manukatree.eu Service

About the Manuka tree

Hello,
you may wonder why this service has such an exquisite name. It is, due to the beauty of the New Zealand tree, called manuka. Its white or blue tiny flowers create a great vision in New Zealand landscape. If you are interested in this plant and happen to live close to Stuttgart, give the Wilhelma zoological and botanical garden a visit, which is home to a fully grown manuka tree. Its exceptionalism in Europe brought the idea to make it the naming source for this webservice.

About this service

This service is an individual's project, which aims at providing privacy by employing state of the art technologies. Its main focus is to allow for private and secure name service provision by using latest technology in securing DNS connections. Currently, this service runs an unbound 1.13 DNS server, which is configured to resolve domains recursively. Service is only provided for DNS-over-TLS on port 853. Currently, the software enforces a rate limit of 100 queries per IP address and second. If you run a larger infrastructure, such as a tor exit node, you might be willing to split your dns queries to multiple partners.

DNS service

The DNS service provided is uncensored and only filtered for advertising, malvertising and tracking domains. Currently, the following filter lists are read twice a week and combined to a large filter list:

• https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt
• https://adaway.org/hosts.txt
• https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
• https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
• https://urlhaus.abuse.ch/downloads/hostfile/
• https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
• https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
• https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts
• https://www.github.developerdan.com/hosts/lists/tracking-aggressive-extended.txt
• https://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0
• https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
• https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
• https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
• https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt
• https://v.firebog.net/hosts/Prigent-Ads.txt
• https://v.firebog.net/hosts/Prigent-Crypto.txt
• https://v.firebog.net/hosts/Easyprivacy.txt
• https://v.firebog.net/hosts/AdguardDNS.txt
• https://v.firebog.net/hosts/Admiral.txt
• https://v.firebog.net/hosts/static/w3kbl.txt
• https://v.firebog.net/hosts/neohostsbasic.txt
• https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
• https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
• https://raw.githubusercontent.com/justdomains/blocklists/master/lists/easylist-justdomains.txt
• https://raw.githubusercontent.com/justdomains/blocklists/master/lists/adguarddns-justdomains.txt
• https://raw.githubusercontent.com/justdomains/blocklists/master/lists/easyprivacy-justdomains.txt
• https://raw.githubusercontent.com/craiu/mobiletrackers/master/list.txt
• https://blocklistproject.github.io/Lists/alt-version/tiktok-nl.txt
• https://blocklistproject.github.io/Lists/facebook.txt
• https://blocklistproject.github.io/Lists/alt-version/tracking-nl.txt
• https://blocklistproject.github.io/Lists/alt-version/fraud-nl.txt
• https://blocklistproject.github.io/Lists/alt-version/gambling-nl.txt
• https://blocklistproject.github.io/Lists/alt-version/scam-nl.txt
• https://raw.githubusercontent.com/anudeepND/blacklist/master/facebook.txt

Domains included in any of the filter lists will return the following records:

• A: 127.0.0.1
• AAAA: ::1

The servers used to resolve the domains are:

• Digitale Gesellschaft
  • 185.95.218.42
  • 185.95.218.43
  • 2a05:fc84::42
  • 2a05:fc84::43
• dismail.de
  • 80.241.218.68
  • 159.69.114.157
  • 2a02:c205:3001:4558::1
  • 2a01:4f8:c17:739a::2
• Digitalcourage
  • 5.9.164.112
  • 2a02:2970:1002::18
• Censurfri DNS
  • 89.233.43.71
  • 2a01:3a0:53:53::
• BlahDNS
  • 78.46.244.143
  • 2a01:4f8:c17:ec67::1
  • 45.91.92.121
  • 2a0e:dc0:6:23::2
• dnsforge.de
  • 2a01:4f8:141:316d::117
  • 2a01:4f8:151:34aa::198
  • 176.9.93.198
  • 176.9.1.117
• dns.sb
  • 185.222.222.222
  • 185.184.222.222
  • 2a09::
  • 2a09::1
• Applied Privacy
  • 146.255.56.98
  • 2a02:1b8:10:234::2
• Freifunk München
  • 5.1.66.255
  • 2001:678:e68:f000::
  • 185.150.99.255
  • 2001:678:ed0:f000::
• mullvad.net
  • 194.242.2.3
  • 2a07:e340::3
• dns.njal.la
  • 95.215.19.53
  • 2001:67c:2354:2::53

All requests to the previously mentioned DNS servers are made using DNS-over-TLS, thus creating a chain of encrypted DNS traffic. Domain validation uses the DNS root servers from a.root-servers.net to m.root-servers.net. The unbound server is configured to not log any queries and its error log is set to 0, which means only fatal errors are logged.

Addresses

The addresses to use this server are:

• IPv4: 159.69.41.58
• IPv6: 2a01:4f8:c2c:7bfc::1

The port required is: 853/tcp

Configuration with unbound

To use this instance in unbound, please add the following to your /etc/unbound/unbound.conf:

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 2a01:4f8:c2c:7bfc::1@853#manukatree.eu
forward-addr: 159.69.41.58@853#manukatree.eu

Configuration with stubby

To use this instance in stubby, please add the following configuration to the /etc/stubby/stubby.yaml:

upstream_recursive_servers:
- address_data: 159.69.41.58
tls_auth_name: "manukatree.eu"
- address_data: 2a01:4f8:c2c:7bfc::1
tls_auth_name: "manukatree.eu"

In case you are running stubby on an OpenWRT instance, the configuration in the /etc/config/stubby file is as follows:

config resolver
option address "2a01:4f8:c2c:7bfc::1"
option tls_auth_name "manukatree.eu"
config resolver
option address "159.69.41.58"
option tls_auth_name "manukatree.eu"

Since the certificates used for the DNS-over-TLS encryption are renewed periodically, as they are signed by the Let's Encrypt CA and are only valid for 90 days, no PKI values are published.

Configuration with Android

The DNS server can be set as private DNS in Android, for which you have to add the domain name manukatree.eu to the respective menu in the Android settings.
After the expiration of Let's Encrypt certificates, the server ceased to work. The issue has been resolved by regenerating the server certificates. Doing so requires the following option to be set:
--preferred-chain "ISRG ROOT X1"
Which yields the following command, when run completely:
sudo certbot renew --force-renewal --preferred-chain "ISRG ROOT X1"
The solution may be found in the following reddit.com thread:
https://www.reddit.com/r/LineageOS/comments/pz4f87/lets_encrypt_is_dst_root_ca_x3_expiration_30th/