
Comments (6)

sporkman commented on August 17, 2024

To elaborate, perhaps running a local DNS caching server would enhance privacy. In the current config, your upstream DNS servers will be seeing all the queries your box generates; this may not be wanted. Unbound or anything that has DNSSEC would probably be a good choice.

from streisand.

jlund commented on August 17, 2024

@evaryont I am looking into this now. I hadn't heard of it before.

@sporkman DNS leaks do not happen with any of the services that Streisand sets up. The dnsmasq local DNS caching server gets installed and is used in conjunction with OpenVPN connections and OpenVPN connections that are wrapped by stunnel. L2TP/IPsec, OpenSSH, Shadowsocks, and Tor also do not leak DNS queries to your ISP's upstream DNS servers when they are configured according to the instructions. DNS blocking and filtering is the way that a lot of censorship happens, so it was really important to me to get this right. In the SSH instructions, for example, there's an entire section in the Firefox configuration segment detailing how to send DNS queries through the SOCKS proxy. That's just one example. If you are aware of any areas where DNS leaks are happening, please let me know! That would be a serious bug that I would address right away :)

from streisand.
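A way to check the "no DNS leaks" property discussed in the comment above, as an added example that is not part of the thread or of Streisand itself. It flags port-53 traffic that leaves the host outside the tunnel; the tunnel interface name `tun0` and the simplified record layout are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: one record per observed packet in a simplified
# "iface proto src dst dport qname" layout (not a real tool's output).
SAMPLE_CAPTURE = """\
lo    udp 127.0.0.1     127.0.0.53    53  example.org
tun0  udp 10.8.0.6      10.8.0.1      53  example.org
eth0  udp 192.168.1.20  192.168.1.1   53  blocked.example
eth0  tcp 192.168.1.20  203.0.113.7   53  big-response.example
eth0  tcp 192.168.1.20  198.51.100.9  443 -
tun0  udp 10.8.0.6      10.8.0.1      53  news.example
"""

Packet = namedtuple("Packet", "iface proto src dst dport qname")


def parse_capture(text):
    """Parse the constructed record layout into Packet tuples."""
    packets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed records
        iface, proto, src, dst, dport, qname = fields
        packets.append(Packet(iface, proto, ipaddress.ip_address(src),
                              ipaddress.ip_address(dst), int(dport), qname))
    return packets


def find_dns_leaks(packets, tunnel_ifaces=("tun0",)):
    """Return DNS packets (UDP or TCP port 53) that bypass the tunnel."""
    leaks = []
    for p in packets:
        if p.dport != 53:
            continue  # not classic DNS; DoT/DoH need separate handling
        if p.dst.is_loopback or p.iface in tunnel_ifaces:
            continue  # local stub resolver or resolver reached via the VPN
        leaks.append(p)
    return leaks


if __name__ == "__main__":
    for leak in find_dns_leaks(parse_capture(SAMPLE_CAPTURE)):
        print(f"LEAK {leak.iface} {leak.proto} -> {leak.dst} ({leak.qname})")
```

Both UDP and TCP are checked because large DNS responses fall back to TCP, so a UDP-only filter would miss part of a leak.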

jlund commented on August 17, 2024

After reading through the documentation and looking into the setup process, here are the two biggest issues that I see:

  1. Cjdns doesn't allow you to access any websites or other resources on the traditional internet. Its utility is therefore somewhat limited.
  2. You cannot connect to an existing mesh network unless you are authorized by another user who has already connected, so it's not possible to fully automate the process. Your connection to the network depends on the chain you establish, and the setup appears to be fragile.

Point number two is the biggest deal breaker, but it also sounds like the largest mesh network, Hyperboria, is still in an experimental state. I think the project's goals are admirable, and I look forward to seeing how the experiment plays out, but I don't think that cjdns is a good fit for Streisand right now. Still, thank you for the suggestion!

from streisand.

sporkman commented on August 17, 2024

I hope this doesn't re-open the issue, but my comments about possible leaks were purely guesstimations based on the desire of the OP to integrate another caching DNS server. I have no evidence, suspicions, or hunches about any leaks. :)

from streisand.

jlund commented on August 17, 2024

OK, that's a relief! Cjdns has a bit of a confusing name in my opinion. It sounds like a caching DNS server, but it's actually a very ambitious mesh networking project.

from streisand.

nogweii commented on August 17, 2024

With the planned goal of including a flag to disable L2TP, would you consider a pull request to include a flag that enables cjdns? It's not fully automated, but does include some cjdns-only websites. (A few people I talked to in the project's IRC channel mentioned running a basic index site of other cjdns nodes only accessible within the network.) So check box 1. 😸

However, you are right that it requires manual intervention to get connected in the first place, so this playbook would solely be an opt-in feature.

from streisand.
