DNS Privacy

Discussion in 'privacy technology' started by navigat0r, Jan 8, 2015.

  1. navigat0r

    navigat0r Registered Member

    Joined:
    Jan 8, 2015
    Posts:
    26
    I'm looking for a VPN service but noticed that many use different solutions for dns.
    Some providers push google servers to the clients, while other services filter google servers. A few providers I found push a couple dns servers (either owned by provider, hoster, or even opendns), and some others push dedicated dns servers which can only be resolved within the vpn. Only one service I found supports dnscrypt.

    So here's my question, which solution is the best in terms of speed and privacy?
     
  2. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    If your VPN provider gives their own DNS for the connection, I would just stay with that, they can see what you are doing anyways. If not, do not use Google, OpenDNS, or any other corporate DNS, pick one of these:

    http://www.wikileaks.org/wiki/Alternative_DNS

    Chaos Computer Club or the German Privacy Foundation are good choices
     
  3. navigat0r

    navigat0r Registered Member

    Joined:
    Jan 8, 2015
    Posts:
    26
    Thanks for the link krusty, i wonder why cisco and google servers are still on that list o_O

    What would you do if the vpn service has dns servers, but which are not within the vpn network?
    For example there's a service that has vpn servers all over the world but only two dns servers in America and Europe, which means all dns queries will be routed from client to vpn exit and then unencrypted to dns server.
     
  4. bolehvpn

    bolehvpn Registered Member

    Joined:
    Oct 10, 2011
    Posts:
    81
    Location:
    Malaysia
  5. navigat0r

    navigat0r Registered Member

    Joined:
    Jan 8, 2015
    Posts:
    26
    That's good news, definitely will give it a try.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Good news :thumb:
     
  7. GunGunGun

    GunGunGun Registered Member

    Joined:
    Oct 30, 2014
    Posts:
    7
    I think use a local DNS with a huge database (extract from other DNS service by requesting and storing a big number of site) is the most secure way.
     
  8. bolehvpn

    bolehvpn Registered Member

    Joined:
    Oct 10, 2011
    Posts:
    81
    Location:
    Malaysia
    This is rolled out to almost all our servers. Just a few more that we are saving to teach our staff how to implement it :D
     
  9. navigat0r

    navigat0r Registered Member

    Joined:
    Jan 8, 2015
    Posts:
    26
    Will you add new countries to bolehvpn?
    Particularly, I'm thinking of Austria (ORF), Norway (NRK), Liechtenstein and Iceland.
     
  10. bolehvpn

    bolehvpn Registered Member

    Joined:
    Oct 10, 2011
    Posts:
    81
    Location:
    Malaysia
    Any particular reason for those countries? :/
     
  11. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Thanks for the link. Any opinions about OpenNIC?
     
  12. bolehvpn

    bolehvpn Registered Member

    Joined:
    Oct 10, 2011
    Posts:
    81
    Location:
    Malaysia
    OpenNIC's servers are rather unreliable and depends on your trust on the operator.
     
  13. navigat0r

    navigat0r Registered Member

    Joined:
    Jan 8, 2015
    Posts:
    26
  14. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Yes, I wondering what forum users think about the trustworthiness of OpenNIC.

    krustytheclown2 recommended Chaos Computer Club or the German Privacy Foundation, but if one is not in Germany that seems like it would slow down one's connection.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    It's not a major issue, because machines cache.
     
  16. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Thanks mirmir.

    So do you agree that Chaos Computer Club and the German Privacy Foundation are the best options?

    Also, I don't think I understand what you mean by "machines cache." You mean my system caches DNS addresses locally (on my computer) so mostly it's not connecting to the DNS server? (I use Linux, FYI). Just trying to understand better how a DNS server halfway around the world would not slowdown web pages loading.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Those are good, yes.

    But see https://www.wikileaks.org/wiki/Alternative_DNS for more.
    Yes, after working online for a while, your system has a local DNS cache for sites that you commonly access, so it only hits DNS server(s) for new stuff. Also, just being halfway around the world doesn't add more than 100 msec or so.
     
  18. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    I see. Thanks for the explanation. Yes, that was the the link to more DNS servers I was looking at that's linked to above. That's where I got OpenNIC from. Any other services there you think are good?
     
  19. navigat0r

    navigat0r Registered Member

    Joined:
    Jan 8, 2015
    Posts:
    26
  20. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
  21. navigat0r

    navigat0r Registered Member

    Joined:
    Jan 8, 2015
    Posts:
    26
    yes, swiss privacy foundation is a spinoff, the german privacy foundation e.v. has formally been dissolved since june 2013 (they still offer dns servers tho).

    vpn company proxy.sh has two public, dnscrypt capable ICANN/OpenNIC resolvers:
    Primary: dns1.proxy.sh or 146.185.134.104 (Netherlands, Amsterdam)
    Secondary: dns2.proxy.sh or 192.241.172.159 (U.S. New York)
     
  22. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I use both Open NIC and CCC DNS servers for the Tor exit. Both have been very reliable here.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I defer to Wikileaks ;)
     
  24. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Thanks for the futher thoughts navigat0r and noone_particular.

    The Wikileaks list includes OpenDNS and Google, so I suppose it depends what one is looking for. Wikileaks seems to only be concerned with issues of censorship, so they list DNS servers that don't filter sites (except for some malicious site filtering done by a couple of the services they list like OpenDNS). But Wikileaks does not seem to be conerned about privacy. Hence they list Google, OpenDNS, Comodo, who may have other motivations in providing DNS services.
     
Loading...