support DNS addresses

[DandelionSprout]

Adding this one on our to-do list, as per parts of #693.

Support adding DNS server address services as entries on FilterLists.com.

"syntaxId": 22 has been assigned for entries about DNS adresses, as per #698.

Obstacles:

• Many DNS address services may choose to keep its entries hidden, or may otherwise not have an easily accessible text list for the purposes of viewUrl.
• The DNS addresses may or may not be used for subscribeUrl, but not for viewUrl, as they can't be viewed per se. If we opt to do so, then a mechanism to divide subscribeUrl and viewUrl for the purpose of DNS service entries may have to be added.
• As some major DNS services (e.g. 1.1.1.1, AdGuard DNS) have 2 DNSv4 addresses (One main, one backup) as well as 2 DNSv6 addresses (Mostly for DNSv6-only users), I believe that support for a viewUrlMirror3 value (or its equivalent for the resolution of the above obstacle) should be added.

Potential entries that could be added:

Most (if not all) addresses that are listed in Blokada. As I'm not a frequent user of Blokada, I only really give my guarantees for AdGuard DNS and possibly OpenDNS off the top of my head, especially now that Norton ConnectSafe has been shut down.

Other services that are listed in Blokada, and which have traits that are desirable for FilterLists.com, but which I can not give personal guarantees for the quality levels of:

• CloudFlare 1.1.1.1
• Comodo Secure DNS
• DNS.WATCH
• FoolDNS
• Keweon
• Quad9
• VeriSign Public DNS
• Yandex DNS Safe

Non-Blokada servers:

• 91.239.26.140, a server run by Vladimir Pissarev, a company fellow of Peter Lowe (of Peter Lowe's Ad Servers fame) at Tempico Labs, as per https://pgl.yoyo.org/adservers/#tempico-labs-dns-server.
• Neustar Threat Protection
• CleanBrowsing Security Filter

[kowith337]

CleanBrowsing is now alternative of Norton ConnectSafe, see migrate from Norton Connect Safe note.

Another DNS that should look, I've got from DNS66 list

• AS250
• Digital Courage
• Chaos Computer Club
• OpenNIC

But the three service above have only one IP address, while OpenNIC have many addresses (in tier 2) that run by volunteer and sponsored, however, some address have different features (blacklist, whitelist and logging policy)

[DandelionSprout]

I have some problems finding firm information about those four DNS services, but all 4 of them seem to be anti-censorship-only, which FilterLists.com currently has very little support for. There is a proxy tag for hosts files that serve PR-China and Indonesia and such, but DNS services ≠ proxies, to the best of my knowledge.

[DandelionSprout]

I could (im)plausibly give them the whitelist tag, if no better ideas strike us during this time.

[ghost]

@opennic offers tools that go beyond IPv4/6 addresses, including solid DNSCrypt v1&2 servers (with the basic DNSCrypt blacklist baked in). Importantly, they are outside of ICANN’s control. I’ve been a member for many years and can give my personal recommendation for servers operated by @luggs-co, @Shdwdrgn if one wishes to become whitelisted to use said servers. Luggs runs DNSCrypt servers as well which have never failed me. @Fusl’s anycast servers are a good backup for servers geographically closer to one’s own location and require no whitelisting. @jonaharagon is always busy redesigning & implementing improved overall infrastructure among the main “keyholders” who operate OpenNIC’s T1 servers. As was pointed out, each person has different policy’s regarding logging, each of which are laid out in a very clear manner reachable by clicking on the server’s .glue domain listing. There are also distinct flags which tag each .glue listing to ease one’s choice when combing through their listings. 🙂

[kowith337]

I had wrote some doc.

https://github.com/kowith337/PersonalFilterListCollection/blob/master/docs/dns66.md

But I have no time to actually test out how it's effective and useful for DNS66 app.

Note that I've tried use ISP DNS and found DNS66 doesn't block any, however, switching to DNS that support DNSSEC seems to work.

[luggs-co]

Luggs runs DNSCrypt servers as well which have never failed me.

*blushes*

[ghost]

That was my intent. 😁

[jonaharagon]

OpenNIC have many addresses (in tier 2)

https://github.com/kowith337/PersonalFilterListCollection/blob/master/docs/dns66.md

@kowith337 FYI, OpenNIC Tier 1 servers typically should not be used by end users. They're authoratative servers akin to ICANN/IANA's root servers. If one of them has recursion enabled so they can be used as a DNS resolver, then yes they can be used, but that definitely isn't a guaranteed thing (as opposed to a Tier 2), and indeed a few of them have recursion disabled.

@Shadowdragon

Also, it's @Shdwdrgn ;)

[ghost]

Also, it's @Shdwdrgn
Apologies, @Shdwdrgn :)

[ghost]

@kowith337 Perhaps not including or displaying prominent Warning! signs those / for those servers run by organizations that mine usage data / log everywhere one goes online for profiling / profiteering, e.g. Google ... nvm, I see you've already Goggle 👍 ... , Yandex, OpenDNS, etc., would be of service to that portion of the public who wouldn't use those servers if they know their (lack of) privacy practices. Thoughts?
EDIT - How did I miss that you've alredy addedd tags for many of the servers listed? I need sleep...

[DandelionSprout]

So after some recent pondering in the past week after learning about DNS-over-HTTPS, I began to think "Screw it, let's just try this out after all despite obvious problems with the View/Subscribe buttons still remaining", so I've hereby added AdGuard DNS as our very first DNS server entry through #1268.

[collinbarrett]

Unlimited mirrors for each FilterList is now supported. See primariness here.

[collinbarrett]

I think there is nothing else specifically left to do for this issue. We can add more DNS lists as we find them.