Disclaimer : I’m the author of this project.

🚀 Privacy DNS Chooser Script v1.0 “Snow Breeze” Release!

Project source code : https://github.com/rollsicecream/privacy-dns-chooser

Dear Community,

I’m thrilled to announce the official release of the Privacy DNS Chooser Script v1.0, code-named “Snow Breeze”! This marks a significant milestone in my journey to simplify the process of enabling DNS-over-TLS with privacy-focused DNS providers on Linux systems using systemd-resolved.

Key Highlights:

  • User-Friendly Setup: Easily configure DNS-over-TLS with a seamless and intuitive CLI Interface
  • Privacy-Focused Providers: Choose from trusted DNS providers like Quad9, Mullvad DNS, and NextDNS (more coming soon!)
  • Enhanced Security: DNS-over-TLS is enabled by default for a more secure online experience.

How to Get Started:

  1. Ensure you have systemd-resolved installed on your Linux system.
  2. Download the script from GitHub.
  3. Run the script with sudo to set up your preferred DNS provider.

Your Feedback Matters:

We value your feedback! Share your experience, report issues, or suggest improvements on GitHub Issues. Your insights help us refine and enhance the Privacy DNS Chooser Script.

Spread the Word:

Help us reach more users by sharing the news! Talk about it, share on your favorite forums, and let your community know about the release.

Thank you!

  • Pantherina@feddit.de
    link
    fedilink
    arrow-up
    0
    ·
    11 months ago

    In Germany every public wifi, train (ICE windows block cell internetand they are currently lasering small waves in them), hotels, cafes, private wifis even if you are a guest.

    Because of “data protection” everyone needs to accept TOS so every network has them.

    No idea where you live but cell data is often expensive.

    I just use the MullvadVPN app, my systemd-resolved is plain and insecure and Mullvad does all the secure DNS stuff. Obviously sucks and is not scalable at all.

    Systemd implementing a switch that could then be integrated into GUIs, like KDE6’s captive portal opener, is crucial. So for the portals you would make the DNS insecure, log in and secure it again. Best automatically.

    • progandy@feddit.de
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      11 months ago

      No need for a systemd switch. It should work with a dedicated “portal” browser that bypasses the global dns and has a built-in resolver using the dns from dhcp.

      • Pantherina@feddit.de
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        11 months ago

        Yes if that works for sure. Problem here is that GNOME and KDE use different webengines, so yay no standards. Firefox doesnt support that I think?

        I use a seperate firefox profile with a shortcut like

        blabla desktop entry
        Name=Captive Portal
        Exec=mullvad-exclude firefox -P captive http://captive.kuketz.de
        

        I wanted to do something with mullvad-exclude but that didnt work for some reason, as when excluding it I think it had no internet?

    • Baritone5371@kbin.socialOP
      link
      fedilink
      arrow-up
      0
      ·
      11 months ago

      Ok. I will see that! If you have a GitHub account. You can make an issue right now, so tracking the issue would be better for me. Or I could do that myself.

      Edit : I have made a prototype that I could release it soon as an alpha. When it gets released, your goal is to test in a place where captive portals are present. Sadly, the script won’t be automatic but requires user interaction.

      Edit 2 : it is now available as alpha on the releases page.

        • _s10e@feddit.de
          link
          fedilink
          arrow-up
          2
          ·
          11 months ago

          Have you looked into how existing software handles captive portals. I believe, both Ubuntu (or Gnome or Network-Manager) and Firefox do check for such portals and detect real internet access. (They simple poll some URL http://detectportal.vendor.com and check for the expected return code. Portals usually redirect.)

          Now I’m thinking, what if this check could trigger a change to the DNS configuration. That is use DoT when internet is available, otherwise fall back to DHCP announced DNS

          • Pantherina@feddit.de
            link
            fedilink
            arrow-up
            2
            ·
            11 months ago

            That is neat! It is a specific response so it should work.

            #!/bin/bash
            
            # Function to set insecure DNS
            function insecure-dns() {
              # Backup the original resolved.conf file
              cp /etc/systemd/resolved.conf /etc/systemd/resolved.conf.bak
            
              # Modify resolved.conf to disable custom DNS, DoT, and DNSSEC
              sed -i 's/^DNS=.*/#DNS=/; s/^Domains=.*/#Domains=/; s/^DNSOverTLS=.*/#DNSOverTLS=/; s/^DNSSEC=.*/#DNSSEC=/' /etc/systemd/resolved.conf
            
              # Restart systemd-resolved
              systemctl restart systemd-resolved
            }
            
            # Function to set secure DNS
            function secure-dns() {
              # Restore the original resolved.conf file
              mv /etc/systemd/resolved.conf.bak /etc/systemd/resolved.conf
            
              # Restart systemd-resolved
              systemctl restart systemd-resolved
            }
            
            while true; do
              response=$(curl -sI captive.test.com | head -n 1 | cut -d' ' -f2)
            
              if [ "$response" == "200" ]; then
                insecure-dns
                xdg-open captive.test.com
                sleep 30
                # something to wait until window is closed, otherwise spam!
              else
                secure-dns
              fi
            
              sleep 5
            done
            

            This should work. What would be needed is to track the process of the login and only continue when the window is closed again.