re: How do you practice safe public wifi access?
re: Basically, instead of reaching out to "central" DNS servers that aggregate entries from every registrar, you'll roll your own "central" server, i.e...

Apart from using a VPN, what you guys are talking about sounds like an alien language to me.

Is all that something everyone should learn to do or do you consider yourselves kind of extra-snowden-like-concerned-about-security because the CIA is trying to catch you? 😊

Instead, it's mostly about being able to easily block ads, avoid country-level/ISP-level censorship (very common in lots of places, sadly)

Might as well run a local Dnsmasq instance doing recursive resolution on TLDs directly, instead of just moving your trust from google to cloudflare.

You know, that's a bit like saying "Might as well store your entire financial assets in gold in a safe under your bed instead of moving your money from a shady mega-corp bank to a Federally-insured, member-owned credit union." It's a bit on the 'overkill' side for many people, myself included.

But why trust Cloudflare over Google? Simple. Guess which one of those sells browsing history as one of their primary forms of income?

I didn't say trusting Cloudflare was bad, or Google was better than CF.

Google sucks, CloudFlare is a move in the right direction, but

  1. Cloudflare is still a centralized and closed infrastructure
  2. Cloudflare is US-hosted

That's two very good reasons to avoid it

I don't see those as automatic reasons to avoid it, any more than the "all financial institutions are bad" assertion some people make (see my previous example) is even remotely wise.

For example, if US-hosted or centralized is an automatic negative, then DEV must not be trustworthy.

I don't have the luxury of time or hardware to set up and run my own DNS resolution server. Most people don't. So, until someone sets up an open-infrastructure, free, public DNS service, Cloudflare is hardly something "to be avoided".

We have to draw the line between common sense and fearmongering.

There are lots of open-infrastructure DNS...

And time, hardware?

We're talking about a 2MB-consuming daemon sitting idle on your computer, which takes roughly 5 minutes to set up on a first-time setup.

Maybe you don't want to take this time, that doesn't make this solution somehow bad or to avoid.

And that daemon can handle DNS for my entire network, including multiple computers and a public-facing, always-on server that is central to our production work? And you can guarantee that I'll never have to suddenly stop what I'm doing to debug it? And that it'll be accessible from any wifi spot I'll ever connect to worldwide, and never go pear-shaped when I least expect it?

If setting up a reliable, works-for-everything DNS is really that easy, it's a marvel 8.8.8.8 and 1.1.1.1 ever even gained adoption.

The fact is, "it takes minutes to set up" never takes into account the inevitable time sink that comes when (a) things don't go according to the docs (more than half the time, ask any IT), or (b) when things break (at least once with everything you ever set up, ask any IT).

So no, I don't have that time.

Well, if it's sitting on your computer, yes, that's kind of the point.

And your complaint about time doesn't change the validity of this solution.

> Well, if it's sitting on your computer, yes, that's kind of the point.

Amazing. Too bad I actually couldn't accomplish that with two full days of trying to do exactly that for my network, with the help of two professional, experienced Linux ITs no less. "We must have done something wrong," I suppose.

> And your complaint about time doesn't change the validity of this solution.

I never said it wasn't valid, but the way you're talking, it should be the only solution.

In any case, thank you for (apparently) retracting your earlier assertion that it couldn't take more than five minutes.

> Amazing. Too bad I actually couldn't accomplish that with two days of trying, with the help of two professional, full-time ITs. "Must have done something wrong."

RTFM. Especially with the plethora of Dnsmasq guides available on Internet, and with Dnsmasq providing one of the simplest and most basic configurations.

> I never said it wasn't valid, but the way you're talking, it should be the only solution.

Everyone has their ways of understanding English, I guess.

> RTFM.

Because of course it never occurred to three Linux professionals in two days that we should read the documentation.

Ahh, the four-letter mantra of the people who don't have any real answers, but love to tell everyone they're wrong. At least that tells me I can leave this conversation — you've announced you have no actual knowledge or insight to share. Thanks for saving everyone the time of taking you seriously. Ta!


@jason No one forced you to follow up with this solution. There are people who actually know what they are talking about and also people who rant about knowing professionals. You're not in the first group apparently.

> You're not in the first group apparently.

Gosh, wish I'd known that before I'd gone and run a secure, production-grade development server for six years. I'll be sure to tell those two IT friends of mine they aren't knowing professionals either. They've wasted years of their lives successfully doing a job they apparently can't do.

Deserved sarcasm aside, I merely said that it wasn't a "fix-all". It's a valid solution, but not the only solution, and not necessarily one that magically works in every imaginable scenario. (P.S. My experience with dnsmasq was from about two years ago, not today.)

"RTFM" is never an appropriate response to anyone. My anger is directed at that, and rightly so. There are many people here on DEV who would be crushed by that remark, with its deliberately hateful insinuation of stupidity. "I read the documentation, but I didn't get it. I must not be legitimate." An insinuation you just helped add fuel to.

I came here to say that maybe the topic of setting up your own "central" server could be a good dev.to article!

I did write a handful of articles on dnsmasq, for ad-blocking, conditional DNS request proxying, and such.
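For readers who want to see what the local-resolver suggestion earlier in the thread and the ad-blocking and conditional-forwarding features just mentioned actually look like, here is a dnsmasq configuration added as an illustration. It is not taken from the commenter's articles or from the dnsmasq project, and the file path, the internal zone `corp.internal`, the VPN resolver `10.8.0.1` and the blocked domains are made-up placeholders. One caveat worth knowing before choosing it: dnsmasq is a caching forwarder, not a full recursive resolver, so it still sends every uncached query to whichever upstream you list (here Cloudflare's addresses, but any resolver works) and does so over plain UDP/53 unless you put a DNS-over-TLS or DNS-over-HTTPS proxy in front of it.

```ini
# /etc/dnsmasq.d/local-resolver.conf   (example file; path is an assumption)

# Answer only on loopback. A resolver that also listens on the Wi-Fi
# interface becomes an open resolver on whatever hostile network you join.
listen-address=127.0.0.1
bind-interfaces

# Ignore /etc/resolv.conf, which the hotspot's DHCP server controls, and
# use only the upstreams listed here (Cloudflare's public resolvers).
no-resolv
server=1.1.1.1
server=1.0.0.1

# Query upstreams in the order listed rather than load-balancing, so
# fallback behaviour is predictable when one is unreachable.
strict-order

# Conditional forwarding: queries for an internal zone and its reverse
# range go to the VPN-side resolver, everything else to the public ones.
# (corp.internal and 10.8.0.0/16 are hypothetical.)
server=/corp.internal/10.8.0.1
rev-server=10.8.0.0/16,10.8.0.1

# Ad/tracker blocking: answer for the whole domain tree with an
# unroutable address instead of forwarding the query at all.
address=/ads.example/0.0.0.0
address=/tracker.example/0.0.0.0

# Never forward unqualified names or private-range reverse lookups upstream.
domain-needed
bogus-priv

# Cache positive and negative answers.
cache-size=10000
neg-ttl=60
```

To use it, point the system at itself (`nameserver 127.0.0.1` in `/etc/resolv.conf`, or the distribution's equivalent) and check the file with `dnsmasq --test` before restarting the service. Two quick checks tell you it is doing what the thread describes: `dig @127.0.0.1 ads.example` should return `0.0.0.0` with no upstream traffic, and `dig @127.0.0.1 host.corp.internal` should be answered by the VPN resolver rather than Cloudflare. The `bind-interfaces` plus `listen-address` pair is the part most worth keeping even if you change everything else; it is what stops a laptop resolver from serving strangers on public Wi-Fi.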

Indeed you have! Thanks for pointing that out, I'll bookmark them. :)

If you find anything ambiguous or have any questions, don't hesitate to ask on associated articles.

> I don't see those as automatic reasons to avoid it

pokes oar in

Not specifically against Cloudflare, but personally I don't like encouraging anyone to go with the centralised solution. As long as everyone does it because "that company's alright", people will keep seeing it as safe. I see it as comparable to the "why would I use free software when I can pay for something good?" point of view.
