Tasks for the weekend – February 27, 2021 Check your DNS

[Susan Bradley]

Youtube video here There is one command that I have used for many years. It’s the command ipconfig /all. With that command I can see what network I’m
[See the full post at: Tasks for the weekend – February 27, 2021 Check your DNS]

Susan Bradley Patch Lady

Reply | Quote

[abbodi86]

I use Cloudflare since day 1

Reply | Quote

[Paul T]

What is the advantage of changing away from your ISP provided DNS?

cheers, Paul

Reply | Quote

[Michael432]

Mostly, privacy. Old DNS allows ISPs to easily track you. Also, some DNS providers offer extra features, such as blocking ads, malware, trackers, etc.

Get up to speed on router security at RouterSecurity.org

1 user thanked author for this post.

RTEsysadmin

Reply | Quote

[Alex5723]

Primary DNS my ISP
Secondary DNS Google DNS 8.8.8.8

Reply | Quote

[Ascaris]

I use Cloudflare via HTTPS, using their free cloudflared program for Linux (it also has Windows and Mac versions). On the front end, cloudflared sets up a local DNS server at 127.0.0.1:53 (127.0.0.1 is localhost, meaning the local computer itself, over port 53, the normal DNS port), which I can then set as the DNS server for the connection in the connection settings. On the back end, it creates a tunnel over HTTPS to the Cloudflare DNS server at 1.1.1.1.

This means that all DNS for the connection is encrypted and is unknown to the provider (being my ISP or the ISP used by a public internet connection). If the public wifi connection is misconfigured and DNS is not working, it won’t matter, as I’m not using their DHCP-selected server for DNS anyway. That was actually the impetus for me to start investigating DNS over HTTPS, which led to me discovering cloudflared. It’s been a few years since then by now!

Group "L" (KDE Neon Linux 5.21.4 User Edition)

3 users thanked author for this post.

AlexEiffel, Perturbance, wavy

Reply | Quote

[E Pericoloso Sporgersi]

Ascaris wrote:

On the front end, cloudflared sets up a local DNS server at 127.0.0.1:53 (127.0.0.1 is localhost, meaning the local computer itself, over port 53, the normal DNS port), which I can then set as the DNS server for the connection in the connection settings. On the back end, it creates a tunnel over HTTPS to the Cloudflare DNS server at 1.1.1.1.

I don’t fully understand all of your post.

I never hit links blindly, but I usually follow trodden paths and demarcated downhill slopes, which is moderately secure behavior, I think. Still, I’m willing to keep tweaking my brain until I do fully understand.

But only if a compelling condition is met:
If I emulate your DNS setup, do I get significantly improved security?

 

Reply | Quote

[Susan Bradley]

These DNS providers prefilter what is offered up to you.  So even if you are as careful as you think you can be, they make sure that code being offered up to you is pre-sanitized.  They get the big picture view and thus block phishing attacks or other web sites with nefarious intentions.

Susan Bradley Patch Lady

3 users thanked author for this post.

E Pericoloso Sporgersi, AlbertMcCann623, DrBonzo

Reply | Quote

[Ascaris]

That’s a really complicated topic. You get the benefits of DNS over HTTPS, the virtues of which are the subject of debate.

Mozilla thought DNS over HTTPS was important enough to include it as a default setting, which was controversial. Corporate entities don’t necessarily like it because it bypasses their ability to block certain things by DNS, and others deride it as being a “hacky” kludge (which it kind of is) rather than a real solution, but it’s here and functional right now if you want it.

In general, having things encrypted is potentially beneficial to the user. I say “potentially” because it is only really of benefit if someone is trying to use the DNS data for malicious purposes, and if they are, you probably won’t know about it.

There are many posts and opinions about DNS over HTTPS on the internet, and if you read some of those, you might begin to see why I can’t definitively give a “yes” or “no” answer. It’s… complicated.

Group "L" (KDE Neon Linux 5.21.4 User Edition)

1 user thanked author for this post.

E Pericoloso Sporgersi

Reply | Quote

[E Pericoloso Sporgersi]

Ascaris wrote:

It’s… complicated.

Fortunately, I could decide to un-complicate it.

I’ll stick with my ISP’s DNS servers (Telenet.be). 

Steve Gibson’s DNS Benchmark tells me they’re the fastest for my location anyway: https://www.grc.com/dns/benchmark.htm

Still, thank you and Susan for the additional info.

1 user thanked author for this post.

krism

Reply | Quote

[Microfix]

There are better alternatives to the standard DNS provider lists with some researching..without ruining your task for the weekend 😉
A DNS with a Security blocklist, DNSSEC, TLS 1.3 with an encrypted SNI makes me feel better.

Attachments:

You must be logged in to access attached files.

Reply | Quote

[Paul T]

Microfix wrote:

an encrypted SNI makes me feel better

I think this is the reason most use another DNS.

