Public DNS Servers

What's in it for you:
Every ISP provides a couple of DNS resolvers. Some companies run DNS resolvers that are reachable from the whole Internet, and some of them add something more than plain resolving: some public DNS servers warn you about malicious or phishing sites, and some steer you away from pornography or "non-family-friendly" sites. The public DNS servers on this list may be faster or slower than the ones your ISP provides, depending on your location and Internet connectivity.

What's in it for the DNS providers:
The DNS providers can produce statistics about Internet usage, measure domain popularity, discover domain names in use, or analyze malware infections. They can also gain traffic by redirecting queries for nonexistent, "malicious", "phishing", "pornography", "non-family-friendly" and invalid names to pages of their own.

Your DNS provider sees every domain you look up. If a DNS provider is shady or compromised, your traffic can be directed to sites that impersonate your web mail provider or your bank and steal your passwords, or worse: the sky is the limit for whoever controls your DNS. Keep in mind that plain DNS over UDP is not authenticated, so without DNSSEC validation anyone on the path can forge an answer just as easily as the resolver itself. So pick your DNS provider carefully, and perhaps use more than one to spread your queries and keep a little more of your privacy. "Fast, secure and reliable" caching resolvers are a matter of your perception, your location and your Internet connectivity. To find the best public caching DNS resolvers for you: test, test again, and then test some more.

Provider: OpenNic Project: www ,  whois


and at least a few dozen more

Provider: Google www , whois


Provider: Neustar, Inc. www
whois ,  whois ,  whois

Provider: OpenDNS  www , whois

Provider: Norton  www ,  whois
Security ( it warns about malware & phising sites )

Security + Pornography

Security + Pornography + Non-Family Friendly

Provider: Verizon , whois , whois

Provider: Level3  www ,  whois

Provider: Comodo  www ,  whois

Provider: Speakeasy, Inc.     whois ,  whois

Provider: Cisco www ,  whois

An updated Public DNS Servers list

To figure out which DNS resolvers your local or proxy system actually uses, visit the Anonymity Checker.
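As an added example, not part of the original post: a small Python DNS client that sends one UDP query per resolver, times it, and classifies the answer. Asking for a name that cannot exist (the reserved .invalid TLD) and getting an address back is the tell-tale of a resolver that redirects nonexistent names, which the post warns about; the transaction-id check is the minimal defence against stale or forged replies. The resolver address 192.0.2.53 in the main block is a placeholder from the documentation range, and build_response produces constructed replies so the parsing can be exercised offline.

```python
import random
import socket
import struct
import time

# Added example, not from the post: a minimal DNS client to time resolvers
# and classify what they answer for a name that cannot exist.

RCODE_NXDOMAIN = 3


def encode_name(name):
    """Dotted host name -> DNS wire format (length-prefixed labels, zero end)."""
    labels = name.rstrip('.').split('.')
    return b''.join(bytes([len(label)]) + label.encode('ascii') for label in labels) + b'\x00'


def build_query(name, qtype=1):
    """Return (transaction id, wire query) for an A record (qtype 1) lookup."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)  # RD set
    return txid, header + encode_name(name) + struct.pack('!HH', qtype, 1)


def read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            pointer = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                     # caller resumes after the pointer
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), end if end is not None else off


def parse_response(msg, expected_txid):
    """Return (rcode, [A record addresses]); refuse replies with the wrong id."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack('!HHHHHH', msg[:12])
    if txid != expected_txid:
        raise ValueError('transaction id mismatch: stale or forged reply')
    if not flags & 0x8000:
        raise ValueError('QR bit clear: not a response')
    off = 12
    for _ in range(qdcount):                      # skip the echoed question
        _, off = read_name(msg, off)
        off += 4                                  # qtype + qclass
    addresses = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlength = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlength == 4:
            addresses.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlength
    return flags & 0x000F, addresses


def classify(rcode, addresses):
    """For a name that must not exist anything but NXDOMAIN is suspicious:
    'ANSWER' means the resolver substitutes an address of its own."""
    if rcode == RCODE_NXDOMAIN:
        return 'NXDOMAIN'
    if rcode == 0:
        return 'ANSWER' if addresses else 'NODATA'
    return 'RCODE%d' % rcode


def query(resolver_ip, name, timeout=2.0):
    """One UDP query; return (seconds taken, classification, addresses)."""
    txid, wire = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    started = time.monotonic()
    try:
        sock.sendto(wire, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    rcode, addresses = parse_response(data, txid)
    return time.monotonic() - started, classify(rcode, addresses), addresses


def build_response(txid, name, rcode, addresses):
    """Constructed reply (offline testing only), shaped like a real one:
    question echoed, each answer naming it through a pointer to offset 12."""
    msg = struct.pack('!HHHHHH', txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    msg += encode_name(name) + struct.pack('!HH', 1, 1)
    for ip in addresses:
        msg += b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 60, 4) + socket.inet_aton(ip)
    return msg


if __name__ == '__main__':
    # 192.0.2.53 is a placeholder (documentation range); put real resolvers here.
    for resolver in ('192.0.2.53',):
        try:
            print(resolver, query(resolver, 'should-not-exist.invalid'))
        except (OSError, ValueError) as exc:
            print(resolver, 'failed:', exc)
```

Run it with a few resolvers in the tuple and compare the timings; a resolver that returns ANSWER for the .invalid name is rewriting NXDOMAIN, and one that returns an address for a known domain that differs from what the others return deserves a closer look.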


Set up a Tor node on VirtualBox

This is one more attempt at building the cheapest possible Tor relay node, so that people can make them easily, put them all over the place and solve all censorship and privacy issues once and for all.

I define cheap in terms of hardware, software, computer resources, bandwidth, "legal" complaints, and physical work (the time it takes to set up and maintain).

The VirtualBox Host is a computer running GNU/Linux.
The Virtual Machine runs Debian 6 Squeeze without a GUI.

Set up a Virtual Machine named "tornode" with the following specifications.

Virtual Machine Specs:
256 - 512 MB RAM
1GB - 2GB HD
2 Network Adapters ( Attached to: NAT , Promiscuous Mode: Deny )

Allow inbound ssh to your virtual machine.
Use this command on the Host System.
$ VBoxManage modifyvm "tornode" --natpf1 "tornodessh,tcp,,2222,,22"
The above command assumes that the virtual machine name is tornode, that tornode's first network adapter is the one attached to NAT (hence natpf1), and that port 2222 is not used by anything on the Host System.
The VirtualBox NAT engine now forwards all traffic bound to TCP port 2222 on the Host to port 22 on the virtual machine (the tornode guest).

Set up port forwarding for Tor's ORPort.
Use this command on the Host System.
$ VBoxManage modifyvm "tornode" --natpf1 "tornodetoror,tcp,,9002,,9002"
This assumes that the Tor node will use ORPort 9002 instead of the default 9001.

Set a NAT forwarding rule for Tor's SOCKS port (this is Tor's SocksPort, a plain SOCKS proxy, not a transparent proxy).
Use this command on the Host System.
$ VBoxManage modifyvm "tornode" --natpf1 "tornodetortsocks,tcp,,9050,,9050"

If you connect to the Internet through a NAT device, you also need a rule for Tor's ORPort on that device.
NAT_device:9002 -> VirtualBoxHost:9002

Do not set a rule for 9050 on the NAT device, unless you want your SOCKS proxy reachable from the Internet. Note also that the VirtualBox rule above leaves the host IP field (the third field) empty, so the host accepts connections to 9050 on every interface it has and anybody on your LAN can use the proxy; put 127.0.0.1 in that field if only the host itself should use it.

On the virtual machine install Debian 6.
-Install just the system utilities and the ssh server. Do not install a GUI.
-Optionally install bind.

Configure the network interface on the virtual machine "tornode".
The VirtualBox NAT engine has a DHCP server, but setting a static IP is better. The first default internal network of the VirtualBox NAT engine, and its gateway, are fixed, so the /etc/network/interfaces file on the virtual machine should look something like this.
# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static

Install Tor
# apt-get install tor

Configure Tor

Try to configure at least the following Tor parameters.
# cat /etc/tor/torrc | grep g0
SocksPort 9050 # what port to open for local application connections #g0
SocksListenAddress #g0
##SocksPolicy accept   #g0 
ORListenAddress #g0
Nickname IPduhDotCom #g0 IPduhDotCom is mine, use something else
Address   #g0 --Don't worry about this if you don't control the DNS of a domain name
RelayBandwidthRate 20 KB  # throttle traffic to 20 KB/s (160 kbit/s) #g0 --minimum
ContactInfo Tor Relay Admin  #g0
ExitPolicy accept *:80      #g0
ExitPolicy accept *:110     #g0
ExitPolicy accept *:143     #g0
ExitPolicy accept *:443     #g0
ExitPolicy accept *:993     #g0
ExitPolicy accept *:8080    #g0
ExitPolicy reject *:* # reject everything else #g0

Note that the accept lines make this an exit relay for ports 80, 110, 143, 443, 993 and 8080 (Tor evaluates ExitPolicy rules in order, first match wins), so expect the kind of complaints described in the Tor Legal FAQ in the references. If you want a non-exit (middle) relay instead, keep only the "ExitPolicy reject *:*" line.
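Added example (not Tor's own code and not from the post): evaluate the ExitPolicy lines above the way Tor does, first matching rule wins, to see what the relay will actually exit to. SAMPLE_TORRC holds the post's ExitPolicy lines; the addresses used in the main block and the test are documentation ranges. Ports that no rule decides are left to Tor's built-in default policy and reported as None.

```python
import ipaddress

# Added example, not Tor's code: evaluate torrc ExitPolicy lines
# (first matching rule wins) to see what a relay will exit to.

# Constructed torrc excerpt: the ExitPolicy lines from the post.
SAMPLE_TORRC = """\
ExitPolicy accept *:80      #g0
ExitPolicy accept *:110     #g0
ExitPolicy accept *:143     #g0
ExitPolicy accept *:443     #g0
ExitPolicy accept *:993     #g0
ExitPolicy accept *:8080    #g0
ExitPolicy reject *:* # reject everything else #g0
"""

ANY = (ipaddress.ip_network('0.0.0.0/0'), ipaddress.ip_network('::/0'))


def parse_exit_policy(torrc_text):
    """Return ordered rules (action, network, low_port, high_port).

    Handles accept/reject, '*', CIDR or single addresses, single ports and
    ranges; the *4/*6 and accept6/reject6 forms of newer Tor are not covered."""
    rules = []
    for raw in torrc_text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments
        if not line.lower().startswith('exitpolicy '):
            continue
        for entry in line[len('ExitPolicy'):].split(','):
            action, _, target = entry.strip().partition(' ')
            action = action.lower()
            if action not in ('accept', 'reject') or ':' not in target:
                raise ValueError('unsupported ExitPolicy entry: %r' % entry)
            addr, _, port = target.strip().rpartition(':')
            addr = addr.replace('[', '').replace(']', '')   # [v6addr]:port form
            nets = ANY if addr == '*' else (ipaddress.ip_network(addr, strict=False),)
            if port == '*':
                low, high = 1, 65535
            elif '-' in port:
                low, high = (int(p) for p in port.split('-', 1))
            else:
                low = high = int(port)
            rules.extend((action, net, low, high) for net in nets)
    return rules


def exit_allowed(rules, address, port):
    """True/False from the first rule matching (address, port); None if no
    rule matches, in which case Tor applies its built-in default policy."""
    ip = ipaddress.ip_address(address)
    for action, net, low, high in rules:
        if ip in net and low <= port <= high:     # 'in' is False across v4/v6
            return action == 'accept'
    return None


def allowed_ports(rules, address):
    """Every port this policy lets the relay exit to for the given address."""
    ip = ipaddress.ip_address(address)
    relevant = [(a, lo, hi) for a, net, lo, hi in rules if ip in net]

    def decide(port):
        for action, low, high in relevant:
            if low <= port <= high:
                return action == 'accept'
        return False                              # undecided: not listed

    return [p for p in range(1, 65536) if decide(p)]


if __name__ == '__main__':
    rules = parse_exit_policy(SAMPLE_TORRC)
    print('exit ports:', allowed_ports(rules, '203.0.113.10'))
    print('SMTP exit?', exit_allowed(rules, '203.0.113.10', 25))
```

Running it against the post's lines prints the six exit ports and False for SMTP, which is the quickest way to see that this is a reduced exit relay rather than a non-exit one.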

Restart Tor
# /etc/init.d/tor restart
Stopping tor daemon: ..............................tor.
Starting tor daemon: tor...
Jun 21 20:56:11.658 [notice] Tor v0.2.2.35 (git-4f42b0a93422f70e). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686)
Jun 21 20:56:11.667 [notice] Initialized libevent version 1.4.13-stable using method epoll. Good.
Jun 21 20:56:11.668 [notice] Opening OR listener on
Jun 21 20:56:11.668 [notice] Opening Socks listener on

If you do not have a time server in your network, install NTP on "tornode".

NTP is the best way to keep your Tor node's clock correct, and Tor needs a correct clock: a relay with a badly skewed clock logs clock-skew warnings and does not work properly.

check the date
# date

install ntp
#apt-get install ntp

See the time servers you are syncing with, then check the date again.
# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
 aquarius.chorum                  2 u   19   64    1    7.622  12648.2 1316.29
                 .PPS.            1 u   18   64    1   13.152  12655.9 1314.66
                 .GPS.            1 u   17   64    1    0.857  12676.9 1327.20
Now check the date again. It should be different.
If you do not see something like the above, try
# dpkg-reconfigure ntp; ntpq -p

Some public Internet Time Servers Pools:

If you have a time server on your network, set "tornode" to use it.
Uncomment or add to /etc/ntp.conf
# tail -2 /etc/ntp.conf
disable auth
and make sure that your network's time server broadcasts to "tornode", e.g.:
# grep broadcast /etc/ntp.conf
Note: this assumes that your host is in the block whose broadcast address is the one given. "disable auth" means the node accepts unauthenticated broadcast time from anything on that segment, which is fine only on a network you control.

Set Up DNS on "tornode".

If you choose not to install Bind, fill resolv.conf with your ISP's nameservers or some public DNS servers, to spread the queries and gain a little privacy. According to #define MAXNS in /usr/include/resolv.h the resolver uses at most 3 nameservers (further nameserver lines are ignored), so something like the following is fine in /etc/resolv.conf.
# cat /etc/resolv.conf
# ISP nameserver


#Level 3


If you choose to install Bind the following configuration files should be sufficient.

# cat /etc/bind/named.conf.options
options {
 directory "/var/cache/bind";

 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk.  See

 // If your ISP provided one or more IP addresses for stable 
 // nameservers, you probably want to use them as forwarders.  
 // Uncomment the following block, and insert the addresses replacing 
 // the all-0's placeholder.

 // forwarders {
 // };
 listen-on {; };    // listen on loopback only; this resolver serves the VM itself
 auth-nxdomain no;    # conform to RFC1035
 //listen-on-v6 { any; };
};

You could set some public DNS servers as forwarders.

# cat /etc/resolv.conf

Done! To use Tor, point your applications at the SOCKS server on port 9050 of the host machine.

augh ... almost done. Sooner or later you will notice that the virtual machine's outbound connections (HTTP and HTTPS for sure) are extremely slow. The slow outbound connections are caused by the VirtualBox NAT engine. To correct this you have to
  • increase the VirtualBox NAT engine TCP/IP buffers to the maximum size (1024 KB), and
  • add one more NATed network interface to the virtual machine to handle outgoing connections.

To increase the VirtualBox NAT engine TCP/IP buffers to the maximum size (1024 KB),
use the following command (the fields are the MTU, the socket send and receive buffer sizes, and the TCP send and receive window sizes).
$ VBoxManage modifyvm "tornode" --natsettings1 1500,1024,1024,1024,1024

To add one more NATed network interface to the virtual machine,
set Adapter 2 to Attached to: NAT and Promiscuous Mode: Deny in the virtual machine's network settings.

In the Virtual Machine add the following 2 lines to the /etc/network/interfaces file.
$ tail -3 interfaces

auto eth1
iface eth1 inet dhcp
The second interface does not need a static IP address; no service binds to it. The VirtualBox NAT engine runs a DHCP server that assigns it an address in the second NAT network. The gateway the NAT engine provides on that network becomes the default route, placed higher in the virtual machine's routing table, which forces all outbound connections through eth1.
# route -n 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                U     0      0        0 eth0
                                                U     0      0        0 eth1
                                                UG    0      0        0 eth1
                                                UG    0      0        0 eth0

Now you are done!
To set up a browser look under Network or Proxy Settings; the SOCKS server in your browser's settings is the host machine, port 9050.

Use the Anonymity Check to test your setup.

References: Install Tor on Debian/Ubuntu; Exit Relay Typical Abuses; Tor Legal FAQ; VirtualBox manual: Virtual Networking, NAT and limitations, Fine-tuning the VirtualBox NAT.


Ubuntu 12.04 LTS boots only from USB

This is classic but I bet it is going to be hot.

After installing Ubuntu 12.04 LTS from a USB stick as the only operating system, the computer boots only when the USB drive used for the installation is plugged in: the GRUB boot manager was written to the USB stick instead of the hard drive.

Install Grub on the Hard Drive

In this scenario I assume that the hard drive containing the OS is /dev/sda and that the BIOS boot order includes this drive.

To find out the boot order for sure, check the BIOS settings. To enter the BIOS follow the instructions on the splash screen: hit one of F2, F12, DEL, ESC or F10 while booting.

To figure out the name of the hard drive containing the OS, hit Dash Home, type "Terminal", fire up a terminal and list your hard drive partitions with fdisk.
$ sudo fdisk -l

To install GRUB on /dev/sda (grub-install reports "Installation finished. No error reported." on success)
$ sudo grub-install /dev/sda
$ sudo update-grub

If grub-install picked the wrong device, re-probe the device map and install again (--recheck is a reinstall, not a verification)
$ sudo grub-install --recheck /dev/sda
Remove the USB stick and reboot.
$ sudo shutdown -r now



Private Key and Certificate Signing Request CSR

To generate the private key and the Certificate Signing Request ( CSR )

$ openssl req \
> -new -newkey rsa:2048 -nodes \
> -keyout private_key.pem -out key_csr.pem
Generating a 2048 bit RSA private key
writing new private key to 'private_key.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:EU
State or Province Name (full name) [Some-State]:state_g0
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IPduh
Organizational Unit Name (eg, section) []:Systems
Common Name (eg, YOUR name) []:g0
Email Address []

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: 

The CSR to send to our Certificate Authority for signing is key_csr.pem. Only the CSR goes to the CA; -nodes leaves private_key.pem unencrypted on disk, so keep it readable by root only (mode 0600) and never send it anywhere. For a server certificate the Common Name must be the host name clients will connect to, not a person's name as the prompt suggests.

Apache 2 Virtual Host SSL setup

Let's name the certificate that our Certificate Authority signed signed_public.pem (it is a certificate, i.e. the public key plus the CA's signature, not a key).

Put the certificate and the private key in the appropriate /etc/ssl/ directories. On Debian /etc/ssl/private is readable by root only; keep the key's mode at 0600 there.
#cp signed_public.pem /etc/ssl/certs
#cp private_key.pem /etc/ssl/private

Enable mod_ssl
# cd /etc/apache2/mods-available/
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Adjust /etc/apache2/ports.conf
# cat /etc/apache2/ports.conf


<IfModule mod_ssl.c>

<IfModule mod_gnutls.c>

Configure the Virtual Hosts:

#head -7

 DocumentRoot /var/www/
 SSLEngine on
 SSLOptions +StrictRequire
 SSLCertificateFile /etc/ssl/certs/signed_public.pem
 SSLCertificateKeyFile /etc/ssl/private/private_key.pem        
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

#head -9

 DocumentRoot /var/www/
 SSLEngine on
 SSLOptions +StrictRequire
        SSLProtocol all -SSLv2
 SSLCertificateFile /etc/ssl/certs/signed_public.pem
 SSLCertificateKeyFile /etc/ssl/private/private_key.pem  
      #  SSLCertificateChainFile 
      #  SSLCACertificateFile 
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
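Added example, not from the post and not part of Apache: a small linter for SSL VirtualHost blocks like the ones above. SAMPLE_CONF reproduces the second vhost; the "<VirtualHost *:443>" line and the chain file path /etc/ssl/certs/chain.pem used in the hardened variant of the test are assumptions, the post does not show them. Run against the post's settings it reports that "SSLProtocol all -SSLv2" still leaves SSLv3 enabled (SSLv3 is broken and should be disabled too) and that no intermediate chain is configured, which makes clients that lack the intermediate CA fail to validate the certificate.

```python
import os
import re
import stat

# Added example, not from the post or Apache: lint SSL VirtualHost blocks
# for settings the post's configuration leaves weak.

# Constructed sample in the shape of the post's second vhost; the
# "<VirtualHost *:443>" line is an assumption, the post does not show it.
SAMPLE_CONF = """\
<VirtualHost *:443>
 DocumentRoot /var/www/
 SSLEngine on
 SSLOptions +StrictRequire
 SSLProtocol all -SSLv2
 SSLCertificateFile /etc/ssl/certs/signed_public.pem
 SSLCertificateKeyFile /etc/ssl/private/private_key.pem
 #  SSLCertificateChainFile
</VirtualHost>
"""

# What "all" expands to in Apache 2.2 (the post runs apache2.2-common).
ALL_PROTOCOLS = ('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2')


def parse_vhosts(conf_text):
    """Return [(address, [(directive, value), ...])] for each <VirtualHost>."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop comments
        if not line:
            continue
        opened = re.match(r'<VirtualHost\s+([^>]+)>', line, re.I)
        if opened:
            current = (opened.group(1), [])
            vhosts.append(current)
        elif re.match(r'</VirtualHost>', line, re.I):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current[1].append((parts[0], parts[1] if len(parts) > 1 else ''))
    return vhosts


def enabled_protocols(sslprotocol_value):
    """Apply SSLProtocol tokens (all, +X, -X, X) in order, as mod_ssl does."""
    enabled = set()
    for token in sslprotocol_value.split():
        if token.lower() == 'all':
            enabled.update(ALL_PROTOCOLS)
        elif token.startswith('-'):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip('+'))
    return enabled


def check_vhost(address, directives):
    """Findings for one SSL vhost; empty list if nothing to flag."""
    d = {name.lower(): value for name, value in directives}   # last one wins
    if d.get('sslengine', '').lower() != 'on':
        return []
    findings = []
    protocols = enabled_protocols(d.get('sslprotocol', 'all'))
    for old in ('SSLv2', 'SSLv3'):
        if old in protocols:
            findings.append('%s: %s still enabled' % (address, old))
    for required in ('sslcertificatefile', 'sslcertificatekeyfile'):
        if required not in d:
            findings.append('%s: missing %s' % (address, required))
    if 'sslcertificatechainfile' not in d and 'sslcacertificatefile' not in d:
        findings.append('%s: no intermediate chain configured' % address)
    return findings


def key_file_findings(path):
    """Flag a private key readable by group or others (skipped if absent)."""
    if not os.path.exists(path):
        return []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ['%s: mode %o is readable beyond its owner' % (path, mode)]
    return []


def lint(conf_text):
    """All findings for every SSL vhost in the configuration text."""
    findings = []
    for address, directives in parse_vhosts(conf_text):
        findings.extend(check_vhost(address, directives))
        d = {name.lower(): value for name, value in directives}
        if 'sslcertificatekeyfile' in d:
            findings.extend(key_file_findings(d['sslcertificatekeyfile']))
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE_CONF) or ['no findings']:
        print(finding)
```

Feed it the real file (open('/etc/apache2/sites-available/default-ssl').read()) on the server; the key-permission check only fires when the key path exists, so it is most useful run as root on the host itself.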

Alternative MSIE SSL connection handling workaround
( taken from /usr/share/doc/apache2.2-common/README.Debian.gz )
SSL workaround for MSIE

The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

The default SSL virtual host in /etc/apache2/sites-available/default-ssl
already contains this workaround.
