Page 3 of 5 FirstFirst 12345 LastLast
Results 21 to 30 of 47

Thread: Configured Dns over TLS ..... Is this good for privacy?

  1. #21
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Ubuntu Budgie 20.04 Focal Fossa

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Quote Originally Posted by SeijiSensei:
    I presume that server-to-server traffic happens in the clear, or is it encrypted these days?
    I think both DoH & DoT encrypt that too.

    Please wait for DuckHook or TheFu for the confirmation.
    Ubuntu Budgie 20.04

  2. #22
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Configured Dns over TLS ..... Is this good for privacy?

    I have no expertise at all in server to server stuff, but here's what I've gleaned from reading:

    • I don't believe that server to server is encrypted out of the box. One must consciously take additional measures to do that. Much of our infrastructure was developed in more innocent times. Sadly, those days are long gone.
    • Server to server is a legitimate worry because it offers an ideal attack surface for supply chain poisoning. In fact, from a consumer standpoint, it's more insidious because the measures to safeguard against MitM attacks that are available to us as consumers can only guard us as far as our DNS resolver endpoint. Anything further up the food chain must rely on the security chops of the DNS service provider. It's one of the (possibly self-serving) reasons often given not to rely on small DNS providers.
    • The technical aspects are a lot murkier to me. I've read that it involves DNSSEC, further more esoteric forms of encryption, keys/certificates and so forth, but I've never investigated it in depth because it is awfully arcane stuff and, let's face it, when is a Joe Ordinary like me ever going to implement something like that? Those administering organizations of 10,000, sure, but running a DNS server for Mrs DH and me? Seriously?
    • I've read about canned "secure" DNS solutions that are meant for big firms. I have no reason to doubt their security bona fides—after all, supplying demand is one of the benefits of free enterprise—but, frankly, I'm just not qualified to even comment on this aspect of security.

    All I can tell you is that such concerns keep me focused on Quad9, Cloudflare, Adguard, etc. I avoid small DNS providers—possibly unfairly—because I don't know enough about them to trust their security savvy.

    As a side note: one of the reasons that I don't use my ISP's DNS service is because of above security concern. They are a big outfit, but their primary business is not DNS.

    A further side note: like TheFu states, DNS leakage happens all over the place, even with VPN. I'm aware of those pitfalls. I don't even use DoH/DoT to stop DNS spying, but to nuke ads. That's the reason my DoH endpoint for mobile is Adguard (which is a smaller outfit) and not Quad9 or Cloudflare.

  3. #23
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Configured Dns over TLS ..... Is this good for privacy?

    The only automatic DNS encryption that we get is from default settings in Firefox which ignore your local DNS settings for that browser. If you are able to hit internal LAN servers that are not available on the internet too, then perhaps you previously disabled the Firefox built-in DNS-over-HTTPS which became default over the last year or so. I think they rolled it out slowly and finished sometime last fall.

    linuxyogi, you are trying to create absolute answers where none exist.
    Quote Originally Posted by linuxyogi:
    Conclusion:
    1) No matter what measures a user implements, achieving 100% privacy is impossible.
    2) The only way to achieve the maximum possible privacy is to use a VPN.
    3) The next best tool after a VPN is Tor, but Tor is not effective enough in comparison to a good VPN.
    1) Saying that something is 100% impossible isn't factual. There are possible ways, but for normal people, it is highly unlikely and very difficult. YOUR behavior matters.
    2) A VPN doesn't provide privacy from everyone, and whether that is maximum would depend on who the goal is to be private from. If you use a VPN, and post your real name, address, telephone numbers and visit all the same places that you visited pre-VPN, there is little chance that a motivated person wouldn't be able to discover those things. YOUR behavior matters.
    3) Comparing a VPN and TOR is like comparing a boat and a taxi. They have different purposes. Regardless, YOUR behavior matters with using either and both.

    There are seldom absolutes without 3 pages of caveats included.

    If you don't want your ISP tracking you and that's it, using a VPN with an external DNS that isn't leaked around the VPN, and the VPN has sufficiently strong encryption (AES256 or better) and the VPN doesn't use a known cracked protocol (cough, TLS v1.2), and the VPN exit node is outside your country, but not in another country friendly to yours, and .... and ... and ... and ... then it is safe to watch cartoons and may be safe to do other activities. If the ISP is the parent company of your VPN or the external DNS, all bets are off. If you use ISP email and check it when connected to the VPN, now they know your current IP ... see how YOUR behavior matters? Some govts may have rules to track Internet users, VPN access, because ... I don't know ... they are afraid of any electronic financial transactions using any sorts of privately traded blockchain currencies. Very, very, few of those are untraceable, BTW.