Apart from a deliberately malicious public wifi unit, there is little danger in using a standard DNS.

cheers, Paul

Reply | Quote

[Mele20]

Living in Hawaii, I have no choice but to use my ISP’s LOCAL (Honolulu based…I’m on the Big Island) DNS servers. If I run DNS Bench, my LOCAL DNS servers from my ISP are 4-5 times faster than ANY Mainland DNS providers. That’s a result of living in the middle of the Pacific Ocean. I have tried various recommended DNS servers over the years and the slowness because they are not LOCAL like my ISP’s ones are is quite noticeable.

I would NEVER use a router from my ISP or modem. I purchase my OWN equipment.

• This reply was modified 1 month, 1 week ago by Mele20.

1 user thanked author for this post.

Perturbance

Reply | Quote

[Coldheart9020]

I’ve been using the OpenDNS servers for a little over a year now.

Reply | Quote

[Dave]

OpenDNS for a number (6 or 7) yars now. I own my equipment which is cheaper in the long run, they can’t lock me out of security settings or open “guest” access on my link.

Reply | Quote

[georgea]

Another thing to consider besides security is speed.  Depending on where you are, you might find one of the various public DNS servers noted in this thread faster than your ISP.  Steve Gibson’s DNS benchmark portable program can help you choose:  https://www.grc.com/dns/benchmark.htm

Reply | Quote

[anonymous]

@Mele20 ‘s post above illustrates your point very well.

2 users thanked author for this post.

Ascaris, Mele20

Reply | Quote

[AlbertMcCann623]

If you are going to use alternate DNS, you should set the IPV6 config as well, Win10 certainly uses it. I have been using the Cloudflair DNS for a while now, including their IPV6, which is also configured into our own router here:

1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001

Google's DNS is:

8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844

Reply | Quote

[krism]

Confused: I am connected laptop to SBR-AC1750 router to SB6141 modem to comcast coax. My computer says 192.168.0.1 which is the addy of my router, and my router says 1.1.1.1 and 8.8.8.8

So what DNS am I actually using?

- ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -

• This reply was modified 1 month, 1 week ago by krism.

Reply | Quote

[E Pericoloso Sporgersi]

krism wrote:

my router says 1.1.1.1 and 8.8.8.8 So what DNS am I actually using?

Cloudflare as primary and Google as secondary (I think).

1 user thanked author for this post.

Ascaris

Reply | Quote

[krism]

E Pericoloso Sporgersi wrote:

krism wrote:

my router says 1.1.1.1 and 8.8.8.8 So what DNS am I actually using?

Cloudflare as primary and Google as secondary (I think).

That would have been my guess, but wanted to make sure. Thanks!

- ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -

Reply | Quote

[Ascaris]

Yes. The router is acting as the DNS server for the network, configured by DHCP most likely (Dynamic Host Configuration Protocol), and it forwards the DNS requests to 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google).

Group "L" (KDE Neon Linux 5.21.4 User Edition)

Reply | Quote

[anonymous]

? says:

i just checked in the terminal using (nmcli device show <interfacename>) and see that they (1&2) are currently provided by comcast. not doing any manhattan project type work from here so is there any disadvantage to running stock ISP provided DNS servers? i also turned IPv6 off in the kernel because i like to be able to more easily identify the traffic…

Reply | Quote

[Michael432]

DNS is brutally complicated. If you change your computer, be aware that on a laptop, Ethernet might use different DNS than Wifi. And, each WiFi network can be configured to use different DNS. And, the router might over-ride all the settings on the local computer. Or, the DNS settings in a web browser might over-ride both of them. Then too, a VPN and Tor play in the DNS game. Not to mention the transition from old DNS to new DNS. And, Android has a great Secure DNS feature, etc. etc.

There are a number of DNS tester websites listed here

https://routersecurity.org/testdns.php

But, again, the browser could be using one DNS provider and the OS outside of that browser could be using a different DNS provider.

Get up to speed on router security at RouterSecurity.org

• This reply was modified 1 month, 1 week ago by Michael432.

3 users thanked author for this post.

AlbertMcCann623, Kirsty, Microfix

Reply | Quote

[Microfix]

Michael432 wrote:

But, again, the browser could be using one DNS provider and the OS outside of that browser could be using a different DNS provider.

so creating a personal DNS system for individual devices, needs and functions for the operating system/s and however many browsers are on what systems and so on from your own home.

Reply | Quote

[Michael432]

I don’t follow.

Get up to speed on router security at RouterSecurity.org

1 user thanked author for this post.

Perq

Reply | Quote

[wavy]

OK
From your site

It is commonly thought that if the Operating System specifies DNS servers, they will get used. This is not always the case. Some routers (such as the Pepwave Surf SOHO) can force clients to use the DNS servers specified in the router. That said, in my experience has been that this only applies to old DNS. Browsers that specified DoH type DNS servers had their requests honored.

