Configured Dns over TLS ..... Is this good for privacy?

[linuxyogi]

I was using Dns over Https using Firefox for a long time now. Yesterday I read some articles which say that Dns over TLS is a better solution.
I followed this guide >>>>https://www.linuxbabe.com/ubuntu/ubu...y-dns-over-tls
Only thing is the feature was not working until I disabled IPv6. I didn't get the idea for disabling IPv6 from the internet I was just experimenting .
Nothing was showing up on wireshark until I disabled IPv6.

Q1) Is Dns over TLS better than DoH ?
Q2) Is there any disadvantages of disabling IPv6 ?

[DuckHook]

Wow.

A world of issues to unpack in your questions. Here's my attempt. In no particular order:

IPv6 is the wave of the future. It cannot be avoided. We have run out of IPv4 space and the only option going forward is IPv6. But do I use it? No. I have it turned off. In fact, IPv6 cannot get through my router firewall. Why? Because it opens up an entirely new and massive attack surface. For now, I can get to wherever I want to go using IPv4 alone. So, until I get my head wrapped around IPv6, and until I am forced to use it by necessity, I am too lazy to learn it. But it must be confessed, these are my limitations; not those of IPv6. On its own, IPv6 has awesome potential. Technically, it allows every connectable device to have its own unique IP address. Think about that. No more NATs, no more ugly kludges that break connectivity, no more having to mess around with port forwardings, bindings and other techno‑nonsense. Packets get delivered from one precise point of origin to another precise destination—end of story. Of course, this opens up an entire world of exposure and risk (which I've already alluded to) but that's the price we pay these days for massively better utility.

There are few disadvantages to disabling IPv6. But that's only because the foundational web of today is still mired in IPv4. Those who use IPv6 are way ahead of the game and have access to utility denied to the rest of us. If you run a massive shipping concern that tracks its assets using embedded IoT devices, then IPv6 cannot be turned off. The benefit is that you could see where every pallet of goods is all over the world in real time. But if you are an ordinary Joe like all consumers, then IPv6 will hardly be noticeable… for now.

DoT is not better than DoH. Nor is DoH better than DoT. They do a similar job differently and both have advantages and disadvantages. Both are designed to stop intermediaries and data carriers (like your ISP) from snooping on your DNS queries. They do so through the theoretically simple expedient of leveraging already proven encryption technology to encrypt your DNS traffic which, until now, has generally been sent in the clear. So, while the actual data that you exchange with your bank is encrypted, the fact that you were visiting your banking site was open and accessible to anyone interested in seeing this. But note that while this is theoretically simple, it is applicably complex.

DoT is the older tech, but only slightly. It borrows the TLS mechanism that your browser uses and treats it as a separate tool to encrypt your DNS traffic. The fact that it acts as a separate tool is important. To do so, it must use a port of its own: I believe it is 853. Without getting too arcane, the practical upshot of this is that evil ISPs or oppressive regimes can continue to spy on you because they can easily cripple DoT by blocking port 853. While my ISP allows this port, I have read that some don't. The benefit of DoT is that it is easier to implement than DoH, especially on standalone apps and use cases where a browser would be unwanted.

DoH works by tunnelling DNS through port 443 which is the port used by all HTTPS traffic. Bad ISPs/regimes cannot block port 443 without also blocking the most important parts of the Internet, so in effect, they cannot block DoH. However, my understanding is that it is harder to implement and requires a browser. I could be wrong. I'm not a programmer and my knowledge in this regard comes only from what I've read.

There's a vast ecosystem of technology behind your seemingly simple queries that I haven't touched on. There's DNSSEC and MitM avoidance and browser fingerprinting, and blah‑blah‑blah. The above explanation is only the quickest and dirtiest of summaries. You cannot hope to get your head properly wrapped around these issues by asking on a forum. It involves a lot of reading and research, which is readily available using even the simplest web search. As a launching point, and even though it is regularly scoffed at by real experts, I have found Wikipedia to be invaluable.

