Once upon a time there was discussion about the DNS servers 8.8.8.8 and 8.8.4.4 and how we need to move to a Canadian one. The one passed around was 149.112.121.30, CIRA (protected).

I had said something about going a step further and just using your own via Pi-Hole and Unbound. Someone (I do not remember who, which is why I am posting here) said yes, but the pi still has the DNS server you set it up with; they said they would look into it further at a later date. If they did look into it and post something, I am truly sorry, as I cannot find it.

I have gotten into using less US internet things and I recently got to find out that I needed to figure out my VPN setup a little better. This led me into a deep valley of infosec and I am trying my darndest to strip things away. Anywho, I was looking into something and there was mention of apps possibly falling back to system DNS, so I found /etc/resolv.conf, where I changed my DNS system on my 3 currently operational pi’s to access DNS like this.

Edit: I fixed some editing and hopefully made the commands more clear

This was bolded (I guess putting the comment marker first in the line makes it bold) but inside of the conf file at /etc/resolv.conf I changed it from,

    # Generated by NetworkManager
    nameserver 9.9.9.9

To

    # Generated by NetworkManager
    nameserver 172.16.1.50 # Primary Pi-hole
    nameserver 172.16.1.52 # Secondary Pi-hole
    nameserver 149.112.121.30 # Canadian DNS (CIRA Canadian Shield: Protected)

I also needed to add this to the end of /etc/unbound/unbound.conf.d/pi-hole.conf

This is for Canadian and pseudo-Canadian backups.

    forward-zone:
        name: "."
        forward-addr: 149.112.121.10 # CIRA Canadian DNS
        forward-addr: 9.9.9.10 # Quad9 Canadian (with filtering)
        forward-first: no

I get into computer projects and find ways to one-up myself. I wish I could say I crash tested everything the old-fashioned way, but I have used ChatGPT to crash test things, only because I do not have a computer with a strong enough graphics card to run a local LLM and breaking one thing could set me back hours or even days.
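An added example, not part of the original post: a Python audit of the two files edited above, reporting which resolvers outside the LAN each layer can still send queries to. The file contents are constructed samples copied from the post, the function names are hypothetical, and the three-server limit is glibc's documented MAXNS.

```python
import ipaddress
# Constructed samples mirroring the two files edited in the post.
RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 172.16.1.50 # Primary Pi-hole
nameserver 172.16.1.52 # Secondary Pi-hole
nameserver 149.112.121.30 # Canadian DNS (CIRA Canadian Shield: Protected)
"""
UNBOUND_CONF = """\
forward-zone:
    name: "."
    forward-addr: 149.112.121.10 # CIRA Canadian DNS
    forward-addr: 9.9.9.10 # Quad9 Canadian (with filtering)
    forward-first: no
"""
GLIBC_MAXNS = 3  # glibc reads at most three nameserver lines

def system_nameservers(text):
    """Split resolv.conf nameservers into (used, ignored) per the glibc limit."""
    found = [f[1] for f in map(str.split, text.splitlines())
             if len(f) >= 2 and f[0] == "nameserver"]
    return found[:GLIBC_MAXNS], found[GLIBC_MAXNS:]

def unbound_forwarders(text):
    """Upstreams of the root forward-zone; if any, Unbound forwards all queries."""
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        key, _, value = (p.strip() for p in line.partition(":"))
        if key and not value:  # bare "clause:" line opens a new section
            current = {"name": None, "addrs": []} if key == "forward-zone" else None
            if current is not None:
                zones.append(current)
        elif current is not None and key == "name":
            current["name"] = value.strip('"')
        elif current is not None and key == "forward-addr":
            current["addrs"].append(value.split("@")[0])  # drop optional @port
    return [a for z in zones if z["name"] == "." for a in z["addrs"]]

def audit(resolv_text, unbound_text):
    """Resolvers outside the LAN that each layer can still send queries to."""
    used, ignored = system_nameservers(resolv_text)
    off_lan = [a for a in used if ipaddress.ip_address(a).is_global]
    return {"system_external": off_lan, "system_ignored": ignored,
            "unbound_upstreams": unbound_forwarders(unbound_text)}

if __name__ == "__main__":
    print(audit(RESOLV_CONF, UNBOUND_CONF))
```

On the post's configuration this reports 149.112.121.30 as a system-level fallback that does not pass through Pi-hole, and both forward-addr entries as the resolvers Unbound hands every query to.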

  • KingOfTheCouch@lemmy.ca
    1 day ago

    9.9.9.10 is not a “canadian version”. It’s their “Unsecured: No Malware blocking, no DNSSEC validation (for experts only!)” address. See: https://www.quad9.net/service/service-addresses-and-features for more information about their different DNS addresses.

    Quad9 is a Swiss non-profit. Check the rest of that page for more information on what they do and what they offer.

    CIRA is the government sanctioned registrar overseeing the top level domain “.ca”. As a non-profit built for this purpose, they have branched out to both DNS (as discussed here), as well as operating an Internet Speed Test.

    Whichever way you go, don’t get too hung up on this. Moving away from 8.8.8.8 (or even 1.1.1.1 if anyone uses Cloudflare’s service) is your goal. Even going back to your Canadian ISP’s DNS is going to be adequate as well if you just want to replace Google.

    • ErableEreinte@lemmy.ca
      3 days ago

      Per their website:

      As a non-profit that engages with a number of stakeholder groups across Canada’s internet, CIRA believes that transparency is essential to good governance.

      They also detail their compensation and expenses further down that page.

      • Avid Amoeba@lemmy.ca
        3 days ago

        So you’re saying it’s safe to use their DNS without worrying much about data collection? 😂 I like it.

        • Reannlegge@lemmy.caOP
          3 days ago

          Being non-profit in Canada does mean stuff about their income. Quad9 Canada is a US nonprofit, so they are not into looking to sell your data, but they are from the US. I do not like my data being seen by others, as that is why CIRA is third in the list and Quad9 is fourth in the list.

    • Magnus@lemmy.ca
      2 days ago

      They hassle me every 5-6 years about the details on my .ca’s saying if the details are not correct they are going to pull my site offline.

      They also hassle lots of registrars about things.

      On the flip side, I don’t know what kind of value they bring to Canada.

    • Reannlegge@lemmy.caOP
      1 day ago

      Awesome sauce, I can move Quad9 Canada even lower down the list! I did not know that CIRA had 2 addresses for each level, I really should have but you know things get missed!

  • anguo@lemmy.ca
    3 days ago

    the pi still has the DNS server you set it up with,

    As I understand it, you are solving this with Unbound.

    Edit: but your forward-zone settings now make CIRA your external DNS provider

  • onTerryO@lemmy.ca
    3 days ago

    Thanks for this, I have updated my settings. BTW you can do this all in the GUI - just copy and paste the addresses into the box at the bottom of the DNS settings page and then click save. Then uncheck all of the boxes for the upstream DNS servers and click save again.

    149.112.121.10
    149.112.122.10
    
    

    Not sure of the syntax for the IPv6 servers, I will update if I figure them out.

    • Reannlegge@lemmy.caOP
      3 days ago

      When the pi was set up it was using Quad9’s 9.9.9.9, as I did not know that there was a Canadian version 9.9.9.10. There could be apps that try to get past Pi-hole by going to the pi’s original DNS resolve address, so I changed that, and I updated Unbound to get the information from CIRA first and then Quad9 Canada second.