Software Endorsements

[Ice Station Zebra]

If you have a Pi-Hole, set up Unbound and run your own DNS server! You can set it up on the same Raspberry Pi that you have Pi-Hole running on and it takes less than an hour. They have instructions here: https://docs.pi-hole.net/guides/dns/unbound/

Thanks, ive been looking for a solution like this for a while, cant believe i havent stumbled upon unbound yet it was right there infront of me

While running your own recursive DNS server (instead of a forwarder) is no issue, there is one thing you should be considerate of: DNS traffic is not encrypted. Any 3 letter bio-luminescent entity or your ISP can snoop on your DNS traffic easily and monitor or in some cases (especially in speech hostile countries) poison the response.

There's a technology called DNSSEC that at least mitigates the poisoning issue by signing zones. Neither the glownigs nor your ISP controls the private keys so they cannot provide their own poisoned response that'll satisfy DNSSEC and successfully poison the cache. That having been said, you need DNSSEC enabled (generally not a default) and fucking Josh hasn't configured DNSSEC for kiwifarms.net!

A solution to the issue of snooping (and to some extent, poisoning) is to use something like dnscrypt-proxy and have your Pi-hole send requests through there. You're no longer a free man on the land of DNS with your own recursive resolver, you're stuck piggybacking off of someone else but at least nobody can open up the packets and fuck with them.

Sadly dnscrypt-proxy isn't well supported with Pi-hole, you'll have to fuck around with the command line to get it working. I don't have a Pi-hole (I'm a colossal OPNsense shill) so I can't help you with setting it up on that thing.

 

[Dread First]

Be careful with public DNS servers like Quad9 as they like to censor under the guise of 'malware' blocking. Their default 'malware' blocking address blocks files.catbox.moe. Control D's 'malware' blocking address blocks the farms. So stick to the unfiltered address if you want to freely surf the web.

I'm using the filtered list and I'm able to access Catbox.moe, Kiwi Farms, and all them other unsavoury but still not malware internet sites. I haven't even done any manual whitelisting on my part (barring whitelisting Kiwi Farms; though I did technically do that when I was using 1.1.1.1). I am thinking of dnscrypt-proxy at some point down the line though but that's only because I just learned about it and now my autism to tinker with Linux shit has been activated.

 

[1996 Toyota Camry]

I can't help you with setting it up on that thing

All good, i can figure it out

 

[guiltyspark85]

I'm using the filtered list and I'm able to access Catbox.moe, Kiwi Farms, and all them other unsavoury but still not malware internet sites. I haven't even done any manual whitelisting on my part (barring whitelisting Kiwi Farms; though I did technically do that when I was using 1.1.1.1).

Catbox.moe domain works with Quad9, but they're definitely blocking the files.catbox.moe sub-domain I mentioned: https://www.quad9.net/result/?url=files.catbox.moe. And I didn't say Quad9 blocked Kiwifarms, but Conttrol D are with their malware list.

 

[Q !!Hs1Jq13jV6]

for those who run pihole in a VM, dedicated linux machine or know how to make their own container, consider using it with DNS over Tor

basically you:
1. follow the guide from the pihole docs https://docs.pi-hole.net/guides/misc/tor/setup/
2. go to Settings -> DNS
3. unset all the named upstream DNS servers (disable google, opendns, etc)
4. set the Custom 1 (IPv4) field to 127.0.10.1
pros:
- it's tor
- basically unfiltered upstream
cons:
- initial site visits can be slow, pihole will cache and speed up future requests
- occasional timeout for dns and you might have to wait up to 5 minutes before you can visit the site again

 

[⠠⠠⠅⠑⠋⠋⠁⠇⠎ ⠠⠠⠊⠎ ⠠⠠⠁ ⠠⠠⠋⠁⠛]

But why only block 1.1.1.1? Quad9 doesn't pass this data by default.

Quad9 is also probably several orders of magnitude smaller than CF's DNS. I doubt he's noticed the problem yet, someone might need to let him know.

 

[1996 Toyota Camry]

Any particular thoughts on OpenDNS? That is what ive been using the past few months before i got unbound installed

 

[moocow]

Any particular thoughts on OpenDNS? That is what ive been using the past few months before i got unbound installed

Owned by Cisco, in case that matters to you.

