Anonymous ID: 32ecf6 Nov. 14, 2018, 7:15 a.m. No.3898989   >>9040 >>9310

Tech advice for EU anons (and others!) to circumvent future online censorship

 

Given that at least some EU countries are apparently using relatively crude methods (something akin to DNS spoofing) to block sites like 8ch, it is highly recommended that you put in place measures that will help circumvent these attacks before they're implemented.

 

Regarding the example of Italy, it seems the government has instructed their ISPs to alter their DNS servers to provide incorrect responses for certain sites (thus redirecting users elsewhere). This is just the latest in a long list of reasons not to use your ISP's DNS servers!

 

While there are a number of "public DNS" options that would be better than the default ISP DNS servers, the most robust solution is to run your own recursive DNS resolver on your internet router.

 

Step 1: Get control of your router. If you are using an ISP-controlled internet router, send it back! Far better to buy and manage your own hardware than to cede control of this critical piece of network infrastructure to an entity that couldn't care less about your information security.

 

For the best control and security, you need a device with open source software / firmware. There are two good options that I would recommend:

 

DD-WRT – an open source project that provides firmware for a number of common commercial routers

https://dd-wrt.com/

 

pfSense – another open source project based on FreeBSD (this is potentially more powerful, and better suited for router devices that are set up more like actual computers, or as a VM on a server, etc.)

https://www.pfsense.org/

 

Step 2: Set up your own DNS resolver.

 

For DD-WRT, follow these instructions to set up Unbound:

https://wiki.dd-wrt.com/wiki/index.php/Unbound

 

It's also very simple in the latest version of pfSense:

https://www.netgate.com/docs/pfsense/dns/unbound-dns-resolver.html

 

Then also make sure the router doesn't have any DNS server entries hard-coded, and that it's not set up to obtain any using DHCP (this will give you the ISP servers). Separately, all of your computers and devices on the local network should be set up to get their DNS information via DHCP (most likely this is already the case), as in this case it means they will get the information from your router alone.

 

At this point you should have reasonable protection against any ISP-based DNS attacks. To block you, the ISPs would have to start intercepting queries to the DNS root servers – and this would be quite a bit more serious and would likely break a lot of things.

 

Another benefit to this setup is that your network will support DNSSEC validation, which is another layer of protection against fuckery (although a lot of web sites still don't support this).
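
A way to check the finished setup, added here as an example and not part of the original post: the Python below sends the same A-record query to two resolvers, reads the DNSSEC AD (authenticated data) flag from each reply, and reports when the router's answer is unvalidated or differs from the other resolver's. The function names are this example's own, and the two sample replies are constructed bytes using documentation addresses.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """A-record query; RD and AD set so a validating resolver reports AD (RFC 6840)."""
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0120, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def skip_name(msg, pos):  # offset just past a (possibly compressed) domain name
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:      # compression pointer ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_response(msg):
    """Extract RCODE, the AD (authenticated data) flag and any A records."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos, addrs = 12, []
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4    # skip QTYPE + QCLASS
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x20), "addrs": sorted(addrs)}

def ask(resolver_ip, name, timeout=3.0):  # one UDP query to one resolver
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return parse_response(s.recv(4096))

def findings(own, other):
    """Compare the router resolver's reply with another resolver's reply."""
    out = []
    if not own["ad"]:
        out.append("local reply not DNSSEC-validated (unsigned zone or validation off)")
    if own["addrs"] != other["addrs"]:
        out.append("addresses differ (CDNs also cause this; test several names)")
    return out

# Constructed sample replies for example.com (shared body, then the A record data):
Q = "0001000100000000076578616d706c6503636f6d0000010001c00c000100010000012c0004"
SAMPLE_OWN = bytes.fromhex("123481a0" + Q + "c000020a")    # AD set, 192.0.2.10
SAMPLE_OTHER = bytes.fromhex("12348180" + Q + "cb007105")  # no AD, 203.0.113.5
```

On a live network, pass `findings()` the results of `ask()` for the router's LAN address and for the resolver being compared, using a name in a signed zone. The AD flag is only meaningful when it comes from a resolver you run, reached over your own local network.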