[TheFu]

A new Firefox was installed here over the weekend and it broke all sorts of things. In my attempt to get it working at all (it wouldn't load any websites remote or local), I ended up flushing the old FF profile and starting fresh - which removed my 10+ about:config tweaks added the last decade.

It still isn't behaving properly, but it is almost usable after I also disabled IPv6. My systems don't support IPv6, so there is definitely a bug in Firefox that it attempts to use IPv6 on a system with that entire stack disabled in the kernel.

I also disabled the built-in DoH ... since my local DNS is necessary to connect to about 15 internal-only websites. I cheat by using a pihole for both an internal DNS server and DNS filter. I like the idea of NOT having internal DNS sitting on a network appliance like a router.

Opening new webpages is only working about 50% of the time. If I take the failed-to-open URL, manually open a new tab, then paste the exact same URL there, it almost always works. A shift-reload in the original tab or pasting back into the original tab doesn't do anything.

I use firejail with firefox and thunderbird. These programs I consider high-risk and want a little extra protection. With the newest FF installed, I had to modify the firejail startup parameters that had been mostly working for 2 yrs. Those new settings are:

Code:

/usr/bin/firejail  --ignore=seccomp --ignore=protocol

There were a few other about:config options that had to be toggled too so access to internal websites like nextcloud would work. Sorry, I don't remember those.

I should mention that Chromium is still working fine. No changes needed, but I dislike using chromium - I'm not comfortable with the addons, so running it inside a firejail --private environment is the only way.

Privacy is a hard thing to finger. Clearly, someone needs to know where your system visits or you'll never have traffic routed there and back. Who do you want privacy from is the first question. The more privacy you want, the more complex the answer and the slower the performance. Do you also the anti-spoofing/anti-malware features in your browsers? For those services to work, who needs to know where you go? Poor DNS performance can make the entire system slower.

[DuckHook]

A new Firefox was installed here over the weekend and it broke all sorts of things. In my attempt to get it working at all (it wouldn't load any websites remote or local), I ended up flushing the old FF profile and starting fresh - which removed my 10+ about:config tweaks added the last decade.

You too!

I thought it was only me. So it was the upgrade. Thought I had done something wrong, but it wasn't me. Now I am seriously cheesed off.

I had to reset too. Lost about the same amount of tweaks as you, which was also years' worth.

I also disabled the built-in DoH ... since my local DNS is necessary to connect to about 15 internal-only websites.

Hmmm.

I do use the built-in DoH and can get to all of my internal LAN websites. I wonder why you can't.

I dislike using chromium - I'm not comfortable with the addons, so running it inside a firejail --private environment is the only way.

I've completely sworn off Chromium. Have substituted Brave. Must say that I'm impressed. It's a slick and well designed piece of work. But, frankly, I don't know how successfully it's been de‑Google‑ized. I tend to use it only for sites on which FF chokes, which, thankfully, are infrequent.

Privacy is a hard thing to finger. Clearly, someone needs to know where your system visits or you'll never have traffic routed there and back. Who do you want privacy from is the first question. The more privacy you want, the more complex the answer and the slower the performance. Do you also the anti-spoofing/anti-malware features in your browsers? For those services to work, who needs to know where you go? Poor DNS performance can make the entire system slower.

I do have all of those features turned on and more besides. I'm not finding DNS performance unduly impacted. Maybe I'm used to it. Mrs DH is always shaking her head when we surf together. I have to consciously permit only very specific scripts to run, and web pages must wait for all of the right buttons to be pressed and knobs to be turned. It drives her bonkers, but I'm so used to it by now that it feels like second nature ("you mean, not everyone surfs this way?").

@linuxyogi

Didn't mean to hijack your thread, but perhaps even this digression gives you some idea of the complexities hidden in your initial queries.

[linuxyogi]

Wow.

