
Encrypt your DNS traffic

5823 Views 14 Replies 3 Participants Last post by Johnny b
Do you guys encrypt your DNS traffic?
No??

It's nothing new really; if you would like to take a read, start HERE

What are the core benefits of encrypting DNS?
1. Helps prevent DNS spoofing
2. Helps prevent your ISP and others from spying on you

How to encrypt DNS traffic?

Download Simple DNS Crypt
which is a user-friendly and open source program.
It uses dnscrypt-proxy, which is also open source.

Once you install "Simple DNS Crypt", open the program
and install the service by enabling the toggle button as shown below:

Next step, set your adapter DNS to localhost as shown below:

That's it, your DNS traffic is now encrypted, you're ready to go!
Does this do the same as the option in Firefox under Network Settings:

Enable DNS over HTTPS?
Hi Johnny, thank you for the input. Honestly, I never heard of any browser supporting this feature,
probably because I don't use Firefox.

According to Mozilla (LINK):
Benefits
DoH improves privacy by hiding domain name lookups from someone lurking on public WiFi, your ISP, or anyone else on your local network.
DoH, when enabled, ensures that your ISP cannot collect and sell personal information related to your browsing behavior.
So yes, this is the same thing, except that Firefox uses DoH.

There are 2 types of DNS encryption:
DoH: DNS over HTTPS
and
DoT: DNS over TLS

Each of these 2 types has its pros and cons.
That FF option is fairly recent.

I followed your two links, got swamped pretty quickly lol.
Over my head.

Thanks :)
I followed your two links, got swamped pretty quickly lol.
Over my head.
hehe :D, sorry for that, these are technical references.
If you want to know the basic difference, see my first link in the first post
and scroll down to the "Encrypting DNS" section.
More proxy services masquerading as some extra security feature. The chances of DNS spoofing from your ISP circuit are slim to nil. The only thing you're gaining by using a DNS proxy is that you're shifting your lookups from your ISP's DNS servers to some third-party one. You're trusting that this third party is not collecting your lookups and is maintaining proper security. I don't need to say how dangerous the last assumption is, as all I need to do is point to NordVPN.

The encryption angle is also a red herring. All DNS lookups are unencrypted. The encryption involved here is a custom implementation. All servers eventually get their DNS database information from a specific set of root DNS servers.
Interesting what you say.
Well, AFAIK Google supports DoH too, so if you do not want to put trust into those
not so well known DNS servers published on the dnscrypt-proxy page, then simply
set your server to Google DNS over HTTPS:

As for the VPN which you mentioned, well, doesn't the same thing apply to VPNs?
There are free VPN services which are actually a gateway to malware.

Paid VPN servers probably do not fall into that group, but we have no info about their security or intentions either, so what's the point?
It really boils down to how much security you need, and yes, as you said, all these security measures
potentially lead to a "red flag", that is, it potentially puts you on a list of "most wanted".

I think unless you're working on some top secret project, or do some illegal stuff, there is no need for a VPN.
If you're that worried about your Internet foot print, why would you use Google which is one of the biggest offenders of collecting personal data on people on the planet. I'm amazed with how people talk about security and in the same breath have devices such as Alexa, Google Assistant, Nest, Siri all happily collecting personal data in their homes.

And what people refer to as VPNs is so misleading. I blame the industry pushing their proxy services for this. The use of a term everyone associates with security (Virtual Private Networks) with their services is just a flat out lie and a bunch of shell games. I have a sticky at the top of this sub forum and the networking one which goes into an explanation of what these proxy services are.

As far as I'm concerned, there's no need for any of this stuff all tied to some sort of proxy service, whether that be Internet traffic or DNS queries. There is only one use case where a proxy service for Internet service is justified. The vast majority of people don't fall into this category. Most of the time, they're trying to hide illegal or less than flattering activity.
I have read your sticky about VPNs.
Indeed interesting, thanks!

If you're that worried about your Internet foot print, why would you use Google which is one of the biggest offenders of collecting personal data on people on the planet.
Honestly, I'm not really concerned about my privacy when it comes to companies such as Google, Microsoft etc.,
because I don't do activities on my Windows machine that would put me into a bad position with the law; for anything else a separate setup is needed.

