Privacy-preserving services

About this bulletin board and the Pale Moon website

Moderators: FranklinDM, Lootyhoof

What services would you be interested in?

Non-logging and contra-censor recursive DNS resolver: 28 votes (49%)
Non-logging NTP server: 13 votes (23%)
Tor bridge/.onion versions of Pale Moon websites: 9 votes (16%)
Already covered by other services I use: 3 votes (5%)
I don't care: 4 votes (7%)

Total votes: 57

Moonchild
Project founder
Posts: 38839
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Privacy-preserving services

Post by Moonchild » 2025-09-23, 14:02

LuftWafflePilot wrote:
2025-09-23, 13:08
what kind of latency is acceptable for this kind of thing
That depends entirely on you.
LuftWafflePilot wrote:
2025-09-23, 13:08
The average latency to your DNS is 25ms. Is that good or not good enough?
25 ms is excellent. Especially considering Pale Moon will do lookups in advance and it keeps a proper cache of results. You probably wouldn't even notice unless you're getting > 300 ms regularly.
LuftWafflePilot wrote:
2025-09-23, 13:08
Oh and what would be the reason to use an alternative NTP server?
Already explained. How about reading before posting?
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

jarsealer
Moonbather
Posts: 67
Joined: 2025-08-03, 23:56

Re: Privacy-preserving services

Post by jarsealer » 2025-09-23, 14:29

RJARPCGP wrote:
2025-09-22, 23:12
I would normally suspect a strange issue, especially when it happens on random web sites, and when they aren't illegal. Does the browser claim it doesn't exist, or that it's not responding? In the U.S., I only see intentional blocking at schools and libraries, besides at businesses. The blocking at schools and libraries is normally for NSFW content.
Some YouTube pages (on NewPipe) wouldn't load for me when I used the default DNS, like live videos or subscribed channel videos, so I used another provider for it to work. But it was likely an issue on my device since it now works and I can connect to everything normally.
Pale Moon, Basilisk and SeaLion arm64 user, on Raspberry Pi 5 (8 GB RAM)

Massacre
Fanatic
Posts: 175
Joined: 2020-05-01, 13:16

Re: Privacy-preserving services

Post by Massacre » 2025-09-23, 14:52

Moonchild wrote:
2025-09-16, 20:29
IPv4 5.189.164.139
IPv6 2a02:c207:2280:9322::1

DNS2
IPv4 80.255.7.132
works
IPv6 2a01:4a0:68:1::492a
down
NTP
time.palemoon.org
time (37) down SNTP (123) works

Thanks for the service

Octopuss
Lunatic
Posts: 414
Joined: 2021-02-19, 20:46

Re: Privacy-preserving services

Post by Octopuss » 2025-09-23, 15:04

Moonchild wrote:
2025-09-23, 14:02
LuftWafflePilot wrote:
2025-09-23, 13:08
Oh and what would be the reason to use an alternative NTP server?
Already explained. How about reading before posting?
How about not being a toxic ass when someone politely asks? Yes I did read the thread. No, I don't think "so your IP isn't logged when you anonymously request time" is a good reason at all (unless someone is paranoid AF in which case he has much bigger problems).

RJARPCGP
Moongazer
Posts: 7
Joined: 2025-07-16, 04:42
Location: USA(Springfield, Vermont)

Re: Privacy-preserving services

Post by RJARPCGP » 2025-09-23, 16:17

Moonchild wrote:
2025-09-23, 09:09
page explaining it's blocked
That usually happens at schools and libraries, besides businesses.

Moonchild
Project founder
Posts: 38839
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Privacy-preserving services

Post by Moonchild » 2025-09-23, 16:24

LuftWafflePilot wrote:
2025-09-23, 15:04
How about not being a toxic ass when someone politely asks?
How about not immediately calling someone toxic when they call you out on something?
It's literally all in this same thread.

Moonchild
Project founder
Posts: 38839
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Privacy-preserving services

Post by Moonchild » 2025-09-23, 16:31

Massacre wrote:
2025-09-23, 14:52
IPv6 2a01:4a0:68:1::492a
down
I double-checked and it should be operational. It's configured the same as DNS1, and the proper firewall settings are also in place. I see no reason why it would be down on IPv6?

EDIT: Ah I see the issue. config file confusion because of chroot. It should work now.
Massacre wrote:
2025-09-23, 14:52
time (37) down SNTP (123) works
Yeah it's NTP only. UNIX Time has long since been superseded by NTP as a protocol. I won't be providing time/37

Massacre
Fanatic
Posts: 175
Joined: 2020-05-01, 13:16

Re: Privacy-preserving services

Post by Massacre » 2025-09-23, 17:39

Moonchild wrote:
2025-09-23, 16:31
Massacre wrote:
2025-09-23, 14:52
IPv6 2a01:4a0:68:1::492a
down
I double-checked and it should be operational. It's configured the same as DNS1, and the proper firewall settings are also in place. I see no reason why it would be down on IPv6?

EDIT: Ah I see the issue. config file confusion because of chroot. It should work now.
It works now, thanks.

frostknight
Keeps coming back
Posts: 869
Joined: 2022-08-10, 02:25

Re: Privacy-preserving services

Post by frostknight » 2025-09-24, 04:07

LuftWafflePilot wrote:
2025-09-23, 15:04
How about not being a toxic ass when someone politely asks?
Chill bro...
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Say NO to Fascism and Corporatism as much as possible!
Also, Peace Be With us All!

Drugwash
Lunatic
Posts: 335
Joined: 2016-01-28, 12:08
Location: Ploieşti, Romania

Re: Privacy-preserving services

Post by Drugwash » 2025-09-24, 08:33

Apologies in advance if I did anything wrong.
Entered the two IPv4 DNS addresses in my router, saved the config, and rebooted the router:
MB112-4G_-_2025-09-24_11.04.07_edit.jpg
Still, trying to access https://thepiratebay.org (one of the domains known to have been blocked by ISP from before) it's still blocked:
Screenshot from 2025-09-24 11-11-22_edit.jpg
My connection is behind a CGNAT - if I get the terms correctly - running on a SIM card connected to the router (Mercusys MB112-4G).
Is there any way I could escape the ISP filtering/blocking? :?
If not, would it make any sense to change the DNSes in the router or should I leave them to their default of 0.0.0.0?
BTW, testing at http://dns.ipleak.net/ I got 260ms for primary DNS and 408ms for secondary. Just FYI.

Moonchild
Project founder
Posts: 38839
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Privacy-preserving services

Post by Moonchild » 2025-09-24, 08:57

Drugwash wrote:
2025-09-24, 08:33
Entered the two IPv4 DNS addresses in my router,
...
it's still blocked
Are you also using the router as your DNS provider in your operating system? Because if not, then the addresses won't be used.
Drugwash wrote:
2025-09-24, 08:33
I got 260ms for primary DNS and 408ms for secondary. Just FYI.
That's pretty slow. If your ISP is actually intercepting and redirecting DNS requests (which is possible) then the Pale Moon DNS may not be a solution for you and you may want to look at using a (true) VPN tunnel instead.

Drugwash
Lunatic
Posts: 335
Joined: 2016-01-28, 12:08
Location: Ploieşti, Romania

Re: Privacy-preserving services

Post by Drugwash » 2025-09-24, 09:14

Moonchild wrote:
2025-09-24, 08:57
Are you also using the router as your DNS provider in your operating system? Because if not, then the addresses won't be used.
Not sure how to check for that. :oops: From what I've read around here the system uses systemd's settings - /etc/resolv.conf contains nameserver 127.0.0.53 and search <my_workgroup_name>. I'm not very knowledgeable of all Linux internals. (using Linux Mint 19.2 based on Ubuntu 18.04)
Could use some help/confirmation.

I did look in the past for some VPN solution but can't pay for the good ones, and the free ones are of not much use if any. :(

mmouse
Moon lover
Posts: 85
Joined: 2019-02-13, 06:47

Re: Privacy-preserving services

Post by mmouse » 2025-09-24, 09:19

Moonchild wrote:
2025-09-16, 20:36
No. DoH/DoT isn't actually solving the problem I'm setting this up for, isn't benefiting our community since we don't support DoH in Goanna anyway, and goes against my vision of a healthy, multi-protocol internet. Not to mention the problem DoH/DoT causes for organisational network security. See my other posts on this forum about DoH.
Hmm, it depends on what one is calling 'organisational network security'.

If one is a customer of one of the 4 major Internet providers of my country, the organisational network security is the Internet box. Well, it's the case for all Internet providers, but this one is providing a copyright network policy (obviously this is the only provider part of a group that is also a content producer so that makes some sense). What these guys are doing is blocking all DNS accesses and replacing them by DNS lookups they are doing themselves 'safely', respecting their sense of good taste. All non-conforming DNS providers are blocked. No 8.8.8.8 or 1.1.1.1 nonsense.
The hapless user of this provider was saying that they had prowled the forums and that *nobody* had found a way to work around the blocking.
So I found a little known DOT provider (well-known ones were blocked at the IP level) and set it up in their browser (not Palemoon obviously). It worked. No other way was effective. Your DNS server would be useless.

So your idea of a 'network admin' that should be respected can mean something much larger. In a way, this could be a harbinger of things to come. This is roughly 20% of the French Internet effectively controlled at DNS level. French politicians are more or less all gung ho on 'intellectual property' protection, when they are in power they also love to spy on the general population, so this scheme could be extended to the other providers by legal guns, or good old extra-legal policy pressures.

Moonchild
Project founder
Posts: 38839
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Privacy-preserving services

Post by Moonchild » 2025-09-24, 10:51

mmouse wrote:
2025-09-24, 09:19
it depends on what one is calling 'organisational network security'.
You completely missed my point in your description following.

The main problem is any DoH and DoT resolver will receive resolve requests for org-internal host names if the org normally uses an internal DNS server or domain controller. That exposes internal structures to the TRR and basically leaks org-internal infrastructure details to the outside. That's not a good thing.

mmouse
Moon lover
Posts: 85
Joined: 2019-02-13, 06:47

Re: Privacy-preserving services

Post by mmouse » 2025-09-24, 11:14

@moonchild

I did not miss your point.
I was talking about end users - who don't have an internal DNS server.
I have also dealt with business network administration. It's just that I think that business should enforce their priorities with the tools that the law gives them.
If businesses want to restrict access to DNS outside their network, that's their problem.
General open source software should not give special priority on business needs. Businesses are users like all others.

If Palemoon is only aiming at serving businesses, please say so. I'll go away and not bother you anymore.

Moonchild
Project founder
Posts: 38839
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Privacy-preserving services

Post by Moonchild » 2025-09-24, 14:20

mmouse wrote:
2025-09-24, 11:14
I did not miss your point.
Respectfully, you did.
End-users in organisations using browsers with DoH/DoT (and preferring that), like Firefox, will run into this issue. That has nothing to do with restricting DNS outside their network, it has everything to do with the web client choosing to ignore the DNS that should be used, opting for DoH/DoT instead to a TRR outside of the organisation.

You are absolutely correct that that doesn't apply to residential use. But that doesn't mean that business use should be ignored just because it's not your use case...
Open Source or not has zero bearing on that, either.

What I'm offering here is an alternative to sending all your lookup requests to known data harvesters like Google or monitors like your ISP, or to resolvers that may be censoring your Internet use via DNS.
If you don't care about either situation then please don't use it, as it will not benefit you.

mmouse
Moon lover
Posts: 85
Joined: 2019-02-13, 06:47

Re: Privacy-preserving services

Post by mmouse » 2025-09-24, 14:48

@moonchild

Users running in a corporate environment with a DOT functionality will NOT run into any issue unless they CHOOSE to activate it. If they do, they may be violating their contract.
That's their responsibility because they are adults.

Users running in their own environment not having this functionality may run into issues of being blocked by their internet provider.

In my point of view, by refusing on principle (!) to have any DOT functionality, you are making a business first tool.

To make things clearer: if parents want to stop their children from accessing forbidden sites, they can install approved software that will refuse to do so.
If a browser implements this functionality, it's a browser destined to parents who want to block their children.
If one is an adult, one may want to use a browser for adults that is not blocking some functionality without any override.

If what you want is the ability to advertise your browser to organizations as being business friendly and not being able to work around any corporate policies, that's your call.
But please be clear about that.

Moonchild
Project founder
Posts: 38839
Joined: 2011-08-28, 17:27
Location: Sweden

Re: Privacy-preserving services

Post by Moonchild » 2025-09-24, 15:15

mmouse wrote:
2025-09-24, 14:48
Users running in a corporate environment with a DOT functionality will NOT run into any issue unless they CHOOSE to activate it. If they do, they may be violating their contract.
That's their responsibility because they are adults.
Nice, unless whatever browser they use makes that choice for them.
mmouse wrote:
2025-09-24, 14:48
In my point of view, by refusing on principle (!) to have any DOT functionality, you are making a business first tool.
Not at all. The fact that I'm pointing out one of the risks of DoH/DoT in a corporate environment doesn't mean anything other than exactly that.
Your prized class of "end-users" (i.e. most people) don't need DoH/DoT at all. IMO it's a half-assed measure to try and tunnel out of an untrusted network (especially DoH, by masquerading as normal HTTPS traffic) that comes with a lot of potential risks and caveats you can easily avoid by using a trustworthy DNS server over the normal DNS protocol, which is what I'm now providing.
If you do need to tunnel out of an untrusted network, then you should be using a VPN to avoid any chance of interception.

If, however, you're looking for a tool to "work around" (i.e. breach) corporate policies that are there for a reason, then you're looking in the wrong place. While you can easily do that with Pale Moon combined with other software, it's not within our scope (and not within the scope of these provided services, either). You can breach your corporate policies on your own accord, and like an adult take responsibility for your own actions.

back2themoon
Knows the dark side
Posts: 3093
Joined: 2012-08-19, 20:32

Re: Privacy-preserving services

Post by back2themoon » 2025-09-24, 15:26

mmouse wrote:
2025-09-24, 14:48
In my point of view, by refusing on principle (!) to have any DOT functionality, you are making a business first tool.
Isn't DoH more like an application/browser feature? And DoT sort of still a protocol to be applied at the hardware, or OS level?

Are you requesting the feature (DoT?) for the browser, or for the new services mentioned in this topic? DNS settings per browser (overriding everything else) seems to me like a very bad implementation. A DoT-supporting server to be configured on the router or OS (as occurs with plain DNS) sounds way more logical.

Drugwash
Lunatic
Posts: 335
Joined: 2016-01-28, 12:08
Location: Ploieşti, Romania

Re: Privacy-preserving services

Post by Drugwash » 2025-09-24, 16:14

Moonchild wrote:
2025-09-24, 08:57
Are you also using the router as your DNS provider in your operating system? Because if not, then the addresses won't be used.
Kept fiddling with the system a bit more because at times I'm a dog with a bone. Finally I got to the point where the example domain (piratebay) loaded correctly without interference from the ISP.
But that required manual changes to a few system configuration files - changes that were performed rather chaotically following advice found on a handful of web sites (1 2 3 4).
I'm posting the contents of those files here should anyone be interested, but please be aware different versions of Linux may require different options and/or file names/locations. Mine is an old Mint 19.2 (Ubuntu 18.04) so keep that in mind and double-check with experts on the web or elsewhere. Also, some of the files may not need any changes if their services are fully disabled.
Please make backup copies of the original files before modifying them!

/etc/systemd/resolved.conf

[Resolve]
DNS=5.189.164.139
FallbackDNS=80.255.7.132
Domains=~.
#LLMNR=no
#MulticastDNS=no
DNSSEC=allow-downgrade
#Cache=yes
#DNSStubListener=yes
DNSOverTLS=no

/etc/resolv.conf (make sure it's a real file not a hardlink!)

search .
nameserver 5.189.164.139
nameserver 80.255.7.132

/run/systemd/resolve/resolv.conf

search .
nameserver 5.189.164.139
nameserver 80.255.7.132

/etc/NetworkManager/NetworkManager.conf
in its main section ([main]) add this line:
dns=default
or alternatively:
dns=none

In addition to the changes to the above files I had to run the following commands in Terminal:
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
sudo systemctl mask systemd-resolved
sudo chattr +i /etc/resolv.conf   # in order to prevent further changes to the file

Also I re-added the two DNS addresses to the router (see previous post with the screenshots).

Haven't yet rebooted to see if the changes take permanently but hopefully they do.

P.S. This time the DNS timings were 130ms, and 88ms respectively.
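
Added example (not part of any post in this thread): a small shell audit for the question raised above of whether the operating system actually sends queries to the configured servers or to a local stub such as 127.0.0.53. The function names and the sample files are constructed for illustration; the two expected addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: audit which DNS servers a resolv.conf-style file selects.
# Function names are hypothetical; the sample files are constructed.

# Print the nameserver addresses, one per line, ignoring comments.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Report whether the file is a symlink (managed by a service) or a real file.
resolv_kind() {
    if [ -L "$1" ]; then echo "symlink -> $(readlink "$1")"
    elif [ -f "$1" ]; then echo "regular"
    else echo "missing"
    fi
}

# audit_resolv FILE EXPECTED_IP...
# Prints one verdict:
#   "stub <ip>"        a loopback resolver answers; upstreams are set elsewhere
#   "unexpected <ip>"  a nameserver that is not in the expected list
#   "ok"               every nameserver is in the expected list
#   "empty"            no nameserver lines at all
audit_resolv() {
    file=$1; shift
    servers=$(list_nameservers "$file")
    if [ -z "$servers" ]; then echo "empty"; return 0; fi
    for ns in $servers; do
        case $ns in
            127.*|::1) echo "stub $ns"; return 0 ;;
        esac
        found=no
        for want in "$@"; do
            if [ "$ns" = "$want" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then echo "unexpected $ns"; return 0; fi
    done
    echo "ok"
}

# Constructed samples: a stub-resolver file and a directly configured one.
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.53\nsearch example-workgroup\n' > "$tmp/stub.conf"
printf 'search .\nnameserver 5.189.164.139\nnameserver 80.255.7.132\n' > "$tmp/direct.conf"
audit_resolv "$tmp/stub.conf"   5.189.164.139 80.255.7.132
audit_resolv "$tmp/direct.conf" 5.189.164.139 80.255.7.132
```

On a real system, point it at /etc/resolv.conf; a "stub" verdict means the upstream servers are chosen by the local resolver service, whose current choice `resolvectl status` (or `systemd-resolve --status` on older releases) reports.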