Auto Fragment Block detection breaks Anonamization on Big Tech Servers, like cleanbrowsing-security, cisco, and quad9 #1251

Closed
rugabunda opened this issue Mar 25, 2020 · 10 comments

Comments

@rugabunda

rugabunda commented Mar 25, 2020

Suddenly today I see in my logs:

"[cleanbrowsing-security] is incompatible with anonymization"

I had to disable this server and use only quad9 servers now because cleanbrowsing-security is broken by the latest dnscrypt. It was working fine since anonymous dns was implemented, and broke after the latest update. Block detection blocks the servers.

I'm curious if this is being exploited as a DoS, or if it's just a self-inflicted DoS. Everything was working last night, I woke up and suddenly cleanbrowsing is blocked.

Yesterday I had to comment quad9 broken_query_padding because it too broke quad9's perfectly functional servers.

@rugabunda rugabunda changed the title Auto Fragment detection breaks cleanbrowsing-security Auto Fragment Block detection breaks cleanbrowsing-security Mar 25, 2020
@rugabunda rugabunda changed the title Auto Fragment Block detection breaks cleanbrowsing-security Auto Fragment Block detection blocks cleanbrowsing-security Mar 25, 2020
@jedisct1
Member

Don’t worry, Quad9 is also incompatible.

@jedisct1
Member

And yes, if packets are dropped during the fragment test, anonymization will be disabled. I don’t like that either since there is no way to know why that happened, but removing automatic detection means that people are going to complain.

Maybe we should not downgrade and ignore these servers instead, or at least make that tunable.
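
The downgrade described in the comment above is only visible in the proxy log, so one way to catch it is to audit the log for the message quoted in the issue. This is an added example, not code from the thread or from dnscrypt-proxy; the timestamp/level prefix, the resolver names `quad9-example` and `relayed-example`, and the function names are assumptions.

```python
import re

# Constructed sample log. Only the message text
# "[name] is incompatible with anonymization" comes from the issue;
# the timestamp/level prefix and the other lines are assumed.
SAMPLE_LOG = """\
[2020-03-25 08:01:12] [NOTICE] [relayed-example] OK (DNSCrypt) - rtt: 30ms
[2020-03-25 08:01:13] [NOTICE] [cleanbrowsing-security] is incompatible with anonymization
[2020-03-25 08:01:14] [NOTICE] [quad9-example] is incompatible with anonymization
[2020-03-25 09:01:13] [NOTICE] [cleanbrowsing-security] is incompatible with anonymization
"""

# The resolver name is the bracketed token directly before the message;
# excluding whitespace keeps the timestamp bracket from matching.
INCOMPATIBLE = re.compile(r"\[([^\]\s]+)\] is incompatible with anonymization")


def downgraded_servers(log_text):
    """Return resolver names, in first-seen order, that logged the message."""
    seen = []
    for line in log_text.splitlines():
        match = INCOMPATIBLE.search(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def audit(log_text, expected_relayed):
    """Compare resolvers the operator expects to be relayed with the log."""
    expected = set(expected_relayed)
    down = set(downgraded_servers(log_text))
    return {
        # Expected to go through a relay, but flagged incompatible.
        "downgraded": sorted(expected & down),
        # Flagged incompatible, but not on the operator's list.
        "unexpected": sorted(down - expected),
        # No downgrade message seen for these.
        "no_downgrade_logged": sorted(expected - down),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, ["cleanbrowsing-security", "relayed-example"])
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```
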

@jedisct1
Member

Cleanbrowsing’s certificate is not standard, so they may be running the same software (dnsdist) as Quad9.

@rugabunda
Author

rugabunda commented Mar 26, 2020

"And yes, if packets are dropped during the fragment test, anonymization will be disabled."

Why disable anonymization? Why defeat the very purpose your technology was originally designed for, which was to keep people anonymous? Threats? Are you scared? Bought up by big tech?

"but removing automatic detection means that people are going to complain."

OMG it's the end of the world. Persons, like corporate fictions, like big tech? Like huh? What are you talking about? Gag order? Did they actually convince you of that lie? Tell them to suck a tail pipe. Your update broke anonymization on big tech dns servers that were working fine before.

You want complaints? I'll give you complaints. Giving people an option means everybody will be happy, nothing to complain about. Otherwise you usurp your sovereignty and the software to a foreign entity.

@rugabunda
Author

rugabunda commented Mar 26, 2020

"Maybe we should not downgrade and ignore these servers instead, or at least make that tunable."

The auto removing anonymization to big tech servers should be optional, or nothing at all.

I don't want big tech exempt from anonymization. I want to use them, and if you are going to break anonymization on my network because big tech wet the bed, I want to be able to disable that.

Luke, as your grandfather and medical advisor you would be well advised not to self-immolate, nor to cut off your arms or legs, nor any other move that could mean the beginning of the end of dnscrypt.

Disrupt the bastards' agenda, don't let them disrupt your software.

@rugabunda rugabunda changed the title Auto Fragment Block detection blocks cleanbrowsing-security Auto Fragment Block detection breaks Anonamization on Big Tech Servers, like cleanbrowsing-security Mar 26, 2020
@rugabunda rugabunda changed the title Auto Fragment Block detection breaks Anonamization on Big Tech Servers, like cleanbrowsing-security Auto Fragment Block detection breaks Anonamization on Big Tech Servers, like cleanbrowsing-security, cisco, and quad9 Mar 26, 2020
@welwood08
Contributor

@rugabunda Please stop over-reacting and making unfounded accusations of impropriety; it serves to distract from any technical merit your initial issue may have had and reduces the chance of a satisfactory outcome. The number of edits I saw you making to your comments, even an hour later as I formulate this response, suggests you should take a step back for a moment before things escalate.

@rugabunda
Author

rugabunda commented Mar 26, 2020

"And yes, if packets are dropped during the fragment test, anonymization will be disabled."

@welwood08 given you have a lot of time on your hands, I encourage you to find something more productive to do than to sit around for an hour watching me edit my comments regarding the latest anonymization-breaking code disguised as a feature. Actually, I kind of like that idea, you are welcome to compare every one of my edits, there is a great software designed just for that.

Ask github to remove their comment editing feature if you have a problem with that or have cognitive difficulty catching up with every little edit in your spreadsheet text compare software or whatever it is as you are threatening with escalation.

If I'm going to make an ass of myself by being totally wrong I'm going to do it in the most dramatic fashion, one can never be too careful.

@rugabunda
Author

rugabunda commented Mar 26, 2020

"And yes, if packets are dropped during the fragment test, anonymization will be disabled."

So with this feature you have included in your software, any dns server [or perhaps middle box] could implement a DoS mechanism to de-anonymize, or shut down any anonymous dnscrypt relay by changing how they deal with fragmented packets?

@rugabunda
Author

rugabunda commented Mar 26, 2020

One thing that I don't understand is when it says "not compatible with anonymization". Does that mean anonymization was truly broken all along [since the time you created it], or does it mean occasionally you might not receive a packet if it is larger than a certain size?

I've been using anonymization without any noticeable problem UNTIL these recent updates; the update is a greater problem than the so-called problem.

If it's true my queries are still truly anonymous, I would much prefer to disable so-called auto-block detection to keep things running as flawlessly as they have been for me all along.

Also it makes no sense to have auto-block always enforced, and at the same time having a list of padding fixes which basically does the same thing as auto-block detection, no? I want to disable auto-block. It's a huge problem for me.

@rugabunda
Author

rugabunda commented Mar 26, 2020

@jedisct1 Also you claim "And yes, if packets are dropped during the fragment test, anonymization will be disabled." So does this automatic de-anonymization still continue using the servers? Dnscrypt is still querying cisco and all the others while at the same time claiming they "do not support anonymization"... so what the hell is going on with these servers? Are you telling us dnscrypt is automatically sending out de-anonymized queries?

@DNSCrypt DNSCrypt locked and limited conversation to collaborators Apr 24, 2020