Yes, it is frightening alright, what we are compelled to pay for Internet access! How does an ISP fare, when compared with these public DNS services with regard to data retention, sharing and our privacy. That is, when we use the DNS services allocated by our own ISPs instead of using a public DNS of our choice?
It's better to have your traffic and DNS lookups logged in separate places. That's more work for adversaries, and more chance for missing data. Also, ISPs can coordinate with captive DNS servers to redirect ads and hijack URL errors. It's especially important when using VPNs, JonDonym and Tor to prevent leaking information by using ISP-associated DNS servers.
ISP DNS are no better. There just aren't any guarantee that they do not log or do some other things with your DNS queries (like DNS poisoning that Turkish government did some time ago). However, there could be an solution. First, why do we need DNS? It's because without DNS we would have to memorize IP addresses every time we access Google or Wilders security or whatever. Second, where does the DNS request ultimately go? That is, if they are not already cached locally or by the ISP DNS? They go to root DNS servers. The top of the DNS hierarcy. You could have your own local DNS server that contacts those root DNS servers (and caches the results) and skip all the other DNS servers (ISP,public etc...) So, if you are willing to spend time you could build your own little VPN hardware router with your own, local DNS requesting caching server (note: NOT forwarding DNS server. You don't want to forward your DNS queries to Google DNS or whatever. That would be pointless and bring you back to square one). There are tutorials out there how to build VPN (or even Tor/VPN) home router from Raspberry PI, which is an cheap, credit card sized mini computer. And because you are fully in control of that self-made router you can make sure that any possible DNS leaks are blocked and your connection uses only your own DNS server which in turn either fetches results from it's own internal cache or send queries to those root DNS servers. Edit: And besides having control of your DNS stuff that self-made router would also give you some speed benefit because DNS caching.
In the SoftEther forum in answer to a question about DNS leak, it was said that it does not matter if your DNS address is 'seen', so long as your real IP is changed to one allocated to you by the VPN. Because, the owner of the DNS server can only see a DNS request coming from the fictitious IP and not from your real IP. Therefore, your real identity is not recorded at the DNS sever. Is this why you are saying the above? Regards,
I am not sure I understand this fully. When I use my ISP's DNS service, if the VPN changed my IP address, does my ISP still recognize me as the person who made a DNS request, although the request came from the fictitious IP address allocated by the VPN? Thank you,
Thank you for this information about Raspberry PI. Unfortunately I am not in a position to embark on such a project right now. It is possible that I might be bold enough to try this some time in the future. Could you please give me a hint as to where I can find those "tutorials out there" that you mention. For the present, this is valuable information for my poor knowledge bank. Regards,
That is more or less what I meant. With Google and OpenDNS, there is a huge volume of traffic and if it is fed from a shared VPN IP, it is not a problem for most circumstances. Even though the traffic is logged, it is mixed with all the other traffic that uses that server and is coming from a source that is mixing a lot of traffic on one IP. It also doesn't reveal that you are using a VPN on the server side. Torguard, for example, defaults to regional Google DNS or OpenDNS depending on the server. I can use their own DNS that doesn't log anything but a DNS leak test reveals my DNS server. In the case of Torguard it is an IP. With F-Secure and Cyberghost it is a domain associated with their respective services and anyone on the server side can easily see not only that you are using a VPN but what VPN you are using. That could be a problem in some cases. When you are using a VPN, you really want to be Joe Nobody and not even identify yourself too openly as a VPN user.
Let's say that you're using your ISP's DNS server, but all of your traffic (including DNS lookups) exits from the VPN. There are at least two concerns about that situation. One, adversaries observing the VPN server will see your traffic to it, and they will also see your queries exiting to your ISP's DNS server. So they'll know what websites you're browsing. Two, from its DNS server, your ISP will know that one of its customers is probably using some VPN server, and what websites that presumptive customer is browsing. They also see your traffic to the VPN server, and can combine that information (plus timing correlation) to know what websites you're browsing. De nada
Your welcome. Places like adafruit.com, lifehacker.com and other have nice collection of tutorials related to Raspberry Pi. Here's few that I grapped: Raspberry Pi VPN router: http://blog.frd.mn/raspberry-pi-vpn-gateway/ http://lifehacker.com/5978098/turn-...sonal-vpn-for-secure-browsing-anywhere-you-go Raspberry Pi Tor router: https://learn.adafruit.com/onion-pi?view=all Here's also pretty basic, working configuration file for caching, private Bind DNS server if you decide later to setup your own DNS server. https://www.dropbox.com/s/fiv5wub6r3tzm4h/named.conf?dl=0 All the forwarding DNS servers are commented out from that config and it uses the default DNS root servers (listed usually in /var/bind/named.cache file but might be different for different Linux distros. That file contents are also available from http://www.internic.net/domain/named.root). That is from my Gentoo VPS+OpenVPN+Bind+Squid setup. Just remember to adjust it to fit to your own Linux distro/settings. Especially the acl "trusted" part which should only have your own private IP(s) that your OpenVPN server handles. Here, in addition to loopback addresses, my setup accepts connections from private IPs of clients from 10.8.0.0/24 subnet which, AFAIK, is default for OpenVPN server setup. Bind is pretty common DNS server so there are lot's of tutorials for that too. Also dnsmasq is used often by people. That can also works as simple dhcp server so you don't need separate app for that.