A world of issues to unpack in your questions. Here's my attempt. In no particular order:

IPv6 is the wave of the future. It cannot be avoided. We have run out of IPv4 space and the only option going forward is IPv6. But do I use it? No. I have it turned off. In fact, IPv6 cannot get through my router firewall. Why? Because it opens up an entirely new and massive attack surface. For now, I can get to wherever I want to go using IPv4 alone. So, until I get my head wrapped around IPv6, and until I am forced to use it by necessity, I am too lazy to learn it. But it must be confessed, these are my limitations; not those of IPv6. On its own, IPv6 has awesome potential. Technically, it allows every connectable device to have its own unique IP address. Think about that. No more NATs, no more ugly kludges that break connectivity, no more having to mess around with port forwardings, bindings and other techno‑nonsense. Packets get delivered from one precise point of origin to another precise destination—end of story. Of course, this opens up an entire world of exposure and risk (which I've already alluded to) but that's the price we pay these days for massively better utility.

There are few disadvantages to disabling IPv6. But that's only because the foundational web of today is still mired in IPv4. Those who use IPv6 are way ahead of the game and have access to utility denied to the rest of us. If you run a massive shipping concern that tracks its assets using embedded IoT devices, then IPv6 cannot be turned off. The benefit is that you could see where every pallet of goods is all over the world in real time. But if you are an ordinary Joe like all consumers, then IPv6 will hardly be noticeable… for now.

DoT is not better than DoH. Nor is DoH better than DoT. They do a similar job differently and both have advantages and disadvantages. Both are designed to stop intermediaries and data carriers (like your ISP) from snooping on your DNS queries. They do so through the theoretically simple expedient of leveraging already proven encryption technology to encrypt your DNS traffic which, until now, has generally been sent in the clear. So, while the actual data that you exchange with your bank is encrypted, the fact that you were visiting your banking site was open and accessible to anyone interested in seeing this. But note that while this is theoretically simple, it is applicably complex.

DoT is the older tech, but only slightly. It borrows the TLS mechanism that your browser uses and treats it as a separate tool to encrypt your DNS traffic. The fact that it acts as a separate tool is important. To do so, it must use a port of its own: I believe it is 853. Without getting too arcane, the practical upshot of this is that evil ISPs or oppressive regimes can continue to spy on you because they can easily cripple DoT by blocking port 853. While my ISP allows this port, I have read that some don't. The benefit of DoT is that it is easier to implement than DoH, especially on standalone apps and use cases where a browser would be unwanted.

DoH works by tunnelling DNS through port 443 which is the port used by all HTTPS traffic. Bad ISPs/regimes cannot block port 443 without also blocking the most important parts of the Internet, so in effect, they cannot block DoH. However, my understanding is that it is harder to implement and requires a browser. I could be wrong. I'm not a programmer and my knowledge in this regard comes only from what I've read.

There's a vast ecosystem of technology behind your seemingly simple queries that I haven't touched on. There's DNSSEC and MitM avoidance and browser fingerprinting, and blah‑blah‑blah. The above explanation is only the quickest and dirtiest of summaries. You cannot hope to get your head properly wrapped around these issues by asking on a forum. It involves a lot of reading and research, which is readily available using even the simplest web search. As a launching point, and even though it is regularly scoffed at by real experts, I have found Wikipedia to be invaluable.

As you know any network has two sides. The WAN side & the LAN side. I have disabled IPv6 on the LAN side. When I ping www.google.com I still receive reply from a IPv6 address

Code:

$ ping google.com
PING google.com(ams17s01-in-x0e.1e100.net (2a00:1450:400e:80b::200e)) 56 data bytes
64 bytes from ams17s01-in-x0e.1e100.net (2a00:1450:400e:80b::200e): icmp_seq=1 ttl=106 time=640 ms
64 bytes from ams17s01-in-x0e.1e100.net (2a00:1450:400e:80b::200e): icmp_seq=2 ttl=106 time=596 ms
64 bytes from ams17s01-in-x0e.1e100.net (2a00:1450:400e:80b::200e): icmp_seq=3 ttl=106 time=559 ms
64 bytes from ams17s01-in-x0e.1e100.net (2a00:1450:400e:80b::200e): icmp_seq=4 ttl=106 time=516 ms
^C
--- google.com ping statistics ---
5 packets transmitted, 4 received, 20% packet loss, time 4001ms
rtt min/avg/max/mdev = 515.569/577.403/639.695/45.783 ms

So I see no major downsides to disabling IPv6 on the LAN side.