  4. #24
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Fresh browser/tor/dns issue.
    https://www.theregister.com/2021/02/...rief_security/

    Browsers are very complex and have bugs. Do not only trust the browser, if you want privacy. They routinely fail.

  5. #25
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,896
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Configured Dns over TLS ..... Is this good for privacy?

    @DuckHook

    You don't run a pfSense router with built-in DNS resolver? I thought this setup was pretty common nowadays for even home users. And yes -- I mean -- Serious!

  6. #26
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Quote Originally Posted by kevdog:
    @DuckHook

    You don't run a pfSense router with built-in DNS resolver? I thought this setup was pretty common nowadays for even home users. And yes -- I mean -- Serious!
    No, I rely on my router almost entirely to provide those services. I am mildly curious about PfSense and now OPNsense (since TheFu mentioned it above), but to be dead honest, it's yet another "thing" I would have to juggle and I'm a lazy sort who just wants something trustworthy that I can set up properly one time, review occasionally, but otherwise largely forget.

    Perhaps it would help if I can provide a really high‑level summary of everything that I've written above:

    • I do not believe that one can realistically "hide" oneself on the Internet. It's possible if one never interacts, but what would be the point?
    • As already stated, I'm not overly concerned about my ISP knowing which sites I visit. I'm a really boring guy. I visit a lot of tech sites, some mainstream media sites, a few of the big online stores—that's about it. I am as exciting as warmed over rice porridge.
    • When I visit important sites like my bank, accountants, lawyers, medical etc, I take special measures constrained to certain browsers.
    • On the exceedingly few occasions that I wish to remain both private and anonymous, I tunnel to my VPN and use TOR Browser.
    • Other than the above, I have no illusions that what I do online is either private or anonymous. Example: I am now hobnobbing with all of you in the clear. No VPN, no TOR. My FF is DoH-ed into Adguard. I do this not to protect my privacy but to nix ads (which can themselves be pernicious ID profilers).

    Another way to look at it is quantitatively. On a 10‑point scale (10 being the most concerning):
    DNS privacy 2
    DNS security 10
    ISP spying 2
    Profiling 11
    Note that none of the "critical" stuff involves doing anything special with routers. Instead, it's all about behaviour and habits. Not much there that involves tinkering with hardware or software.

    Overall, the biggest issue that I see among all of my friends and family is—it can only be stated bluntly—hypocrisy. They too are concerned about profiling, but unwilling to give up any of the drugs that the profilers hand out to reel them in. I mean, what is the point in profile anxiety when you are the one enthusiastically filling out that Facebook profile page? It's even plainly called a "profile" page.

    Most people don't really understand "privacy". They throw very disparate elements together into a big vegetable stew and think that magic apps/devices can make up for their lack of care. /rant

    So, no, I don't use PfSense with its built‑in DNS resolver. I do use DD-WRT with its DNSSEC connection to a big external DNS resolver, in my case, Quad9, and I do so not to hide from anybody, but for packet integrity/security.

  7. #27
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,896
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Configured Dns over TLS ..... Is this good for privacy?

    @DuckHook. I use QuadDNS for DOT. This is based on a video done at Lawrence Systems which compared the major DNS providers.

    I agree with the overall assumptions of this thread. It's almost impossible to anonymize oneself since DNS resolution needs to be done somewhere. I'm not exactly sure TOR is the answer since I believe a lot of the nodes are run by various government authorities.

    I see you said you're running DOH with Firefox. I have no problem with that, however I think DNS is better controlled at the router level rather than the individual application level, at least for my network, since I can control all requests on port 53 and redirect them to port 853 and DOT through Quad 9. I also just think it's quicker to DNS resolve at the router level. I don't know if you run any servers/docker containers on your LAN. A local DNS resolver is really really helpful in this situation. In addition, segmentation of network traffic via use of VLANs I think is important to segment off the LAN for security purposes.

    I've used pfSense and I'm aware that OPNsense is a fork of pfSense. I don't know a lot about OPNsense but I'm pretty familiar with pfSense. I run my pfSense within a hypervisor for my LAN. It definitely takes a little bit of reading to get things set up and running, however I find it pretty straightforward -- so much so it's pretty set it and forget it now. If I need to add more VLANs or advanced firewalling, I definitely need to go back and read a little bit since it's not something I really mess with but once in a great while. I used to use DD-WRT, however I'd definitely say pfSense is way more advanced in terms of features. I'm not sure if you do much traveling or need remote access to your LAN, however the ability to run an OpenVPN server through pfSense is really really good and pretty easy to set up. Supposedly the new version can also do WireGuard, however I'm really pleased with OpenVPN thus far and really don't find a lot of reasons to switch. The ability to use OpenVPN through the home router is also a security measure if ever accessing the internet through open unprotected wifi such as hotels or other areas like coffee shops.

