DNS Providers - Who to trust?

Maybe you're confusing me, but don't those ~10 DNS servers need your IP address to send answers for your queries?

If so, it should be rather easy for them to profile you (like any other user/customer).
The DNS servers will not get my IP if you read the links I provided. The DNS servers only get the relay's IP. (Maybe ODoH servers can get my IP but only use 1 or 2 servers to add confusion.)
 
My approach on DNS trust "privacy" is confusion

I love your way of thinking! Please kindly hold my beer while I explain how I've implemented my layer of "privacy"... DNS queries are separated from my normal internet traffic on my internal network and traverse over VPN using "Unbound-over-VPN" to a randomly selected endpoint every single day. My DNS resolver ends up being that random public IP of my VPN endpoint. My normal network traffic traverses across an entirely different VPN provider to another random set of VPN endpoints every single day.

LAN (Normal Internet Traffic) -> Router -> VPN1 -> Public VPN IP1 (Internet)
LAN (Unbound DNS Lookups) -> Router -> VPN2 -> Public VPN IP2 (DNS Resolver) -> DNS Root Servers

Is my traffic still being fingerprinted? Probably. Using the Brave browser does help some in that respect. Am I making life difficult for those tracking me? Probably. Will this make @Tech9 flip his lid? Probably. :p
 
You guys can do whatever you like with your DNS. Your network, your decisions. The ISP (physical or virtual) can recreate your browsing history pretty accurately anyway. They connect your IP (physical or virtual connected to your physical) to the IP you want to connect to. If you are involved in interesting business requiring all this 007 play - send me a message.
 
 
We care 0 about your skills and 0 about your motivation at work. We've got 7 MON's.
I do enjoy them shaken, not stirred. Ahem. Lol
 
The question in this thread was trust of DNS servers (providers). Often they claim no logs and so on, but we cannot really know for sure.
That is why Anonymized DNS was created (DNSCrypt-Proxy).
The setup I described before was about DNS servers and for those trying to collect data between me and the DNS servers.
"The added confusion" since sessions/keys/relays & servers change randomly.
The ISP is another matter; then VPN or ECH comes into play (DNSCrypt-proxy has the ability to use ECH).
 

Yes, we had a "trust to VPN providers" thread already with similar ideas. In post #57 my advice was to find the balance. Not sure if the difference in life quality is measurable, but contraptions like the examples above very likely lower the user experience and turn the "engineer" into the sole sysadmin potentially able to troubleshoot the Rube Goldberg machine. A specific hardware requirement with specific firmware supported by a single person, plus custom scripts supported by a single person and filtering based on unknown persons' (community) blocklists, add more gears, levers and bearings to care for.

I'm sure I'm not going to get "academy award", but... at the end of the day in modern western societies where "I want" largely exceeds "I can" people offer voluntarily all personal information required to keep the whole "life on credit" machine running. The home, the car on the driveway, the cell phone in the pocket, the new TV in the living room and even the fridge in the kitchen are commonly on contracts, payments, discounts, points, etc. whatever the "deal" offered. This is the immediate surroundings "privacy" most forget about instantly. The real fight for "privacy" in most cases ends like this:

1774091324203.png


* - There is a "smart" doorbell in the picture, not visible very well. It stores the recordings on a secure server in China for only $5/month.
 
I use NextDNS. It doesn't take much headspace to use, and it blocks ads and malware that relies on DNS, and increases privacy from my ISP as it's DNS-over-HTTP or TLS depending on the platform. There are enough gains there to justify a couple of minutes to set it up on a new device.
 