Yet you would recommend Pepwave? This seems a scary transgression to me!

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

[Michael432]

Yes, I recommend Peplink/Pepwave. Their routers only do legacy plain text DNS, which is true of most routers. Given that, they can force router clients to use the DNS servers the router is configured with. This is a good thing, at least to me. Its optional, however, if you think its a bad thing.

Get up to speed on router security at RouterSecurity.org

Reply | Quote

[anonymous]

? says:

thank you, Michael. went to your webpage and ran:

nslookup askwoody.com
Server:        127.0.1.1
Address:    127.0.1.1#(port)
Non-authoritative answer:
Name:    askwoody.com
Address: 167.71.243.126

on laptop wifi and firefox browser. nice website, by the way…

Reply | Quote

[Michael432]

Thank you. That is one strange IP address you have for a DNS server.  I know that 127.0.0.1 is always your computer, but I have no idea what the other 127s are.

Get up to speed on router security at RouterSecurity.org

• This reply was modified 1 month, 1 week ago by Michael432.

Reply | Quote

[anonymous]

? says:

Michael,

the second 127.0.1.1:# (port) is actually :53 similar to Ascaris’ set-up shown in post 2346745 above. i’m using firefox which has Cloudflare option in Preferences>General>Network Settings>Settings>Connection Settings>Proxy. on a speed note running through Cloudflare does slow down the connection by roughly 25%. i have another linux with Chromium browser which more accurately utilizes the ISP’s 100Mbps advertised download speed.

Reply | Quote

[krism]

Again, laptop -rj45- SBR-AC1750 router -rj45- SB6141 modem – comcast coax.

I find that it is slowest if I change the laptop from default (the router addy) to 1.1.1.1, 8.8.8.8 .

Medium speed is laptop default (dns=router addy), and the router says dns= 1.1.1.1, 8.8.8.8 .

Fastest speed is laptop default and router default for DNS. (all tests to gmail.com)

It is 12 hops (VisualRoute Lite Edit.) no matter what.

Given that my isp is comcast, I am quite sure they know exactly what I am doing, regardless of if I use 1.1.1.1 or not. Am I wrong? Thanks!

- ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -

Reply | Quote

[Ascaris]

krism wrote:

Given that my isp is comcast, I am quite sure they know exactly what I am doing, regardless of if I use 1.1.1.1 or not. Am I wrong? Thanks!

They know the IP endpoints, necessarily (they have to in order to know where to send the packets), but if the connections are encrypted via HTTPS, they would not be able to see what data exactly you sent and received.

Group "L" (KDE Neon Linux 5.21.4 User Edition)

Reply | Quote

[Michael432]

If you are worried about DNS speed, you are taking advice from the wrong people.

Without a VPN or Tor, your ISP can spy on you easily with DNS. Without DNS, spying is much harder. They can see the IP addresses of computers you interact with but I really doubt that that tells them much.

With HTTP they see everything. With HTTPS they may be able to see the domains you visit, depending on whether a site uses HTTP version 1.2 or 1.3. With mobile apps you have no way to tell if its HTTP or good HTTPS or bad HTTPS.

If privacy is a concern, use a VPN or Tor. They are not perfect, but they do hide your activities from the ISP.

Get up to speed on router security at RouterSecurity.org

1 user thanked author for this post.

Kirsty

Reply | Quote

[Kirsty]

I remember checking my speed options when Cloudflare started the 1.1.1.1 DNS, using GRC’s DNS Benchmark, and due to location, the speeds were significantly degraded using such services directly.

Reply | Quote

[Michael432]

The DNS speed test is old, legacy un-encrypted DNS only. Also, if you are using a VPN or Tor you have no choice about DNS servers. I have not yet seen anything about the performance of encrypted DNS. Certainly the first request will be very slow, then it depends on how long the HTTPS connection to the server is maintained.  I suppose encrypted DNS is like a VPN, in that if you want the privacy, you agree to a performance hit.

Get up to speed on router security at RouterSecurity.org

Reply | Quote

[krism]

Privacy is not really a concern, though I did put 1.1.1.1, 8.8.8.8 back into the router dns setting.

I would go with a vpn but last time I checked, even the expensive ones were about 50% overhead, so I’ll pass on that.

- ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -

Reply | Quote

[Perq]

This website will tell you your currently assigned ISP or VPN IP address as well as what DNS service you are actually using from your computer (regardless of what you think you have set):

https://www.dnsleaktest.com/

:W10Pro 20H2 19042.867
Dell OptiPlex 990

Reply | Quote

[Kirsty]

Have you read @michael432‘s webpage linked above? He has a number of such resources, with various information about them 🙂
DNSLeakTest is the first listed.

3 users thanked author for this post.

AlbertMcCann623, Microfix, Perq

Reply | Quote

[Author]

Posts