The only advantage of using DoT when compared to DoH is the fact that when DoT is enabled all network facing apps automatically use DoT. In case of DoH it was on a per app basis for example Firefox. The Chrome/Brave browser has disabled DoH for the Linux platform.

[linuxyogi]

Privacy is a hard thing to finger. Clearly, someone needs to know where your system visits or you'll never have traffic routed there and back. Who do you want privacy from is the first question. The more privacy you want, the more complex the answer and the slower the performance. Do you also the anti-spoofing/anti-malware features in your browsers? For those services to work, who needs to know where you go? Poor DNS performance can make the entire system slower.

Lately I read a lot of articles which say that ISPs collect browsing habits of their users so I want privacy from my ISP.
I must mention that after implementing DoT the name resolution process has become comparatively slower.
When I was using DoH (under Firefox) it was quite fast.

[DuckHook]

When I ping www.google.com I still receive reply from a IPv6 address

Your DNS service seems to be resolving to IPv6. If it makes a real difference to you, you can check with them as to why.

Or your router could be set to resolve to IPv6. If, as you say, this is baked into your router and you cannot fiddle with its settings, you may have to live with IPv6. I don't know how things work in your country and I've already learned once not to jump to erroneous conclusions.

So I see no major downsides to disabling IPv6 on the LAN side.

There should be none…for now.

Lately I read a lot of articles which say that ISPs collect browsing habits of their users so I want privacy from my ISP.

Different countries have different behaviours. The US just recently permitted its ISPs to skim all sorts of info from/about its users. This is scary enough to heighten the impetus for DoH/DoT and push demand for it into overdrive. I believe that most of Europe is less creepy, but I'm not sure what their rules are. I have no idea whether ISPs in your country operate under any restraints.

I must mention that after implementing DoT the name resolution process has become comparatively slower.
When I was using DoH (under Firefox) it was quite fast.

Make sure you are using the fastest DNS server in your area—commensurate with privacy of course. The fastest are usually your ISP's followed by Google's. Since your goal is privacy, both of those are non‑starters. I don't know how fast Quad-9 is in your area. You could also try using Cloudflare if you trust their promises. I use Adguard. But TheFu is right (as usual): at some point, you simply have to trust somebody. Otherwise, you have no choice but to stop using a computer. Or a smartphone. Or even a gaming console.

[linuxyogi]

@TheFu / @DuckHook

Do you guys encrypt you DNS ? Which solution are you using ? DoH or DoT ?
If you are using DoT it will give me a sense of confidence.

[The Cog]

I have disabled IPv6 on the LAN side. When I ping www.google.com I still receive reply from a IPv6 address

Clearly, you have not disabled IPv6. It's still working.

I see no reason to disable IPv6. More and more things are using IPv6, and over time, some services are going to become IPv6 only.
If both protocols are working, then your computer is designed to prefer to use IPv6. Google has both IPv4 and IPv6 addresses, as you can see here (the actual addresses may be different in your area):

~$ host google.com
google.com has address 216.58.205.46
google.com has IPv6 address 2a00:1450:4001:801::200e

You can choose which protocol to ping with by using "ping -4" or "ping -6".

[linuxyogi]

Clearly, you have not disabled IPv6. It's still working.

Before I disabled IPv6 in network manager nothing was showing up on wireshark.
After I disabled IPv6 in network manager & restarted NM wireshark started registering DNS.

Please visit this link >>> https://www.linuxbabe.com/ubuntu/ubu...y-dns-over-tls & scroll down to the section called

How to Check if Your DNS Traffic is Encrypted