  8. #28
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Quote Originally Posted by DuckHook:
    I'm a lazy sort who just wants something trustworthy that I can set up properly one time, review occasionally, but otherwise largely forget.
    This is why I use OPNSense. I got tired of consumer routers losing support, so I spent the effort to end that for 10+ yrs at a time, by getting HW specifically designed to be a router, AMD64-compatible, running a BSD router OS with bonehead simple patching and upgrading - AND NO WIFI. I keep wifi separate from routing.

    Quote Originally Posted by DuckHook:
    • I am as exciting as warmed over rice porridge.
    Please tell more! I've been meaning to learn to make rice porridge in the rice cooker.

    Quote Originally Posted by DuckHook:
    • Other than the above, I have no illusions that what I do online is either private or anonymous. Example: I am now hobnobbing with all of you in the clear. No VPN, no TOR. My FF is DoH-ed into Adguard. I do this not to protect my privacy but to nix ads (which can themselves be pernicious ID profilers).
    I use a pihole with adblocking lists for DNS on the LAN, not the OPNSense router. I stopped running AV on my LAN systems once my professional insurance wasn't needed for clients anymore. E&O professional insurance has all sorts of Windows-centric mandates. Obviously, in my security lab, use of any AV wasn't normal unless that was part of the client's statement of work.

    Quote Originally Posted by DuckHook:
    Overall, the biggest issue that I see among all of my friends and family is—it can only be stated bluntly—hypocrisy. They too are concerned about profiling, but unwilling to give up any of the drugs that the profilers hand out to reel them in.
    My family doesn't care at all. They've all given up or feel that whatever Apple provides is sufficient. Even the computer nerds who run servers don't seem to care. The family under about age 35 don't care at all - they accept being followed, always and strive to post "stories" somewhere - which I don't get. Whatever. My friends are about 50/50. Some try to be private and secure, but the other half have given up. Many friends are CISSPs and work as security consultants or in enterprise security teams. The vast majority have every social networking account possible. One friend worked in SIGINT and he will get ranting about people using centralized accounts anywhere .... from this gmail account. <forehead slap!>

    Quote Originally Posted by DuckHook:
    So, no, I don't use PfSense with its built‑in DNS resolver. I do use DD-WRT with its DNSSEC connection to a big external DNS resolver, in my case, Quad9, and I do so not to hide from anybody, but for packet integrity/security.
    dd-wrt that is patched at least quarterly is probably 99% more secure than what most people do at home. For a few years, I used dd-wrt and it was great, until the angel who created the firmware updates got a new router and stopped supporting my hardware. Sure, I could have set up a build environment and become the maintainer for that device going forward, or switched to using x86/amd64 releases of dd-wrt and been just as secure.

    Along the way, I had a client that needed excellent QoS control for their campus which had about 6 enterprise wifi APs and up to 80 people. Across the street was a CCP-Chinese compound keeping track of the exiled Tibetan Buddhist Monks in the monastery and their internet use. Anyways, they cared about internet security and the privacy of their communications. It wasn't just some thought exercise. Any day they left the compound, a van could abduct them on the tiny road that these two compounds shared and nobody would know that happened. Ever.

  9. #29
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Quote Originally Posted by kevdog:
    I'm not exactly sure TOR is the answer since I believe a lot of the nodes are run by various government authorities.
    This is the usual concern. I can't say it is without substance, hence the VPN double layer.
    Quote Originally Posted by kevdog:
    I see you said you're running DOH with Firefox.
    …But, as said, for reasons other than privacy. I may as well fully digress from OP's topic.

    I try to have as few extensions loaded on FF as I can. There was suspicion some time ago that the ad blockers were themselves reporting back to the mothership. So it becomes a game of weighing whether I distrust ad blockers or Adguard more. I chose Adguard over ad blockers.
    Quote Originally Posted by kevdog:
    …I don't know if you run any servers/docker containers on your LAN. A local DNS resolver is really really helpful in this situation.
    A number of servers, but all for internal use. I just started my first external one a couple of months ago with Nextcloud. Prior to that, all I needed was a router solution that completely closed off every incoming port.
    Quote Originally Posted by kevdog:
    In addition, segmentation of network traffic via use of VLANs I think is important to segment off the LAN for security purposes.
    DD-WRT can do that. I will look into it. Thanks for the heads‑up.
    Quote Originally Posted by kevdog:
    I used to use DD-WRT, however I'd definitely say pfSense is way more advanced in terms of features.
    I have no doubt that it is. We are comparing an appliance to a full-fledged platform. Sorta like comparing a scooter to a Ferrari. The latter is bound to be more powerful.
    Quote Originally Posted by kevdog:
    I'm not sure if you do much traveling or need remote access to your LAN, however the ability to run an OpenVPN server through pfSense is really really good and pretty easy to set up. Supposedly the new version can also do WireGuard, however I'm really pleased with OpenVPN thus far and really don't find a lot of reasons to switch. The ability to use OpenVPN through the home router is also a security measure if ever accessing the internet through open unprotected wifi such as hotels or other areas like coffee shops.
    I'm retired, so travel is all pleasure. When travelling, I've hitherto wanted to leave all home cares behind, so little need for connection. Hitherto, mind you.

