
DNS Providers - Who to trust?

Maybe you're confusing me, but don't those ~10 DNS servers need your IP address to send answers for your queries?

If so, it should be rather easy for them to profile you (like any other user/customer).
The DNS servers will not get my IP if you read the links I provided. The DNS servers only get the relay's IP. (Maybe ODoH servers can get my IP but only use 1 or 2 servers to add confusion.)
 
My approach on DNS trust "privacy" is confusion

I love your way of thinking! Please kindly hold my beer while I explain how I've implemented my layer of "privacy"... DNS queries are separated from my normal internet traffic on my internal network and traverse over VPN using "Unbound-over-VPN" to a randomly selected endpoint every single day. My DNS resolver ends up being that random public IP of my VPN endpoint. My normal network traffic traverses across an entirely different VPN provider to another random set of VPN endpoints every single day.

LAN (Normal Internet Traffic) -> Router -> VPN1 -> Public VPN IP1 (Internet)
LAN (Unbound DNS Lookups) -> Router -> VPN2 -> Public VPN IP2 (DNS Resolver) -> DNS Root Servers

Is my traffic still being fingerprinted? Probably. Using the Brave browser does help some in that respect. Am I making life difficult for those tracking me? Probably. Will this make @Tech9 flip his lid? Probably. :p
 
You guys can do whatever you like with your DNS. Your network, your decisions. The ISP (physical or virtual) can recreate your browsing history pretty accurately anyway. They connect your IP (physical or virtual connected to your physical) to the IP you want to connect to. If you are involved in interesting business requiring all this 007 play - send me a message.
 
 
I use NextDNS (via config profiles that specify DoT where I can). Seems to work well; are there issues with that?
 
We care 0 about your skills and 0 about your motivation at work. We've got 7 MON's.
I do enjoy them shaken, not stirred. Ahem. Lol
 
The question on this thread was trust of DNS servers (providers); often they claim no logs and so on, but we cannot really know for sure.
That is why Anonymized DNS was created (DNSCrypt-Proxy).
The setup I described before was about DNS servers and for those trying to collect data between me and the DNS servers.
"The added confusion" since sessions/keys/relays & servers change randomly.
ISP is another matter; then VPN or ECH comes into play (DNSCrypt-proxy has the ability to use ECH).
 

Yes, we had a "trust to VPN providers" thread already with similar ideas. In post #57 my advice was to find the balance. Not sure if the difference in life quality is measurable, but contraptions like the examples above very likely lower the user experience and turn the "engineer" into the sole sysadmin potentially able to troubleshoot the Rube Goldberg machine. A specific hardware requirement with specific firmware supported by a single person, plus custom scripts supported by a single person and filtering based on unknown persons' (community) blocklists, add more gears, levers and bearings to care for.

I'm sure I'm not going to get an "academy award", but... at the end of the day in modern western societies where "I want" largely exceeds "I can" people offer voluntarily all personal information required to keep the whole "life on credit" machine running. The home, the car on the driveway, the cell phone in the pocket, the new TV in the living room and even the fridge in the kitchen are commonly on contracts, payments, discounts, points, etc. whatever the "deal" offered. This is the immediate surroundings "privacy" most forget about instantly. The real fight for "privacy" in most cases ends like this:

[Attached image]

* - There is a "smart" doorbell in the picture, not visible very well. It stores the recordings on a secure server in China for only $5/month.
 
I use NextDNS; it doesn't take much headspace to use and it blocks ads, malware that relies on DNS, and increases privacy from my ISP as it's DNS-over-HTTP or TLS depending on the platform. There are enough gains there to justify a couple of minutes to set it up on a new device.
 
Indeed.

I don't really care if my ISP sees me going to SNB/techpowerup several times a day.

I do care about identity theft or personal banking info leaking and filtering nasty/inappropriate stuff from my kids... have I done enough for that? I don't know, I hope so, I'm not a network/internet security pro.
 
filtering nasty/inappropriate stuff from my kids

You have to do this on kids' devices. Both Android and iOS have parental control options and they work on any network including the mobile operator. Doing it on the router is a waste of time. The result will be similar to the picture above. A few clicks and all your filtering is gone.
 
Well, I hope a US chip maker gets together with other US suppliers and makes a router.
Might result in fewer models of chips to support for open source developers, who will hopefully take the opportunity to support them. I realise nearly everything comes from China; that is an immense problem, and should be tackled at every opportunity. EU is no different, too dependent on others, which is fine as long as the relationship doesn't sour or the leverage is not too big; as it stands both are huge issues.
 
Forgot about those on cell service, was thinking their laptop and/or desktop since they are on those 90% of the time.
 
Did a guide on how I made some parental control... (free version)
Together with setting their mobile devices under my account with the Family Link app it works nicely here.
Link
 
laptop and/or desktop

Same thing, on-device approach is the best.

When my kids were young the options were limited. I believe registering accounts for almost all online services has a minimum age requirement now. A Family Safety plan has to be on parents' "To Do" list these days. This means all devices registered to parents' accounts and whatever kids hold in their hands with restrictions according to parents' intentions. The tools needed are available now.

Otherwise on your router with Asuswrt-Merlin you can set Diversion with known DoH servers and proxy/VPN blocklists, DNS Director to intercept and redirect requests to the router's own DNS proxy, something like CleanBrowsing DNS service upstream, ASUS's own Parental Controls enabled... and hope for the best it will serve the purpose and won't break whatever your kids use on their devices.
 
On-device is the way to go... with another extra layer for web filtering on the router's end... Microsoft Family Safety works well. Here's the one for Google, or any Android device you might have:

 
The approach I took was to use a NextDNS profile I built for kids and set their devices to point to it. They're Android, so it was the Private DNS setting, and shutting down browser DoH. That should get me a few years until they defeat it simply by entering their own DNS. I also use Google Family Link for parental control. Cool thing about NextDNS profiles is that you can tailor them to your needs, and view logs. I'm not a control freak but you have that level of control if you want.
 
