1
    nameserver 1.1.1.1
    nameserver 1.0.0.1
    # NOTE: the libc resolver may not support more than 3 nameservers.
    # The nameservers listed below may not be recognized.
    nameserver 2606:4700:4700::1111
    nameserver 2606:4700:4700::1001

This may be a clue why my IPv6 is not working. I found https://unix.stackexchange.com/questions/28004/how-to-overcome-libc-resolver... This might help, but it has a bunch of stuff in there that I don't follow.

Q What is the libc resolver? How can I get IPv6 to work? Is it a good idea to use this cloudflare service? Is this cloudflare service considered to be a good thing by the Linux community? Is there something better?

On another note, I just published my first book http://www.leroydiener.com/spirit/christ-seed-book-available-now-christ-seed...

Thank you to all of you who have helped me with all of my needs.

In gratitude, LeRoy

--
I am the Love of God, no matter what.
LeRoy Diener 213-LEROYIZ 213-537-6949 www.leroydiener.com/
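An added example, not part of the original thread: a small parser that applies glibc's three-entry nameserver limit (MAXNS) to the post-reboot /etc/resolv.conf quoted in the message above and reports which entries the libc resolver consults and which it drops. The function names are illustrative, and it assumes glibc's default behaviour of trying entries in file order.

```python
import ipaddress

MAXNS = 3  # glibc's stub resolver keeps at most three nameserver entries

# The post-reboot /etc/resolv.conf quoted in the message above.
SAMPLE = """\
# Generated by NetworkManager
nameserver 172.16.0.1
nameserver 1.1.1.1
nameserver 1.0.0.1
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 2606:4700:4700::1111
nameserver 2606:4700:4700::1001
"""

def parse(text):
    """Return (nameserver addresses in file order, set of option words)."""
    servers, options = [], set()
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        if fields[0] == "nameserver" and len(fields) > 1:
            try:
                # Drop any %scope suffix before validating the address.
                servers.append(ipaddress.ip_address(fields[1].split("%")[0]))
            except ValueError:
                pass  # not an IP address; skipped here
        elif fields[0] == "options":
            options.update(fields[1:])
    return servers, options

def effective(text, maxns=MAXNS):
    """Report which entries the libc resolver consults and which it drops."""
    servers, options = parse(text)
    used, ignored = servers[:maxns], servers[maxns:]
    return {
        # Without "options rotate", every lookup starts at the first entry;
        # later entries are only tried when earlier ones time out.
        "first_queried": None if "rotate" in options or not used else str(used[0]),
        "used": [str(s) for s in used],
        "ignored": [str(s) for s in ignored],
        "ipv6_used": any(s.version == 6 for s in used),
    }

if __name__ == "__main__":
    for key, value in effective(SAMPLE).items():
        print(f"{key}: {value}")
```

On this file the router at 172.16.0.1 is queried first, the two Cloudflare IPv4 addresses act only as fallbacks, and both IPv6 entries fall outside the limit.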
Hi LeRoy, LeRoy Diener writes:
I heard that using 1.1.1.1 or 1.0.0.1 offers advantages of privacy against ISPs
This only really happens if you use the DNS-over-HTTPS or DNS-over-TLS services provided by CloudFlare. The tradeoff is that all your DNS traffic gets sent to CloudFlare when it wasn't sent before, but your ISP now has less visibility into it. Personally, I'd make that trade, because while I distrust CloudFlare, I distrust Comcast and Centurylink even more. There are two ways to do so: configure individual applications to do so (I believe both Firefox and Chrome allow this configuration, although very few other programs do), or run a DNS cache on your local network. Personally I use Unbound as a DNS cache. When devices on my LAN ask for nameserver addresses, my router is configured to point to the IP of the Unbound server (which in my case happens to also be the router, but you could run Unbound on any machine on your network as long as it's got a static IP).
I edited IPv6, adding 2606:4700:4700::1111,2606:4700:4700::1001 When I test it at https://1.1.1.1/help it's not working right.
I suppose the obvious question is, does IPv6 work for you under normal circumstances? Many ISPs don't support it even in 2020. I'm quite sure CenturyLink doesn't and I've never gotten it to work under Comcast either. -- Anthony J. Bentley
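An added example, not the configuration of anyone in this thread: an unbound.conf fragment for the setup described above, a LAN-facing Unbound cache that forwards every query to Cloudflare over DNS-over-TLS. The LAN subnet and the CA bundle path are assumptions to adjust for the local network and distribution.

```conf
server:
    # Listen for LAN clients (assumption: the router hands out this host as DNS).
    interface: 0.0.0.0
    # Answer only the local network (assumed subnet) and the host itself.
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # CA bundle used to verify the upstream certificate
    # (assumed Debian/Ubuntu path).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    # Forward everything; nothing goes to the ISP's resolver in cleartext.
    name: "."
    forward-tls-upstream: yes
    # address@port#name-to-verify-in-the-certificate
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

The `#cloudflare-dns.com` suffix together with `tls-cert-bundle` is what makes Unbound authenticate the upstream; without them the TLS session is encrypted but the server's identity is not checked.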
Personally I use Unbound as a DNS cache. When devices on my LAN ask for nameserver addresses, my router is configured to point to the IP of the Unbound server (which in my case happens to also be the router, but you could run Unbound on any machine on your network as long as it's got a static IP).
Don't forget that if you have DoH, it is bypassing your local resolver. Then, you're giving your juicy DNS data to the DoH provider rather than your ISP. One of the best videos I've seen that talks about these issues is from the Southern California Linux Expo this year: https://www.youtube.com/watch?v=artLJOwToVY
I suppose the obvious question is, does IPv6 work for you under normal circumstances? Many ISPs don't support it even in 2020. I'm quite sure CenturyLink doesn't and I've never gotten it to work under Comcast either.
Comcast should work well, they were one of the first major ISPs to provide IPv6 for consumers. Using DHCP-PD, they'll assign a /60 to you. So you can have 16 LANs running at your house -- all with addresses that aren't NATed. I haven't worked with CenturyLink's IPv6 offerings.
NMGLugers & John,

Thank you, John, for the interesting discussion and pointing out the DoH changes in Firefox. I never saw the notification about the change from them. I have turned off the DoH setting on my instances of Firefox. I enjoyed the video on the "DNS Wars" which is very clear and points out the history and the interesting dynamics of this very basic service. Also interesting to visit SCale18 and see what others are doing.

I have updated several USB sticks to current releases and am slowly cataloging for myself the changes. One of these is the use of snap to install the chromium-browser. This is an interesting example of delivering software as sandboxed. It is working, but takes more space and CPU. Both snap and chromium update in the background on a regular basis.

See some of you tonight at the Virtual meeting.

Thank you, Ted P

On Mon, Jul 13, 2020 at 7:47 AM John Osmon <josmon@rigozsaurus.com> wrote:
Personally I use Unbound as a DNS cache. When devices on my LAN ask for nameserver addresses, my router is configured to point to the IP of the Unbound server (which in my case happens to also be the router, but you could run Unbound on any machine on your network as long as it's got a static IP).
Don't forget that if you have DoH, it is bypassing your local resolver. Then, you're giving your juicy DNS data to the DoH provider rather than your ISP.
One of the best videos I've seen that talks about these issues is from the Southern California Linux Expo this year: https://www.youtube.com/watch?v=artLJOwToVY
I suppose the obvious question is, does IPv6 work for you under normal circumstances? Many ISPs don't support it even in 2020. I'm quite sure CenturyLink doesn't and I've never gotten it to work under Comcast either.
Comcast should work well, they were one of the first major ISPs to provide IPv6 for consumers. Using DHCP-PD, they'll assign a /60 to you. So you can have 16 LANs running at your house -- all with addresses that aren't NATed.
I haven't worked with CenturyLink's IPv6 offerings.