What is a good, free, private DNS that doesn't log traffic?

Just Checking

Regular Contributor
I've been doing more research on security and privacy and have some basic questions I hope forum members can answer. My research would lead me to believe that using a VPN and proxy servers does not provide the anonymity one would expect. One of the problems is that a record of internet traffic locations can be logged and monitored by the DNS provider (Google, Yahoo, etc.). Even if you use a paid proxy server provider of VPN services, they can log your traffic and patterns. I have been using the Asus DNS since I have Asus routers but I recently switched to 208.67.222.222/208.67.220.220 at the recommendation of some articles on security I read. Further research indicated that this was a VPN proxy server provider but that they logged traffic to their servers.

Does anyone have suggestions on how to get non-logged DNS service? The more I investigate security issues, the more I realize that I need to pay attention to all these aspects of privacy and security.

Thanks.
 
Pretty much everyone logs DNS - mostly to ensure proper operation...
 
I'm using DNSCrypt.eu, "A free DNSSEC enabled, non-logged and uncensored DNSCrypt service by Simon Clausen":

https://dnscrypt.eu

(however I am unable to set that as the default DNS for the third party VPN that I use on my mobile devices, which unfortunately use Google's DNS)
 
Same here use Dnscrypt for DNS Lookups but I do prefer the servers in the below order for their various Non Logging, DNSSEC Validation and NameCoin resolution capabilities.

dnscrypt.org-fr
cloudns-can
cloudns-syd
dnscrypt.eu-dk

You can try using them without dnscrypt-proxy.
A complete list which keeps getting updated is also available @
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
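
The selection described in the post above (non-logging, DNSSEC-validating, optionally Namecoin-capable resolvers and their addresses), as an added example that is not part of the original post. The column names are an assumption about the CSV layout, the rows are constructed placeholders in documentation address space, and 443 as the default port is also an assumption.

```python
import csv
import io

# Constructed rows: names and addresses are placeholders, not real resolvers.
# Column names are an assumed layout for dnscrypt-resolvers.csv.
SAMPLE_CSV = """\
Name,Full name,Location,DNSSEC validation,No logs,Namecoin,Resolver address
example-a,Example A,France,yes,yes,no,192.0.2.10:443
example-b,Example B,USA,yes,no,no,192.0.2.20
example-c,Example C,Canada,yes,yes,yes,[2001:db8::53]:443
example-d,Example D,Denmark,no,yes,no,192.0.2.40:5353
"""

def split_host_port(addr, default_port=443):
    """Split 'host', 'host:port' or '[v6]:port' into (host, port)."""
    if addr.startswith("["):
        host, _, rest = addr[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = addr.partition(":")
    return host, int(port) if port else default_port

def is_yes(row, column):
    return row.get(column, "").strip().lower() == "yes"

def select_resolvers(text, need_namecoin=False):
    """Return (name, host, port) for resolvers that validate DNSSEC and keep no logs."""
    selected = []
    for row in csv.DictReader(io.StringIO(text)):
        if not (is_yes(row, "DNSSEC validation") and is_yes(row, "No logs")):
            continue
        if need_namecoin and not is_yes(row, "Namecoin"):
            continue
        host, port = split_host_port(row["Resolver address"].strip())
        selected.append((row["Name"], host, port))
    return selected

if __name__ == "__main__":
    for name, host, port in select_resolvers(SAMPLE_CSV):
        print(f"{name}: {host} port {port}")
```

The port is worth keeping in view: a router's plain DNS field sends ordinary queries to port 53, so an entry listed on another port is a DNSCrypt endpoint rather than an address to paste into that field.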
 
Thanks. This is what I was looking for. It was interesting to note the number of "secure" servers in the USA but that all of them had logging. I was surprised that there was one on the list in Canada which didn't have logging since they seem to follow the lead of the USA.
 
Any link to how I can use these without the DNSCrypt proxy? I went to the DNSCrypt.org website and that was not too helpful. I am still working on it. I'd like to just put a URL into the router and client device DNS sections for primary and secondary DNS servers but can't find them.
 
For any sort of service or server to work properly it obviously needs to record information. Take Akamai for example and p2p based content which it knows what public files are on your PC. Note: "public files". If you were a company and the owner of a service you would have to record and log traffic to ensure you can deal with problems such as finding out who abused your service or looking at the logs that showed errors in order to fix a problem. Another reason is if there was no information recorded not only would this slow things down if there was no cache of sorts but also the feds would take down the service as soon as any breach of "law" is seen because they would be the end of a search. Think of it as if Google didn't keep personal information (obviously it does for Gmail for things like your IP you used to access your email so you know if it's been accessed by someone else, your phone number in case you need to reset your password or to securely access your account, and such) then not only would it not work properly, it would've gone down long ago from lack of functionality and ability to stop any bad traffic. A firewall part of an important service will log and keep details of bad traffic in order to block it.

So while a lot of articles talk about privacy and security you can't have both. Take for instance a service that doesn't keep any records or logs could have a back door or could keep logs without telling you. Instead of searching for a service that doesn't tell you stuff search for one that shows you what is logged and kept and that shows what personal information is kept, basically use a service that is transparent. Although Google is always said to breach people's privacy they are transparent about it and any company regardless must obey the law on its location. Unless there is a datacenter in international waters (though it would also allow feds to just raid and confiscate it any time since no law) look at the laws where it is and transparency.

D-Link routers have backdoors that can be accessed easily and they don't tell you about it so look at your own network first.
 
Have you tried using the Resolver Address in the dnscrypt resolvers csv file ? i.e.,
212.47.228.136
113.20.6.2
113.20.8.1
 
Thanks I will try them tonight. I did finally manage to install DNSCrypt server on one of my servers but I am getting the error message that indicates it isn't working correctly. I am working through that to try to get it to work. Just having URL's of the servers to put into the NIC and in the router FW is much simpler.
 
I entered two of the URL's into the Router under LAN => DHCP Server => Primary DNS & Secondary DNS. I checked "No" to router IP advertising and "No" to allowing upstream DNS to resolve names.

This seems to work just fine in terms of speed to resolve the URL. I have not tried a large variety of sites but it works fine for the main sites I frequent. I also set the Primary & Secondary DNS Resolvers in each of the ports on a couple of client PC's to test them out and ensure that they are using the DNS that I inputted in the router. It seems to work fine.
I then reset all of my routers to use these DNS server URL's. So far everything seems to be working fine with no problems. I didn't enter any IPv6 DNS locations so that may not work. I'll have to wait and see what happens.

So my next question is whether this is actually accomplishing the stated intent of using the DNSCrypt name servers, or not? If I only enter those URL's into the router, I believe that all the applications and programs on my servers and client devices will use the DNS resolvers that I selected while on that network. Is this correct?

By entering the DNS URL's for the server devices I want into the network connectors on the client devices, I am just assuring that they will use correct URL's when connected to other networks where the routers do not have specific DNS resolvers selected. Is this also correct?
 
1. I think you should enter the DNS IP, i.e., Resolver addresses, in the Router Administration -> WAN -> Internet Connection DNS Server1 & DNS Server2 fields.
You get this option when you set Connect to the DNS Servers automatically to No (Yes means it will use your ISP provided DNS)

2. Your intent of using a DNS Service which does not log queries will be achieved by the steps you have taken

3. If you want to encrypt DNS queries then you would have to run the dnscrypt-proxy on the router
 
I'm using DNSCrypt.eu, "A free DNSSEC enabled, non-logged and uncensored DNSCrypt service by Simon Clausen":

https://dnscrypt.eu

(however I am unable to set that as the default DNS for the third party VPN that I use on my mobile devices, which unfortunately use Google's DNS)
You can change the DNS server permanently if you root an Android device. Here is a quick method for a rooted Android phone.
http://blog.varunkumar.me/2010/09/how-to-change-dns-server-on-android.html

If you do not want to root your Android device, you can still change to a different DNS resolver. You have to change it manually every time you link into a different WiFi network which is kind of a pain since you have to remember to manually switch it each time you log on to a different network. Fortunately, if you have your phone remember that network, you only have to switch the DNS resolver one time for each network and it will save it to memory along with the password. Or, you can use DNSSet professional (paid version) which allows you to set and save the DNS resolver for all websites.
http://xslab.com/2013/08/how-to-change-dns-settings-on-android/
 
1. I think you should enter the DNS IP, i.e., Resolver addresses, in the Router Administration -> WAN -> Internet Connection DNS Server1 & DNS Server2 fields.
You get this option when you set Connect to the DNS Servers automatically to No (Yes means it will use your ISP provided DNS)

2. Your intent of using a DNS Service which does not log queries will be achieved by the steps you have taken

3. If you want to encrypt DNS queries then you would have to run the dnscrypt-proxy on the router

1. I did exactly that manually entering the DNS resolver URL's in the routers and in the client servers and devices. That does get tedious when there are a dozen connections on a server and multiple connections on a PC.

2. Is there a way to ping the DNS server to ensure that the query is going to the DNS server I want?

3. I understand what you are saying - that any name resolution requests sent to the DNS server can be intercepted by the ISP or other entities hanging on the entrance node. If the inquiry is not encrypted, it can still be read. That is a very good point. Thanks.

I guess I am going to have to take the time to learn the entware software and how to script. Another thing added to my to-do list.
 
1. I use the dnscrypt-proxy on the router and with iptables routing and dnsmasq configuration route ALL client dns lookups and resolutions to pass through dnscrypt-proxy.

No need to setup dns on individual clients as long as they are using the router to connect to the web.

It is actually a very EASY setup and not tedious at all.
No need to learn any scripting or to learn entware software.

Take a look @
https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt

&
follow the below thread for any clarification/issues
http://www.snbforums.com/threads/dnscrypt-from-opendns.11645/page-15

2. For easy browser based checking to know which dns is being used you can visit the below sites on the clients both will show the current DNS being used

https://ipleak.net/

or

https://www.dnsleaktest.com/
(select standard or extended test)

or

in a client machine's DOS prompt or terminal application, do an nslookup such as below; it will show you the current DNS resolver being used

nslookup google.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: google.com
Address: 216.58.210.14


3. Yes, dnscrypt-proxy was more intended not only for interception at the gateway (or entrance node) of resolutions but more to safeguard against man in the middle attacks or impersonations
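
The nslookup check from the post above, turned into a small comparison against the resolvers you configured; this is an added example, not part of the original post. The function names and the `expected` set are hypothetical, and the sample input is the output quoted in the post. It also separates out the case shown there, where the reported server is the router itself, so the output says nothing about which upstream resolver the router forwards to.

```python
import ipaddress
import re

# Constructed input: the nslookup output quoted in the post above.
SAMPLE = """Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: google.com
Address: 216.58.210.14
"""

def resolver_from_nslookup(output):
    """Return the resolver IP nslookup reports, or None if it cannot be parsed."""
    # The first 'Address:' line belongs to the server; later ones are answers.
    m = re.search(r"^Address:\s*([0-9A-Fa-f:.]+?)(?:#\d+)?\s*$", output, re.M)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def classify(output, expected):
    """Compare the reported resolver with the set of resolver IPs you configured."""
    ip = resolver_from_nslookup(output)
    if ip is None:
        return ("unparsed", None)
    if ip.is_private or ip.is_loopback:
        # Router or local proxy answers; the upstream it uses is not visible here.
        return ("local-forwarder", str(ip))
    if str(ip) in expected:
        return ("expected", str(ip))
    return ("unexpected", str(ip))

if __name__ == "__main__":
    print(classify(SAMPLE, {"212.47.228.136"}))
```

A `local-forwarder` result means the upstream has to be confirmed on the router itself or with one of the leak-test sites listed above.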
 
Thanks for the tip, but I don't have any Android devices (or does the Chromecast run on Android?); only iOS...
My apologies. I am not an iOS expert (nor an expert in anything networking or network security related). I found the following webpages that seem to indicate it is fairly simple to put in a DNS IP address in an iPhone, or iPad.
http://www.iphonehacks.com/2014/08/change-dns-iphone-ipad.html

http://techinch.com/blog/change-your-dns-settings-on-iphone-ipod-touch-and-ipad

Those let you set the DNS but do not encrypt the query. Better than nothing but not secure against MiTM.
 
Thank you for the additional information. I'm aware that you can set the DNS per WiFi network, but I don't know how to configure them when a VPN is active.

(I would prefer other DNS servers than Google, which is what my VPN provider currently uses - this overrides the per-WiFi settings)
 
I don't own iOS devices but my wife has a work iPhone. I tried this out on her i5 and turned on the VPN. That seemed to work. I don't know if that phone is "jailbroken", or not.

On Android devices (Build 4.2 or higher) you need to either "root" the phone or change the DNS resolver setting for each WiFi network that you link to. If you do the latter, the initial connection is done from the "real" location to the default DNS resolver. That kind of defeats any anonymity and only prevents tracking all your search history.
 
Have you tried using the Resolver Address in the dnscrypt resolvers csv file ? i.e.,
212.47.228.136
113.20.6.2
113.20.8.1
I have tried combinations of these IP addresses as primary and secondary DNS settings in the LAN & WAN sections of John9527 Fork ver 14E1 and HGGomes fork off 378.55_0-3. DNS will not resolve and the web browser locks up so I cannot reach the internet. I put it in the IPv4 properties section of each of the ethernet ports on the client devices and it still doesn't work.

The combination that works for me is
DNS Primary: 84.200.83.161
DNS Secondary: 212.47.228.136

When I switch the IP addresses between primary and secondary, the DNS will not resolve and I cannot reach any sites on the internet.

I did a DNSLeaks extended test and found that the IP address was leaking. I think that 84.200.83.161 is not marked DNSSec in the easy DNSCrypt software where I got the IP address from.

Am I doing something wrong? From what I know, I should be able to use any DNS IP address in combinations of primary and secondary and it should still work.

When I use the OpenDNS server IP addresses of:
DNS Primary: 208.67.222.222
DNS Secondary: 208.67.220.220
Those work fine and the time to reach a website is quick. I am concerned that this site logs DNS traffic even though it is supposed to be secure (being secure doesn't mean that they do not log).
 