Public DNS servers


What's in it for you:
Every ISP provides two or more DNS resolvers. Some companies run resolvers that are reachable from the whole Internet, and some of them add more than plain name resolution: some public DNS servers warn you about malicious or phishing sites, some steer you away from pornography or other "non-family-friendly" sites. The public DNS servers on this list may be faster or slower than the ones provided by your ISP, depending on your location and Internet connectivity.

What's in it for the DNS providers:
The DNS providers can produce statistics about Internet usage, measure domain popularity, discover domain names in use, or analyze malware infections. They can also gain traffic by redirecting queries for nonexistent, "malicious", "phishing", "pornography", "non-family-friendly" and otherwise invalid names to pages of their own.

Hmmm!:
Your DNS provider sees every domain you visit. If a DNS provider is shady or compromised, your traffic can be directed to "bad" sites that pretend to be your webmail provider or your bank and steal your passwords, or worse; the sky is the limit on what a bad dude can do once he controls your DNS. So pick your DNS provider carefully, and perhaps use more than one to spread the queries and keep a tiny bit more of your privacy. Whether a caching resolver is fast, secure and reliable depends on your perception, your location and your Internet connectivity. To find the best public caching resolvers for you: test, test again, and then test some more. Two things worth testing besides latency: whether the answers agree with those from other resolvers, and whether a name that does not exist comes back as NXDOMAIN rather than as an address the provider would like you to visit.
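As an added example (not part of the original post), here is a small Python script that performs the two checks just described with nothing but the standard library: it builds a raw DNS query for a random name that should not exist, sends it to each resolver over UDP, times the reply and flags a resolver that answers with an address (rcode 0 plus an answer record) instead of NXDOMAIN (rcode 3). The default resolver addresses are taken from the list on this page; the probe name is a random label under example.com, which is assumed to have no wildcard record. It sends plain UDP queries only (no TCP fallback, no DNSSEC), which is enough for this comparison.

```python
"""Probe public DNS resolvers for latency and NXDOMAIN redirection.

Added example, not code from the original post.  One plain UDP query per
resolver; the reply is decoded by hand so the wire format stays visible.
"""
import random
import socket
import string
import struct
import sys
import time

QTYPE_A = 1
QTYPE_AAAA = 28
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Return a DNS query packet: 12-byte header, one question, RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(buf):
    """Return (txid, rcode, answers); answers holds A/AAAA rdata as text."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", buf[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4       # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
        else:
            answers.append("type%d" % rtype)
    return txid, rcode, answers


def classify(rcode, answers):
    """Explain what a resolver did with a name that does not exist."""
    if rcode == RCODE_NXDOMAIN:
        return "honest NXDOMAIN"
    if rcode == RCODE_NOERROR and answers:
        return "REDIRECTED: answered a nonexistent name with " + ", ".join(answers)
    if rcode == RCODE_NOERROR:
        return "NOERROR with no answer"
    return "rcode %d" % rcode


def random_name(suffix="example.com"):
    """A label nobody has registered, under a zone assumed to have no wildcard."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
    return label + "." + suffix


def probe(resolver, name, timeout=2.0):
    """Send one query to resolver:53 and return (milliseconds, rcode, answers)."""
    txid = random.randrange(1, 0xFFFF)
    query = build_query(name, txid=txid)
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        started = time.monotonic()
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
        elapsed_ms = (time.monotonic() - started) * 1000.0
    rtxid, rcode, answers = parse_response(data)
    if rtxid != txid:                        # a reply to some other query: do not trust it
        raise ValueError("transaction id mismatch")
    return elapsed_ms, rcode, answers


if __name__ == "__main__":
    # Defaults are resolvers from the list on this page; pass others on the command line.
    resolvers = sys.argv[1:] or ["8.8.8.8", "208.67.222.222", "156.154.70.1", "4.2.2.1"]
    name = random_name()
    print("probing", name)
    for resolver in resolvers:
        try:
            ms, rcode, answers = probe(resolver, name)
            print("%-20s %7.1f ms  %s" % (resolver, ms, classify(rcode, answers)))
        except (OSError, ValueError) as exc:
            print("%-20s failed: %s" % (resolver, exc))
```

Run it a few times and from more than one network before drawing conclusions; a single round trip says little, and some resolvers behave differently for the first (uncached) query than for the second.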

Provider: OpenNic Project: www ,  whois opennicproject.org
85.126.4.170
202.83.95.227
111.67.16.202
115.64.101.57
67.212.90.199
216.167.252.196
63.243.164.219
72.10.162.198
128.173.89.246

2a01:4f8:110:6221::50
2a00:e10:1000:10:1586:0:33:53
2001:4dd0:fb32:3::d

and at least a few dozen more


Provider: Google www , whois Google.com
8.8.8.8
8.8.4.4

2001:4860:4860::8888
2001:4860:4860::8844



Provider: Neustar, Inc. www
whois neustar.biz ,  whois ultradns.com ,  whois dnsadvantage.com
156.154.70.1
156.154.71.1



Provider: OpenDNS  www , whois opendns.com
208.67.222.222
208.67.220.220



Provider: Norton  www ,  whois norton.com
Security (warns about malware and phishing sites)
198.153.192.40
198.153.194.40

Security + Pornography
198.153.192.50
198.153.194.50

Security + Pornography + Non-Family Friendly
198.153.192.60
198.153.194.60



Provider: Verizon , whois gtei.net , whois verizon.com
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6



Provider: Level3  www ,  whois level3.net
209.244.0.3
209.244.0.4



Provider: Comodo  www ,  whois comodo.com
8.26.56.26
8.20.247.20



Provider: Speakeasy, Inc.     whois megapath.com ,  whois speakeasy.net
66.93.87.2
64.81.79.2



Provider: Cisco www ,  whois cisco.com
64.102.255.44
128.107.241.185



An updated Public DNS Servers list

To find out which DNS resolvers your local or proxy system actually uses, visit the Anonymity Checker.







Set up a Tor node on VirtualBox

This is one more shot at making the cheapest Tor relay node, so that people can build them easily, put them all over the place and solve all censorship and privacy issues once and for all.

I define cheap in terms of hardware, software, computer resources, bandwidth, "legal" complaints, and physical work (the time it takes to set up and maintain).

The VirtualBox Host is a computer running GNU/Linux.
The Virtual Machine runs Debian 6 Squeeze without a GUI.

Set up a Virtual Machine named "tornode" with the following specifications.

Virtual Machine Specs:
1 CPU
256 - 512 MB RAM
1GB - 2GB HD
2 Network Adapters ( Attached to: NAT , Promiscuous Mode: Deny )

Allow inbound ssh to your virtual machine.
Use this command on the Host System (the VM must be powered off for modifyvm to work).
$ VBoxManage modifyvm "tornode" --natpf1 "tornodessh,tcp,,2222,,22"
The above command assumes that the virtual machine is named tornode, that adapter 1 of tornode is the one attached to NAT (that is what the 1 in --natpf1 refers to), and that port 2222 is not used by anything on the Host System.
Now the VirtualBox NAT engine forwards all traffic bound to TCP port 2222 on the Host to port 22 on the virtual machine (the tornode guest), so you log in with ssh -p 2222 from the Host. The empty host-IP field makes the rule listen on every address of the Host; to keep the guest's ssh reachable from the Host only, bind it to loopback: "tornodessh,tcp,127.0.0.1,2222,,22".

Set up port forwarding for Tor.
Use this command on the Host System.
$ VBoxManage modifyvm "tornode" --natpf1 "tornodetoror,tcp,,9002,,9002"
This assumes that this Tor node will use ORPort 9002 instead of the default 9001. The ORPort has to be reachable from the Internet, so this rule does need to listen on all Host addresses.

Set a NAT forwarding rule for the Tor SOCKS port.
Use this command on the Host System.
$ VBoxManage modifyvm "tornode" --natpf1 "tornodetortsocks,tcp,,9050,,9050"
With the host-IP field empty, anything that can reach port 9050 on the Host, including other machines on your LAN, can push traffic through your Tor client. If only the Host itself should use it, bind the rule to loopback instead: "tornodetortsocks,tcp,127.0.0.1,9050,,9050".


If you are behind a NAT device (your router) you also need a rule for Tor on that device:
NAT_device:9002 -> VirtualBoxHost:9002

Do not set a rule for 9050, unless you really want your SOCKS proxy reachable from the Internet; an open SOCKS proxy gets found and abused quickly.

On the virtual machine install Debian 6.
-Install just the standard system utilities and the ssh server. Do not install a GUI.
-Optionally install bind.

Configure the network interface on the virtual machine "tornode".
The VirtualBox NAT engine has a DHCP server, but a static IP is better because Tor will be bound to that address. The first NAT network of the VirtualBox NAT engine is 10.0.2.0/24 with gateway 10.0.2.2 (the guest normally gets 10.0.2.15). Therefore the /etc/network/interfaces file on the virtual machine should look something like this.
# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
      address 10.0.2.15
      network 10.0.2.0
      netmask 255.255.255.0
      broadcast 10.0.2.255
      gateway 10.0.2.2



Install Tor
# apt-get install tor


Configure Tor

Try to configure at least the following Tor parameters.
# cat /etc/tor/torrc | grep g0
SocksPort 9050 #what port to open for local application connections #g0
SocksListenAddress 10.0.2.15 #g0
##SocksPolicy accept 192.168.0.0/16   #g0 
ORListenAddress 10.0.2.15:9002 #g0
Nickname IPduhDotCom #g0 IPduhDotCom is mine, use something else
Address mtor.ipduh.com   #g0 --Don't worry about this if you don't have access to the DNS of a domain name
RelayBandwidthRate 20 KB  # 20 KB/s = 160 kbit/s, the smallest rate Tor accepts for a relay #g0
ContactInfo Tor Relay Admin  #g0
ExitPolicy accept *:80      #g0
ExitPolicy accept *:110     #g0
ExitPolicy accept *:143     #g0
ExitPolicy accept *:443     #g0
ExitPolicy accept *:993     #g0
ExitPolicy accept *:8080    #g0
ExitPolicy reject *:* # reject everything else #g0

Notes on these settings:
-The accept lines make this an exit relay for the web and mail-retrieval ports, and exit traffic is what attracts the "legal" complaints mentioned above. For a non-exit (middle) relay, delete the accept lines and keep only ExitPolicy reject *:*.
-The SOCKS port is reached through the NAT engine, and every forwarded connection arrives at Tor with the NAT gateway 10.0.2.2 as its source address, so a SocksPolicy here cannot tell the Host apart from other machines on your LAN. Restrict access on the Host side (bind the 9050 rule to 127.0.0.1) instead.
-SocksListenAddress and ORListenAddress are the 0.2.2-era spelling; newer Tor releases take the address as part of SocksPort and ORPort (e.g. ORPort 10.0.2.15:9002).
 


Restart Tor
# /etc/init.d/tor restart
Stopping tor daemon: ..............................tor.
Starting tor daemon: tor...
Jun 21 20:56:11.658 [notice] Tor v0.2.2.35 (git-4f42b0a93422f70e). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686)
Jun 21 20:56:11.667 [notice] Initialized libevent version 1.4.13-stable using method epoll. Good.
Jun 21 20:56:11.668 [notice] Opening OR listener on 10.0.2.15:9002
Jun 21 20:56:11.668 [notice] Opening Socks listener on 10.0.2.15:9050
done.


If you do not have a time server on your network, install NTP on "tornode".

NTP is the best way to keep your Tor node's clock right. Tor relies on the clock to judge the validity of the network consensus and of relay certificates, so a relay whose clock is badly off is not usable.

check the date
# date


install ntp
#apt-get install ntp


see the time servers you are syncing with and then check the date.
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 aquarius.chorum  192.0.2.44  2 u  19   64    1    7.622  12648.2 1316.29
 chronos.duh.gr   .PPS.            1 u   18   64    1   13.152  12655.9 1314.66
 hora.example.net .GPS.            1 u   17   64    1    0.857  12676.9 1327.20
Now check the date again. It should be different.
If you do not see something like the above, try
#dpkg-reconfigure ntp;ntpq -p


Some public Internet Time Servers Pools:
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
0.debian.pool.ntp.org
1.debian.pool.ntp.org
2.debian.pool.ntp.org
3.debian.pool.ntp.org
europe.pool.ntp.org
uk.pool.ntp.org




If you have a time server on your network, set "tornode" to use it.
Uncomment or add to /etc/ntp.conf:
#tail -2 /etc/ntp.conf
disable auth
broadcastclient
and make sure that your network's time server broadcasts to "tornode", e.g.:
# grep broadcast /etc/ntp.conf
broadcast 192.0.2.31
note: assuming that your Host is in the 192.0.2.16/28 block, where 192.0.2.31 is the broadcast address.
Keep in mind that disable auth plus broadcastclient accepts time from any host on that segment that cares to send NTP broadcasts. On a network you do not fully control, point the guest at the time server with a unicast server line instead.

Set Up DNS on "tornode".

If you choose not to install BIND, point resolv.conf at your ISP's nameservers or at some public DNS servers. Two details matter here. glibc honours at most MAXNS nameserver lines (#define MAXNS 3 in /usr/include/resolv.h), so a fourth entry is silently ignored. And by default it always asks the first server, moving on to the next one only when the previous one times out, so listing three resolvers spreads nothing at all unless you also add options rotate, which round-robins the queries over them and buys the little extra privacy mentioned at the top. With that, something like the following would be OK at /etc/resolv.conf.
# cat /etc/resolv.conf
#ISP nameserver

#Google
nameserver 8.8.8.8

#Level 3
nameserver 4.2.2.1

#Norton
nameserver 198.153.192.40



If you choose to install Bind the following configuration files should be sufficient.

# cat /etc/bind/named.conf.options
options {
 directory "/var/cache/bind";

 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

 // If your ISP provided one or more IP addresses for stable 
 // nameservers, you probably want to use them as forwarders.  
 // Uncomment the following block, and insert the addresses replacing 
 // the all-0's placeholder.

 // forwarders {
 //  0.0.0.0;
 // };
 
 listen-on { 10.0.2.15; };
 auth-nxdomain no;    # conform to RFC1035
 //listen-on-v6 { any; };
};

listen-on { 10.0.2.15; } keeps the resolver on the NAT network, and since there is no forwarding rule for port 53 it is not reachable from the Internet. Still, restrict recursion to the guest's own network with an allow-recursion statement, so that a later change of network settings cannot quietly turn it into an open resolver.

You could set some public DNS servers as forwarders. Bear in mind that whichever resolver answers the relay's lookups sees every name that Tor users exiting through this node ask for; with the exit policy above, a recursive BIND without forwarders keeps those lookups on the box instead of handing them to a third party.

# cat /etc/resolv.conf
nameserver 10.0.2.15



Done! To use Tor, point your applications at the SOCKS proxy on port 9050 of the Host machine.

Augh ... almost done. Sooner or later you will notice that the virtual machine's outbound connections (HTTP and HTTPS for sure) are extremely slow. The slow outbound connections are caused by the VirtualBox NAT engine. To correct it you have to
  • increase the VirtualBox NAT engine TCP/IP buffers to the maximum size (1024 KB), and
  • add one more NAT network interface to the virtual machine to handle the outgoing connections.


To increase the VirtualBox NAT engine TCP/IP buffers to the maximum size (1024 KB), use the following command. The five values are the MTU in bytes, followed by the socket send, socket receive, TCP send and TCP receive buffer sizes in KB.
$ VBoxManage modifyvm "tornode" --natsettings1 1500,1024,1024,1024,1024


To add one more NAT network interface to the virtual machine, set Adapter 2 to Attached to: NAT and Promiscuous Mode: Deny in the virtual machine's network settings.

In the virtual machine add the following 2 lines to the /etc/network/interfaces file.
$ tail -3 interfaces

auto eth1
iface eth1 inet dhcp
The second interface does not need a static IP address: no service is bound to it, and Tor keeps listening on 10.0.2.15. The VirtualBox NAT engine runs a DHCP server for the second NAT network, 10.0.3.0/24, and will hand out 10.0.3.15 with gateway 10.0.3.2. The default route via 10.0.3.2 ends up above the one via 10.0.2.2 in the guest's routing table, so all outbound connections leave through eth1, while replies to the forwarded ORPort and SOCKS connections (which arrive from 10.0.2.2, on-link via eth0) still go back through eth0.
# route -n 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.3.2        0.0.0.0         UG    0      0        0 eth1
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 eth0


Now you are done!
To set up a browser, look under Network or Proxy Settings and configure a SOCKS v5 proxy pointing at the Host machine, port 9050. Make sure the browser also sends its DNS lookups through the proxy (in Firefox: "Proxy DNS when using SOCKS v5"); otherwise every name you visit still leaks to your normal resolver, Tor or not.

Use the Anonymity Check to test your setup.

References:
TorProject.org: Install Tor on Debian/Ubuntu
TorProject.org: Exit Relay Typical Abuses
TorProject.org: Tor Legal FAQ
VirtualBox.org : Virtual Networking
VirtualBox.org : NAT and limitations
VirtualBox.org : Fine-tuning the VirtualBox NAT






Ubuntu 12.04 LTS boots only from USB

This is classic but I bet it is going to be hot.

When
After installing Ubuntu 12.04 LTS as the only operating system, from a USB stick.

Issue
The computer boots only when the USB drive (the one used to install Ubuntu 12.04 LTS) is plugged in.

Why
The boot manager GRUB was written to the USB stick but not to the hard drive.

Solution
Install GRUB on the hard drive.

Assumptions
In this scenario I assume that the hard drive containing the OS is /dev/sda and that the BIOS boot order includes this drive.

To know the boot order for sure, check the BIOS settings. To enter the BIOS follow the instructions on the splash screen: hit one of F2, F12, DEL, ESC or F10 while booting.

To figure out the device name of the hard drive containing the OS, hit Dash Home, type "Terminal", fire up a Terminal and list your hard drive partitions with fdisk.
$ sudo fdisk -l


How
To install GRUB on /dev/sda
$ sudo grub-install /dev/sda
$ sudo update-grub


Now run it once more with --recheck, which throws away the existing device map and rebuilds it before installing, so that nothing still refers to the USB stick.
$ sudo grub-install --recheck /dev/sda
Remove the USB stick and reboot.
$ sudo shutdown -r now


Done!




Private Key and Certificate Signing Request CSR

To generate the private key and the Certificate Signing Request ( CSR )

$ openssl req \
> -new -newkey rsa:2048 -nodes \
> -keyout private_key.pem -out key_csr.pem
Generating a 2048 bit RSA private key
......................................................+++
......................+++
writing new private key to 'private_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EU
State or Province Name (full name) [Some-State]:state_g0
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IPduh
Organizational Unit Name (eg, section) []:Systems
Common Name (eg, YOUR name) []:g0
Email Address []:fckna@bot.ipduh.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: 



The CSR we need to send to our Certificate Authority for signing is key_csr.pem; private_key.pem stays on the server and is never sent anywhere. Three things to get right at the prompts for a web server certificate: the Common Name must be the host name the site is served under (ssl.example.net, not a person's name), the Country Name must be an assigned ISO 3166 two-letter code (EU is not one, and many CAs reject it), and -nodes leaves the private key unencrypted on disk, which is what lets Apache start without a passphrase but also means that file permissions are the only protection the key has.

Apache 2 Virtual Host SSL setup

Let's name the certificate that our Certificate Authority signed signed_public.pem. It carries the public key; private_key.pem is the matching private key.

Put them in the appropriate /etc/ssl/ directories. /etc/ssl/private is not world-readable on Debian, but make sure the key file itself is owned by root with mode 0600 as well.
#cp signed_public.pem /etc/ssl/certs
#cp private_key.pem /etc/ssl/private
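Here is an added example (not from the original post) that does the CSR step without the interactive prompts and adds the checks a CA or a browser will make anyway: it writes a minimal OpenSSL config with a proper Common Name and a subjectAltName, generates the key and CSR, and compares the RSA modulus of key, CSR and signed certificate, so a mismatched or wrong file is caught before anything is copied into /etc/ssl. It drives the same openssl command-line tool the post uses; the subject fields (including the default country GR), the file names and the helper names are this example's own assumptions. The demo signs the CSR with its own key as a stand-in for the CA.

```python
"""Non-interactive key + CSR generation and key/CSR/certificate consistency checks.

Added example, not code from the original post.  It drives the openssl
command-line tool the post uses; subject fields, file names and helper
names are this example's own choices.
"""
import os
import subprocess
import tempfile


def openssl(*args):
    """Run one openssl subcommand, return its stdout, raise if it fails."""
    result = subprocess.run(["openssl", *args], check=True,
                            capture_output=True, text=True)
    return result.stdout


def make_key_and_csr(key_path, csr_path, common_name, alt_names,
                     country="GR", org="IPduh", bits=2048):
    """Write an unencrypted RSA private key (mode 0600) and a CSR.

    Unlike the interactive session on this page, the CSR carries a
    subjectAltName: browsers ignore the Common Name and only trust the
    names listed there, so the CA has to see them in the request.
    """
    sans = ",".join("DNS:" + name for name in alt_names)
    config = "\n".join([
        "[req]", "prompt = no", "distinguished_name = dn", "req_extensions = ext",
        "[dn]", "C = " + country, "O = " + org, "CN = " + common_name,
        "[ext]", "subjectAltName = " + sans,
    ]) + "\n"
    fd, cfg_path = tempfile.mkstemp(suffix=".cnf")
    with os.fdopen(fd, "w") as cfg:
        cfg.write(config)
    try:
        openssl("req", "-new", "-newkey", "rsa:%d" % bits, "-nodes",
                "-keyout", key_path, "-out", csr_path, "-config", cfg_path)
    finally:
        os.unlink(cfg_path)
    os.chmod(key_path, 0o600)      # -nodes leaves the key unencrypted: rely on permissions


def modulus(kind, path):
    """Hex RSA modulus of a private key, a CSR or a certificate."""
    subcommand = {"key": "rsa", "csr": "req", "cert": "x509"}[kind]
    out = openssl(subcommand, "-in", path, "-noout", "-modulus")
    return out.strip().split("=", 1)[1]          # output looks like Modulus=AB12...


def csr_matches_key(csr_path, key_path):
    """True if the CSR was made from this private key."""
    return modulus("csr", csr_path) == modulus("key", key_path)


def cert_matches_key(cert_path, key_path):
    """The check to run on signed_public.pem before copying it to /etc/ssl/certs."""
    return modulus("cert", cert_path) == modulus("key", key_path)


def csr_alt_names(csr_path):
    """DNS names the CSR asks for, read back from openssl's text dump."""
    for line in openssl("req", "-in", csr_path, "-noout", "-text").splitlines():
        if "DNS:" in line:
            return [item.strip()[len("DNS:"):] for item in line.split(",")]
    return []


def self_signed_cert(csr_path, key_path, cert_path, days=1):
    """Sign the CSR with its own key: a stand-in for the CA while testing."""
    openssl("x509", "-req", "-in", csr_path, "-signkey", key_path,
            "-out", cert_path, "-days", str(days))


def demo(workdir=None):
    """Run the whole flow in workdir (a fresh temp dir by default) and
    return the result of each check, including one deliberate mismatch."""
    workdir = workdir or tempfile.mkdtemp(prefix="csr-demo-")

    def path(name):
        return os.path.join(workdir, name)

    make_key_and_csr(path("private_key.pem"), path("key_csr.pem"),
                     "ssl.example.net", ["ssl.example.net", "www.example.net"])
    self_signed_cert(path("key_csr.pem"), path("private_key.pem"), path("signed_public.pem"))
    make_key_and_csr(path("other_key.pem"), path("other_csr.pem"),
                     "alt.example.net", ["alt.example.net"])
    return {
        "workdir": workdir,
        "csr_matches_key": csr_matches_key(path("key_csr.pem"), path("private_key.pem")),
        "cert_matches_key": cert_matches_key(path("signed_public.pem"), path("private_key.pem")),
        "cert_matches_other_key": cert_matches_key(path("signed_public.pem"), path("other_key.pem")),
        "alt_names": csr_alt_names(path("key_csr.pem")),
        "key_mode": os.stat(path("private_key.pem")).st_mode & 0o777,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

When the real signed_public.pem comes back from the CA, cert_matches_key is the one call that matters; a False there usually means the CA signed an older CSR or you are holding the key of a different request.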


Enable mod_ssl
# cd /etc/apache2/mods-available/
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!


Adjust /etc/apache2/ports.conf
# cat /etc/apache2/ports.conf

Listen 192.0.2.44:80
NameVirtualHost 192.0.2.44:80

<IfModule mod_ssl.c>
    Listen 192.0.2.44:443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 192.0.2.44:443
</IfModule>



Configure the Virtual Hosts:

#head -7 ssl.example.net

    ServerAdmin admin@example.net
    DocumentRoot /var/www/example.net
    SSLEngine on
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/signed_public.pem
    SSLCertificateKeyFile /etc/ssl/private/private_key.pem
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown


or
#head -9 ssl.alt.example.net

    ServerAdmin admin@example.net
    DocumentRoot /var/www/example.net
    SSLEngine on
    SSLOptions +StrictRequire
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLCertificateFile /etc/ssl/certs/signed_public.pem
    SSLCertificateKeyFile /etc/ssl/private/private_key.pem
    #  SSLCertificateChainFile
    #  SSLCACertificateFile
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog ${APACHE_LOG_DIR}/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Both snippets belong inside a <VirtualHost 192.0.2.44:443> container, matching the Listen line in ports.conf. A few things to check in the second one:
-SSLProtocol all -SSLv2 still allows SSLv3, and the cipher string still admits RC4 and the MEDIUM group; all of these have known weaknesses, so disable SSLv3 as well and keep only HIGH ciphers unless some client of yours needs the rest.
-Uncomment SSLCertificateChainFile and point it at the intermediate certificate(s) your CA gave you; without the chain, clients that do not already know the intermediate cannot validate signed_public.pem. SSLCACertificateFile is only needed if you verify client certificates.
-The CustomLog line comes from the upstream mod_ssl docs, where it reads logs/ssl_request_log; Debian's Apache has no logs/ directory under its ServerRoot, so log under ${APACHE_LOG_DIR} (/var/log/apache2) as shown.




Alternative MSIE SSL connection handling workaround
( taken from /usr/share/doc/apache2.2-common/README.Debian.gz )
SSL workaround for MSIE
-----------------------

The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

The default SSL virtual host in /etc/apache2/sites-available/default-ssl
already contains this workaround.


ref:
Apache 2 mod_ssl


