Tools which protect our privacy. Post your tools / ways you are using and opinions.

Discussion in 'Serious Discussion' started by Yen, Jul 23, 2013.

  1. case-sensitive

    case-sensitive MDL Expert

    Nov 7, 2013
    1,681
    738
    60
    Thank you.

    @ suggestion ----> What about a separate thread 'DNS security and ad and tracking blocking'?

    Thoughts / mental confusion / 'brain' storming (if they're crap please someone tell me) ---->

    I want to get rid of adblock in my browser ... and have an empty HOSTS file ... because ... they slow my computer / surfing down? ... and Microsoft has hard-coded IP addresses so that they 'go round' the HOSTS file = it's (next to) useless.

    I don't want to put my security in the hands of others ... as far as possible ... so my ISP and any DNS server is suspect :)

    I can't control anything on the net side of my router. My router is the last and best chance I have of blocking anything. I have more control and less risk using blocks on my router?

    If I understand right? ... my DNS queries go through my ISP's server = they see where I want to go whatever I do because each query has a clear-to-see IP address? (I used DNSCrypt in the UK and the ISP = Virgin blocked a site = they could see where I wanted to go = DNSCrypt doesn't work?)

    SO ... atm my thoughts go in the direction of my own router, with an open source alternative router firmware, DNSCrypt with its block list component and / or a Pi-hole.

    What I can't understand is -----> I send a DNS request ... it goes over my ISP's server whatever I do? ... they can see where I'm going? ... question = is it that when I make that request to my chosen DNS server ... it makes a tunnel so that my ISP can't see any other requests I make except to the original DNS server? ... If not, why not?
     
  2. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,101
    14,047
    340
    #442 Yen, Nov 16, 2021
    Last edited: Nov 16, 2021
    (OP)
    Your ISP provides you a service to get you to the internet backbone.
    For instance via PPP over Ethernet or the DOCSIS protocol. There's nothing like a 'huge ISP server' that would serve web content...maybe some caching, maybe some own webserver.
    Also DNS is a service.
    OK, there is hosting, but that is an additional service you have to pay for.

    To get you to the WAN the ISP also provides, besides the interface, the infrastructure.
    You get an IP address assigned from the ISP and with that you connect to another one via a special route.
    The default is usually to use their DNS which runs on their server.
    The DNS is like a phone book. Its job is to get the IP address for the URL you want to reach.

    You can use whatever DNS you want, but the default setting is usually the one from the ISP.

    The ISP logs any routing either way. They log which IP address connects to where. And they log to whom (customer) the IP address belongs and when (dynamic allocation)....

    But when you use another DNS they cannot log the name resolving ON a DNS server.
    Unless there is a DNS leak, hence the leak test from above.


    Most globally, you can change the DNS on your router.
    Also routers have black- and whitelists. But they mostly apply to the entire LAN then....

    What a router can do depends on the OS / software which is running there.
    You can freely choose your own router; the ISP here (Germany) has to accept any one.
     
  3. ЯƎHTͶAꟼ

    ЯƎHTͶAꟼ MDL Senior Member

    Jan 29, 2017
    350
    94
    10
    #443 ЯƎHTͶAꟼ, Nov 16, 2021
    Last edited: Nov 16, 2021
    About DNS: https://kb.adguard.com/en/general/dns-providers
    I would take all of these DNSCrypt (or at least DoT) with DNSSEC support and sort out which is the fastest / most trustable for you.
    If you are lazy, have no clue what to do or who to trust, you can simply use Firefox and activate the built-in Cloudflare DoH.
    https://kb.adguard.com/en/general/dns-providers#cloudflare-dns (even faster than Google btw)
    tls://security.cloudflare-dns.com for DoT

    Cloudflare Standard IPv6
    2606:4700:4700::1112
    2606:4700:4700::1002

    Quad9 DNS with DNSSEC
    IPv4
    2.dnscrypt-cert.quad9.net
    9.9.9.9:8443
    IPv6
    2.dnscrypt-cert.quad9.net
    [2620:fe::fe]:8443

    I would mix it with any similar one as fallback in case of downtime, which can happen sometimes..

    Please don't use Google, Yandex or whatever random exploited bs...
    It's basically as defenseless as western and China ISP DNSs.

    However, a good VPN SP already offers its own DNS, just use the udp.ovpn in the router directly.

    Still no answer here: why should LineageOS be bad in your view?

    Just to note, it needs an "unlock" to change the IPv6 DNS entry via "advanced view" on FritzBoxes, for example, otherwise there is an IPv6 DNS leak for dual-stack and cable. :)


    But, tbh, the FritzBox isn't that great really... it doesn't even support real VPN. A small list of alternative routers:
    https://vpntester.de/wlan-router-fuer-vpn-services/ (German site, use DeepL translate or similar)

    Just very outdated; there are already some modern Asus and TP-Link that can even do up to 100 Mbit AES-256 OpenVPN (if your VPN SP supports this bandwidth) - of course expensive af...
    Also only use OpenVPN or IKEv2/SSH with AES, no WireGuard (that's insecure) or any ancient protocol.

    Sadly they are still building routers with low-end CPU crap (basically as lame as on RPis); for generally better performance you will need something like a NUC, so ~300$ and a lot of fiddling (no native OpenWRT support for example).

    Check here if everything is set correctly: https://browserleaks.com/ip
     
  4. gorski

    gorski MDL Guru

    Oct 21, 2009
    5,547
    1,473
    180
    VPN services also offer no ads (and so on...) service...

    Just sayin'... ;)
     
  5. nodnar

    nodnar MDL Expert

    Oct 15, 2011
    1,331
    1,064
    60
    well; to answer your question, my dear yen; it is applied marketing mechanics, mostly;
    they seem to take a leaf out of m$' book to update every 5 minutes;
    consumers tend to view new! in preference to old, alas..;)
    [ see the pendulum of xp=>vista, and 7=>8..]
     
  6. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,101
    14,047
    340
    #446 Yen, Nov 17, 2021
    Last edited: Nov 17, 2021
    (OP)
    AVM actually makes decent software on their routers (FritzBox); I have used AVM products since ISDN was released.
    'Real' VPN. Well, they do run a VPN server on the box, but not a client, and they use a rare protocol (IPsec XAuth). This means you can connect to your home network via VPN wherever you are and use it and the services on the box (for instance the land line).

    On the other hand, since there is no client, you cannot connect to a VPN server and use a VPN service such as CyberGhost etc etc...

    BTW: Many people think VPN=privacy...BUT..one actually moves the privacy related matters from the ISP to the VPN provider!!!
    So if your ISP would have better privacy conditions than your VPN provider (for instance logging of routing and storing meta data) you actually get it worse!!!

    It's basically the same as not using the DNS of the ISP. If the alternative is worse, you get it worse.


    Yes sure.
    You have to check the IPv4 and IPv6 related DNS addresses. AND additionally the FritzBox has 2 places where you have to set the DNS, a global one (internet) and a network specific one!!!!

    Checking both v4 and v6 also applies when you run your own DNS together with pi-hole on a rasp.....


    Always do a leak test and always check if your DNS queries still bypass the pi-hole by checking the logs...

    I still have native IPv4 from my provider and I disabled anything IPv6 related.....also on the rasp.....I use unbound as my own resolver there, completely independent from any external DNS....
     
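    As an added example (not code from the thread, from Pi-hole or from AVM), here is a Python script that checks the point made in the two Yen posts above: it scans a constructed router flow log and flags DNS queries from LAN clients that bypass the Pi-hole, on both IPv4 and IPv6, and distinguishes plaintext port 53 (which the ISP can read) from DoT on port 853 (encrypted, but still skipping the Pi-hole's blocklists). The LAN prefixes, the Pi-hole addresses and the log format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed LAN layout (constructed for this example, not from the thread):
# one Pi-hole at 192.168.178.2 / fd00::2 serving the whole dual-stack LAN.
LAN_NETS = [ipaddress.ip_network("192.168.178.0/24"),
            ipaddress.ip_network("fd00::/64")]
RESOLVERS = {ipaddress.ip_address("192.168.178.2"),
             ipaddress.ip_address("fd00::2")}
# Destination ports that carry DNS: 53 is plaintext, 853 is DNS over TLS.
DNS_PORTS = {53: "plaintext DNS (readable by the ISP)",
             853: "DoT (encrypted, but skips the Pi-hole blocklists)"}

# Constructed router flow log, one flow per line:
# "<time> <src> <dst> <proto> <dport>". 203.0.113.10 is a documentation address.
SAMPLE_FLOWS = """\
2021-11-17T10:00:01 192.168.178.20 192.168.178.2 udp 53
2021-11-17T10:00:02 192.168.178.20 8.8.8.8 udp 53
2021-11-17T10:00:03 fd00::20 2620:fe::fe udp 53
2021-11-17T10:00:04 192.168.178.21 9.9.9.9 tcp 853
2021-11-17T10:00:05 192.168.178.21 203.0.113.10 tcp 443
2021-11-17T10:00:06 192.168.178.2 9.9.9.9 tcp 853
"""

def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)

def in_lan(addr):
    # ip_network membership is False for a mismatched address family, so v4/v6 mix safely.
    return any(addr in net for net in LAN_NETS)

def find_bypasses(log_text):
    """Return (src, dst, description) for every DNS flow from a LAN client
    that does not go to the designated resolver (the Pi-hole)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, _, dport = parse_flow(line)
        if dport not in DNS_PORTS:
            continue                 # not DNS traffic
        if src in RESOLVERS:
            continue                 # the Pi-hole's own upstream queries are expected
        if not in_lan(src) or dst in RESOLVERS:
            continue                 # LAN client -> Pi-hole is the intended path
        findings.append((str(src), str(dst), DNS_PORTS[dport]))
    return findings

def per_host_report(findings):
    """Group bypasses by client and tag the address family, because the IPv4
    and IPv6 DNS settings are configured separately and leak independently."""
    report = defaultdict(set)
    for src, dst, desc in findings:
        fam = "IPv6" if ipaddress.ip_address(src).version == 6 else "IPv4"
        report[src].add(f"{fam} -> {dst}: {desc}")
    return {host: sorted(v) for host, v in report.items()}

if __name__ == "__main__":
    for host, hits in per_host_report(find_bypasses(SAMPLE_FLOWS)).items():
        print(host)
        for hit in hits:
            print("   ", hit)
```

    On a real router the same check runs over exported flow or firewall logs; a hit on port 53 from a client is the "hard-coded resolver" case from the first post, and a hit from an IPv6 source is the dual-stack leak described above.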
  7. gorski

    gorski MDL Guru

    Oct 21, 2009
    5,547
    1,473
    180
    No, Yen! ISPs are regulated in your country!

    VPNs are usually not. End of.
     
  8. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,101
    14,047
    340
    #448 Yen, Nov 19, 2021
    Last edited: Nov 19, 2021
    (OP)
    No, both are regulated in the country of location in some way. (I mean why are those in Panama or Togo and such?)
    No to what?
    Regulations are made to either preserve privacy or to lose / give up privacy.

    I was just saying that you are moving your privacy related conditions from the ISP to the VPN provider.

    And would you use a VPN that is under US authority? Surely not!

    And would I use a VPN of which I am not sure that it really does not log instead of an ISP of which I am very sure that it does log, but has to delete meta data after a certain period of time -regulated- by laws?
    If something is regulated by laws you can rely on it. There are laws made to preserve privacy.

    It depends where you live and where the VPN is located.
    That's all I wanted to say...a VPN does NOT necessarily mean more privacy..especially when you assign real identity to a VPN account in some way...(payment etc etc)
     
  9. IXMas

    IXMas MDL Senior Member

    Mar 7, 2021
    259
    239
    10
    #449 IXMas, Nov 19, 2021
    Last edited: Feb 10, 2022
    ??
     
  10. gorski

    gorski MDL Guru

    Oct 21, 2009
    5,547
    1,473
    180
    Yen, I meant the fact VPNs are located in Virgin Islands etc. - those are telling, are they not?

    In your country they must keep records of everything up to 6 months etc.

    In British Virgin Islands they do not etc.
     
  11. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,101
    14,047
    340
    It's always about trust. They can advertise what they like, but what they are doing might be different. And there might be issues with payment and staying anonymous.
    The regulation of ISPs is supported by laws.
    No, here it's:
    Location related meta data 4 weeks, communication and routing related meta data 10 weeks maximum.
    The law is still under revision, though.

    Either way.
    I'd use a VPN to circumvent geo-blocking if I am keen on getting content which is not available here.

    For a temporary privacy related matter rather TOR. And for ad blocking / own DNS I have the pi-hole / unbound.

    Depends on personal likes.:) There are good VPNs that's no question. But they are not free.
     
  12. gorski

    gorski MDL Guru

    Oct 21, 2009
    5,547
    1,473
    180
    #452 gorski, Nov 20, 2021
    Last edited: Nov 20, 2021
  13. gorski

    gorski MDL Guru

    Oct 21, 2009
    5,547
    1,473
    180
  14. IXMas

    IXMas MDL Senior Member

    Mar 7, 2021
    259
    239
    10
    #454 IXMas, Nov 26, 2021
    Last edited: Nov 26, 2021
  15. ЯƎHTͶAꟼ

    ЯƎHTͶAꟼ MDL Senior Member

    Jan 29, 2017
    350
    94
    10
    Happy new year, here as well guys! :D

    Yea, for the normal consumer it's good enough, I agree, but if we're talking about privacy (most of all VPN) and additional router features.. it goes differently. :p
    As you explained with the Raspberry as Pi-hole, for example: for additional features you need to buy additional hardware and so on, I don't like that.

    In my opinion it's always a better choice to move to the VPN. Here is why:

    1. Main thing: simply because my ISP has everything about me, my whole real identity, bank account, whole traffic to every single IP all the time.
    Decent VPNs just have an IP from some ISP they don't even know. This IP I can change, I can share the access with several people etc etc.
    A lot of VPN services I can pay for with much better privacy options (like PayPal, bitcoin, even cash, or let some internet friend pay for you etc).
    So the data the VPN has about me is limited to some IPs I had at a time I was using it with the one I had from my ISP (which I can change every time).

    Related to this:
    2. ISPs are more strictly regulated by countries; in Europe they try to force the companies to save data for a very long time and log/spy more and more...
    Some VPNs are located in countries far away from mine, such as Panama, New Zealand, or even just an offshore island in the Pacific Ocean, where nobody really cares about any special logging laws etc., or at least much less than here.
    In addition to that, some VPNs are built for/by groups that need this extra privacy and are dependent on it: gray-hats and software pirates, investigators (like journalists and hackers who discover government stuff) or just very paranoid people.
    Here it comes to the point in 1. - I can even just create a new account, using a different payment method, and much more, which leads the VPN service provider to think it's a different person who is logging in using it this time etc.

    Related to this:
    3. As you wrote about trust. Every company is making money. An ISP is making money as well. There is no non-profit organization that offers me a DSL contract. So I need to use what I get.
    So my normal local, country-regulated and capitalistic ISP who has my whole data tries to make as much money as possible, and with data - there are many ways.
    If I choose a VPN, my ISP gets like nothing; the VPN is not forced to give any data out (well, except in hard crime of course), the ISP is, always, and always does it.
    So yes. In my case I trust my VPN provider (who could be a group of human activists who care much about privacy) much more than the big global player ISP. :)

    Also a VPN gives an additional "layer" over your connection itself. Some meta information besides the IP also gets lost by using it.
    Besides all the extra features you get with one, like geo-unlock (or optional smart DNS), optional built-in adblocker/malware blocker/kids-friendly etc).

    4. Optional: you also can cascade several services. A chain between 3 different service providers works like TOR.
    Even just cascading from one single service provider already increases privacy and security.
    Mixing countries, servers, protocols, etc., without even losing any significant speed while doing so.

    Sadly I'm way late, can you re-upload please?

    Yes, some are free (at the same time unlimited). ProtonVPN for example.
    Also sharing with people or waiting for New Year's Day sales minimizes the costs.
    I share a very good VPN and Netflix with friends, it costs me less than 5€/month.

    I would rather say Wireshark or simply just PeerBlock (it logs all connections your PC makes).
    Windows Firewall, tbh, just makes my life harder and protects me from nothing, same for Defender.

    Using adblocker/pi-hole/adguard/whatever software - and adding extra lists against malware - is doing good enough already.
    If you don't trust popular global well-known download sites that provide executables, better go along with Linux then. ;)

    Regards
     
  16. ЯƎHTͶAꟼ

    ЯƎHTͶAꟼ MDL Senior Member

    Jan 29, 2017
    350
    94
    10
    Well... you can also use an internal network one for the internet. There is nothing new. This option is just good if you have a lot of internal domains, so an alternative one can manage this instead of the box. Like in bigger companies.

    Yea, this is extremely slow and insecure (IKEv1). In every case it makes much more sense to use an external device for doing this job, which can also handle IKEv2 or OpenVPN and is fast enough.
    So an external VPN service, where you connect as a client to a fast server over a modern protocol, is what I meant with "real" VPN, yes. :)

    Which brings me to my main line above:
    For every function that brings more features or safety, it's better to use an external device instead of the box.
    So the FritzBoxes are much better than the usual stuff you get from the ISP (well, except for Europe and cable, there you get exactly these), but overall there are better devices and systems.
    What I can recommend for private/consumer usage with benefits for privacy and more: Asus, D-Link, GL.iNet, Linksys, Netgear, TP-Link, whatever supports OpenWRT.
    Newer devices can easily reach 50-100 Mbps (OpenVPN AES-256-bit) and cost around 150-250€.

    For Pi-hole, a Raspberry Pi Zero (W) is already enough, costs around 15€.
    If you already have a Synology server, there are add-ons for it as well.
    If you have the chance, I would recommend AdGuard as DNS and DHCP manager.

    Ahh, as browser add-on I can recommend Trace.
    That blocks a lot of tracker/canvas stuff and more.
     
  17. gorski

    gorski MDL Guru

    Oct 21, 2009
    5,547
    1,473
    180
    Synology HW has to be powerful, as its processor has to be able to support a certain type of encryption, in order to be able to do this (use VPN for the whole network, thereby encrypting it)...

    They say it is possible but I haven't managed it....
     
  18. ЯƎHTͶAꟼ

    ЯƎHTͶAꟼ MDL Senior Member

    Jan 29, 2017
    350
    94
    10
    Additional stuff:

    Some Lists:
    https://www.iblocklist.com/lists
    https://filterlists.com/

    https://github.com/easylist

    More:
    http://wiki.vorratsdatenspeicherung.de/VDS-umgehen#Internet-Zugang (German)
    https://www.vpnranks.com/vpn-comparison/

    If you want/need higher security, the provider will not be listed in these lists; these are basically profit-based only.
    You also can reach higher by just cascading them, at least 3. I tested with some, the speed was the same.
    (Mixed some European countries: 40ms, 50Mbit [one of them limiting it to that])

    And nope: Not every hacker is a black hat.

    Addon:
    https://addons.mozilla.org/en-US/firefox/addon/absolutedouble-trace/

    Mail:
    https://mail.ru/
    https://protonmail.com/
    (Take care, it's safe against others and supports a lot of secure features, but ProtonMail is forced to work together with law agencies)
    https://temporarymail.com/

    Play-Store without Google:
    https://www.aurorastore.pro/

    YouTube without age check or similar b.s.:
    - Simply download the video.

    Cloud:
    https://cloud.mail.ru/
    https://mega.io/
    (Take care, it's safe against others but Mega is controlled by the China government)

    Search-Engines:
    https://duckduckgo.com/
    https://yandex.ru/
    (Take care, it's safe against others but Yandex is controlled by the Russia government)

    DNS:
    See the list above I posted, by adguard-home.
    Alternative: Cloudflare
     
  19. gorski

    gorski MDL Guru

    Oct 21, 2009
    5,547
    1,473
    180
    This really needs reading!!!

    https://twitter.com/AthertonKD/status/1491954797846618145

    Avi Asher-Schapiro

    "Senators Wyden & Heinrich reveal CIA has a bulk surveillance program: “entirely outside the statutory framework that Congress & the public believe govern this collection, & without any of the judicial, congressional or even executive branch oversight." https://wyden.senate.gov/news/press...ms-with-cia-handling-of-americans-information "

    And then the response:
    Kelsey D. Atherton

    "you ever think about how CIA was caught spying on the Senate's investigation of CIA torture & then the CIA's Inspector General was told by Deputy NatSec Advisor Avril Haines not to discipline the personnel who did it, & then the Senate confirmed Haines to be Biden's DNI"
     
  20. case-sensitive

    case-sensitive MDL Expert

    Nov 7, 2013
    1,681
    738
    60