
Thread: Configured Dns over TLS ..... Is this good for privacy?

  1. #11
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Quote Originally Posted by linuxyogi View Post
    Lately I read a lot of articles which say that ISPs collect browsing habits of their users so I want privacy from my ISP.
    I must mention that after implementing DoT the name resolution process has become comparatively slower.
    When I was using DoH (under Firefox) it was quite fast.
    DNS providers also collect habits of their users. That was part of my point about who do you want to be private from?
    If you want real privacy, don't use the internet.
    There are different levels of privacy and how much you want probably doesn't overlap with how much is easy to accomplish. It isn't for me.

    When I want privacy,
    • I don't do it from home. I use a mom-pop cafe, not a corporate one. Corporate places with free wifi are everywhere. Assume those places are capturing your image, connection, DNS, and browsing. There are mitigations against each.
    • Use a full, paid VPN who you can trust. How to know whether you can trust any VPN isn't easy. You'll need to work into the ownership, logging, and truly who is behind it. Often, the more privacy they claim to provide, the more likely your data ends up in a parent company's hands. Having headquarters in small countries often means the VPN can manipulate the govt there. If the CEO/President and CIO for a VPN provider don't actually live in the country where their HQ is located, I consider that a warning sign too.
    • How has the VPN reacted towards legal demands to provide information on the users? If you don't hear anything about them fighting cases in court - what does that mean? To me, it means they handed it all over. I know of only 1 VPN provider who has fought legal battles AND proved they couldn't provide any logs to the govt, so the govt went away.
    • When you sign up to pay for a VPN, use anonymous payment methods. Financial tracking is a real thing. Every year or two, I buy a Gift VISA card to buy VPN service. There is a pre-paid service charge for this ... basically I'm paying 10% more to ensure privacy. This card cannot have more money added to it. The cards that support adding are more traceable. To be used on the internet, we have to register the card with a name and ZIP code here. Many VISA payment systems use the ZIP code along with the PIN to validate the correct user. I look up a name and address for a real person, with a common name, somewhere else and "borrow" their name for this 1 transaction.
    • For the VPN, there are really 2 secure-enough technical solutions - openvpn and wireguard. I want a provider that does at least 1 of those. I avoid providers using commercial VPN tools. In an old job, I deployed VPN for 25,000 users. We used a commercial solution with a SecurID fob. I watch the IT security announcements and every year one of the commercial VPN tools seems to announce a failure in a deployment that effectively made the VPN useless for some months. OpenVPN can be set up to be very non-secure too. Some of the default settings commonly used have been cracked by govts around the world. The VPN provider I used last year allowed some control by users to drastically improve the crypto for our connections, but it wasn't the default which was used by most people.
    • The VPN will slow all connections. There's an extra middle-man between everything, after all.
    • There is TOR too, and for many people it is fine. A few years ago, I read an article about TOR that estimated 30-60% of all exit nodes were run by different govt spy agencies. Read up about TOR for why it can be anonymous, but has some very important caveats. For example, if you've ever used TOR and connected to UbuntuForums.org using your normal userid for the login, then you've just broken the veil of privacy. When using TOR, never use any accounts that you've used before. It is best not to post at all, since we each have a writing style that can be "finger printed" on the internet. That will lead back to an individual as well, for a sufficiently motivated searcher.


    Privacy is never a yes/no question. It is always on a scale. Always.

    But most of us aren't doing anything nefarious or illegal. We just don't think it is anyone else's business. How much is more privacy worth, since it isn't automatic? That's the question.

  2. #12
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Quote Originally Posted by linuxyogi View Post
    @TheFu / @DuckHook

    Do you guys encrypt your DNS? Which solution are you using? DoH or DoT?
    If you are using DoT it will give me a sense of confidence.
    You don't need us to be using it in order to feel safe. LinuxBabe writes excellent tutorials and I've used some of them to good effect. FWIW, I use DoH, not DoT, but would consider using DoT without any qualms. I found this article which delineates the differences between DoH and DoT. It's a pretty good high‑level overview without too much techno‑babble.

    BTW, as an interesting side note, I'm not sure that LinuxBabe is a "babe". Could be a "he", though these days, I suppose there's nothing to stop a he from also being a babe. The point is that privacy and anonymity are the things that make such ambiguity possible. I consider them indispensable qualities that must be defended.

    A further exposition that might help:

    Though related, anonymity and privacy are not the same thing. People too often mistakenly conflate them. Best to explain with examples.

    1. When you sign in to this forum, it is neither private nor anonymous.
    2. When you interact with your bank, you must have privacy, but it is not anonymous.
    3. When you post on some comment board, you may want anonymity, but it is not private.
    4. When you visit a dissidents' site under an oppressive regime, you need both anonymity and privacy.

    It is more clarifying to break things down in such detail because it allows for different methods/tools/strategies for each.

    DoH and DoT give you limited privacy, but they do not give you anonymity. Why is it only limited? Because at some point, a service provider has to take your DNS request and translate it into the actual IP address of the site you want to reach. That service provider will know what you are visiting. This is why TheFu states that you can only push the trust issue further up the food chain, you cannot mask it entirely. You can use DNS resolvers who make a big deal about how "private" they are. I'm more naïve about this than TheFu and am willing to put some level of trust in providers like Quad9.

    But although this limitation exists, you can go a long way to eliminating the sheer number of intermediaries by using a VPN provider. A VPN tunnels all traffic between your machine (or your router if it is set up that way) and their server. Neither your ISP nor anyone else in between can see anything that's transmitted. Your VPN provider will likely run their own DNS resolver too, so you don't even need to trust a third party like Cloudflare or Quad9.

    Like TheFu, my choice of VPN provider is based on who has actually been trooped before a court and has demonstrated in front of a judge that they simply do not keep logs. This means that they physically lack the means to track me even under duress. This is as close to private as we are going to get.

    For anonymity, the number one rule is to minimize interactivity. This is hard. It's way harder than most people realize, because the Internet's raison d'etre is interacting with stuff. Why else do we go online? But like TheFu states, we can be identified in any of dozens of myriad ways, some incredibly cunning. TOR Browser is a good first guard but too many use it ignorantly. Do not use it in anything other than its default configuration. Do not add any extensions. Do not resize it on your desktop. Do not enter any info while using it. If you are going to fill in some form or sign‑in, you will have entirely defeated the point of TOR Browser and may as well have used a regular browser.

    I too have read many articles calling TOR Browser's bona fides into question. Many are just grinding their axe, but a few raise legitimate concerns. If enough nodes fall into the clutches of a three‑letter agency, then it is possible to analyze the data packets to match up point of origin and destination. It's a known weakness in the TOR model. TOR themselves state outright that their objective is to have so many nodes signed up and operating that it becomes pragmatically impossible for any one player to pull off such an analytical deconstruction. So, for what it's worth, take this into consideration when using TOR.

    You can layer strategies to achieve even better results. Running TOR over a VPN will yield a very tough nut indeed. I'm convinced that nothing is uncrackable, but that combo would come close, always provided that the operator is not an idiot.

    That last point is key: the weakest security/anonymity/privacy link in any chain is the one between the keyboard and the chair. 90% of privacy/security/identity breaches are due to our own carelessness. This should put the current discussion in a more sobering context. Because, while it is important to understand measures like DoT/DoH, they are useless without good user habits. If you reuse passwords between different sites, then obsessing over DoT vs DoH is like rearranging deck chairs on the Titanic.
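DuckHook's point that the VPN provider's own resolver handles your DNS only holds if the tunnel is the only interface with DNS servers configured. Here is an added check, not code from the thread or from any VPN client, that parses `resolvectl status` on a systemd-resolved host (Ubuntu's default) and lists every other link that still has resolvers; the tunnel name tun0 and the sample status output are assumptions.

```shell
#!/bin/sh
# Added example (not DuckHook's or TheFu's code). A link other than the VPN
# tunnel that still lists DNS servers can answer queries outside the tunnel,
# which is what a "DNS leak" on a systemd-resolved host looks like.

# Usage: leaking_dns_links "<resolvectl status text>" <tunnel-interface>
# Prints one offending link name per line; prints nothing when clean.
leaking_dns_links() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        # "Link 2 (enp3s0)" opens a per-interface section
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); next }
        # Global DNS servers apply to every link, so they count as well
        /^Global$/        { link = "Global"; next }
        # A "DNS Servers:" line in a non-tunnel section is the leak candidate
        /DNS Servers:/ && link != "" && link != tun { print link }
    '
}

# 0 when the tunnel is the only link with DNS servers, 1 otherwise.
vpn_dns_is_clean() {
    [ -z "$(leaking_dns_links "$1" "$2")" ]
}

# Live check on this host; the tunnel interface defaults to tun0 (assumption).
check_live() {
    status=$(resolvectl status 2>/dev/null) ||
        { echo "systemd-resolved is not in use here"; return 2; }
    leaking_dns_links "$status" "${1:-tun0}"
}

# Constructed sample of `resolvectl status` (not captured from a real host):
# the LAN interface keeps the router's resolver alongside the VPN's.
SAMPLE_LEAKY='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp3s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1

Link 5 (tun0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.8.0.1
       DNS Servers: 10.8.0.1'

# Same host after the LAN link's DNS servers were removed (constructed).
SAMPLE_CLEAN='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 2 (enp3s0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (tun0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.8.0.1
       DNS Servers: 10.8.0.1'
```

Run `check_live wg0` instead if the provider uses WireGuard; any link name it prints is one your queries can still exit through.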

  3. #13
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Configured Dns over TLS ..... Is this good for privacy?

    You have not disabled IPv6 if you didn't modify the kernel options passed in by grub. The old ways stopped working around the time that systemd was forced onto us.
    Code:
    $ ping google.com
    PING google.com (142.250.105.102) 56(84) bytes of data.
    64 bytes from 142.250.105.102: icmp_seq=1 ttl=56 time=28.8 ms
    64 bytes from 142.250.105.102: icmp_seq=2 ttl=56 time=13.2 ms
    ^C
    is what no IPv6 looks like.

    I use DoH on 2 of my systems. The others point at a pihole for DNS and updating the config for that to use some encrypted DNS is on my list of things to do.

    DuckHook did a good job explaining things. One more thing. VPNs almost always leak DNS queries. I've not seen any VPN available to home users that didn't leak DNS without extra care, extra settings, required.
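An added script, not TheFu's, that checks the places which tell you whether IPv6 is really off: the kernel command line grub passed (ipv6.disable=1, the setting TheFu says still works under systemd), the addresses the kernel actually configured, and the first line of a ping transcript like the one above. The sample transcripts are constructed, and GRUB_CMDLINE_LINUX plus update-grub are assumed as the way the boot option gets set.

```shell
#!/bin/sh
# Added example, not TheFu's code. Each check takes its input as an argument so
# it can be run against a saved transcript; ipv6_report() reads the live host.

# 0 if the kernel command line (as in /proc/cmdline) turns IPv6 off at boot.
cmdline_disables_ipv6() {
    case " $1 " in
        *" ipv6.disable=1 "*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# 0 if the first line of a ping transcript shows a dotted quad in parentheses,
# i.e. the host resolved and used an A record rather than an AAAA record.
ping_used_ipv4() {
    printf '%s\n' "$1" | head -n 1 |
        grep -Eq '^PING .*\(([0-9]{1,3}\.){3}[0-9]{1,3}\)'
}

# Print how many global-scope IPv6 addresses appear in `ip -6 addr` output.
count_global_v6() {
    printf '%s\n' "$1" | grep -c 'inet6 .* scope global' || true
}

# Live check: 0 when grub disables IPv6 and no global v6 address is configured.
ipv6_report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    n=$(count_global_v6 "$(ip -6 addr 2>/dev/null)")
    if cmdline_disables_ipv6 "$cmdline"; then
        echo "grub: ipv6.disable=1 present"
    else
        echo "grub: IPv6 still enabled at boot (assumed fix: ipv6.disable=1 in" \
             "GRUB_CMDLINE_LINUX, then update-grub and reboot)"
    fi
    echo "global IPv6 addresses configured: $n"
    cmdline_disables_ipv6 "$cmdline" && [ "$n" -eq 0 ]
}

# Constructed transcripts (not captured from a real host) for offline use.
SAMPLE_PING_V4='PING google.com (142.250.105.102) 56(84) bytes of data.'
SAMPLE_PING_V6='PING google.com (2001:db8::1) 56 data bytes'
SAMPLE_IP6='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::10/64 scope global dynamic
    inet6 fe80::1/64 scope link'

if [ "${1:-}" = "--live" ]; then ipv6_report; fi
```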

  4. #14
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Configured Dns over TLS ..... Is this good for privacy?

    I can't help feeling uneasy about this whole exchange. While it is useful to look into DoT/DoH, by overly focusing on your ISP, I think there's a real danger of missing the forest for the trees.

    To be dead honest, I'm not really that worried about my ISP knowing who I bank with. In my neck of the woods, there are only a handful of banks. If they narrow it down to one, it will hardly be surprising and only marginally useful info. They already have my credit card info for my monthly charges. They know where I live, what my bandwidth and usage patterns are, and they are perfectly positioned to do deep packet inspection of every byte that passes into or out of my house. Even if encrypted via VPN, modern analytical tools can extrapolate data of surprising relevancy using only statistical models and side channels.

    If my ISP or some three‑letter agency decides that they are after my data, there's very little that I or Joe Ordinary can do about it. This is what makes the conspiracy nuts so laughable: if the government is really targeting you, your best course of action is to call them up and say: "I have no idea why you find me a 'person of interest', but whatever it is, you have my full cooperation". These agencies are too massive and too powerful to fight.

    My real worries are twofold:

    First are the small and medium fry. From script kiddies to mob syndicates, they are the ones that can give me a really bad day. I'm worried about MitM attacks. My ISP isn't going to do that. I'm worried about ransomware. My ISP isn't going to do that. I'm worried about identity theft. My ISP isn't going to do that either. So, in these regards, focusing on my ISP is not only misdirected, but a waste of time and resources.

    Second are the meta‑dangers. I don't like having a shadow version of me floating around out there being sold over and over to whoever waves a nickel under some nameless company's nose. See this. It's a fascinating/frightening look at how each of us has a virtual simulacrum walking around who looks like us, walks like us and quacks like us. We never gave it permission to spring into being, we have no control over how it's abused, and we are basically powerless to get rid of it. What we can do is prevent—or at least stunt—its creation in the first place. We can also stop contributing to its continuing sustenance.

    The ISP is part of this second danger, but it's only one of many villains. In my opinion, this is far and away the larger danger because it is both pernicious and chronic. But just blinding the ISP does little to remedy it. It grows every time we buy online, every time we leave our e‑mail address, every time we sign up/sign in to something. But this trail is nothing—and I mean NOTHING—compared to how much our participation in social media feeds it. If you use Facebook, Twitter, Whatsapp, Snapchat, Instagram, Google‑anything, blah‑blah‑blah, then why are you even thinking about your ISP? You've got way bigger problems than your service providers. Unless you take measures far beyond DoT/DoH, you haven't even begun to nibble away at this danger. I would say that social media today (plus Google) is over 90% of the real danger. Your ISP just brings up the rear.

    I realize that this has gone far beyond your initial inquiry. Apologies if it is a bit of a hijack. But placing your concerns within a larger context may prove both useful and food for further thought.

    With that, I think I'll keep quiet now.

  5. #15
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Conclusion:
    1) No matter what measures a user implements, achieving 100% privacy is impossible.
    2) The only way to achieve the maximum possible privacy is to use a VPN.
    3) The next best tool after a VPN is Tor but Tor is not effective enough in comparison to a good VPN.

    Thanks to both of you.
    Lubuntu 20.04

  6. #16
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Quote Originally Posted by linuxyogi View Post
    1) No matter what measures a user implements, achieving 100% privacy is impossible.
    Correct.
    2) The only way to achieve the maximum possible privacy is to use a VPN.
    Correct.
    3) The next best tool after a VPN is Tor but Tor is not effective enough in comparison to a good VPN.
    Almost but not quite.

    • If used correctly, TOR is for anonymity (with a bit more privacy).
    • If used correctly, VPN is for privacy (with a bit more anonymity).
    • If used correctly, the two together kick serious butt.

    Now I really will be quiet for a while.

  7. #17
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Configured Dns over TLS ..... Is this good for privacy?

    All my DNS queries go to a server on my local network running BIND. From my reading of this discussion, encrypting DNS only affects the traffic between the client and the DNS server. As a result I don't use encryption and don't think I need to.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  8. #18
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Quote Originally Posted by SeijiSensei View Post
    As a result I don't use encryption and don't think I need to.
    I too was using unencrypted DNS for a very long time until I read articles like this >> https://blog.cloudflare.com/dns-encryption-explained/

    Unencrypted DNS
    Ever since DNS was created in 1987, it has been largely unencrypted. Everyone between your device and the resolver is able to snoop on or even modify your DNS queries and responses. This includes anyone in your local Wi-Fi network, your Internet Service Provider (ISP), and transit providers. This may affect your privacy by revealing the domain names that you are visiting.

  9. #19
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Quote Originally Posted by TheFu View Post
    • if you've ever used TOR and connected to UbuntuForums.org using your normal userid for the login, then you've just broken the veil of privacy. When using TOR, never use any accounts that you've used before. It is best not to post at all, since we each have a writing style that can be "finger printed" on the internet. That will lead back to an individual as well, for a sufficiently motivated searcher.
    Yes, I agree, but that makes me think. What is the role of a solution like this? >> https://magpi.raspberrypi.org/articles/tor-router
    That will route everything a person does via the Tor network.

  10. #20
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Quote Originally Posted by linuxyogi View Post
    I too was using unencrypted DNS for a very long time until I read articles like this >> https://blog.cloudflare.com/dns-encryption-explained/
    Everyone between your device and the resolver is able to snoop on or even modify your DNS queries and responses.
    There isn't anyone between me and the DNS server; that was my point. I generally don't have other people on my wifi network either, and those that do connect have no interest in my DNS queries.

    I'm more interested in what happens between my local DNS server and the upstream servers it consults when resolving a name. I presume that server-to-server traffic happens in the clear, or is it encrypted these days?