 

[Cowboy Kim]

OpenDNS doesn't seem all thaf private/safe:
Cisco(the owner of OpenDNS)'s general privacy policy [archive] explicitly state they log a shitton of data, including:

• Information about the user of our products and services, including System Information such as device identifiers, and telemetry (such as IP or MAC address) when such data is linked or tied to a specific person’s device.

They also share data with various individuals, which includes:

• With Cisco business partners or vendors, so that they may share information with you about their products or services. To opt-out of Cisco sharing with third parties for their marketing purposes, please submit a Privacy Request.
• In response to a request for information by a competent authority or third party if we believe disclosure is in accordance with, or is otherwise required by, any applicable law, regulation, or legal process.
• With law enforcement officials, government authorities, or other third parties as necessary to comply with legal process or meet national security requirements; protect the rights, property, or safety of Cisco, our business partners, you, or others; or as otherwise required by applicable law.

The OpenDNS specific privacy policy [archive] isn't all that much more promising, and is seemingly copy-pasted from Cisco's general terms. The fact that there's a switch that has to be toggled to disable logging on their premium subscription [archive] doesn't bode well either.
They also used to inject their own advertisements when the user typed a nonexistent domain.
TL;DR: They have a history of doing shady shit to webpages and state they keep and share lots of data.

 

[byuu]

Why use a third-party DNS server for "privacy"?
Your ISP can see all the hosts you connect to whether you use their DNS server or not.
You're just increasing the amount of parties you give your data to.

 

[1996 Toyota Camry]

Why use a third-party DNS server for "privacy"?
Your ISP can see all the hosts you connect to whether you use their DNS server or not.
You're just increasing the amount of parties you give your data to.

Thats the thing, im not using third-party dns for that particularly. My ISPs DNS servers are dogshit slow compared to my own unbound instance and even ones like google, cloudflare, etc..

 

[anustart76]

While running your own recursive DNS server (instead of a forwarder) is no issue, there is one thing you should be considerate of: DNS traffic is not encrypted. Any 3 letter bio-luminescent entity or your ISP can snoop on your DNS traffic easily and monitor or in some cases (especially in speech hostile countries) poison the response.

There's a technology called DNSSEC that at least mitigates the poisoning issue by signing zones. Neither the glownigs nor your ISP controls the private keys so they cannot provide their own poisoned response that'll satisfy DNSSEC and successfully poison the cache. That having been said, you need DNSSEC enabled (generally not a default) and fucking Josh hasn't configured DNSSEC for kiwifarms.net!

A solution to the issue of snooping (and to some extent, poisoning) is to use something like dnscrypt-proxy and have your Pi-hole send requests through there. You're no longer a free man on the land of DNS with your own recursive resolver, you're stuck piggybacking off of someone else but at least nobody can open up the packets and fuck with them.

Sadly dnscrypt-proxy isn't well supported with Pi-hole, you'll have to fuck around with the command line to get it working. I don't have a Pi-hole (I'm a colossal OPNsense shill) so I can't help you with setting it up on that thing.

Looking through the config, it looks like unbound is verifying DNSSEC, unless I'm misunderstanding what's going on: https://docs.pi-hole.net/guides/dns/unbound/#configure-unbound

 

[1996 Toyota Camry]

I've been using the built-in macOS mail client for many years which has served me well up until they redesigned it with the release of Big Sur, and now it has decided it should send emails out using completely wrong SMTP servers, causing personal emails to send out of my business address, etc... They also removed the main junk folder which showed you junk/spam emails from all addresses at once, a change which really fucked me off.
I used to like Thunderbird a lot but the current version just feels weird, doesn't sort mail correctly at times (seems to want to default to half way down the list of 20,000 emails) and is downright just slower than apple mail is.
Does anyone have any very good recommendations for a mail client that supports both macOS and Linux? FOSS isn't a hard requirement but would be nice

 

[ditto]

Why use a third-party DNS server for "privacy"?

AdGuard has a public DNS that blocks some ad servers and tracking as well as making mobile browsing bearable.

