Disable OpenDNS

Re: Disable OpenDNS

Post by clem »

Here's where we are at the moment in preparation for Mint 16:

- We won't be using OpenDNS anymore (that much we all agree on).
- We can't include DNS fallback in the UI (we could for Cinnamon, but it's in feature-freeze, and we've no control over other DEs.. the best we could do is develop a new tool just for that, it's not ideal..)
- We can't see what's wrong with using resolvconf tail (assuming our DNS fallback returns proper NXDOMAIN errors)

Here are our options:

- Drop DNS fallback entirely
- Replace OpenDNS with a better DNS service provider in resolvconf tail
- Replace OpenDNS with a better DNS service provider but implement DNS fallback differently than via resolvconf tail

We don't need any more feedback about OpenDNS, privacy/security/spyware concerns, but we need feedback about DNS resolution, why the current implementation fails and what you think is wrong with it.

I can't see what's wrong with using resolvconf tail. We need expert feedback here to show us if we're wrong. As far as I can see, making use of /etc/resolvconf/resolv.conf.d/tail is an improvement and doesn't affect people with working DNS (assuming we use a DNS fallback which returns NXDOMAIN errors). That's really the bit we need to understand prior to Mint 16, to decide whether the core of the issue was selecting OpenDNS, using resolvconf tail, or if the entire DNS fallback concept was a mistake.

Re: Disable OpenDNS

Post by xenopeek »

As I understand how it works:
  1. NetworkManager loads dnsmasq at startup, configuring it to listen on 127.0.1.1. dnsmasq is loaded with the following command:

    /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d

    So the files /etc/resolv.conf and /etc/hosts are both not loaded by dnsmasq. On Ubuntu 13.10 both the conf file /var/run/NetworkManager/dnsmasq.conf and the conf dir /etc/NetworkManager/dnsmasq.d appear empty, so I'm assuming dnsmasq gets its DNS settings from querying the DHCP server.
  2. resolvconf dynamically generates /etc/resolv.conf (actually /run/resolvconf/resolv.conf) and sets the nameserver to 127.0.1.1 (though I'm not sure from where).
  3. Any DNS lookup queries are sent to 127.0.1.1, arrive at dnsmasq, which forwards it to the DNS as replied back by the DHCP server.
The hook to insert a fallback DNS in the resolvconf tail probably works fine technically, with NetworkManager falling back to that if dnsmasq didn't get a working DNS server from the DHCP server to forward DNS queries to. At least, that is how I understand the technical problem users are encountering. I'm not sure how to either reproduce it, or analyze its root cause (of the fallback being needed, because there was no DNS found) when you do have the problem.

So considering the three options you put forward:
  • Drop DNS fallback entirely
    Wouldn't be the option I prefer. It leaves users for which a DNS server couldn't dynamically be found without a working Internet connection. Everybody pitching in on this topic is probably computer savvy enough to detect the root cause of that and fix it, but I think not the majority of Linux Mint users.
  • Replace OpenDNS with a better DNS service provider in resolvconf tail
    Probably fine, but aside from Google DNS--which isn't an option--what options are there? Having a search I found this list http://en.wikipedia.org/wiki/Category:Alternative_Internet_DNS_services (a lot on this list wouldn't be useful). Comodo SecureDNS, DNS Advantage, or Norton DNS sound like viable ones to explore further. Probably you can trust many of these (including OpenDNS and Google DNS) with your privacy as far as you can trust your ISP's DNS, but I think there is no scenario where everybody will be happy with the choice made for a fallback DNS.
  • Replace OpenDNS with a better DNS service provider but implement DNS fallback differently than via resolvconf tail
    Possibly that can be achieved in dnsmasq configuration?
A fourth option mentioned I think earlier here, was to stick with the current solution but do a notification to the user about the fallback being in effect. So somehow detecting OpenDNS is not only configured, but actively being used, and popping a notification about that so the user can try and correct the problem.

Perhaps a fifth option could be a variant of your first; dropping DNS fallback entirely but detecting that no DNS can be found while Internet is working (ping to some IP address), and if that is the case again popping a notification about that to the user. The downside of this of course is that the user now knows there is a problem, but while fixing that doesn't have a working Internet connection.

Personally, I'd prefer the fourth option--perhaps with a different DNS to get rid of the 404 redirect, but certainly informing the user a fallback is in effect. Though easier said than done :) Probably needs a background process doing some check at some interval.

Re: Disable OpenDNS

Post by clem »

Ideally a DNS service should be:

- Reliable
- Reputable
- Respectful of standards
- Trustworthy

OpenDNS is out because it doesn't work as expected when domain names are incorrectly typed. It should return an error and not forward to its own servers (I'm not judging here, everybody needs to fund themselves, but it's not suitable for us as underlined by users in this thread).

Google is out because it cannot be trusted. Even if we were to trust it ourselves, its name is associated with privacy concerns. The recent episode about mintupdate (which basically used to ping google.com to know if the computer was online) tells us we don't want to use Google here.

Looking at the other services, we need to ask ourselves.. will they be there and working fine in the next 5 years? Mint 13 LTS goes all the way to 2017. The recent episode with Medibuntu teaches us we shouldn't rely on 3rd party services unless they're extremely reliable.

Another thing to consider... we're questioning whether ndisgtk is still needed in Linux Mint nowadays or whether it solves a problem people no longer have. So we're planning to remove it from the RC and to see if people want it back when collecting feedback. We could use the same approach for DNS fallback... that is, drop it in the RC and keep an eye out for people lacking DNS resolution to see if that problem is as widespread as it once was.

If you remember some of the changes upstream in the last few Ubuntu releases... resolvconf was introduced not so long ago, and there were changes affecting the path of /run files, so it's possible the lack of DNS resolution at the time, which was indeed affecting a lot of people, might have been the result of a regression upstream. It's hard to know for sure if other OSes/distros are affected by this problem because people who don't know about DNS don't search or post about DNS.. they just say they can't connect to the Internet.

Re: Disable OpenDNS

Post by xenopeek »

Dropping the OpenDNS fallback for RC could be an approach to see if this issue still is as widespread on the next release.

Anybody having issues not being able to connect to the Internet could be asked to browse to a known IP address in their browser. If they get to see the page they have the DNS issue, or if they got an error they have a different issue.

Re: Disable OpenDNS

Post by clem »

I usually ask them to "ping 8.8.8.8" to test the connection/routing.

Re: Disable OpenDNS

Post by RobertLM78 »

Thank you Clem for clarifying this issue. It made me sad to read that you were hurt by some of the comments, and I'd like to say that it looks like you were just trying to make things easier for the user, even if the choice wound up being the wrong one. I am confident a solution can and will be found, and I am grateful for all that you and the other Mint developers have put into this great OS that we all use in this community! :D
Gateway DX4860, Sapphire Radeon HD 5450, 8 GB RAM, Mint 17.3 64-bit (Rosa), MATE
AMD Ryzen 3-3100, AMD Radeon RX 570, 16 GB RAM, Mint 21 (Vanessa), MATE

Re: Disable OpenDNS

Post by KirbySmith »

First, while one aw-rats cancels a thousand atta-boys, one FUD assertion shouldn't. In case it did, Clem, incorporated herein by reference are 1000 atta-boys, and a thank you for what you do.

With respect to the salient questions, I have two opinions:

I would include high level name server addresses, such as those of big pipe operators L3 and Genuity, or perhaps the usually reliable Akamai, or for maximum irony, Microsoft. :P The choice might change depending on the language of the distribution.

I still believe that if an install determines that it needs to use this last-resort address because it can't obtain one from the installer's ISP or router, some message be generated, couched so that the inexperienced don't panic over what is a minor issue compared with, say, ending up with no video.

kirby

Re: Disable OpenDNS

Post by pseudolobster »

I just want to say I appreciate that you've taken user concerns to heart. A certain person named Mark who shall remain nameless has been a lot less receptive to feedback when I've voiced concerns in the past. Attaboy indeed.

Anyway, I guess there's a few places you could put the option outside of networkmanager. Perhaps it could be an option in the installer or the welcome screen. Maybe a livecd-only option? Or, alternatively, you could disable it by default and have some button or instructions to enable it under some kind of support page, guide, or troubleshooting wizard.

I suppose someone could come up with some convoluted way of detecting if you're running in a VM, or checking if DNS resolution is working in the live environment and setting the option for install, but that seems, well, convoluted.

Re: Disable OpenDNS

Post by clem »

That's a good point.

I'm not keen on asking people questions in the installer or the welcome screen, especially questions they might not understand or have no interest about... but as you said it would be good to either alert users when the event occurs, through a notification maybe, or use an opt-in mechanism maybe via a troubleshooting tool. Since we've none of that, that would go towards the option of dropping DNS fallback for now and considering putting it back when the implementation is more complete and doesn't just bring functionality but also user-awareness and configuration.

Re: Disable OpenDNS DISABLE commands

Post by sunsatori »

@clem

Thank you for your command line to disable OpenDNS.
Here are the results of me executing that command line.

Can you confirm that was successful with these results?

gimpy@Salterine ~ $ sudo rm /etc/resolvconf/resolv.conf.d/tail
[sudo] password for gimpy:
gimpy@Salterine ~ $ sudo rm /etc/resolvconf/resolv.conf.d/tail
rm: cannot remove ‘/etc/resolvconf/resolv.conf.d/tail’: No such file or directory
gimpy@Salterine ~ $

Re: Disable OpenDNS

Post by clem »

Yes, the next time Network Manager generates your resolv.conf (usually when you connect to a router) you will no longer have OpenDNS as a fallback.
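
One way to verify the state clem describes, as an added example that is not part of the original thread: this script compares the tail file with the resolv.conf in use and lists any resolver other than the local dnsmasq address 127.0.1.1 mentioned earlier in the thread. The function names and the 192.0.2.53 sample address are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit resolvconf's fallback "tail" file
# against the resolv.conf that is actually in use.

# Print the address of every active "nameserver" line in a resolv.conf-format
# file. Commented-out lines are skipped; a missing file prints nothing.
list_nameservers() {
    [ -r "$1" ] || return 0
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# audit_fallback TAIL_FILE GENERATED_FILE
#   ACTIVE <addr>   defined in the tail file and present in the generated file
#   PENDING <addr>  defined in the tail file, not (yet) in the generated file
# Returns 1 if any tail nameserver is ACTIVE, otherwise 0.
audit_fallback() {
    tail_file=$1
    generated=$2
    rc=0
    for ns in $(list_nameservers "$tail_file"); do
        if list_nameservers "$generated" | grep -qxF -- "$ns"; then
            echo "ACTIVE $ns"
            rc=1
        else
            echo "PENDING $ns"
        fi
    done
    return "$rc"
}

# unexpected_resolvers GENERATED_FILE EXPECTED_ADDR...
# Print nameservers in GENERATED_FILE that are not in the expected list. This
# catches a fallback that lingers after the tail file was deleted but before
# resolv.conf was regenerated.
unexpected_resolvers() {
    generated=$1
    shift
    for ns in $(list_nameservers "$generated"); do
        known=no
        for want in "$@"; do
            if [ "$ns" = "$want" ]; then known=yes; fi
        done
        if [ "$known" = no ]; then echo "$ns"; fi
    done
}

# Constructed demo: 192.0.2.53 stands in for a third-party fallback resolver.
# On a real system the two files would be /etc/resolvconf/resolv.conf.d/tail
# and /etc/resolv.conf.
demo() {
    d=$(mktemp -d)
    printf 'nameserver 192.0.2.53\n' > "$d/tail"
    printf 'nameserver 127.0.1.1\nnameserver 192.0.2.53\n' > "$d/resolv.conf"
    audit_fallback "$d/tail" "$d/resolv.conf" || true
    rm "$d/tail"                       # the step taken in the thread
    unexpected_resolvers "$d/resolv.conf" 127.0.1.1
    rm -r "$d"
}
demo
```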

Re: Disable OpenDNS

Post by sunsatori »

@clem

Thank you for confirming the disabling of OpenDNS on my install.

Since I admin my broadband router, and the DNS servers of my ISP are flaky, I hard coded primary as 8.8.8.8 and secondary as 4.2.2.2. But I am now realizing that using Google and Verizon is not a good idea (thanks to this thread).

If you know of any safer, non reporting, non farming DNS servers that have your confidence, I would appreciate you sharing them with me and the thread.

Of course, if my question makes no technical sense, my apologies in advance.

All for now and many thanks for LM15.

Re: Disable OpenDNS

Post by minter13 »

What do you all think about using Comodo DNS? I use it at home and have very few issues. Plus Comodo does a lot of security type of applications and has become a trusted certificate authority.

Re: Disable OpenDNS

Post by th3marmot »

Why has no-one mentioned running your own DNS caching service? You already have users' trust with the OS, why not improve on that and provide, as a fallback only, a DNS service that you control? The process of setting that up is fairly arbitrary assuming security is kept at the top of the list and would remove the need to compromise on the potential security pitfalls that other services have. Let's say you go with Comodo's DNS, what happens when MS approaches them and requests they provide data for users coming from Mint systems to improve their marketing efforts?

Re: Disable OpenDNS

Post by Hootiegibbon »

Clem,

Whereas I am not a regular Linux Mint user (although I do use LMDE on some machines) I think that having a DNS fallback IS a good idea, and OpenDNS were a good choice, although clearly from your posts/links they (OpenDNS) would prefer you not to make them the default fallback.

As you requested ideas for potential solutions here goes...

1> enter talks with a reliable, non-sucky DNS provider to supply default DNS lookups with a co-branded (linuxmint / DNS provider) non-invasive 404 page when a lookup fails. It may be enough for the provider to have their brand awareness in place. I am not sure how feasible this would be though.

2> use the free opennic service - I am not convinced that it would be the most suitable option for the distribution though.

3> see if the community can run a DNS server for fall back purposes although for the same reasons as 2 it may not be the right option.

4> explore whether there is a suitable decentralised DNS solution that linux-mint users could opt into (dot-bit project?)

not sure if any of the above is any good, but it may be food for thought for other suggestions.

Jase

Re: Disable OpenDNS

Post by coteyr »

Personally, this OpenDNS thing was nearly enough to make me find another distro. The only thing that made it less critical was the fact that it's easy to disable. Now on to the more important issue.

DNS Fallback is not a totally horrid idea, however there is no situation that you can cite where everyone is going to be ok with sending their requests to some unknown entity.

There is also the problem that a DNS service that doesn't return proper errors, or that hijacks requests, means that low level APIs will be looking at the wrong server. So ssh someinvaliddomain.com is already 50% closer to a security problem (for example).

If your DNS is not properly setup, then you should get a name resolution error. It's that simple. /etc/resolvconf/resolv.conf.d/tail is a great thing to have if I set it up with DNS providers that I choose. It's DAMN WRONG if I don't make an active decision to have it.

I suggest commenting out the entries in /etc/resolvconf/resolv.conf.d/tail. Then when DNS fails people can go look, and see an alternative way to correct issues. They will still be making the choice.
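
The failure mode coteyr describes, a resolver that answers for names that do not exist, can be checked from the command line. The following is an added example, not part of the original thread; it classifies `dig` output, and the function names, the `.invalid` probe name and the sample reply are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check that a resolver answers NXDOMAIN
# for a name that cannot exist, instead of redirecting it somewhere.

# classify_dig_reply reads dig output on stdin and prints one of:
#   NXDOMAIN    the resolver reported that the name does not exist (expected)
#   REWRITTEN   the resolver returned NOERROR with at least one answer record
#   OTHER       anything else (SERVFAIL, timeout, empty NOERROR): inconclusive
classify_dig_reply() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "ANSWER:") { answers = $(i + 1) + 0 }
        }
        END {
            if (status == "NXDOMAIN") print "NXDOMAIN"
            else if (status == "NOERROR" && answers > 0) print "REWRITTEN"
            else print "OTHER"
        }'
}

# probe_resolver SERVER [NAME]
# Ask SERVER for an A record of a name that must not resolve. The default is
# a random label under .invalid, a TLD reserved so that it never exists
# (RFC 6761). A missing dig binary or a timeout is reported as OTHER.
probe_resolver() {
    name=${2:-"nxprobe-$$-$(date +%s).invalid"}
    dig +tries=1 +time=3 "@$1" "$name" A 2>/dev/null | classify_dig_reply
}

# Constructed sample: the two header lines dig prints when a resolver hands
# back an address for a name that should not exist.
SAMPLE_REWRITTEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
printf '%s\n' "$SAMPLE_REWRITTEN" | classify_dig_reply

# Live use, only when requested: sh nxcheck.sh --probe <resolver address>
if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then
    probe_resolver "$2"
fi
```

A resolver or local cache that answers `.invalid` itself will report NXDOMAIN without consulting its upstream, so pass a second argument to `probe_resolver` to test with a different name.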

Re: Disable OpenDNS

Post by clem »

Hi,

Quick follow-up on this. DNS fallback will be removed in Mint 16 RC.

Re: Disable OpenDNS

Post by speedie »

Hello everybody,
my first post on this board (my first post on any board in a long time, for that matter) ...

Something good might turn out from this openDNS mess. Clem, I have seen you proposed OpenNIC for fallback, and I think you should have stuck to that idea.
You had a very good intention in this whole matter and it saddens me to see people put so much effort in putting you down, and it's even more disturbing to see that they pushed you to the point where you give up your (good) decision.
I have a case for fallback and against it, so let's start with the pro;

My ISP does not resolve noip addresses (eg *.zapto.org, or *.servebeer.org), on which I have my private servers at home. So, when I tried to connect to my server I got no connection, and my first instinct was that I was doing something wrong, so I went through my whole setup again ... and again. Then I fired up browser and to my great surprise, it said dns error. If I had been running mint back then, this would have not happened.

And as for the con, somebody here pointed out that he got to openDNS spam site by clicking a google result to mint forum. I got the same result, it freaked me out, and as paranoid as I am, I was ready to drop mint and walk away.

But then I stumbled upon thread on launchpad, and realised clem is a good guy, doing a great service to community. All of us geeks that can do a simple sudo vi /etc/resolvconf/resolv.conf.d/tail could give the man a break. Fallback was not there for us, anyway..

But maybe this situation might turn into something good if clem reconsiders his decision to drop fallback in mint16.
Go with opennic. First of all, they provide a great community service, just like mint does. Second, they provide a whole set of geeky TLD's :D

Clem, give it a try, maybe it turns out well.

Re: Disable OpenDNS

Post by coteyr »

@speedie

speedie wrote: ...it freaked me out, and as paranoid as I am, I was ready to drop mint and walk away.
That's reason enough to disable it completely, especially with the privacy concerns that are around today.

speedie wrote: All of us geeks that can do a simple sudo vi /etc/resolvconf/resolv.conf.d/tail could give the man a break...
This is a false statement. It's our responsibility, to the community, as "geeks" to help steer decisions. We have the knowledge of what is "right" and "wrong" and should not just say "you're too ignorant to know what you're doing so you get the idiot settings, with reduced security". Instead we should make sure everyone gets a secure set of settings then "teach" them how to fix issues.

speedie wrote: So, when I tried to connect to my server I got no connection, and my first instinct was that I was doing something wrong
You were. You were 100% wrong, your DNS should have failed, and you should have fixed your DNS entries.

speedie wrote: Go with opennic. First of all, they provide a great community service
Opinion, not fact. Also let's not forget the unity shopping lens, unity, and such are a "great" service, and we already jumped ship one time. It's not that hard to 'apt-get install other-de' but we all decided mint was better because of bad default settings in ubuntu.

Keep in mind that ANYTHING, that sends my data (in any part) to a third party without my consent is wrong, immoral (in my opinion) , and possibly illegal.

Re: Disable OpenDNS

Post by speedie »

coteyr wrote: @speedie
speedie wrote: ...it freaked me out, and as paranoid as I am, I was ready to drop mint and walk away.
That's reason enough to disable it completely, especially with the privacy concerns that are around today.

speedie wrote: All of us geeks that can do a simple sudo vi /etc/resolvconf/resolv.conf.d/tail could give the man a break...
This is a false statement. It's our responsibility, to the community, as "geeks" to help steer decisions. We have the knowledge of what is "right" and "wrong" and should not just say "you're too ignorant to know what you're doing so you get the idiot settings, with reduced security". Instead we should make sure everyone gets a secure set of settings then "teach" them how to fix issues.
speedie wrote: So, when I tried to connect to my server I got no connection, and my first instinct was that I was doing something wrong
You were. You were 100% wrong, your DNS should have failed, and you should have fixed your DNS entries.

How was I wrong? How was I to know my ISP does not resolve dyndns TLD's?

I agree with the privacy concerns, and opendns did not live up to that standard. You go and check about opennic before you throw statements like "Opinion, not fact".
http://www.opennicproject.org/ was established with privacy concerns in mind.

But here's an opinion, your dissection of my post is exactly the FUD clem was referring to.