I'm trying 51.158.168.202 as DNS with Pi-hole, which blocks ads at the network level, encrypted E2E - installed on pfSense.
@shewolf: I was just starting to explore the ways to limit the telemetry for W10; I am a little in doubt now if I want to continue because of exactly what you said -> M$ can always change this, we were just lucky in the past that they did not do it (or not that actively), they have got enough IPs to change it every hour if they wanted, and any update can put in additional telemetry or change existing ones... I guess I will just disable things a little with the default configuration (I am using NTLite for that). It's even hard to find the correct configurations for today; there is info out there from 2015 until now, so me as a beginner, I've got no way to know which is still relevant or not. Disable components, disable task scheduler entries, block IPs, or what else? And where to find the correct scripts for each of these... If you can advise me anything, I am all ears, but your comment made me lose much motivation, nothing personal lol
You cannot turn off all data collection on your PC (not just Windows), but you can control the data output from your system. That's what the firewall is for; Windows Firewall does it really very well.
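One way to do what this post describes, as an added example that is not from the thread: a default-deny outbound policy in Windows Defender Firewall with explicit per-program allows, plus logging so you can see what is being blocked. The two program paths are assumptions; adjust them to your machine, and run the script from an elevated prompt.

```powershell
# Added example, not from the thread. Requires an elevated PowerShell prompt.
# 1. Make "block" the default for outbound traffic on every profile. The built-in
#    "Core Networking" allow rules (DHCP etc.) stay enabled, so the host keeps its
#    lease; anything not explicitly allowed is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Explicit allows. Paths are assumptions: change them to match your install.
$allow = @(
    @{ Name = 'Allow dnscrypt-proxy'; Program = 'C:\dnscrypt-proxy\dnscrypt-proxy.exe';        Proto = 'Any'; Port = $null },
    @{ Name = 'Allow Firefox';        Program = 'C:\Program Files\Mozilla Firefox\firefox.exe'; Proto = 'TCP'; Port = @('80','443') }
)
foreach ($r in $allow) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $params = @{ DisplayName = $r.Name; Direction = 'Outbound'; Action = 'Allow';
                 Program = $r.Program; Protocol = $r.Proto }
    if ($r.Port) { $params.RemotePort = $r.Port }   # only meaningful for TCP/UDP rules
    New-NetFirewallRule @params | Out-Null
}

# 3. Visibility. pfirewall.log records blocked packets (destination IP/port, no process);
#    WFP failure auditing (Security event 5157) adds the application path that was blocked.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 4. Verify the policy, the enabled outbound allow rules, and the latest blocked attempts.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, LogBlocked
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, @{n='Program'; e={ ($_ | Get-NetFirewallApplicationFilter).Program }} |
    Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n='Detail'; e={ $_.Message.Split("`n")[0] }}
```

Until the allow list covers everything you rely on (updates, mail client, the local resolver's upstream), expect things to break; read the 5157 events to find what to add rather than loosening the default back to Allow.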
Cloudflare's DNS servers are the fastest and safest in the world: 1.1.1.1 and 1.0.0.1. Question 1: Cloudflare's. Question 2: DNSSEC is a method to encrypt DNS records, and it's mainly for websites and DNS servers, not DNS authoritative. In simple words, it's not related to your usage of Cloudflare's DNS servers to resolve hostnames to IPs; it's for website admins who want to encrypt their DNS records. And it's perfectly safe and recommended, but not all DNS registrars provide it (Cloudflare does, and it's free).
Cloudflare's DNS servers are neither the fastest nor the safest in the world. Now DNS over HTTPS is the trendy thing, offered in Chrome and Firefox with Cloudflare or NextDNS as built-in choices, but it is just a half-measure that sucks balls compared to the proper, complete solution offered by DNSCrypt. Just test-drive the Simple DNSCrypt implementation; it's actually secure, and it does not slow down your browsing since there are plenty of fast proxies available. Pi-hole is relevant if you have a non-garbage Linux machine to dedicate to network tasks.
As far as security goes, every piece of software on the PC will be allowed to make DNS requests, since DNSCrypt will merely replace svchost. Let's say a PC becomes part of a botnet: the malware will be able to get an update of working IPs. A VPN is safer.
What do botnets have to do with a VPN? You still need to use local internet security suites / enhanced AVs behind a VPN. And speaking of VPNs, some providers have been caught in the past turning their clients into... botnets. If you're not paying premium, you're the product. And a proper VPN that you've set up yourself at both ends is indeed safer, as in privacy-safer, but you're not talking about that. You're talking about commercial solutions that could eavesdrop, sell data, or supply detailed months-old history when subpoenaed at any time. Plus a hefty price tag. Plus limited availability of high-speed proxies. DNSCrypt is no VPN and does not compete with VPNs; it merely encrypts DNS requests. It's all in your hands to choose from the publicly available and peer-reviewed servers, many hosted at educational institutions around the world, with an exponentially higher trust factor than some almost-anonymized VPN provider company behind 10 other shell companies with a PO box address. And once you've made your DNS requests, you get to communicate with your target at full internet speed, not bounce back and forth to a VPN. I live in a part of the world where gigabit internet has been a commodity for several years, and I don't think there is any VPN offering to take such "abuse". If it's online games lacking local servers, needing cross-region connectivity in competitions, or accessing media content overseas, then sure, VPN is king. But I don't consider any of them privacy-safe.
Has anyone tried somehow stopping the diagnostic services? In previous versions (1809 and below) you could simply delete the services; now on 1903-09 you will get an svchost error with multiple crashes, including BSODs or a cyclic Explorer crash. I'm talking about "DiagTrack" - "diagsvc"; also, if you disable the Error Reporting service you will get the same errors.
Hope you don't mess with other services named Diagnostic... by mistake, since those are used for maintenance / power-efficiency tasks. No issues disabling Connected User Experiences and Telemetry and Windows Error Reporting via services or gpedit.msc - must be something on your end. Deleting a service on a live install is not a supported scenario - if you really need stuff gone, do it on an offline image, then install that chopped OS. Then cry when cumulative updates fail to install next month.
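The service-level approach this reply describes, as an added example that is not from the thread: disable exactly the two named services, then confirm that the other "Diagnostic*" services were left alone. The short names assumed are DiagTrack (Connected User Experiences and Telemetry) and WerSvc (Windows Error Reporting); the policy value at the end is the documented equivalent of the gpedit.msc "Allow Telemetry" setting, not an undocumented key.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Only these two services are touched; nothing is deleted, so the change is reversible
# with Set-Service -StartupType Automatic.
$targets = @('DiagTrack', 'WerSvc')   # assumed short names for the two services named in the reply

foreach ($name in $targets) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$name is not present on this build"; continue }
    Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $name -StartupType Disabled
    $svc = Get-Service -Name $name
    Write-Host ("{0,-10} status={1,-8} startup={2}" -f $name, $svc.Status, $svc.StartType)
}

# Sanity check: every other service whose display name contains "Diagnostic" (Diagnostic
# Policy Service and friends handle maintenance / power tasks) should still show its
# original startup type. Anything here reading "Disabled" was not changed by this script.
Get-Service |
    Where-Object { $_.DisplayName -like '*Diagnostic*' -and $_.Name -notin $targets } |
    Select-Object Name, DisplayName, StartType, Status |
    Format-Table -AutoSize

# Documented policy equivalent of the gpedit.msc setting
# (Computer Configuration > Administrative Templates > Windows Components >
#  Data Collection and Preview Builds > Allow Telemetry).
# Value 0 = Security; Microsoft documents that non-Enterprise/Education editions treat 0 as 1 (Basic).
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'AllowTelemetry' -Value 0 -Type DWord
Get-ItemProperty -Path $policy -Name 'AllowTelemetry'
```

If the two services are stopped this way and you still see the svchost crashes from the previous post, a scheduled task or a third-party tweak is the more likely culprit than the services themselves.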
A couple of years ago I read an anonymous comment somewhere online which made the claim that you can further disable telemetry through undocumented registry keys(?) in some sort of configuration (test? dev key?). Sorry for being unclear, but unfortunately I can't find the comment anymore. It was on a blog discussing W10 telemetry. Thoughts? Are there any known registry keys that are undocumented?
Why would you care for DNS-only encryption/protection if you want to hide from MS? AFAIK DNS-related security only prevents ISPs or middlemen from tracking you, but it doesn't prevent MS from obtaining your real IP if you aren't using a VPN. Proper VPNs provide custom DNS addresses that already use the protocols mentioned in this post.
Political militants or criminals risking their civil liberty or their lives without the use of Tor, VPN, etc. is beside the point of this topic and the rules you've agreed to when registering to this forum. What we care about is our legitimate, constitutional rights to privacy: ISP/Microsoft/Google/Facebook/Twitter/MSS/Schiphol Airport/the buffet in the corner etc. should not take advantage of our browsing history to serve ads, "get to know us", or worse (like your employer/your bank doing queries on what you do in your free time). DNS encryption suffices for that. Less relevant now due to Corona, but when we used to travel a lot, we were constantly exposed to man-in-the-middle attacks. Internet is still very expensive when abroad, so joining public wifi without giving it much thought is something each of us has done in the past. And while solutions existed to secure it for PCs, it was more problematic with mobile devices. This is where DNS over HTTPS straight from the browser comes in. As a practical example, while using a secured VPN to browse your favorite clips on redtube or whatever, only the VPN provider will see it. But it will most likely be choppy playback. And it will cost extra. When using DNS encryption, ISP / Microsoft might infer you're accessing redtube, but they won't know you're watching Euro Girls on Girls something. And playback will work at full internet speed, without extra costs. On the other hand, visiting forum x or y won't have a considerable speed downside via VPN. In the end, it's a matter of trust. If you find a trustworthy commercial VPN (I haven't found a single one as of yet) with fast enough proxies and at a good price, then go for it; it will protect all your browsing habits. If you trust NSA, MPAA, RIAA, Cloudflare, and it is fast enough in your area, then go for it - it's free and will protect details of your browsing. Myself, I'm sticking with DNSCrypt and academically hosted proxies.