GlassROM dns - secure and private


anupritaisno1

Finally. An ethical, free-as-in-freedom and free-as-in-free-beer DNS that protects your privacy and is secure by design.

Our privacy policy is simple and in English, not legalese:
We do not collect any data whatsoever. That's it.

Secure: instead of writing our own security systems, there are certain things (called best practices) that must be followed first. All the time in the world can be spent writing a perfect security system, but that's really just extra work. If you don't apply the currently accepted practices and instead code your own, that's stupid.

Glassrom is currently the only public DNS resolver to implement almost all of these. No other "big" DNS provider has gone beyond DNSSEC or aggressive NSEC.

Only modern TLS (TLSv1.3) is supported. No support for TLSv1.2 or older.

What's the matter? Oh, you don't trust a no-name company that suddenly popped up overnight?

Got a tinfoil hat? We've got you covered. Message me privately and get the DNS server configs. The config you'll receive will be exactly the same as the one running on the Glassrom server. All you have to do is buy your own server and run the DNS server as per the configuration.

What about adblocking?
Glassrom DNS came out of the idea to resist censorship and spying, wherever, whenever and however it occurs. Blocking ads is technically censorship, and we will not step away from our ideals to provide uncensored internet access, even if it means we won't block ads.

That being said, you might be able to locally run a Pi-hole server that connects to the Glassrom DNS server for upstream DNS. We are currently exploring this possibility.

The last thing. Don't most services have to store some logs to improve their quality?
Yes, they do have to, and since Glassrom doesn't collect that data we just expect the absolute worst and prepare for it. Since the server has no tracking, no analytics, no collection whatsoever, we can't even tell if you used our DNS.

You aren't 100% invisible. Any intelligence agency (read: NSA) listening on the wires can tell that you did connect to our DNS service. If you use DoH or DoT they can't tell what data you transmitted or what website you connected to, but as the NSA says: "metadata is how we ***** people".
No VPN or DNS service is resistant to such external monitoring. If you don't want to be monitored, it is advised to use a VPN and Tor in addition to this. Even then you might not be 100% invisible. Be careful.

The Glassrom server disables DNS prefetching to resist a certain attack where an external party could query the server and measure the amount of time it takes to return a response. The attack works like this: if a DNS server has prefetch enabled, it will prefetch the IP addresses for some popular websites as per the users using the DNS server, and the response time will be abnormally short. An attacker with sufficient resources can see that certain queries take less time to return and deduce what websites are frequently visited. Disabling this optimisation makes the DNS server slower, but we have disabled it regardless.

The Glassrom server will cache DNS requests for anywhere from just 2 minutes to 1 hour in RAM. This data will never be written out to the disk, and the cached request will only store the address -> IP mapping and no additional data.

Standard DNS at 217.61.104.90 or [2a03:a140:0010:2c5a:0000:0000:0000:0001] (port 53, TCP/UDP)

DNS over TLS: https://dns.glassrom.pw:853
DNS over HTTPS: https://dns.glassrom.pw/dns-query

This was created using unbound, nginx and doh-proxy

Chromium-based browsers: please request developers to add support for Glassrom DNS.

Firefox: open about:config and change these values:
network.trr.mode 3
network.trr.uri https://dns.glassrom.pw/dns-query
network.trr.bootstrapAddress 217.61.104.90
network.security.esni.enabled true

Android 9 Private DNS: TLSv1.3 support is spotty on Android 9. Use stunnel and a DNS changer app that uses the VpnService API to use encrypted DNS.

systemd on Linux: read the documentation. Your systemd MUST be linked against an up-to-date OpenSSL/GnuTLS to be able to use TLSv1.3.

Alternative Linux method: use stunnel and use openresolv to change your DNS to 127.0.0.1, or run unbound yourself with Glassrom as an upstream DNS server on port 853.

Windows: if you care about privacy and security you wouldn't be using this. We have no Windows instructions, so if somebody wants to contribute, reply below.

Donate:
If you like our DNS service, why not donate to keep it running? Donations will allow improvement of service quality.

https://donorbox.org/glassrom

Remember that since we don't collect data, the success of this project will be determined by the donations received.
 

kurtn

Thanks a lot! No chance to use your DNS with LineageOS 17.0 built-in Private DNS?
 


anupritaisno1

Thanks a lot! No chance to use your DNS with LineageOS 17.0 built-in Private DNS?

Nginx doesn't allow setting different ciphers per stream/server block.

It's not a program limitation. In theory, implementing this is just not possible.

You can use stunnel and change your DNS to 127.0.0.1 until a fix is found. The fix would definitely be using a second server that proxies to the main one but replies with both TLS 1.2 and TLS 1.3.

Also, it doesn't really matter how you do DNS over TLS. ESNI is possible over it, but I haven't seen a single implementation using DoT+ESNI. Only DoH+ESNI is a thing for now.

Redirecting the encrypted port 853 to 127.0.0.1:53 using stunnel is no different from using a native implementation.

Use the stunnel approach and set your DNS server to 127.0.0.1.
I won't tell you how to do this. The Arch Wiki has a pretty in-depth article, and you can easily install stunnel with Termux, so just go and read the Arch Wiki.

For your browser: Firefox, or the one I use, Fennec F-Droid edition, can enable DoH and ESNI.

I'll ask the Bromite maintainer to consider inclusion. Currently I'm unsure how much load the server can handle.
 
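The first post lists three ways to reach the resolver (plain port 53, DoT on 853, DoH at /dns-query) and a TLSv1.3-only policy; the reply above argues that terminating TLS in stunnel and forwarding to 127.0.0.1:53 is equivalent to a native DoT client. The Python below is an added example, not code from either post or from the GlassROM server. It builds a DNS query in wire format, shows the 2-byte length framing that DNS-over-TCP and DoT share (which is why the stunnel forward needs no translation), the RFC 8484 GET encoding a DoH client sends, and a client TLS context that accepts nothing below TLS 1.3. The hostname and URL are the ones from the post; the answer it parses is constructed inline (TEST-NET address, made-up TTL) and nothing here opens a network connection.

```python
# Added example (not from the GlassROM posts or server). Offline: the only
# "response" is constructed below.
import base64
import ssl
import struct

DOT_HOST = "dns.glassrom.pw"                   # from the post (DoT, port 853)
DOH_URL = "https://dns.glassrom.pw/dns-query"  # from the post (DoH)


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS labels, e.g. 'a.com' -> b'\\x01a\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 message: 12-byte header (RD set) + one IN-class question.
    RFC 8484 recommends txid 0 for DoH so identical queries cache identically."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP (RFC 1035 4.2.2) and DoT (RFC 7858) both prefix the
    message with a 2-byte big-endian length, so stunnel can terminate TLS
    on 853 and hand the same bytes to a TCP listener on port 53."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(data: bytes) -> bytes:
    """Inverse of frame_tcp; rejects a truncated or over-long record."""
    (n,) = struct.unpack("!H", data[:2])
    if len(data) - 2 != n:
        raise ValueError("length prefix does not match payload")
    return data[2:2 + n]


def doh_get_param(msg: bytes) -> str:
    """RFC 8484 GET form: the raw message as base64url, padding stripped.
    The client sends GET DOH_URL?dns=<this>."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def doh_param_to_message(param: str) -> bytes:
    """What the DoH server does with the 'dns' parameter: re-pad and decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def tls13_only_context() -> ssl.SSLContext:
    """Client context for a resolver that refuses TLSv1.2 and older; CA and
    hostname checks stay on. Use: ctx.wrap_socket(sock, server_hostname=DOT_HOST)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name; a 0xC0.. compression pointer ends it."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def parse_a_records(msg: bytes):
    """Return [(ttl, dotted_ip), ...] for A records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip qtype + qclass
    out = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((ttl, ".".join(str(b) for b in rdata)))
    return out


def constructed_response(query: bytes, ip: str = "192.0.2.10", ttl: int = 120) -> bytes:
    """Made-up answer for `query` (constructed test data, not a real lookup):
    same txid, QR+RD+RA flags, question echoed, one A record whose owner
    name is a pointer to offset 12 (the question name)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
    return header + query[12:] + rr + bytes(int(x) for x in ip.split("."))


if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT/TCP frame:", frame_tcp(q).hex())
    print("DoH GET:", DOH_URL + "?dns=" + doh_get_param(q))
    print("A records:", parse_a_records(unframe_tcp(frame_tcp(constructed_response(q)))))
```

To issue a real DoT query you would wrap a TCP socket to DOT_HOST:853 with tls13_only_context() and send frame_tcp(q); on the stunnel setup from the reply you send exactly the same frame to 127.0.0.1:53 in the clear, which is the point the reply makes. If the context refuses to set minimum_version, the local OpenSSL is too old for TLS 1.3, the same failure the post describes for Android 9 and old systemd builds.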
