privacy issues with a static dns

Discussion in 'privacy problems' started by Timmy98, Mar 29, 2015.

  1. Timmy98

    Timmy98 Registered Member

    Joined:
    Mar 29, 2015
    Posts:
    9
    Hello. I am worried about my privacy on the Internet; it bothers me that someone can watch what I do, log it, or anything else. So I decided to get a VPN. I went with privateinternetaccess after reading good reviews and their no-log policy. However, I am having issues setting it up. Their solution was actually found by a client of theirs: utilize a script at startup. However, to use this script I need to set a static DNS for my Internet to go to. This is where my concerns come in. I am by no means a computer guy.
    From my thinking, setting a static DNS to someone's server before it gets to my VPN server is just running all my information to a third party that could be storing my information. And while my VPN provider may be encrypting my information, this would hit the other person's static server first, where they will get all my information and could store it. Whereas if I didn't have a static DNS, then it's not going to one person who could watch everything I do and log all my activities, because it would be spread out rather than centralized. That was part of the appeal of this particular VPN: they mention that they group several people together on one IP address so that it's hard for anyone to single anyone out. Also, that they do not keep any logs of any kind. But my concern is, if the server in between us is keeping the logs, then it's even worse, because now one person gets all the information. Please tell me your thoughts.
     
  2. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Who is the DNS provider, PIA or a third party? If it's a third party, is it Google or OpenDNS (bad for privacy), or somebody else like OpenNIC or CCC (good)?
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    DNS servers translate hostnames (such as "wilderssecurity.com") into IP addresses ("104.236.97.180" for "wilderssecurity.com"). You don't actually connect through them, as you do with VPN servers. When you're using a VPN, you can use two (or two sets of) DNS servers. One handles only direct DNS lookups that don't use the VPN tunnel. That allows you to connect to, for example, VPN servers specified by hostnames.

    The other DNS server (or set thereof) handles only DNS lookups through the VPN tunnel. Good VPN clients will block all non-VPN traffic while the VPN is connected. And so you will be using only the second DNS server (or set thereof). Good VPN services provide DNS servers with private IP addresses (such as 10.X.X.X) that can only be reached through the VPN tunnel.

    It's hard to do what I've just described securely without using custom firewall rules or router VMs (such as pfSense). The easiest workaround, used by adrelanos' VPN-Firewall for Linux, simply blocks all Internet connections except through the VPN tunnel. One can tweak the firewall rules to allow access to some DNS servers directly and others only through the VPN tunnel. But that's in Linux, and you're probably using Windows. Maybe someone else can comment on the possibility there.
     
    Last edited: Mar 30, 2015
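    A worked example of the split-DNS policy described in the post above, written for this page; it is not adrelanos' VPN-Firewall and not PIA's startup script. One resolver is reachable directly on the physical interface, only so the VPN server's hostname can be looked up; inside the tunnel, DNS may go only to the provider's private resolver; every other path, including the ISP's resolver and any traffic while the tunnel is down, hits the DROP policy. The interface names, the VPN endpoint 203.0.113.10:1194 and the tunnel resolver 10.0.0.1 are placeholders and must be set for your own setup. The script prints the rules so they can be reviewed first; `apply` runs them as root.

```shell
#!/bin/sh
# Added example for this thread, not adrelanos' VPN-Firewall and not PIA's
# startup script: a minimal "split DNS" leak firewall for Linux iptables.
# Every value below is a placeholder (TEST-NET / RFC 1918 addresses) and must be
# set for your own setup, e.g.  WAN_IF=wlan0 VPN_SERVER_IP=... ./vpn-dns-fw.sh apply
WAN_IF="${WAN_IF:-eth0}"                       # physical interface under the tunnel
VPN_IF="${VPN_IF:-tun0}"                       # interface OpenVPN creates
VPN_SERVER_IP="${VPN_SERVER_IP:-203.0.113.10}" # resolved VPN endpoint (placeholder)
VPN_SERVER_PORT="${VPN_SERVER_PORT:-1194}"     # OpenVPN UDP port (placeholder)
DIRECT_DNS="${DIRECT_DNS:-208.67.222.222}"     # the ONE resolver allowed outside the
                                               # tunnel (OpenDNS, as suggested in the thread)
TUNNEL_DNS="${TUNNEL_DNS:-10.0.0.1}"           # provider's private resolver, tunnel-only

# Print the rule set rather than applying it, so it can be read (and tested) first.
vpn_firewall_rules() {
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Bootstrap: look up the VPN server's hostname via ONE known resolver, no other DNS.
iptables -A OUTPUT -o $WAN_IF -d $DIRECT_DNS -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $DIRECT_DNS -p tcp --dport 53 -j ACCEPT
# The tunnel endpoint itself.
iptables -A OUTPUT -o $WAN_IF -d $VPN_SERVER_IP -p udp --dport $VPN_SERVER_PORT -j ACCEPT
# Inside the tunnel: DNS only to the provider's private resolver, then everything else.
iptables -A OUTPUT -o $VPN_IF -d $TUNNEL_DNS -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -d $TUNNEL_DNS -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -p udp --dport 53 -j DROP
iptables -A OUTPUT -o $VPN_IF -p tcp --dport 53 -j DROP
iptables -A OUTPUT -o $VPN_IF -j ACCEPT
# Anything else (ISP resolver, traffic while the tunnel is down) hits the DROP policy.
EOF
}

# Sanity check on the generated policy: the only port-53 ACCEPTs on the physical
# interface must be the two bootstrap rules for DIRECT_DNS.
direct_dns_rule_count() {
    vpn_firewall_rules | grep -c -- "-o $WAN_IF .*--dport 53 -j ACCEPT"
}

# "apply" runs the rules for real (needs root); no argument just prints them.
if [ "${1:-}" = "apply" ]; then
    vpn_firewall_rules | grep -v '^#' | sh -e
else
    vpn_firewall_rules
fi
```

    Because the OUTPUT policy is DROP, a tunnel that goes down leaves the machine offline rather than falling back to the ISP's resolver, which is the "kill switch" behaviour discussed later in the thread. As the post says, this is Linux only; it does nothing for a Windows client.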
  4. Timmy98

    Timmy98 Registered Member

    Joined:
    Mar 29, 2015
    Posts:
    9
    They said I could use whatever DNS I wished. But why does that make a difference? Doesn't it just provide a reliable point to watch me from?
     
  5. Timmy98

    Timmy98 Registered Member

    Joined:
    Mar 29, 2015
    Posts:
    9
    Thank you for the detailed reply. I am afraid that I am not smart enough to understand it all. But from what I got, the DNS is what does the searching for the place to connect, sifting through the various information on the net, and lets me see words and website names rather than a string of numbers?
    So connecting to the DNS, as a static DNS to be able to connect to my VPN, the DNS is what translates the websites, but it being static, that just lets one set of servers collect my data and search results, right? Or did I really miss this one?
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    What you typically know are website URLs, such as the one for this thread: https://www.wilderssecurity.com/threads/privacy-issues-with-a-static-dns.374722/ But Internet routers just understand IP addresses. So what they need to see is https://104.236.97.180/threads/privacy-issues-with-a-static-dns.374722/ Whatever server you get "104.236.97.180" from is going to know that you're accessing Wilders. If you're using a VPN service to reach Wilders, you probably don't want a DNS server operated by your ISP to see that you're looking up "www.wilderssecurity.com". Right?
     
  7. Timmy98

    Timmy98 Registered Member

    Joined:
    Mar 29, 2015
    Posts:
    9
    So if I don't have a static DNS enabled in my router, my searches and Internet is going through my ISP servers? Does it go through the DNS server first or my VPN first?

    Sorry about all the questions, and I really appreciate the help and advice
     
  8. Timmy98

    Timmy98 Registered Member

    Joined:
    Mar 29, 2015
    Posts:
    9
    If it's safer to use, what static DNS do you recommend I set my router to? Google, as they are recommending, or my VPN's server? Or somewhere else?
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    If you haven't specified a DNS server in your router, or in your computer etc., you're almost certainly using your ISP's DNS server(s). It's not that your stuff is "going through" your ISP's DNS server(s). It's just that your computer etc. uses them to look up the IP addresses for Internet hosts that you're accessing. But that's just when you're not using a VPN. Or at least, it should be just when you're not using a VPN.
    When you're using a VPN, your computer etc should be using the VPN's DNS server, and everything should be going through the VPN tunnel. If your computer etc connected to your ISP's DNS server through the VPN tunnel, that would compromise the (limited) privacy that you get from using a VPN service.
    No problem :) We all start somewhere ;)
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I recommend OpenDNS for your router: 208.67.220.220 and 208.67.222.222
     
  11. Timmy98

    Timmy98 Registered Member

    Joined:
    Mar 29, 2015
    Posts:
    9
    Is it private or do they log what I do, and search?
     
  12. Timmy98

    Timmy98 Registered Member

    Joined:
    Mar 29, 2015
    Posts:
    9
    If I got my VPN (I was gonna use Private Internet Access) to give me their DNS numbers, would I get more anonymity or less than with OpenDNS?
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Your guess is as good as mine. I assume that someone logs everything :eek:
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    With PIA running, you should be using PIA's DNS servers. If your router is configured with OpenDNS, you use that when you're not connected to PIA.
     
  15. Timmy98

    Timmy98 Registered Member

    Joined:
    Mar 29, 2015
    Posts:
    9
    Now I'm even more confused. If I run through PIA when I'm using their VPN, why do they say I need to set a static DNS on my router to use their service?
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    When you are connected to PIA, you are using their DNS lookups. Go to this website and scroll down and click on "Initiate standard DNS spoofability test". https://www.grc.com/dns/dns.htm See how many servers are listed. And it will show you where they are from.

    I am using PIA right now. But mine shows Mullvad. I have Mullvad installed and I went into settings and told it to use only Mullvad's DNS. And even though I am not even running Mullvad right now it is somehow able to select that DNS server only for my computer. I never use my ISP DNS. Even with my bare connection.

    But anyway, right-click on your PIA icon in the tray and choose settings. When the window pops up, click on Advanced. Then check the box "DNS leak protection". And also check "VPN kill switch" and then "Save". "VPN kill switch" blocks your internet connection if the VPN fails for some reason.
     
  18. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    108
    Well, if the VPN provider does have its own DNS servers (and they should!) then it is usually okay to use them. Of course, nothing prevents you from using some other third-party DNS server later.

    In my humble opinion, from a privacy perspective, from worst to best the choices are:

    1. ISP DNS
    2. Google / OpenDNS
    3. Some other third party DNS or DNS given to you by your VPN provider.
    4. Your very own DNS server running on an offshore VPS server under your own control.
    5. hosts file :D (you don't need/use DNS here at all)


    Most people are happy with option 2. and 3.
    Some will choose option 4.
    And only very crazy people (or people that visit only a handful of sites daily, ever) ever choose option 5.

    P.S.
    Nothing, of course, prevents you from using both a hosts file and a DNS server, and I would actually recommend setting a few site IP addresses in the hosts file for sites you absolutely *must* be able to access, no matter what happens... DNS down, DNS blocked by your ISP, DNS starts censoring stuff, etc.
     
    Last edited: Mar 31, 2015
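    A worked example of the hosts-file pinning suggested in the P.S. above, added for this page and not code from the thread: pin the few sites you must always reach, idempotently (re-pinning replaces the old line instead of stacking duplicates), and check the pins against a resolver of your choice later so stale entries get noticed. The hosts-file path is a parameter so the functions can be exercised on a scratch copy before touching /etc/hosts; the example.test names and 203.0.113.x addresses are constructed.

```shell
#!/bin/sh
# Added example for Stefan Froberg's P.S., not code from the thread: pin the few
# sites you must always reach in a hosts file, idempotently, and check the pins
# against a resolver later so stale entries get noticed. The file path is a
# parameter so this can be exercised on a scratch copy before touching /etc/hosts.

# pin_host <hosts_file> <hostname> <ip>
# Removes any existing line that lists <hostname> (other names on that same line
# are dropped too, so re-pin aliases separately), then appends the new mapping.
pin_host() {
    hosts=$1 name=$2 ip=$3
    awk -v n="$name" '
        { keep = 1 }
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; if ($i == n) keep = 0 } }
        keep { print }
    ' "$hosts" > "$hosts.tmp"
    printf '%s\t%s\t# pinned %s\n' "$ip" "$name" "$(date +%F)" >> "$hosts.tmp"
    mv "$hosts.tmp" "$hosts"
}

# pinned_ip <hosts_file> <hostname>: the address currently pinned (empty if none).
pinned_ip() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; if ($i == n) print $1 } }' "$1"
}

# check_pins <hosts_file> <resolver>: report pins whose IP is no longer among the
# resolver's answers (needs network, so not exercised offline). A stale pin is a
# reachability problem, not a security one: the site's TLS certificate still has
# to validate for whatever address the pin sends you to.
check_pins() {
    hosts=$1 resolver=$2
    grep -v '^#' "$hosts" | while read -r ip name _rest; do
        [ -n "$name" ] || continue
        live=$(dig +short +time=3 @"$resolver" "$name" A | grep -E '^[0-9.]+$' | tr '\n' ' ')
        case " $live" in
            *" $ip "*) ;;   # pin still among the live answers
            *) echo "STALE: $name pinned to $ip, $resolver now says: ${live:-<no answer>}" ;;
        esac
    done
}
```

    Usage on a scratch copy: `cp /etc/hosts /tmp/hosts && pin_host /tmp/hosts example.test 203.0.113.8 && check_pins /tmp/hosts 208.67.222.222`. Keep the pinned list short, exactly as the post says: every pin is one more address you now have to keep current by hand.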
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    What's your view of something I've been wondering about, less from a privacy and more from a tamper-aware perspective: using multiple DNS queries about the same domain to different DNS services, coupled with knowledge of the history of the site's IP address plus its certificate history and details. Effectively I'd like a local DNS service under my control which performs those multiple queries and has knowledge of history, so that any attempts at dodgy substitutions would likely be flagged.

    For example, for a banking domain, I'd like to know if their IP or certificate has changed, even if there are valid reasons for that. And I'd also want to know if the IP was in the range of those registered to that institution etc.
     
  20. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    108
    Well, if you are in a hostile environment (DNS censorship, DNS cache poisoning) then simple static hosts file is more than enough to defeat those kind of tampering.
    Of course it only works if you have only few sites that you visit. Otherwise keeping it updated becomes a really major PITA.

    Unfortunately I only have played with setting up basic DNS servers.
    Nothing more sophisticated than what you describe (although checking an IP against the organization's IP pool is simple enough with the whois command).

    I would definitely be interested in how to set up such a system.
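    A small version of what deBoetie asks for two posts up, with Stefan Froberg's whois check folded in, added for this page and not code from the thread: query several resolvers for one domain, flag disagreement between them, flag any address not seen before for that domain, and flag any address outside the prefixes you expect the operator to own (the CIDRs you looked up with whois, passed in explicitly). The checking logic works on a plain-text answers file so it runs offline; fetch_answers and cert_fingerprint do the live queries. The resolver names, example.test, the 203.0.113.x / 198.51.100.x addresses and the file formats are constructed for the example.

```shell
#!/bin/sh
# Added example for deBoetie's tamper-aware resolver idea and Stefan Froberg's
# whois remark; not code from the thread. Three checks on one domain:
#   1. do several independent resolvers agree on the A records?
#   2. has every returned IP been seen before for this domain (history file)?
#   3. does every IP fall inside the prefixes you expect the operator to own
#      (the CIDRs you looked up with whois, passed in explicitly)?
# Answers file format, one resolver per line:   <resolver> <ip> [<ip> ...]
# History file format:                           <domain> <ip>

ip2int() (      # dotted quad -> integer; subshell keeps the IFS change local
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

ip_in_cidr() {  # ip_in_cidr <ip> <a.b.c.d/bits>; true if the ip is inside the prefix
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# check_answers <domain> <answers_file> <history_file> "<cidr> [<cidr> ...]"
# Prints one finding per line (DISAGREE / NEW-IP / OUT-OF-RANGE); prints nothing
# when everything is consistent.
check_answers() {
    domain=$1 answers=$2 history=$3 cidrs=$4
    # 1. Normalise each resolver's answer set (sorted, empty -> NO-ANSWER) and count
    #    the distinct sets. CDNs legitimately hand out different IPs per vantage
    #    point, so DISAGREE means "look closer", not proof of poisoning.
    sets=$(while read -r resolver ips; do
               printf '%s\n' ${ips:-NO-ANSWER} | sort | tr '\n' ' '; echo
           done < "$answers" | sort -u | wc -l | tr -d ' ')
    if [ "$sets" -gt 1 ]; then
        echo "DISAGREE: $sets different answer sets for $domain"
    fi
    # 2./3. Every IP anyone returned must be known and inside an expected prefix.
    for ip in $(awk '{ for (i = 2; i <= NF; i++) print $i }' "$answers" | sort -u); do
        grep -qxF "$domain $ip" "$history" || echo "NEW-IP: $ip never seen before for $domain"
        inrange=0
        for c in $cidrs; do ip_in_cidr "$ip" "$c" && inrange=1; done
        [ "$inrange" -eq 1 ] || echo "OUT-OF-RANGE: $ip not in $cidrs"
    done
}

# fetch_answers <domain> <resolver>...  -> answers-file lines (network).
# Each query tells that resolver which domain you are interested in; that is the
# privacy cost Yuki2718 mentions below.
fetch_answers() {
    domain=$1; shift
    for r in "$@"; do
        printf '%s %s\n' "$r" "$(dig +short +time=3 @"$r" "$domain" A | grep -E '^[0-9.]+$' | tr '\n' ' ')"
    done
}

# record_answers <domain> <answers_file> <history_file>: learn the current IPs.
record_answers() {
    awk -v d="$1" '{ for (i = 2; i <= NF; i++) print d, $i }' "$2" >> "$3"
    sort -u -o "$3" "$3"
}

# cert_fingerprint <hostname>: SHA-256 of the leaf certificate served on :443
# (network), for keeping a certificate history next to the IP history.
cert_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
```

    A first run is a learning run: `fetch_answers example.com 208.67.222.222 8.8.8.8 > ans && record_answers example.com ans history`; from then on `check_answers example.com ans history "$(whois-derived prefixes)"` after each fetch, and `cert_fingerprint example.com` appended to its own history file, gives the "IP or certificate changed, even for a valid reason" signal the question asked for. It does not validate DNSSEC and it cannot tell a planned move from a hijack; it only makes sure a change is noticed.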
     
  21. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Maybe off topic, but it made me recall some products. The Perspectives Firefox addon can be used to see changes in a certificate. DNSSEC/TLSA Validator makes queries to many (if not all) root DNS servers and so on. Emsisoft Online Armor also asks some different DNS servers to prevent DNS poisoning. I thought Chrome asks some DNS too. These can be a privacy threat depending on your setup (using Tor etc.), but can prevent some DNS attacks and MITM.
    As to IP change history, I don't know a product which checks it. In a sense, the RPKI Validator addon serves a somewhat similar purpose though.
     
  22. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    108
    Thanks Yuki !
    New tools for my toolbox :)
     
  23. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Good to hear it served you. :)
     