Contemplating DNS Resolvers

That is why you trust VPNs with proper audits and open-source code. The people who are monitoring your network traffic are your ISP. That is why people are using VPNs. Unless you live in a 3rd world country, downloading pirated stuff will get you a hefty fine; also, even in 1st world countries, speaking against specific kinds of people on social platforms can get you some nice jail time.

That is why privacy and VPNs are important.

You can trust whoever you want :smile:

But if someone here asks me why I decided what I did, I must reply. And this is the answer to it (for now).
Some day it might change, or maybe not. The decisions I make are not static… Anyway;

And still:

But I encourage anyone who wants to open a discussion on that topic/those links.

Maybe it will be controversial :thinking:

Stay safe ladies and gents

If ad blocking on a network is your goal, I just recently did some tests with two free ad-blocking DNS providers, both of which are recommended by PG.

Personally, I use both paid and free Control D DNS.

Free Adblock DNS

Control D Free DNS

  • d3ward 97/100
  • adblock-tester 63/100

AdGuard DNS

  • d3ward 76/100
  • adblock-tester 52/100

Testing Sites

Testing Notes

  • DNS Testing, Clean browser with no extensions

This ^ is a good approach to life and learning.


IF I were not using a VPN (I do), and IF I didn’t trust my ISP (I don’t), I’d be looking for other ways to solve some of the same problems a VPN solves with respect to privacy & security.

  1. HTTPS only mode to secure/encrypt web traffic
  2. DoH or DoT (or better yet ODoH) to secure/encrypt DNS traffic
  3. ECH to partially close a loophole that undermines HTTPS + DoH/DoT

That still leaves at least two remaining areas of vulnerability:

  1. Websites/remote servers will still see your true-IP
  2. There is nothing stopping a man-in-the-middle from determining the sites you visit based on the IPs, even if they can’t see your DNS traffic or the SNI. ECH would prevent this for all sites behind Cloudflare (and theoretically other CDNs in the future) but ECH isn’t a solution for servers you connect to directly, and only works when both the client and the server support it.

Maybe of relevance:

Never know who funded it though, just a cautious reminder to be cautious :wink:


Partially? It fully closes it.

Well, running a test with the Control D free 30-day trial.
After that I can go with “some control”.
I will see… what I find interesting is this:

It will also block domains that resolve to known harmful IP Addresses

Not as I understand it. Are we on the same page that the goal and problem we are trying to solve is preventing MitM such as an ISP or untrusted network from being able to see the websites/domains you visit?

If so, consider that, even once you’ve enabled:

  1. HTTPS only mode (so all HTTP traffic is encrypted)
  2. DoH/DoT (so all DNS traffic is encrypted)
  3. Enabled ECH (so the SNI is encrypted/hidden)

You still have to account for the facts that:

  1. ECH requires both ends of the connection to support and enable it. Fortunately Cloudflare does by default, and that covers about 20% of all websites. If every other reverse proxy service enabled ECH, that number could increase to maybe 25-30% of all websites. (src)
  2. Even if every single CDN/reverse proxy service did support it, that still leaves the other 75% to 80% of websites. I’m less clear on what these websites would need to do to enable ECH, but I believe that they would need to configure that themselves and the steps would depend on the reverse proxy they use and the TLS version.
  3. Even if this other ~80% do enable ECH on their own, you’ve still got the problem that ECH can protect the SNI, but it can’t do anything about hiding the IP of the site/server you connect to. In the case of any of the 20% of sites using a CDN/reverse proxy service, that is okay, because your ISP or whatever other MitM you care about will just see the IP of Cloudflare’s reverse proxy server, and won’t be able to derive the sites you visit. But in the case of any website/server not sitting behind a reverse proxy service or CDN, the IP address of the server you are connecting to is observable to a MitM, and from that IP the domain name can be derived, assuming it’s the only website hosted on that IP.

This is why I call it only partial protection. As I understand it, the absolute best case scenario is that ECH can close the loophole for all websites that share an IP with other websites (such as those behind a reverse proxy service or CDN), but it fundamentally can’t solve the whole problem for websites with their own dedicated IP. ECH addresses the immediate problem it is intended to solve, but it is fundamentally limited by factors outside its control. I’m still learning, so if you think I’ve misunderstood or overlooked something, let me know.

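To make the two threads above concrete (the HTTPS/DoH/ECH layering and why ECH is only a partial fix), here is an added example, not from any poster or vendor, that builds a constructed TLS ClientHello and shows what a passive on-path observer still learns from it plus the destination IP. The ECH extension code point, the sample IPs and the IP-to-site map are constructed stand-ins; with ECH, the plaintext SNI is only the public cover name, but a dedicated IP still identifies the site.

```python
import struct

ECH_EXT = 0xFE0D  # encrypted_client_hello code point from the ECH draft (draft-ietf-tls-esni)

def build_client_hello(sni: str, ech_payload: bytes = b"") -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with an SNI extension.
    With ech_payload set, 'sni' is the outer (public) name and the payload stands in
    for the encrypted inner ClientHello. Constructed sample, not a real capture."""
    name = sni.encode()
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    if ech_payload:
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # TLS_AES_128_GCM_SHA256, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def passive_view(record: bytes, dst_ip: str, hosted: dict) -> dict:
    """What an on-path observer (ISP, hotspot) learns from the destination IP and the
    first TLS record: the plaintext SNI (if any), whether ECH is in use, and the
    candidate sites derived from the IP alone via 'hosted' (a constructed IP->names map)."""
    pos = 5 + 4 + 2 + 32                                    # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    view = {"dst_ip": dst_ip, "sni": None, "ech": False, "by_ip": hosted.get(dst_ip, [])}
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data, pos = record[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == 0x0000:   # server_name: list length, name type, name length, name
            view["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif etype == ECH_EXT:
            view["ech"] = True
    return view

# Constructed hosting map: one dedicated IP, one shared reverse-proxy IP.
HOSTED = {"203.0.113.10": ["blog.example"],
          "198.51.100.7": ["a.example", "b.example", "c.example"]}

no_ech = passive_view(build_client_hello("blog.example"), "203.0.113.10", HOSTED)
shared_ech = passive_view(build_client_hello("cdn-public.example", b"\xab" * 16), "198.51.100.7", HOSTED)
dedicated_ech = passive_view(build_client_hello("cover.example", b"\xab" * 16), "203.0.113.10", HOSTED)
```

In the first case the SNI names the site outright; in the second, ECH hides it and the shared IP leaves three candidates; in the third, ECH hides the SNI but the dedicated IP alone gives the site away, which is the "partial" gap discussed above.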

After ECH, there isn’t much in the TLS standard to mitigate, as far as encryption goes. To my knowledge, ECH fully closes the last remnants of the most sensitive metadata (the ClientHello) sent in plain text. Overall, TLS + HTTP can do better but any changes to it are hamstrung by non-compliant middleboxes (protocol ossification). QUIC + HTTP is a necessary and important attempt at overcoming ossification.

As to your other valid and correct points (reverse IP lookups, hiding IP address), those aren’t the concerns for QUIC + HTTP or TLS + HTTP. As in, these protocols can never ever fill the deficiencies you point out, and so, they can only ever “partially close” loopholes within that broad framework.


Back on the VPN, different provider though. Got some figuring out to do.
Comes time comes ideas.

On the DNS resolver topic, here is a suggestion that hasn’t been considered by me and that I wanted to put out there.
Adguard.
Free DNS and paid Plan exist.
Free DNS is strong, as per test …
https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt

I am unclear as to Apple’s use of DoH? In the article it says Big Sur onwards is natively supported. Am I correct in assuming that the setting needs to be enabled? Which is different from default use. (Probably not the correct term, I am not in the computer field.)

I am using Monterey 12.7.4, does that qualify?

Nice to hear of docs.quad9.net and through it official mobileconfig profiles.

I haven’t used a recent enough macOS, but if it’s anything like iOS (which it should be), you open the page in Safari (not any other browser), click the configuration profile link you want, and it should warn you about wanting to download a configuration profile, which you accept. Alternatively it will just download it and it’s double-clicked, Windows style?

Anyway, next it should appear in Settings or Control Panel as a banner for the new configuration profile, where it should be accepted again, after which it’s either used or there will be something akin to Settings -> General -> VPN & DNS, where under DNS you should see which profile you downloaded.

And it can be confirmed on https://on.quad9.net which was another thing I didn’t know of.


I believe it’s in Settings → Privacy & Security → Profiles.

Yeah, this works fine with any browser on macOS, not sure why they want you to use Safari specifically. Actually—at least with Lockdown Mode enabled—Safari just downloads the file as if it were a regular download too, so it literally makes no difference what browser you use.


Lately (it feels like the whole weekend) I have been contemplating DNS resolvers again, particularly ECS, no ECS or anonymized ECS, which in the context of PrivacyGuides would be AdGuard, Cloudflare, DNS0, Mullvad and Quad9 (especially Quad9 with its multiple options of secure, insecure, secure+ecs, insecure+ecs, although secure fits my thinking of layered defence).

So far I think I have my thoughts on the matter on my website’s unlisted notes section, but this morning I have been constantly adding things there (regardless of being supposed to be studying) and I would appreciate feedback as there are arguments for all three, even if in the end it comes down to personal choice and personal values.

https://aminda.eu/n/dns

It lives on GitHub pages so there is a changelog.

Have settled on Control D, not the easiest to set up, but once there I am pleased so far …
Certainly lots of freedom for configurations, which should be topmost, I am thinking.
With a malware filter that seems extensive, this is my aim for use by less technical users that demand great malware protection.
Am using it with Firefox, custom setup.