I'm more concerned about individuals which are capable of doing bad things.
Unless companies such as Google or MS employ such people, we are pretty much safe ;)

I'm amazed with how people talk about security and in the same breath have devices such as Alexa, Google Assistant, Nest, Siri all happily collecting personal data in their homes.
Well, those who are concerned about Google etc. and claim to defend themselves against them, well, I wish them good luck with that :)
If you're (also in a general sense) not concerned about companies such as Google, Microsoft, your ISP, etc. knowing your activities, then there is no reason to use any of these proxy services, including the subject of this thread, proxy DNS services.

Employing these additional layers unduly complicates your network setup for no advantage. When you have issues with hitting a resource on the Internet, is it your ISP? Is it these proxy services? You're going to be caught in a finger pointing situation and you'll know for sure your ISP isn't going to do much more when they find out you're using a third party DNS server. Also, your performance can suffer depending on how slammed these proxy DNS services are and the design of their infrastructure. You can be pretty certain many of these places are not going to throw out a ton of money building out a robust infrastructure.

With all that said, I do run my own internal DNS server. I do so because I have things requiring a domain server along with some applications requiring the use of Active Directory. Pretty much all of my DNS look ups occur on my domain controller which is running DNS. I've configured my domain controller to use the root name servers or my ISP's DNS servers. It all works fine but I've done this because I have a need and I can as I have experience doing these types of things.
No mistake here, friend, I agree with almost everything you have said.

I said I'm not concerned about Google or MS and similar (there are not many such companies, btw), but
that doesn't include the ISP, which, unlike Google and MS, is for most people a foreign company,
also meaning less power for someone to learn this data, among other possible things.

And you know, many ISPs will, in addition to giving you internet, also give you a modem or router (as part of the price you pay).
Can you trust this hardware which they provide, and to which you directly connect your machine?

Most people don't buy advanced gateway hardware.
That's just one reason I consider relevant.

Anyway whether we agree or not, I'm sure a lot of people will find this conversation useful in one way or another.
I don't follow your logic about ISPs. Your traffic is going to traverse over their circuits anyways. And ISPs are local. I've never heard of any ISP providing Internet access to a customer whether it be a consumer or business that isn't a local entity. Also, I know Microsoft doesn't have their own circuits into the Internet. I don't know to what extent Google is using their own pipes for Internet access. But wouldn't be surprised for their data center connectivity it is contracted out. I find it ridiculous concerning this mistrust in ISPs. Most of this was spurred out of people running torrents or other P2P type services which was largely to download copyrighted material. ISPs became the villains because of their legal obligation to shut down detected illegal activity or to turn over the names of customers engaged in said activity by decree of the DMCA. Your Internet traffic is going to traverse multiple ISPs. There's no way around it.

I don't know what you're worried about with the hardware. If you don't trust the hardware, then don't use it. I haven't seen many ISPs set up in such a manner which requires you to use their equipment. I have Comcast and Mediacom service. Both services I use my own modem and firewall. If you're that paranoid with the hardware, then don't buy anything made in China. Good luck with that. I've worked in the US Federal Government in some very secure environments. These projects require the hardware to conform to TAA requirements at a minimum. There are other certs which the Feds require which can be FIPS 140-2, USGv6, Common Criteria, JTIC, etc. With all that and what I know about supply chain interception, I don't lose any sleep using non TAA compliant equipment. The only thing I steer away from are products made by Huawei and now ZTE.
I don't follow your logic about ISPs. Your traffic is going to traverse over their circuits anyways.
Yes, but it will be encrypted, which is not the same. DNS in this case.
I have my own reasons why not to trust my ISP. I just simply do not trust them, and traffic encryption makes me feel better.

I don't know what you're worried about with the hardware. If you don't trust the hardware, then don't use it.
I haven't seen many ISPs set up in such a manner which requires you to use their equipment.
If you're that paranoid with the hardware, then don't buy anything made in China. Good luck with that.
Yes lol.
My ISP gave me some router which I currently use, and yes, it is made by the Chinese, *Huawei*.
I do have 2 additional good routers for the phone line, but I can't use them because this is a mobile network router, and it's not that slow,
and it's not that expensive either.

What's good is that I can take the router anywhere I want, travel with it and just connect it to power, and I'm online.
That would not be possible with a phone line ofc :D
No thanks.
I read up a bit on the subject and decided to opt out ;)
My reply above is to a post that's been removed.

But this is new:

Firefox turns encrypted DNS on by default to thwart snooping ISPs
https://arstechnica.com/information...ed-dns-on-by-default-to-thwart-snooping-isps/

I tried DoH, no problems but opted out.

Now it's to become a default setting.

Do the benefits outweigh the risks?