Tools which protect our privacy. Post your tools / ways you are using and opinions.

Discussion in 'Serious Discussion' started by Yen, Jul 23, 2013.

  1. case-sensitive

    case-sensitive MDL Expert

    Nov 7, 2013
    1,060
    422
    60
    Thank you .

    @ suggestion ---- > What about a separate thread ' DNS security and ad and tracking blocking ' ?

    Thoughts / mental confusion / ' brain ' storming ( if they're crap please someone tell me ) ---- >

    I want to get rid of adblock in my browser ........ and have an empty HOST file ........ because ....... they slow my computer / surfing down ? .......... and microsoft has hard coded IP addresses so that they ' go round ' the HOST file = It's ( next to ) useless .

    I don't want to put my security in the hands of others ...... as far as possible ....... so my ISP and any DNS server is suspect :)

    I can't control anything on the net side of my router . My router is the last and best chance I have of blocking anything . I have more control and less risk using blocks on my router ?

    If I understand right ? ........ my DNS queries go through my ISP's server = They see where I want to go whatever I do because each query has a clear to see IP address ? ( I used DNSCrypt in the unuk and the ISP = virgin blocked a site = they could see where I wanted to go = DNSCrypt doesn't work ? )

    SO ...... atm my thoughts go in the direction of my own router , with an open source alternative router firmware , DNSCrypt with its block list component and / or a Pi Hole .

    What I can't understand is ----- > I send a DNS request ....... it goes over my ISP's server whatever I do ? ........ they can see where I'm going ? ........ question = Is it that when I make that request to my chosen DNS server ........ it makes a tunnel so that my ISP can't see any other requests I make except to the original DNS server ? ........ If not why not ?
     
  2. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    12,610
    13,256
    340
    #442 Yen, Nov 16, 2021
    Last edited: Nov 16, 2021
    (OP)
    Your ISP provides you a service to get you to the internet backbone.
    For instance via PPP over Ethernet or DOCSIS protocol. There's nothing like a 'huge ISP-server' that would serve web content...maybe some caching, maybe some own webserver.
    Also DNS is a service.
    OK there is hosting, but that is additional service you have to pay for.

    To get you to the WAN the ISP also provides, besides the interface, the infrastructure.
    You get an IP address assigned from the ISP and with that you connect to another one via a special route.
    The default is usually to use their DNS which runs on their server.
    The DNS is like a phone book. The job is to get the IP address for the URL you want to reach.

    You can use whatever DNS you want, but default setting is usually the one from the ISP.

    The ISP logs any routing either way. They log which IP address connects to where. And they log to whom (customer) the IP address belongs and when (dynamic allocation)....

    But when you use another DNS they cannot log the name resolving ON a DNS server.
    Except there is a DNS leak, therefore a leak test from above.


    Most globally you can change the DNS on your router.
    Also routers have black and whitelists. But they apply mostly to the entire LAN then....

    What a router can do depends on the OS / software which is running there.
    You can freely choose your own router, the ISP here (Germany) has to accept anyone.
     
  3. Scr4tch

    Scr4tch MDL Junior Member

    Jan 29, 2017
    88
    16
    0
    #443 Scr4tch, Nov 16, 2021
    Last edited: Nov 16, 2021
    About DNS: https://kb.adguard.com/en/general/dns-providers
    I would take all these DNSCrypt (or at least DoT) with DNSSEC support and sort what is the fastest/trustable for you.
    If you are lazy, have no clue what to do or who to trust, you can simply use Firefox and activate the built-in Cloudflare DoH.
    https://kb.adguard.com/en/general/dns-providers#cloudflare-dns (even faster than google btw)
    tls://security.cloudflare-dns.com for DoT

    Cloudflare Standard IPv6
    2606:4700:4700::1112
    2606:4700:4700::1002

    Quad9 DNS with DNSSEC
    IPv4
    2.dnscrypt-cert.quad9.net
    9.9.9.9:8443
    IPv6
    2.dnscrypt-cert.quad9.net
    [2620:fe::fe]:8443

    I would mix it with any similar one as fallback in case of downtime, which can happen sometimes..

    Please don't use google, yandex or whatever random exploited bs...
    It's basically as defenseless as western and china ISP DNSs.

    However, a good VPN-SP already offers an own DNS, just use the udp.ovpn in router directly.

    Still no answer here: Why should LineageOS be bad in your view?

    Just to notice, it needs an "unlock" to change the IPv6 DNS entry via "advanced view" on FritzBoxes, for example, otherwise IPv6 DNS leak for Dual-Stack and cable. :)


    but, tbh Fritzbox isn't that great really... doesn't even support real VPN. A small list about alternative routers:
    https://vpntester.de/wlan-router-fuer-vpn-services/ (german site, use DeepL translate or some)

    Just very outdated, there are already some modern Asus and TP-Link that can even do up to 100Mbit 256AES OpenVPN (if your VPN-SP supports this bandwidth) - Of course expensive af...
    Also only use OpenVPN or IKEv2/SSH with AES, no Wireguard (that's insecure) or any ancient protocol.

    Sadly they are still building routers with lowend cpu crap (basically the same lame as on RPis), for general better performance you will need something like a NUC, so ~300$ and a lot of frickle (no native OpenWRT support for example)

    Checking here if everything is set correctly: https://browserleaks.com/ip
     
  4. gorski

    gorski MDL Guru

    Oct 21, 2009
    4,722
    1,259
    150
    VPN services also offer no ads (and so on...) service...

    Just sayin'... ;)
     
  5. nodnar

    nodnar MDL Expert

    Oct 15, 2011
    1,226
    955
    60
    well; to answer your question, my dear yen; it is applied marketing mechanics, mostly;
    they seem to take a leaf out of m$`book to update every 5 minutes;
    consumers tend to view new! !in preference to old, alas..;)
    [ see the pendulum of xp=>vista, and 7=>8..]
     
  6. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    12,610
    13,256
    340
    #446 Yen, Nov 17, 2021
    Last edited: Nov 17, 2021
    (OP)
    AVM actually makes decent software on their routers (fritzbox), I have used AVM products since ISDN was released.
    'real' VPN. Well they do run a VPN server on the box, but not a client and they use a rare protocol (IPsec x-auth). This means you can connect to your home network via VPN wherever you are and use it and the services on the box (for instance land line).

    On the other hand since there is no client, you cannot connect to a VPN server and use a VPN service such as CyberGhost etc etc...

    BTW: Many people think VPN=privacy...BUT..one actually moves the privacy related matters from the ISP to the VPN provider!!!
    So if your ISP would have better privacy conditions than your VPN provider (for instance logging of routing and storing meta data) you actually get it worse!!!

    It's basically the same as not using the DNS of the ISP. If the alternative is worse, you get it worse.


    Yes sure.
    You have to check IPv4 and IPv6 related DNS addresses. AND additionally the fritz box has 2 places where you have to set the DNS, a global one (internet) and a network specific one!!!!

    To check both v4 and v6 also applies when you run your own DNS together with pi-hole on a rasp.....


    Always do a leak test and always check if your DNS queries get still bypassed from the pi-hole by checking the logs...

    I have still native IPv4 from my provider and I disabled anything IPv6 related.....also on the rasp.....I use unbound as my own resolver there, completely independent from any external DNS....
     
  7. gorski

    gorski MDL Guru

    Oct 21, 2009
    4,722
    1,259
    150
    No, Yen! ISP's are regulated in your country!

    VPNs are usually not. End of.
     
  8. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    12,610
    13,256
    340
    #448 Yen, Nov 19, 2021
    Last edited: Nov 19, 2021
    (OP)
    No, both are regulated in the country of location in some way. (I mean why are those in Panama or Togo and such?)
    No to what?
    Regulations are made to either preserve privacy or to lose / give up privacy.

    I was just sayin that you are moving your privacy related conditions from the ISP to the VPN provider.

    And would you use a VPN that is under US authority? Surely not!

    And would I use a VPN of which I am not sure that it really does not log instead of an ISP of which I am very sure that it does log, but has to delete meta data after a certain period of time -regulated- by laws?
    If something is regulated by laws you can rely on it. There are laws made to preserve privacy.

    It depends where you live and where the VPN is located.
    That's all I wanted to say...a VPN does NOT necessarily mean more privacy..especially when you assign real identity to a VPN account in some way...(payment etc etc)
     
  9. IXMas

    IXMas MDL Member

    Mar 7, 2021
    150
    188
    10
    #449 IXMas, Nov 19, 2021
    Last edited: Nov 24, 2021
    One of the better ways is to choose one of the DNS services such as Quad9.
    Second step is to control and block the possible walking of your settings on the internet.
    You do this successfully with Windows Firewall.

    This script will create inbound and outbound rules in the Windows Firewall to
    block all the IPv4 and/or IPv6 addresses listed in an input text file (BlockList.txt).

    You can complete the list however you want. Now these IPs are in it. + Snort IPs


    Download Import-Firewall-Blocklist script with BlockList.txt.
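
Added example (not the Import-Firewall-Blocklist script linked in the post above, and not its author's code): one way to turn a text blocklist into inbound and outbound Windows Firewall block rules with the built-in `New-NetFirewallRule` cmdlet, validating each entry first. The parameter names, rule prefix, batch size and sample list are assumptions; it only previews what it would create unless run elevated with `-Apply`.

```powershell
# Added example, not the script linked in the post. Parameter names, rule prefix,
# batch size and the sample list (documentation addresses) are constructed.
param([string]$Path, [string]$RulePrefix = 'Blocklist', [int]$BatchSize = 200, [switch]$Apply)

$sample = @(
    '# constructed sample list'
    '192.0.2.15'
    '198.51.100.0/24   # CIDR block'
    '2001:db8::/32'
    '192.0.2.15'       # duplicate, dropped
    '203.0.113.999'    # invalid, skipped
    '10.1/8'           # shorthand IPv4, skipped
)

function Read-BlockList {
    param([string[]]$Lines)
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($line in $Lines) {
        $entry = ($line -replace '#.*$', '').Trim()      # drop comments and padding
        if (-not $entry) { continue }
        $addr, $prefix = $entry -split '/', 2
        $ip = $null
        $ok = [System.Net.IPAddress]::TryParse($addr, [ref]$ip)
        # TryParse accepts shorthand like "10.1"; require the canonical IPv4 form.
        if ($ok -and $ip.AddressFamily -eq 'InterNetwork') { $ok = $ip.ToString() -eq $addr }
        $max = if ($ok -and $ip.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
        if ($ok -and $null -ne $prefix) { $ok = $prefix -match '^\d{1,3}$' -and [int]$prefix -le $max }
        if (-not $ok) { Write-Warning "Skipping invalid entry: $entry"; continue }
        if ($seen.Add($entry)) { $entry }                # emit each entry once
    }
}

$lines = if ($Path) { Get-Content -LiteralPath $Path } else { $sample }
$entries = @(Read-BlockList -Lines $lines)

# Replace rules from an earlier run instead of piling up duplicates.
if ($Apply) { Get-NetFirewallRule -DisplayName "$RulePrefix-*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule }
for ($i = 0; $i -lt $entries.Count; $i += $BatchSize) {
    $batch = @($entries[$i..([Math]::Min($i + $BatchSize, $entries.Count) - 1)])
    $n = [int]($i / $BatchSize) + 1
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = '{0}-{1}-{2:D3}' -f $RulePrefix, $dir, $n
        if ($Apply) {
            New-NetFirewallRule -DisplayName $name -Direction $dir -Action Block `
                -RemoteAddress $batch | Out-Null
        } else { "Would create $name with $($batch.Count) addresses" }
    }
}
```

Before applying a list, check that it does not contain your gateway or DNS resolver, since the outbound rule would cut the machine off from them.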
     
  10. gorski

    gorski MDL Guru

    Oct 21, 2009
    4,722
    1,259
    150
    Yen, I meant the fact VPNs are located in Virgin Islands etc. - those are telling, are they not?

    In your country they must keep records of everything up to 6 months etc.

    In British Virgin Islands they do not etc.
     
  11. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    12,610
    13,256
    340
    It's always about trust. They can advertise what they like, but what they are doing might be different. And there might be an issue with payment and staying anonymous.
    The regulation of ISPs is supported by laws.
    No here it's:
    Location related meta data 4 weeks, communication and routing related meta data 10 weeks maximum.
    The law is still under revision, though.

    Either way.
    I'd use a VPN to circumvent geo-blocking if I am keen on getting content which is not available here.

    For a temp privacy related matter rather TOR. And for ad blocking / own DNS I have the pi-hole / unbound.

    Depends on personal likes.:) There are good VPNs that's no question. But they are not free.
     
  12. gorski

    gorski MDL Guru

    Oct 21, 2009
    4,722
    1,259
    150
    #452 gorski, Nov 20, 2021
    Last edited: Nov 20, 2021
  13. gorski

    gorski MDL Guru

    Oct 21, 2009
    4,722
    1,259
    150
  14. IXMas

    IXMas MDL Member

    Mar 7, 2021
    150
    188
    10
    #454 IXMas, Nov 26, 2021 at 11:48
    Last edited: Nov 26, 2021 at 12:44