IP Address Manager

Your Entity Agent comes with an IP Firewall that is used to manage the IP addresses used in both inbound and outbound traffic.

Encrypted DNS

Encrypted DNS services like DNS over HTTPS (DoH), DNS over TLS (DoT) etc. make it very difficult for you to discover which hostname is being accessed by your devices.

Encrypted DNS service is yet another transfer of power to the Cloud: in this case it removes the visibility of your traffic from your ISP and from YOU, making the Cloud provider's visibility of your traffic even more valuable.

For example, Cloudflare (1.1.1.1) and Google (8.8.8.8) can now see ALL your traffic destinations.

All these encrypted DNS services should be blocked so that your OWN DNS server is used by ALL the apps on the devices that you own.

Other security concerns about DoH are discussed here:

  1. DNS-over-HTTPS causes more problems than it solves, experts say | ZDNET
  2. https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9775718
  3. https://santandergto.com/en/how-to-protect-from-malware-that-abuses-dns-over-https-doh/

Blocking Encrypted DNS

While encrypted DNS can be useful for hiding upstream traffic (between your OWN DNS server and external DNS servers), it is normally not used from your DNS server; instead it is used from your personal devices, thus hiding DNS traffic from you!

The main focus here is to block DoH and DoT, which are the most popular; blocking other encrypted DNS protocols, e.g. DNSCrypt, DNS over QUIC etc., is optional.

Notes:

  1. The rapid growth of DoH servers means they are very difficult to block using a centralised list. The use of Citizen Synergy to classify IP addresses is the only scalable way of handling such dynamic data.

  2. DNSSEC simply confirms that a DNS record is correct; it does not hide the hostname, so it should NOT be blocked.

1. Port

The following ports to non-local DNS servers can be blocked:

  1. To block normal DNS: port 53
  2. To block DNS over TLS: port 853

2. IP Addresses

IP addresses of known DNS servers can be blocked using a citizen synergy maintained list available to members at https://publicip.88.io.
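Combining the port rules from section 1 with a resolver IP list like the one above, the following added example (not part of the Entity Agent or the publicip.88.io list) classifies outbound flow records so you can see which devices are bypassing your own DNS server. The local resolver address, the resolver IP entries and the flow lines are all constructed sample values.

```python
import ipaddress

# Constructed sample data: the address of your OWN DNS server, a few entries
# in the style of the public DoH/DoT resolver lists (values chosen for
# illustration only), and flow records as a firewall might log them.
LOCAL_DNS = ipaddress.ip_address("192.168.1.53")
KNOWN_DNS_RESOLVERS = [ipaddress.ip_network(n) for n in (
    "1.1.1.1/32", "8.8.8.8/32", "9.9.9.9/32", "2606:4700:4700::1111/128",
)]
SAMPLE_FLOWS = [
    "192.168.1.20 192.168.1.53 53 udp",   # normal lookup via your own server
    "192.168.1.20 8.8.8.8 53 udp",        # plain DNS bypassing your server
    "192.168.1.21 1.1.1.1 853 tcp",       # DNS over TLS
    "192.168.1.21 1.1.1.1 443 tcp",       # HTTPS to a known public resolver
    "192.168.1.22 93.184.216.34 443 tcp", # ordinary HTTPS, not a resolver
]

def in_resolver_list(ip):
    """True if ip falls inside any network in the resolver IP list."""
    return any(ip in net for net in KNOWN_DNS_RESOLVERS)

def classify_flow(line):
    """Return a verdict for one 'src dst dport proto' flow record."""
    src, dst, dport, proto = line.split()
    dst_ip = ipaddress.ip_address(dst)
    port = int(dport)
    if dst_ip == LOCAL_DNS:
        return "allow-local-dns"
    if port == 53:
        return "block-external-dns"   # port 53 to a non-local server
    if port == 853:
        return "block-dot"            # port 853 is DNS over TLS
    if port == 443 and in_resolver_list(dst_ip):
        return "block-doh"            # DoH shares 443, so the IP list decides
    return "unclassified"

def classify_all(lines):
    """Map every flow record to its verdict."""
    return {line: classify_flow(line) for line in lines}

if __name__ == "__main__":
    for flow, verdict in classify_all(SAMPLE_FLOWS).items():
        print(f"{verdict:20} {flow}")
```

Because DoH shares port 443 with all other HTTPS traffic, only the last check depends on the IP list; this is why the list must be kept current.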

Some of the sources used to seed that list are listed below.

2.1. One Off Dallas

Last update 2022-12-13

  1. dohservers/iplist.txt at master · oneoffdallas/dohservers · GitHub
  2. dohservers/ipv6list.txt at master · oneoffdallas/dohservers · GitHub
  3. dohservers/list.txt at master · oneoffdallas/dohservers · GitHub
  4. dohservers/listv6.txt at master · oneoffdallas/dohservers · GitHub

2.2. The Great Wall

Last update 2020-06-15

  1. TheGreatWall/TheGreatWall_ipv4 at master · Sekhan/TheGreatWall · GitHub
  2. TheGreatWall/TheGreatWall.txt at master · Sekhan/TheGreatWall · GitHub

2.3. DNSCrypt Resolvers

  1. GitHub - DNSCrypt/dnscrypt-resolvers: Lists of public DNSCrypt / DoH DNS servers and DNS relays
  2. DNS server sources · DNSCrypt/dnscrypt-proxy Wiki · GitHub

2.4. Adguard DNS

  1. https://adguard-dns.io/kb/general/dns-providers/

2.5. Extra Added To Above

Last update 2022-12-31

  1. mask-canary.icloud.com
  2. mask.apple-dns.net
  3. canary.mask.apple-dns.net

Known End-Points

It is increasingly difficult to decode HTTPS traffic due to certificate pinning, but metadata analysis can still be performed.

Major Cloud providers publish their hosts and domains; the intention was that we could at least look up the IPs for those to ensure that destination traffic is really going to them.

The problem, of course, is that the lists can be incomplete!

For example, the domain apple-dns.net belongs to Apple and has traffic going to it, yet it is NOT on the Apple published list above. How many people have asked what traffic is actually going to gateway.fe.apple-dns.net, and how many got an answer?