OpenkDNS + DNSCrypt is the worst. Always use your VPN(s) DNS servers. If using chained or multi-hop, use the last one in the chain. When not using a VPN Swiss Privacy Foundation & Chaos Computer Club are my favorites as well. I'm using the former right now in fact. Snappy and trustworthy.
I don't agree with this when a DNS leak test reveals that you are using a VPN and what VPN you are using. Using a Google DNS server through a VPN tunnel doesn't give that away.
Is DNSCrypt tied to OpenDNS servers or could other servers use it too? Also, has anybody here tried this thing called DNSCurve ? https://en.wikipedia.org/wiki/DNSCurve
Now I have my head straightened out! Thank you for being patient. One last question; how do all this figure when not browsing the web, but using a VPN and a bit torrent client to down load content? I got this cleared up too. Thank you for staying with me! One last question again; how does this explanation work out when using a bit torrent client to download content, with a VPN of course? I have seen this in books. What does it mean? Thank you for taking so much trouble over this. I read through the contents of all your links. It has certainly given me incentive to do the project!
I couldn't get the DNS of Swiss Privacy Foundation. Could you please give me a link to their page that has the details? I can see that you are using Windows XP Pro. So do I (in addition to WIN 7), and I intend to continue using it. Could you tell me how you have secured XP after Microsoft stopped support. It would be very helpful. Thank you
BitTorrent peers don't use hostnames, I think, so there's no DNS lookup. But trackers do, so DNS servers see them.
As a practical matter, of course. But it's an idiom. Literally, it means "of nothing", so it's more like "no matter" or "it is nothing" or "don't mention it". Spanish is not my native language
Maybe not. But it's always best to play safe. Use third-party DNS servers directly on your ISP uplink, just in case they accidentally leak. Also, make sure that your VPN traffic uses only the VPN's private DNS servers, or other third-party DNS servers, that you're not using directly on your ISP uplink. And finally, use firewall and rounting rules to make sure that no traffic leaks around the VPN.
You want all your internet traffic to go through the VPN tunnel, not just Web traffic. I'm just a student of of all this myself but as I got more into VPNs, the first thing I wanted to do was set up a VPN tunnel in my router. That insures that everything connected to it goes through the tunnel which includes a variety of media devices in addition to my numerous laptops. That is what finally motivated me to pay for a subscription. Bit torrent is certainly one of the main reasons people are getting VPNs these days. http://torrentfreak.com/aussie-anti-piracy-plans-boost-demand-vpns-150308/ The requirements for protection for bit torrenting are much lower than for protection from government surveillance and most of the VPN providers are geared towards that market. The annual Torrentfreak review of VPNs is a good to look at for a torrent centric review of VPN providers: http://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/ What you pay for is the bandwidth needed for torrenting. There are a lot of good free VPN options as long as you don't need a lot of bandwidth.
It depends on the router and the VPN provider. Some VPN providers don't support this at all. All the good ones do. Most require DD-WRT or Tomato USB firmware--I use Tomato but DD-WRT is more common is more actively supported and developed so I would recommend it to anyone who has never used alternative firmware. Some VPN providers sell preconfigured routers for their services which makes it easier. Otherwise, you have to get a router that can be reflashed with a compatible firmware and first flash it and then set it up for your ISP and VPN service. Specific VPN providers that support this that I've checked out are PIA, NordVPN and Torguard--the one I'm using. Torguard has recently added automated scripts for setting up Tomato and DD-WRT supported routers and sells preconfigured routers. It took some time and research to get this going but once set up, it makes VPN use automatic for anything connected to the wifi. I do have to check the connection when I start the router. It fails to establish the VPN tunnel sometimes and I have to restart the router. Once the tunnel is established, it will not let anything through if the tunnel fails. Whether this is an intentional "kill switch" or not, I don't know because this is not a documented feature of the firmware I'm using. I use old WRT54GLS routers that I pick up second hand for next to nothing and reflash. They are extremely reliable but their bandwidth is only around 50mbs on wifi and 100mbs wired which is no problem in the bandwidth ghetto I live in.
Thank you. I had never heard of this firmware before. Just a thought; is it not possible to tunnel all traffic through the VPN by configuring the computer itself. Using the 'Command line' perhaps, or some other method?
Only for that computer if the VPN software installed is good. Using a router takes away the need for VPN client software in individual computers and if you do use it, it is a two hop connection. It also takes care of other devices such as media players and other internet appliances.