Thunderbird a lot but the current version just feels weird

I don't trust Thunderbird after the debacle breaking GPG support. Mozilla tried to integrate it closer but instead ending up with some incompatible mess. That combined with aggressive auto-updates means that the most common GPG configs were borked overnight.

 

[1996 Toyota Camry]

I don't trust Thunderbird after the debacle breaking GPG support. Mozilla tried to integrate it closer but instead ending up with some incompatible mess. That combined with aggressive auto-updates means that the most common GPG configs were borked overnight.

I just tried setting up GPG in thunderbird, such a nightmare i just gave up. It refuses to use my existing keys forcing me to make new ones

 

[Flatline]

Does anyone have any very good recommendations for a mail client that supports both macOS and Linux?

I'm in the same boat and found there is no decent GUI program that works on Linux and macOS besides Thunderbird. If you're comfortable with the command line, you could try mutt/neomutt. The config files can be shared between machines and the program works on most Unix-based systems.

 

[notafederalagent]

Does anyone have any very good recommendations for a mail client that supports both macOS and Linux? FOSS isn't a hard requirement but would be nice

Claws Mail works well for the GPG stuff. There's a section in their FAQ for compiling for macos. I have no idea how it handles high volumes of mail/spam because I use it with some cock.li addresses that get around 15 emails per month max.

 

[1996 Toyota Camry]

If you're comfortable with the command line, you could try mutt/neomutt. The config files can be shared between machines and the program works on most Unix-based systems.

Claws Mail works well for the GPG stuff.

I'll give both these a peep

 

[Dread First]

I've firmly pivoted back into Firefox territory. I'm sorry, Pappy Nool but Brave just can't cut it for me. Mozilla's a festering cesspool of degenerate cuckolds with no executive function whatsoever, but Firefox just caters to my autistic inclinations in a way that no other browser, not even Brave, can match. I guess it takes an entire gaggle of autistic developers to understand exactly what other autistic faggots on the internet want in a web browser.

(1) FF Profile essentially makes Arkenfox (almost) redundant, because now you're able to create your own prefs.js almost the same way as Arkenfox, but without breaking things you might actually wanna use (i.e. WebGL games, streaming video, etc). It also allows you to get the bare minimum of extensions necessary without having to manually install them all one by one (i.e. uBlock Origin, CanvasBlocker, CookieAutoDelete). The remaining things that the profile generator doesn't handle are all things you can easily toggle off in about:preferences

(2) Privacy Settings allows you to toggle about:config flags on the fly to fix webpages that might break if you have stuff like privacy.resistFingerprinting or privacy.FirstPartyIsolate to "true." This makes actually using a hardened Firefox profile much more practical because now you can toggle certain flags on/off the same way you can toggle third-party scripts on/off in uBlock Origin's Medium Mode. Granted, this extension exists for Chromium too but the Chromium flags that it toggles aren't anywhere near as robust as the ones it can toggle in Firefox.

(3) Finally, there's just no viable analogue to Multi-Account Containers on Chromium-based browsers. Being able to segregate the accounts that I actually use most frequently into their own container tabs is an absolute godsend. I don't necessarily hate leaving cookies for the sites I use most frequently alone, but I'm not comfortable with the idea of Google/Facebook/Amazon/Netflix/Hulu having their cookies intermingling. Yes, I have p.FPI on so theoretically it does nothing from a privacy standpoint but my YouTube recommendations on Brave are noticeably different from Firefox with the proper container tabs set up (i.e. I see "recommended for you" in the related section of any YT video while using Brave but not Firefox). Small, unverifiable anecdote but that's more than enough reason for me to adopt the igneous vulpine once more.

Mozilla's fucking terminally exceptional, and I curse them for all their incompetence through the last decade. But holy shit, is Firefox itself still genuinely worth using.

 

[notafederalagent]

(3) Finally, there's just no viable analogue to Multi-Account Containers on Chromium-based browsers. Being able to segregate the accounts that I actually use most frequently into their own container tabs is an absolute godsend.

FF is definitely the way to go. Even with Arkenfox set to all the defaults and no user-overrides.js file, I find that it doesn't break anything here on KF.

I found out last week that in the settings for the containers, you can set your own proxy per container. I thought it was limited to the Mozilla VPN for the longest time because I never poked around in there.