Comment by davegson

4 years ago

> Maybe add an (i) explaining why do you ask for the prefix?

True, could be a bonus. Took a note.

> And for me it would be another hard 'no' for using your product

Reading about your setup I do agree with you. One shoe must not fit all, totally fine with us. My goal was not to convince you, but to provide explainers and pointers to your input.

> Okay, now I have a way to formulate my concerns:

> Not only do you do the things you shouldn't do (e.g. dnscache disablement); you are omitting how exactly your 'Secure DNS' works in your documentation (no, blogs are not documentation); you purposely skew your wording on things you shouldn't (WFP filters for browsers?!).

Now generally speaking, I acknowledge I responded with technical inaccuracies. The sentence with VPNs and browsers should have been left out.

I normally tend to BS-check technical stuff with Daniel, but did not want to ping him on his vacation because of an HN response. However, I should have disclaimed that I am not a Portmaster dev or a networking expert. I come from a web development background.

> you are thinking you know better than me or even guys from Redmond.

I am certain I know less than you in this field. Thankfully Safing does not rely on my skills in that area.

I do however strongly push the docs, through which I want to bridge the gap between the high level claims on our website and the source code. If you are willing to contribute, I am happy to receive a write up of yours about the things you feel are missing. It can be technical and beyond my expertise, since I would discuss it with Daniel anyway and see how to best proceed.

> My goal was not to convince you, but to provide explainers and pointers to your input.

The thing is, I should be convinced by your documentation alone. My shoe is unique (as in 0.001% at best), but the questions are valid not only for my setup. The typical situation would be some VPN provider installing a global route through the VPN service and configuring resolvers to internal company DNS servers (to be able to resolve internal names, duh). This is not /that/ unique a situation in the WFH world.

> but did not want to ping him in his vacation because of a HN response

Yep, you shouldn't!

> I come from a web development background.

Ah, that explains some things.

> Thankfully Safing does not rely on my skills in that area

Ahah, being humble and self-conscious. Gladly I already drank my coffee.

> If you are willing to contribute

Thanks, no, I have too many posts unread, too many comments not replied.

But overall:

You should have a clear and straight explanation on how P. uses DNS in [0] (right at the start, before anything else) and in [1].

Preferably in typical scenarios, eg:

1. I want to use only secure DNS of P.? A: Configure your OS' DNS resolvers to point to 127.0.0.1/::1; configure P. to use secure DNS providers (or leave the defaults enabled)

2. I want to use my own resolvers, how would P. work with them? A: P. would intercept non-secure DNS requests (plain udp/53), perform the request itself and return the result back to the querier.

3. I use P. secure DNS, but my work resources (which I access with VPN) aren't working! A: Make the following configuration changes in the P. config to route queries for your work: ...bla.bla.bla.

For anyone else (who doesn't need typical scenarios, like me?) I need to understand how exactly you provide secure DNS without changing my configuration. Because now it looks like this is exactly what happens - no changes, system configured with external plain UDP/53 resolvers... and P. magically makes them secure.

[0] https://docs.safing.io/portmaster/guides/dns-configuration

[1] https://docs.safing.io/portmaster/architecture/core-service/...

NB: looks like miekg/dns doesn't support QNAME minimisation. This isn't strictly required, but is preferred in some situations [2]

[2] https://www.nlnetlabs.nl/downloads/presentations/unbound_qna...
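Added example, not code from this thread, from Portmaster or from Safing's docs: a toy model of the split-DNS policy scenario 3 asks for (names under the company's domains go to the VPN's internal resolver, everything else to an encrypted resolver), an audit of which queries would still leave the host as plain udp/53, and the query sequence QNAME minimisation (RFC 7816) would send for a name. The resolver names, addresses and domain suffixes are constructed assumptions and do not reflect any Portmaster configuration format.

```python
# Added example, not code from the thread or from Portmaster/Safing.
# Models: (1) suffix-based resolver selection (split DNS over a VPN),
# (2) an audit of which queries go out unencrypted, (3) the name sequence
# a QNAME-minimising resolver would ask for.
# All resolver names, addresses and suffixes below are constructed values.

from dataclasses import dataclass


@dataclass(frozen=True)
class Resolver:
    name: str
    address: str
    encrypted: bool  # True for DoT/DoH, False for plain udp/53


# Constructed sample policy (hypothetical; not a Portmaster configuration).
DEFAULT_SECURE = Resolver("public-encrypted", "198.51.100.1", encrypted=True)
VPN_INTERNAL = Resolver("corp-vpn", "10.8.0.53", encrypted=False)

# Domain suffixes that must be answered by the company resolver over the VPN.
RULES = [
    ("corp.example", VPN_INTERNAL),
    ("internal.example", VPN_INTERNAL),
]


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are canonical."""
    return name.rstrip(".").lower()


def choose_resolver(qname, rules=RULES, default=DEFAULT_SECURE):
    """Return the resolver for qname: the longest matching suffix rule wins,
    otherwise the default encrypted resolver. A suffix only matches on a
    label boundary, so 'notcorp.example' is not routed to the VPN."""
    q = normalise(qname)
    best = None
    for suffix, resolver in rules:
        s = normalise(suffix)
        if q == s or q.endswith("." + s):
            if best is None or len(s) > len(best[0]):
                best = (s, resolver)
    return best[1] if best is not None else default


def plaintext_queries(qnames, rules=RULES, default=DEFAULT_SECURE):
    """List the (qname, resolver address) pairs that would leave the host as
    plain udp/53. An 'is my DNS secure?' check should flag these unless the
    resolver is only reachable inside the VPN tunnel."""
    return [
        (q, r.address)
        for q in qnames
        for r in [choose_resolver(q, rules, default)]
        if not r.encrypted
    ]


def qname_minimisation_sequence(qname):
    """Names a minimising resolver asks for, from a cold cache, while resolving
    qname: one more label per step instead of sending the full name to every
    authoritative server. Real resolvers skip steps whose zone cut is already
    cached; this shows the full sequence."""
    labels = normalise(qname).split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


if __name__ == "__main__":
    for name in ["wiki.corp.example", "www.example.com", "notcorp.example"]:
        print(name, "->", choose_resolver(name).name)
    print(plaintext_queries(["wiki.corp.example", "www.example.com"]))
    print(qname_minimisation_sequence("www.example.com."))
```

The point of the audit function is the one raised above: a resolver that is merely "intercepted" is only as private as the transport the proxy then uses, so a policy like this should make explicit which queries still travel as plain udp/53 and over which path.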