
blocky should run without configuration

Open 0xERR0R opened this issue 4 years ago • 14 comments

All required configuration parameters should have meaningful default values -> blocky should start even if user provides no configuration.

0xERR0R avatar Dec 22 '21 07:12 0xERR0R

This seems kinda risky regarding DNS exposure.

What would the default upstream resolver be?

kwitsch avatar Dec 24 '21 18:12 kwitsch

I think it is very frustrating for the user if a simple "docker run" fails due to a missing config file. It would be better if blocky would start with minimal configuration. We can use "1.1.1.1" as single upstream for example.

0xERR0R avatar Dec 24 '21 21:12 0xERR0R

I think it would be best to use the system DNS resolver as fallback if no default is configured. This way it would start even if no upstream is configured and it could be easily configured (DNS flags/resolv.conf/blocky.conf).

Something similar like #307.

kwitsch avatar Dec 25 '21 10:12 kwitsch

It would be the "safest" way. But when the system DNS resolver is crappy or misconfigured, it would still not work.

0xERR0R avatar Dec 25 '21 15:12 0xERR0R

If the DNS server of your docker instance isn't configured correctly you probably won't be able to download the blocky image 😉

I personally wouldn't feel comfortable to define a default upstream resolver that I'm not associated with. It should at least be logged as a warning, since it relies on defaults which weren't configured by the user.

Probably only my personal biases against Google and Cloudflare. Sorry for that. 😅

kwitsch avatar Dec 25 '21 17:12 kwitsch
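The fallback discussed above (start with the system resolvers from resolv.conf when no upstream is configured, log a warning because the user did not choose them, and refuse to start silently when resolv.conf yields nothing usable) can be sketched as follows. This is an added illustration, not blocky's own code: the function names `parseResolvConf` and `effectiveUpstreams`, the error `ErrNoUpstream` and the resolv.conf contents are all constructed for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"log"
	"net"
	"strings"
)

// Constructed sample resolv.conf contents (not captured from a real host).
// It mixes comments, an option line, one IPv4 and one IPv6 nameserver and one
// garbage entry, to exercise the parser.
const sampleResolvConf = `# generated by the container runtime (constructed sample)
search example.internal
nameserver 192.0.2.53
nameserver 2001:db8::53
nameserver not-an-ip
options ndots:0
`

// ErrNoUpstream is returned when neither the config nor resolv.conf yields a
// usable resolver; starting a DNS proxy with no upstream would answer nothing.
var ErrNoUpstream = errors.New("no upstream configured and no usable nameserver in resolv.conf")

// parseResolvConf returns the IP addresses found on "nameserver" lines.
// Comments, other keywords and entries that are not valid IPs are skipped,
// so a half-broken resolv.conf does not produce an unusable upstream.
func parseResolvConf(contents string) []string {
	var servers []string
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "nameserver" {
			continue
		}
		if ip := net.ParseIP(fields[1]); ip != nil {
			servers = append(servers, ip.String())
		}
	}
	return servers
}

// effectiveUpstreams decides which upstreams a start-up should use.
// Explicitly configured upstreams always win. Otherwise the system resolvers
// are used and a warning text is returned so the caller can log that the
// running configuration was not chosen by the user. With nothing usable the
// caller gets ErrNoUpstream and should refuse to start rather than run a
// resolver that cannot resolve.
func effectiveUpstreams(configured []string, resolvConf string) (upstreams []string, warning string, err error) {
	if len(configured) > 0 {
		return configured, "", nil
	}
	system := parseResolvConf(resolvConf)
	if len(system) == 0 {
		return nil, "", ErrNoUpstream
	}
	warning = fmt.Sprintf("no upstream configured; falling back to system resolvers from resolv.conf: %s",
		strings.Join(system, ", "))
	return system, warning, nil
}

func main() {
	// No upstream in the (imaginary) config: fall back and warn.
	ups, warn, err := effectiveUpstreams(nil, sampleResolvConf)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("WARNING: %s", warn)
	fmt.Println("effective upstreams:", ups)

	// Nothing usable anywhere: refuse to start.
	if _, _, err := effectiveUpstreams(nil, "# empty resolv.conf\n"); err != nil {
		fmt.Println("startup refused:", err)
	}
}
```

Running it prints the warning with the two valid nameservers from the constructed resolv.conf, then the refusal message for an empty one; the `not-an-ip` entry is dropped by the parser rather than passed on as an upstream.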

Not sure if using Quad9 or NextDNS as default looks better for @kwitsch? I understand the concerns about those tech giants 😆

PeterDaveHello avatar Mar 26 '22 17:03 PeterDaveHello

> Not sure if using Quad9 or NextDNS as default looks better for @kwitsch? I understand the concerns about those tech giants 😆

Quad9 is just another big fish 😅

If it's unavoidable maybe OpenNIC, DNS.Watch or FreeDNS 🤔

kwitsch avatar Mar 26 '22 18:03 kwitsch

So sounds like OpenDNS will also have the same concerns.

What about Control D or NextDNS? Otherwise, you've only got some smaller options, like LibreDNS, Digitale Gesellschaft DNS, DNS Privacy, Seby DNS or DNS.SB. Without tech giants, the reliability could be another issue.

PeterDaveHello avatar Mar 26 '22 21:03 PeterDaveHello

> So sounds like OpenDNS will also have the same concerns.
>
> What about Control D or NextDNS? Otherwise, you've only got some smaller options, like LibreDNS, Digitale Gesellschaft DNS, DNS Privacy, Seby DNS or DNS.SB. Without tech giants, the reliability could be another issue.

Didn't mention OpenDNS 😉

I won't use either of them. Was just raising concerns about linking to a company which potentially isn't trustworthy.

Maybe we could agree on a public DNS server that is run by a nonprofit organization as default?

kwitsch avatar Mar 27 '22 02:03 kwitsch

> Didn't mention OpenDNS 😉

I know, just some people will use it, so I guess you'd like to exclude it.

> Maybe we could agree on a public DNS server that is run by a nonprofit organization as default?

Quad9 is actually kind of a nonprofit organization that relies on donations, but I know you have concerns, it really depends.

Maybe the easy way is to provide a minimum config.yml like this:

upstream:
  default:
    - tls://dns.nextdns.io
    - tls://101.101.101.101
    - https://freedns.controld.com/p0

With the Docker cli mount parameter example, it'll be pretty easy to run blocky, and people will know how to modify the upstream on their own. No default DNS built-in that'll raise any kind of concerns.

The config can even be just like this, 3 lines lightweight, that doesn't need any bootstrap DNS:

upstream:
  default:
    - tls://101.101.101.101

Using TWNIC as an example above, instead of Google, Quad9 and Cloudflare that can also be specified by IP simply, I hope that won't be a big concern for those who care 😅 (doesn't mean that I don't care 😄 )

BTW, I checked OpenNIC servers here: https://servers.opennic.org/, encrypted protocol doesn't seem to be widely supported yet.

PeterDaveHello avatar Mar 28 '22 15:03 PeterDaveHello

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Aug 04 '22 09:08 github-actions[bot]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Nov 03 '22 04:11 github-actions[bot]

> I think it would be best to use the system DNS resolver as fallback if no default is configured. This way it would start even if no upstream is configured and it could be easily configured (DNS flags/resolv.conf/blocky.conf).
>
> Something similar like #307.

I like the idea of using the system DNS config. If I start blocky with docker I can set DNS for a particular service/container.

shizunge avatar Dec 03 '23 07:12 shizunge