    I'm now testing Nextcloud because I'm uneasy about having my stuff on someone else's platform. I had long ago dropped Google, but my photos are on Piwigo, and I'm not happy even with that. My initial feelings about Nextcloud have been phenomenal. But it does require me to look very carefully at security. For the first time, ports have been forwarded into my LAN. They go straight to an unprivileged LXD-contained instance of Nextcloud with fail2ban, forced SSL and only one login (me), but it still constitutes a penetration of my firewall and I readily admit that that makes me squirm.

    Quote Originally Posted by TheFu:
    Please tell more! I've been meaning to learn to make rice porridge in the rice cooker.
    Since we are now in full hijack mode, I will keep it short: rice cooker→ixnay. They are designed to get rice just right, which obviously is not a runny, liquidy porridge state. Better to use a deep pot, very little rice, lots of water (I really mean a palmful of rice to 4 litres of water), absolutely minimal heat so that it's just slightly simmering and NO lid. Otherwise, it is guaranteed to foam, boil over and ruin your day. Takes a while, so start early.

    Quote Originally Posted by TheFu:
    I use a pihole with adblocking lists for DNS on the LAN, not the OPNSense router. I stopped running AV on my LAN systems once my professional insurance wasn't needed for clients anymore. E&O professional insurance has all sorts of Windows-centric mandates. Obviously, in my security lab, use of any AV wasn't normal unless that was part of the client's statement of work.
    Security lab. Right. You just confirmed for me that you come from a very different universe to that of mere mortals like me.

    Quote Originally Posted by TheFu:
    My family doesn't care at all. They've all given up or feel that whatever Apple provides is sufficient. Even the computer nerds who run servers don't seem to care. The family under about age 35 don't care at all - they accept being followed, always, and strive to post "stories" somewhere - which I don't get. Whatever. My friends are about 50/50. Some try to be private and secure, but the other half have given up. Many friends are CISSPs and work as security consultants or in enterprise security teams. The vast majority have every social networking account possible. One friend worked in SIGINT and he will get ranting about people using centralized accounts anywhere .... from this gmail account. <forehead slap!>
    It's sad. In my more despondent moments, I feel like the profilers have won through sheer attrition. They've worn down even the most dedicated of us by making it impossible to avoid them. These days, a professional who must engage with others is forced to have a LinkedIn page, a Twitter account, a half dozen social media profiles and twenty different messaging/chatting connections. There's no real‑world alternative because refusing to do so means no food on the table. Look what we went through last year: Zoom has more holes than Swiss cheese, but is completely unavoidable for most people.

    I'm lucky that I'm retired. It gives me the freedom to tell them to go stuff it. I've been trying (with varying success) to at least switch my retired friends to Signal and XMPP-based messaging. But it's hard. Their kids are all on Whatsapp, Twitter, Instagram, Facebook… So the choice is messaging either solely with me or with the rest of their friends and family. My personality is not magnetic enough to force that issue.
    Quote Originally Posted by TheFu:
    dd-wrt that is patched at least quarterly is probably 99% more secure than what most people do at home. For a few years, I used dd-wrt and it was great, until the angel who created the firmware updates got a new router and stopped supporting my hardware. Sure, I could have set up a build environment and become the maintainer for that device going forward, or switched to using x86/amd64 releases of dd-wrt and been just as secure.
    I'm not going to pretend that I upgrade every quarter, but I do keep my ear to the ground and upgrade about once a year. More frequently if a nasty exploit is discovered. I purchased a newish model recently. It should remain supported for at least a few years. If not, I will certainly consider then going to Pf/OPNsense.

    I sure hope that linuxyogi isn't too upset at our shameless hijack.

  10. #30
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,896
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Configured Dns over TLS ..... Is this good for privacy?

    Hey about that Nextcloud thing -- yeah just stick a VPN in front of it -- and you don't have to worry about opening it up to the world!!

