DNS privacy question...

Discussion in 'privacy technology' started by Phil McCrevis, Jul 2, 2015.

  1. Phil McCrevis

    Phil McCrevis Registered Member

    Joined:
    Mar 25, 2012
    Posts:
    97
    Location:
    US
    When I'm using my vpn the client has a kill switch and also dns leak protection, tested it quite thoroughly and it doesn't leak. Question is when I'm not on the vpn is there really any benefit (privacy wise) if I use CCC, German / Swiss privacy foundation etc. dns servers? I know that there are certain benefits to using alternative dns servers like malware / phishing protection and if your isp hijacks / redirects traffic.

    If not using a vpn my isp can see all my traffic even if I'm using something like CCC dns servers correct? Using my isp dns servers for non vpn browsing is the fastest however if there was privacy to be gained out of using an alternative dns server I'd probably go with that.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    With no VPN or Tor, your ISP can see all of your traffic, no matter what DNS servers you use. So there's no privacy advantage. But using third-party DNS servers is safer, in case you forget to change when you use a VPN. Maybe try OpenDNS.
     
  3. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,134
    Location:
    USA
    So can my isp see my traffic if I'm using yandex dns?
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes, your ISP can see everything. But if there's end-to-end encryption, it can't see content, just IP addresses.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    To give you my opinion I would need to know just how bad the speed "hit" is by being on your vpn. My privacy is pretty important to me. I just about never get speeds less than 35 meg leaving a vpn1 exit node. Many times I get double that. My RAW ISP is always over 100, which is lightning, but not enough more for me to connect out in the open for anything at all that I want privacy on. That is my take.

    For websites like this you would hardly notice 100 meg vs 35 meg being any different. In candor I am more like 9 meg but that is after 5 hops including TOR.

    Also, as Mirimir noted you still have the IP addresses issue. I say leave your ISP in the dark and let them see your ONE server connection and nothing else.
     
  6. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,134
    Location:
    USA
    Thanks for that info
     
  7. Phil McCrevis

    Phil McCrevis Registered Member

    Joined:
    Mar 25, 2012
    Posts:
    97
    Location:
    US
    Thanks a lot for the info!

    I use Mullvad and just leave the dns leak protection ticked so every time I start the Mullvad client it basically hard codes the adapters (wireless & tap). I have in the past with other VPNs changed dns to help prevent leaks and it worked. But they didn't offer dns leak protection like Mullvad.

    I would just change the dns in the adapters and leave it (what I have done in the past), however for some reason the latest Mullvad client only seems to work for me if I leave dns set to (obtain dns server automatically). When I run the Mullvad client and check each adapter I can see that it changes them both to their dns server in the Netherlands. When I disconnect from the Mullvad client I can see that the Netherlands dns server address is removed from the adapters. I think this is what causes issues when I hard code them with alternate dns addresses.

    I just wanted to know if using an alternate dns would offer any additional privacy for non vpn traffic and it sounds like it doesn't.

    THANKS AGAIN!
     
  8. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    I use DNScrypt and that encrypts all my DNS issues so my ISP can't see my DNS queries. I find it good for privacy when I surf without a VPN/TOR/RDP.
     
  9. Phil McCrevis

    Phil McCrevis Registered Member

    Joined:
    Mar 25, 2012
    Posts:
    97
    Location:
    US
    But can't your isp still see all the sites you visit?
     
  10. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    Yes, they can.
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    You can avoid DNS servers altogether if you add all the sites you regularly visit and the search engines you use to your hosts file.
     
  12. Phil McCrevis

    Phil McCrevis Registered Member

    Joined:
    Mar 25, 2012
    Posts:
    97
    Location:
    US
    Thanks for the info!
     
  13. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    Not if I'm using a VPN, TOR, SSH tunnel or a RDP, which I do regularly :D. I find DNScrypt a good privacy tool to stop DNS leaks coming from proxies.

    The ISP can see all the traffic you generate if you don't use one of the methods I outlined above. But I don't want to give them my DNS queries, so I use DNScrypt.
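    To make concrete what "the ISP can see your DNS queries" means in the plain-UDP case discussed above, here is an added example (not code from anyone in this thread): it builds a standard DNS query in RFC 1035 wire format and then parses the queried name back out of the raw bytes, which is all a passive tap on port 53 needs to do. The names and transaction ID are constructed for the example.

```python
"""Added example: why an unencrypted DNS query reveals the name you asked for.

build_query() encodes a UDP/53 A query exactly as a stub resolver would;
observed_name() recovers the question name from the raw payload, which is
the view an on-path observer (e.g. an ISP) has.  DNSCrypt/DoH wrap this
payload in an encrypted channel, so observed_name() no longer applies to it.
"""
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a DNS A/IN query for `name` (RFC 1035 wire format, no EDNS)."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def observed_name(packet: bytes) -> str:
    """Extract the question name from raw DNS query bytes (passive observer view)."""
    if len(packet) < 12:
        raise ValueError("too short for a DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in responses, not in a fresh query name.
            raise ValueError("unexpected compression pointer in question")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def isp_view(packets) -> list:
    """Names a passive tap on port 53 would log from a list of query payloads."""
    return [observed_name(p) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic: two lookups as they would leave the machine.
    queries = [build_query("www.example.com"), build_query("mail.example.org")]
    print(queries[0].hex())
    print(isp_view(queries))
```

    Note that even when the payload is encrypted, the IP address of the site you connect to afterwards still travels in the clear in the packet headers, which is the point made in the replies above: DNScrypt hides the lookup, not the connection.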
     
  14. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,134
    Location:
    USA
    Please explain a bit more in depth
     
  15. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Before DNS servers were invented it was necessary to manually map network addresses; this was done in the hosts file. Even though we now usually use DNS servers for that, we can still do it manually in the hosts file if we want to.
    In Linux the hosts file is /etc/hosts
    I believe in Windows the hosts file is C:\Windows\System32\Drivers\etc\hosts
    You map the address like this in plain text:
    74.125.198.104 www.google.com

    You can see if it is working by mapping Google's address to a made-up name in your hosts file like this:
    74.125.198.104 www.abcabcabc.com

    If you then type www.abcabcabc.com in your browser and the browser goes to Google, you know it did because your hosts file told it to.

    You can also use the hosts file to block web ads by mapping their domains to your own localhost address, thereby preventing your browser from connecting to the real ad server.
    127.0.0.1 ads.doubleclick.net
    You can learn more about doing that here: http://someonewhocares.org/hosts/
     
  16. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,134
    Location:
    USA
  17. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    I should have added also, if you don't know the ip address of the site you want to add to your hosts file, ping it in a CL terminal.
    In Windows I think you just type
    Ping www.google.com
    The terminal should then tell you the ip address it is pinging.
     
  18. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    108
    Everything RockLobster said about hosts files is correct.
    Just remember that hosts files unfortunately don't support wildcards.

    So for example, if you want to bypass the need for a DNS request for, let's say, yahoo.com, then you can't just put *.yahoo.com in your hosts file.
    It won't work and DNS requests are sent normally.
    This also applies when using the hosts file to block stuff for the whole domain.

    In this example, you would have to list each and every yahoo subdomain (www.yahoo.com, ads.yahoo.com, ns1.yahoo.com, etc....) with their IP address in that hosts file if you wanted to either remove the need for DNS requests or block stuff from the whole domain.

    You can use the following online subdomain finder to list all the subdomains and their respective IP addresses (check "Include subdomain details" to get IP) for a domain:
    https://pentest-tools.com/reconnaissance/find-subdomains-of-domain

    Another way to go (kinda) "ISP DNS free" is to set up your own local DNS server, configure it to pass DNS requests directly to the root DNS server(s) and maybe, if you want to, set the time that the results will be cached. For the bind DNS server these things are usually configured out-of-the-box for most major Linux distros. People have also used dnsmasq but I have no experience with it.
     
    Last edited: Jul 21, 2015
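    The two posts above (the hosts-file mapping and blocking entries, and the warning that hosts files have no wildcards) can be checked with a small resolver that applies hosts-file rules the way the operating system does. This is an added example, not code from either poster; the hosts content is a constructed sample in /etc/hosts syntax, and the addresses in it are illustrative (the Google address is the one quoted in the thread, the yahoo one is a documentation address).

```python
"""Added example: exact-match hosts-file resolution, localhost blocking, and
the no-wildcard rule.  A line like '0.0.0.0 *.yahoo.com' is stored as the
literal hostname '*.yahoo.com', so 'ads.yahoo.com' still falls through to DNS.
"""
import ipaddress

# Constructed sample in hosts-file syntax: address first, then one or more names.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
74.125.198.104  www.google.com  www.abcabcabc.com   # alias test from the thread
127.0.0.1       ads.doubleclick.net                  # ad blocking via loopback
0.0.0.0         *.yahoo.com                          # wildcard: has no effect
192.0.2.10      www.yahoo.com                        # only this exact name matches
"""


def parse_hosts(text: str) -> list:
    """Parse hosts-file text into an ordered list of (ip, hostname) pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: the address must come first
        for host in fields[1:]:
            entries.append((ip, host.lower()))
    return entries


def resolve(name: str, entries: list) -> tuple:
    """Return (address, 'hosts') on a hosts hit, or (None, 'dns') when a DNS
    query would be sent.  Matching is exact and case-insensitive: there is no
    wildcard or suffix expansion, exactly as the real hosts file behaves."""
    name = name.lower().rstrip(".")
    for ip, host in entries:  # first matching line wins
        if host == name:
            return ip, "hosts"
    return None, "dns"


def is_blocked(name: str, entries: list) -> bool:
    """True when the name is pinned to loopback or 0.0.0.0 (ad-blocking style)."""
    ip, source = resolve(name, entries)
    if source != "hosts":
        return False
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def needs_dns(names, entries: list) -> list:
    """Names that would still leave the machine as DNS queries."""
    return [n for n in names if resolve(n, entries)[1] == "dns"]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for n in ["www.abcabcabc.com", "ads.doubleclick.net", "www.yahoo.com", "ads.yahoo.com"]:
        print(n, resolve(n, table), "blocked" if is_blocked(n, table) else "")
    print("still queried via DNS:", needs_dns(["www.google.com", "ads.yahoo.com", "news.yahoo.com"], table))
```

    Running it shows that www.abcabcabc.com and www.yahoo.com are answered locally, ads.doubleclick.net is blocked, and both ads.yahoo.com and news.yahoo.com still go out as DNS queries despite the wildcard line, which is the limitation Stefan Froberg describes.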
  19. PallMall

    PallMall Guest

    Excellent Find Subdomains tool I've just discovered together with the pentest-tools.com site. Thanks.
     
  20. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I don't like DNS services that use filters to block known bad/malware/phishing sites actually. The price is that that info is being harvested. Just like I disable phishing filters and that "safebrowsing" stuff in Firefox. I used to use Comodo Secure DNS because they do an excellent job of blocking bad sites. Norton's DNS does too. But now I use Swiss/German Privacy Foundation & Chaos Computer Club when not using a VPN. When using the VPN of course I use its DNS server(s).
     
  21. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,134
    Location:
    USA
    Never heard of this, got a link?
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
  23. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Last edited: Jul 22, 2015
  24. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
  25. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    Implementing some kind of DNS crypt is a good practice especially when you forget to activate your VPN.

    A flip side of it is whether the DNS server is a honeypot. This will then defeat the whole purpose of using it. But it's less of a concern if you have countermeasures like using non-home as your base connection, VM and browser - best to be different each time for the sake of browser fingerprinting.
     