When I'm using my vpn the client has a kill switch and also dns leak protection, tested it quite thoroughly and it doesn't leak. Question is when I'm not on the vpn is there really any benefit (privacy wise) if I use CCC, German / Swiss privacy foundation etc. dns servers? I know that there are certain benefits to using alternative dns servers like malware / phishing protection and if your isp hijacks / redirects traffic. If not using a vpn my isp can see all my traffic even if I'm using something like CCC dns servers correct? Using my isp dns servers for non vpn browsing is the fastest however if there was privacy to be gained out of using an alternative dns server I'd probably go with that.
With no VPN or Tor, your ISP can see all of your traffic, no matter what DNS servers you use. So there's no privacy advantage. But using third-party DNS servers is safer, in case you forget to change when you use a VPN. Maybe try OpenDNS.
Yes, your ISP can see everything. But if there's end-to-end encryption, it can't see content, just IP addresses.
To give you my opinion I would need to know just how bad the speed "hit" is by being on your vpn. My privacy is pretty important to me. I just about never get speeds less than 35 meg leaving a vpn1 exit node. Many times I get double that. My RAW ISP is always over 100, which is lightning, but not enough more for me to connect out in the open for anything at all that I want privacy on. That is my take. For websites like this you would hardly notice 100 meg vs 35 meg being any different. In candor I am more like 9 meg but that is after 5 hops including TOR. Also, as Mirimir noted you still have the IP addresses issue. I say leave your ISP in the dark and let them see your ONE server connection and nothing else.
Thanks a lot for the info! Use Mullvad and just leave the dns leak protection ticked so every time I start the Mullvad client it basically hard codes the adapters (wireless & tap). I have in the past with other vpn's changed dns to help prevent leaks and it worked. But they didn't offer dns leak protection like Mullvad. I would just change the dns in the adapters and leave it (what I have done in the past) however for some reason the latest Mullvad client only seems to work for me if I leave dns set to (obtain dns server automatically). When I run the Mullvad client and check each adapter I can see that it changes them both to their dns sever in the Netherlands. When I disconnect from the the Mullvad client I can see that the Netherlands dns server address is removed from the adapters. Think this is what causes issues when I hard code them with alternate dns addresses. I just wanted to know if using an alternate dns would offer any additional privacy for non vpn traffic and it sounds like it doesn't. THANKS AGAIN!
I use DNScrypt and that encypts all my DNS issues so my ISP can't see my DNS queries. I find it good for privacy when I surf without a VPN/TOR/RDP.
You can avoid DNS servers altogether if you add all the sites you regularly visit and the search engines you use to your hosts file.
Not if I'm using a VPN, TOR, SSH tunnel or a RDP which I do regulary . I find DNScrypt a good privacy tool to stop DNS leaks coming from proxies. ISP can see all the traffic you generate if you don't use one of the methods I outlined above. But I don't want to give them my DNS queires so I use DNScrypt.
Before DNS servers were invented it was necessary to manually map network addresses, this was done in the hosts file. Even though we now usually use DNS servers for that, we can still do it manually in the hosts file if we want to. In Linux the hosts file is /etc/hosts I believe in Windows the host file is C:\Windows\System32\Drivers\etc\hosts You map the address like this in plain text: 74.125.198.104 www.google.com You can see if it is working by mapping googles address to a made up name in your hosts file like this 74.125.198.104 www.abcabcabc.com If you then type www.abcabcabc.com in your browser and the browser goes to google you know it did because your hosts file told it to. You can also use the hosts file to block web ads by mapping their domains to your own localhost address thereby preventing your browser connecting to the real ad server. 127.0.0.1 ads.doubleclick.net You can learn more about doing that here: http://someonewhocares.org/hosts/
I should of added also, if you don't know the ip address of the site you want to add to your hosts file, ping it in a CL terminal. In Windows I think you just type Ping www.google.com The terminal should then tell you the ip address it is pinging.
Everything RockLobster said about hosts-files is correct. Just remember that when using hosts files that they don't unfortunately support wildcards. So for example, if you want to bypass need for DNS request for, let say, yahoo.com then you can't just but *.yahoo.com to your host file. It won't work and DNS request are sended normally. This also applies when using hosts-file to block stuff for the whole domain. In this example, you would have to lists each and every yahoo subdomain (www.yahoo.com, ads.yahoo.com, ns1.yahoo.com, etc....) with their IP address to that hosts file if you wanted to either remove need for DNS request or block stuff from the whole domain. You can use the following online subdomain finder to list all the subdomains and respectively IP addresses (check "Include subdomain details" to get IP) for domain: https://pentest-tools.com/reconnaissance/find-subdomains-of-domain Another way to go (kinda) "ISP DNS free" is to setup your own local DNS server, configure them to pass DNS requests directly to root DNS server(s) and maybe, if you want to, set the time that the results will be cached. For bind DNS server these thing are usually configured out-of-the-box for most major Linux distros. People have also used dnsmasq but I have no experience of it.
Excellent Find Subdomains tool I've just discovered together with the pentest-tools.com site. Thanks.
I don't like DNS services that use filters to block known bad/malware/phishing sites actually. The price is that that info. is being harvested. Just like I disable phishing filters and that "safebrowsing" stuff in Firefox. I used to use Comodo Secure DNS because they do an excellent job of blocking bad sites. Nortons DNS does too. But now I use Swiss/German Privacy Foundation & Chaos Computer Club when not using a VPN. When using the VPN of course I use it's DNS server(s).
See https://www.wikileaks.org/wiki/Alternative_DNS The German Privacy Foundation e.V. ones are gone, though
http://www.privacyfoundation.ch/de/service/server.html Use: 77.109.148.136 - DNS 1 77.109.148.137 - DNS 2
Chaos Computer Club: http://dasalte.ccc.de/censorship/dns-howto/WinXP/WinXPhow-to.htm.de Use: 81.91.162.5 - DNS 1 81.91.161.2 - DNS 2
Implementing some kind of DNS crypt is a good practice especially when you forget to activate your VPN. A flip side of it is whether the DNS server is honeypot. This will then beat the whole purpose using it. But it's less of a concern if you have counter measures like using non-home as your base connection, VM and browser - best to be different each time for the sake of browser fingerprinting.
