  • Tasks for the weekend – February 27, 2021 Check your DNS

      • #2346710
        Susan Bradley
        Manager

        Youtube video here There is one command that I have used for many years. It’s the command ipconfig /all. With that command I can see what network I’m
        [See the full post at: Tasks for the weekend – February 27, 2021 Check your DNS]

        Susan Bradley Patch Lady

      • #2346724
        abbodi86
        AskWoody_MVP

        I use Cloudflare since day 1

      • #2346734
        Paul T
        AskWoody MVP

        What is the advantage of changing away from your ISP provided DNS?

        cheers, Paul

        • #2347197
          Michael432
          AskWoody_MVP

          Mostly, privacy. Old DNS allows ISPs to easily track you. Also, some DNS providers offer extra features, such as blocking ads, malware, trackers, etc.

          Get up to speed on router security at RouterSecurity.org

      • #2346741
        Alex5723
        AskWoody Plus

        Primary DNS my ISP
        Secondary DNS Google DNS 8.8.8.8

      • #2346745
        Ascaris
        AskWoody_MVP

        I use Cloudflare via HTTPS, using their free cloudflared program for Linux (it also has Windows and Mac versions). On the front end, cloudflared sets up a local DNS server at 127.0.0.1:53 (127.0.0.1 is localhost, meaning the local computer itself, over port 53, the normal DNS port), which I can then set as the DNS server for the connection in the connection settings. On the back end, it creates a tunnel over HTTPS to the Cloudflare DNS server at 1.1.1.1.

        This means that all DNS for the connection is encrypted and is unknown to the provider (being my ISP or the ISP used by a public internet connection). If the public wifi connection is misconfigured and DNS is not working, it won’t matter, as I’m not using their DHCP-selected server for DNS anyway. That was actually the impetus for me to start investigating DNS over HTTPS, which led to me discovering cloudflared. It’s been a few years since then by now!

        Group "L" (KDE Neon Linux 5.21.4 User Edition)

      • #2346746
        E Pericoloso Sporgersi
        AskWoody Plus

        On the front end, cloudflared sets up a local DNS server at 127.0.0.1:53 (127.0.0.1 is localhost, meaning the local computer itself, over port 53, the normal DNS port), which I can then set as the DNS server for the connection in the connection settings. On the back end, it creates a tunnel over HTTPS to the Cloudflare DNS server at 1.1.1.1.

        I don’t fully understand all of your post.

        I never hit links blindly, but I usually follow trodden paths and demarcated downhill slopes, which is moderately secure behavior, I think. Still, I’m willing to keep tweaking my brain until I do fully understand.

        But only if a compelling condition is met:
        If I emulate your DNS setup, do I get significantly improved security?


        • #2346812
          Susan Bradley
          Manager

          These DNS providers prefilter what is offered up to you.  So even if you are as careful as you think you can be, they make sure that code being offered up to you is pre-sanitized.  They get the big picture view and thus block phishing attacks or other web sites with nefarious intentions.

          Susan Bradley Patch Lady

        • #2346930
          Ascaris
          AskWoody_MVP

          That’s a really complicated topic. You get the benefits of DNS over HTTPS, the virtues of which are the subject of debate.

          Mozilla thought DNS over HTTPS was important enough to include it as a default setting, which was controversial. Corporate entities don’t necessarily like it because it bypasses their ability to block certain things by DNS, and others deride it as being a “hacky” kludge (which it kind of is) rather than a real solution, but it’s here and functional right now if you want it.

          In general, having things encrypted is potentially beneficial to the user. I say “potentially” because it is only really of benefit if someone is trying to use the DNS data for malicious purposes, and if they are, you probably won’t know about it.

          There are many posts and opinions about DNS over HTTPS on the internet, and if you read some of those, you might begin to see why I can’t definitively give a “yes” or “no” answer. It’s… complicated.

          Group "L" (KDE Neon Linux 5.21.4 User Edition)

      • #2346747
        Microfix
        AskWoody MVP

        There are better alternatives to the standard DNS provider lists with some researching..without ruining your task for the weekend 😉
        A DNS with a Security blocklist, DNSSEC, TLS 1.3 with an encrypted SNI makes me feel better.

      • #2346750
        Paul T
        AskWoody MVP

        an encrypted SNI makes me feel better

        I think this is the reason most use another DNS.

        Apart from a deliberately malicious public wifi unit, there is little danger in using a standard DNS.

        cheers, Paul

      • #2346760
        Mele20
        AskWoody Lounger

        Living in Hawaii, I have no choice but to use my ISP’s LOCAL (Honolulu based…I’m on the Big Island) DNS servers. If I run DNS Bench, my LOCAL DNS servers from my ISP are 4-5 times faster than ANY Mainland DNS providers. That’s a result of living in the middle of the Pacific Ocean. I have tried various recommended DNS servers over the years and the slowness because they are not LOCAL like my ISP’s ones are is quite noticeable.

        I would NEVER use a router from my ISP or modem. I purchase my OWN equipment.

      • #2346765
        Coldheart9020
        AskWoody Lounger

        I’ve been using the OpenDNS servers for a little over a year now.

      • #2346778
        Dave
        AskWoody Plus

        OpenDNS for a number (6 or 7) years now. I own my equipment, which is cheaper in the long run; they can’t lock me out of security settings or open “guest” access on my link.

      • #2346785
        georgea
        AskWoody Lounger

        Another thing to consider besides security is speed.  Depending on where you are, you might find one of the various public DNS servers noted in this thread faster than your ISP.  Steve Gibson’s DNS benchmark portable program can help you choose:  https://www.grc.com/dns/benchmark.htm

      • #2346857
        AlbertMcCann623
        AskWoody Plus

        If you are going to use alternate DNS, you should set the IPv6 config as well; Win10 certainly uses it. I have been using the Cloudflare DNS for a while now, including their IPv6, which is also configured into our own router here:

        1.1.1.1
        1.0.0.1
        2606:4700:4700::1111
        2606:4700:4700::1001
        
        Google's DNS is:
        
        8.8.8.8
        8.8.4.4
        2001:4860:4860::8888
        2001:4860:4860::8844
      • #2346909
        krism
        AskWoody Plus

        Confused: I am connected laptop to SBR-AC1750 router to SB6141 modem to comcast coax. My computer says 192.168.0.1 which is the addy of my router, and my router says 1.1.1.1 and 8.8.8.8

        So what DNS am I actually using?

        - ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -

      • #2346922
        krism
        AskWoody Plus

        my router says 1.1.1.1 and 8.8.8.8 So what DNS am I actually using?

        Cloudflare as primary and Google as secondary (I think).

        That would have been my guess, but wanted to make sure. Thanks!

        - ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -

        • #2346935
          Ascaris
          AskWoody_MVP

          Yes. The router is acting as the DNS server for the network, configured by DHCP most likely (Dynamic Host Configuration Protocol), and it forwards the DNS requests to 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google).

          Group "L" (KDE Neon Linux 5.21.4 User Edition)

      • #2346919
        anonymous
        Guest

        ? says:

        i just checked in the terminal using (nmcli device show <interfacename>) and see that they (1&2) are currently provided by comcast. not doing any manhattan project type work from here so is there any disadvantage to running stock ISP provided DNS servers? i also turned IPv6 off in the kernel because i like to be able to more easily identify the traffic…

      • #2347192
        Michael432
        AskWoody_MVP

        DNS is brutally complicated. If you change your computer, be aware that on a laptop, Ethernet might use different DNS than WiFi. And, each WiFi network can be configured to use different DNS. And, the router might override all the settings on the local computer. Or, the DNS settings in a web browser might override both of them. Then too, a VPN and Tor play in the DNS game. Not to mention the transition from old DNS to new DNS. And, Android has a great Secure DNS feature, etc. etc.

        There are a number of DNS tester websites listed here

        https://routersecurity.org/testdns.php

        But, again, the browser could be using one DNS provider and the OS outside of that browser could be using a different DNS provider.

        Get up to speed on router security at RouterSecurity.org

        • #2347228
          Microfix
          AskWoody MVP

          But, again, the browser could be using one DNS provider and the OS outside of that browser could be using a different DNS provider.

          so creating a personal DNS system for individual devices, needs and functions for the operating system/s and however many browsers are on what systems and so on from your own home.

          • #2347264
            Michael432
            AskWoody_MVP

            I don’t follow.

            Get up to speed on router security at RouterSecurity.org

            • #2347812
              wavy
              AskWoody Plus

              OK
              From your site

              It is commonly thought that if the Operating System specifies DNS servers, they will get used. This is not always the case. Some routers (such as the Pepwave Surf SOHO) can force clients to use the DNS servers specified in the router. That said, my experience has been that this only applies to old DNS. Browsers that specified DoH type DNS servers had their requests honored.

              Yet you would recommend Pepwave? This seems a scary transgression to me!

              🍻

              Just because you don't know where you are going doesn't mean any road will get you there.
              • #2347829
                Michael432
                AskWoody_MVP

                Yes, I recommend Peplink/Pepwave. Their routers only do legacy plain text DNS, which is true of most routers. Given that, they can force router clients to use the DNS servers the router is configured with. This is a good thing, at least to me. It’s optional, however, if you think it’s a bad thing.

                Get up to speed on router security at RouterSecurity.org

        • #2347286
          anonymous
          Guest

          ? says:

          thank you, Michael. went to your webpage and ran:

          nslookup askwoody.com
          Server:        127.0.1.1
          Address:    127.0.1.1#(port)
          Non-authoritative answer:
          Name:    askwoody.com
          Address: 167.71.243.126

          on laptop wifi and firefox browser. nice website, by the way…

          • #2347832
            Michael432
            AskWoody_MVP

            Thank you. That is one strange IP address you have for a DNS server.  I know that 127.0.0.1 is always your computer, but I have no idea what the other 127s are.

            Get up to speed on router security at RouterSecurity.org

            • #2347841
              anonymous
              Guest

              ? says:

              Michael,

              the second 127.0.1.1:# (port) is actually :53 similar to Ascaris’ set-up shown in post 2346745 above. i’m using firefox which has Cloudflare option in Preferences>General>Network Settings>Settings>Connection Settings>Proxy. on a speed note running through Cloudflare does slow down the connection by roughly 25%. i have another linux with Chromium browser which more accurately utilizes the ISP’s 100Mbps advertised download speed.
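To make the “what DNS am I actually using?” question above concrete, here is an added Python example (not from any poster in this thread) that parses nslookup output like the one quoted above and classifies the answering server the way the thread works it out: any 127.x address is a local stub (cloudflared, systemd-resolved), a private LAN address is the router forwarding to its own setting, and the public addresses are matched against the Cloudflare and Google lists given earlier in the thread. The sample output is constructed from the quoted post with the redacted port written as 53, as the reply says.

```python
import ipaddress
import re

# Constructed sample: the Linux nslookup output quoted in this thread, with the
# redacted "#(port)" written out as #53 (the follow-up reply says it is 53).
SAMPLE_NSLOOKUP = """\
Server:        127.0.1.1
Address:    127.0.1.1#53
Non-authoritative answer:
Name:    askwoody.com
Address: 167.71.243.126
"""

# Public resolvers named in the thread (IPv4 and IPv6 from the list posted above).
KNOWN_RESOLVERS = {
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "2606:4700:4700::1111": "Cloudflare", "2606:4700:4700::1001": "Cloudflare",
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "2001:4860:4860::8888": "Google", "2001:4860:4860::8844": "Google",
}

def parse_nslookup(text):
    """Return (server_ip, server_port, answer_ips) from nslookup output.

    The first "Address:" line is the resolver that answered; Linux prints it as
    ip#port, Windows prints the bare address (port 53 is assumed then).
    Later "Address:" lines are the answers for the queried name.
    """
    server, port, answers = None, None, []
    for line in text.splitlines():
        m = re.match(r"\s*Address:\s*(\S+)", line)
        if not m:
            continue
        if server is None:
            ip, _, p = m.group(1).partition("#")
            server, port = ip, (int(p) if p.isdigit() else 53)
        else:
            answers.append(m.group(1))
    return server, port, answers

def classify_resolver(ip_text):
    """Explain what kind of DNS server an address is, as worked out in the thread."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        # All of 127.0.0.0/8 is loopback, not just 127.0.0.1: a stub such as
        # cloudflared (127.0.0.1:53) or systemd-resolved (127.0.1.1, 127.0.0.53)
        # runs here, and its own upstream setting is where queries really go.
        return "local stub resolver on this machine (check that program's upstream)"
    if ip.is_private:
        # 192.168.0.1 etc.: the router, which forwards to whatever DNS it holds.
        return "LAN device (usually the router) forwarding to its own configured DNS"
    return KNOWN_RESOLVERS.get(str(ip), "other public resolver") + " reached directly"

if __name__ == "__main__":
    server, port, answers = parse_nslookup(SAMPLE_NSLOOKUP)
    print(f"{server}:{port} -> {classify_resolver(server)}; answers={answers}")
```

Paste the output of your own nslookup into SAMPLE_NSLOOKUP to see which of the three cases applies to your machine; a loopback or LAN answer means the real upstream is set somewhere else (the stub program or the router), exactly the layering the thread describes.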

      • #2347267
        krism
        AskWoody Plus

        Again, laptop -rj45- SBR-AC1750 router -rj45- SB6141 modem – comcast coax.

        I find that it is slowest if I change the laptop from default (the router addy) to 1.1.1.1, 8.8.8.8 .

        Medium speed is laptop default (dns=router addy), and the router says dns= 1.1.1.1, 8.8.8.8 .

        Fastest speed is laptop default and router default for DNS. (all tests to gmail.com)

        It is 12 hops (VisualRoute Lite Edit.) no matter what.

        Given that my isp is comcast, I am quite sure they know exactly what I am doing, regardless of if I use 1.1.1.1 or not. Am I wrong? Thanks!

        - ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -

        • #2347276
          Ascaris
          AskWoody_MVP

          Given that my isp is comcast, I am quite sure they know exactly what I am doing, regardless of if I use 1.1.1.1 or not. Am I wrong? Thanks!

          They know the IP endpoints, necessarily (they have to in order to know where to send the packets), but if the connections are encrypted via HTTPS, they would not be able to see what data exactly you sent and received.

          Group "L" (KDE Neon Linux 5.21.4 User Edition)

        • #2347315
          Michael432
          AskWoody_MVP

          If you are worried about DNS speed, you are taking advice from the wrong people.

          Without a VPN or Tor, your ISP can spy on you easily with DNS. Without DNS, spying is much harder. They can see the IP addresses of computers you interact with but I really doubt that that tells them much.

          With HTTP they see everything. With HTTPS they may be able to see the domains you visit, depending on whether a site uses HTTP version 1.2 or 1.3. With mobile apps you have no way to tell if it’s HTTP or good HTTPS or bad HTTPS.

          If privacy is a concern, use a VPN or Tor. They are not perfect, but they do hide your activities from the ISP.

          Get up to speed on router security at RouterSecurity.org

          • #2347318
            Kirsty
            Manager

            I remember checking my speed options when Cloudflare started the 1.1.1.1 DNS, using GRC’s DNS Benchmark, and due to location, the speeds were significantly degraded using such services directly.

            • #2347835
              Michael432
              AskWoody_MVP

              The DNS speed test is old, legacy un-encrypted DNS only. Also, if you are using a VPN or Tor you have no choice about DNS servers. I have not yet seen anything about the performance of encrypted DNS. Certainly the first request will be very slow, then it depends on how long the HTTPS connection to the server is maintained.  I suppose encrypted DNS is like a VPN, in that if you want the privacy, you agree to a performance hit.

              Get up to speed on router security at RouterSecurity.org

          • #2347329
            krism
            AskWoody Plus

            Privacy is not really a concern, though I did put 1.1.1.1, 8.8.8.8 back into the router dns setting.

            I would go with a vpn but last time I checked, even the expensive ones were about 50% overhead, so I’ll pass on that.

            - ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -

      • #2347328
        Perq
        AskWoody Plus

        This website will tell you your currently assigned ISP or VPN IP address as well as what DNS service you are actually using from your computer (regardless of what you think you have set):

        https://www.dnsleaktest.com/

        :W10Pro 20H2 19042.867
        Dell OptiPlex 990
