Tasks for the weekend – February 27, 2021 Check your DNS
Tagged: Patch Lady Posts
- This topic has 38 replies, 17 voices, and was last updated 1 month, 1 week ago by
anonymous.
February 27, 2021 at 10:36 pm #2346710
Susan Bradley
Manager
Youtube video here
There is one command that I have used for many years. It’s the command ipconfig /all. With that command I can see what network I’m
[See the full post at: Tasks for the weekend – February 27, 2021 Check your DNS]
Susan Bradley Patch Lady
-
February 27, 2021 at 11:41 pm #2346724
-
February 28, 2021 at 12:33 am #2346734
Paul T
AskWoody MVP-
March 1, 2021 at 1:23 pm #2347197
Michael432
AskWoody_MVP
Mostly, privacy. Old DNS allows ISPs to easily track you. Also, some DNS providers offer extra features, such as blocking ads, malware, trackers, etc.
Get up to speed on router security at RouterSecurity.org
1 user thanked author for this post.
-
-
February 28, 2021 at 1:15 am #2346741
-
February 28, 2021 at 2:46 am #2346745
Ascaris
AskWoody_MVP
I use Cloudflare via HTTPS, using their free cloudflared program for Linux (it also has Windows and Mac versions). On the front end, cloudflared sets up a local DNS server at 127.0.0.1:53 (127.0.0.1 is localhost, meaning the local computer itself, over port 53, the normal DNS port), which I can then set as the DNS server for the connection in the connection settings. On the back end, it creates a tunnel over HTTPS to the Cloudflare DNS server at 1.1.1.1.
This means that all DNS for the connection is encrypted and is unknown to the provider (being my ISP or the ISP used by a public internet connection). If the public wifi connection is misconfigured and DNS is not working, it won’t matter, as I’m not using their DHCP-selected server for DNS anyway. That was actually the impetus for me to start investigating DNS over HTTPS, which led to me discovering cloudflared. It’s been a few years since then by now!
Group "L" (KDE Neon Linux 5.21.4 User Edition)
3 users thanked author for this post.
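Added example, not part of the post above and not cloudflared's own code: the translation step a local stub of the kind described performs, taking the plaintext query it receives on 127.0.0.1:53 and wrapping it as an RFC 8484 DNS-over-HTTPS GET request. The endpoint URL https://cloudflare-dns.com/dns-query and the function names are assumptions for illustration, and nothing is sent over the network.

```python
import base64
import struct

# Assumed endpoint: Cloudflare's public DoH URL (the post only names 1.1.1.1).
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_query(name, qtype=1, txid=0x1A2B):
    """Build the wire-format query an OS resolver would send to 127.0.0.1:53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def to_doh_get(udp_query):
    """Turn a query received by the stub into an RFC 8484 GET request.

    Returns (original transaction ID, request URL, request headers).
    """
    if len(udp_query) < 12:
        raise ValueError("shorter than a DNS header")
    (txid,) = struct.unpack("!H", udp_query[:2])
    # RFC 8484 recommends ID 0 so identical questions are HTTP-cache friendly.
    wire = b"\x00\x00" + udp_query[2:]
    # base64url with the '=' padding removed, as the RFC requires.
    param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    headers = {"Accept": "application/dns-message"}
    return txid, f"{DOH_ENDPOINT}?dns={param}", headers


def restore_id(doh_reply, txid):
    """Put the client's transaction ID back before answering on port 53."""
    return struct.pack("!H", txid) + doh_reply[2:]
```

On the wire the ISP sees only a TLS connection to the resolver's address; the query name sits inside the encrypted `dns=` parameter.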
-
February 28, 2021 at 3:14 am #2346746
E Pericoloso Sporgersi
AskWoody Plus
On the front end, cloudflared sets up a local DNS server at 127.0.0.1:53 (127.0.0.1 is localhost, meaning the local computer itself, over port 53, the normal DNS port), which I can then set as the DNS server for the connection in the connection settings. On the back end, it creates a tunnel over HTTPS to the Cloudflare DNS server at 1.1.1.1.
I don’t fully understand all of your post.
I never hit links blindly, but I usually follow trodden paths and demarcated downhill slopes, which is moderately secure behavior, I think. Still, I’m willing to keep tweaking my brain until I do fully understand.
But only if a compelling condition is met:
If I emulate your DNS setup, do I get significantly improved security?
-
February 28, 2021 at 11:31 am #2346812
Susan Bradley
Manager
These DNS providers prefilter what is offered up to you. So even if you are as careful as you think you can be, they make sure that code being offered up to you is pre-sanitized. They get the big picture view and thus block phishing attacks or other web sites with nefarious intentions.
Susan Bradley Patch Lady
3 users thanked author for this post.
-
February 28, 2021 at 11:25 pm #2346930
Ascaris
AskWoody_MVP
That’s a really complicated topic. You get the benefits of DNS over HTTPS, the virtues of which are the subject of debate.
Mozilla thought DNS over HTTPS was important enough to include it as a default setting, which was controversial. Corporate entities don’t necessarily like it because it bypasses their ability to block certain things by DNS, and others deride it as being a “hacky” kludge (which it kind of is) rather than a real solution, but it’s here and functional right now if you want it.
In general, having things encrypted is potentially beneficial to the user. I say “potentially” because it is only really of benefit if someone is trying to use the DNS data for malicious purposes, and if they are, you probably won’t know about it.
There are many posts and opinions about DNS over HTTPS on the internet, and if you read some of those, you might begin to see why I can’t definitively give a “yes” or “no” answer. It’s… complicated.
Group "L" (KDE Neon Linux 5.21.4 User Edition)
1 user thanked author for this post.
-
March 1, 2021 at 5:50 am #2347003
E Pericoloso Sporgersi
AskWoody Plus
It’s… complicated.
Fortunately, I could decide to un-complicate it.
I’ll stick with my ISP’s DNS servers (Telenet.be).
Steve Gibson’s DNS Benchmark tells me they’re the fastest for my location anyway: https://www.grc.com/dns/benchmark.htm
Still, thank you and Susan for the additional info.
1 user thanked author for this post.
-
-
-
February 28, 2021 at 3:57 am #2346747
Microfix
AskWoody MVP -
February 28, 2021 at 4:28 am #2346750
Paul T
AskWoody MVP
an encrypted SNI makes me feel better
I think this is the reason most use another DNS.
Apart from a deliberately malicious public wifi unit, there is little danger in using a standard DNS.
cheers, Paul
-
February 28, 2021 at 7:21 am #2346760
Mele20
AskWoody Lounger
Living in Hawaii, I have no choice but to use my ISP’s LOCAL (Honolulu based…I’m on the Big Island) DNS servers. If I run DNS Bench, my LOCAL DNS servers from my ISP are 4-5 times faster than ANY Mainland DNS providers. That’s a result of living in the middle of the Pacific Ocean. I have tried various recommended DNS servers over the years and the slowness because they are not LOCAL like my ISP’s ones are is quite noticeable.
I would NEVER use a router from my ISP or modem. I purchase my OWN equipment.
-
This reply was modified 1 month, 1 week ago by
Mele20.
1 user thanked author for this post.
-
-
February 28, 2021 at 8:32 am #2346765
Coldheart9020
AskWoody Lounger -
February 28, 2021 at 10:21 am #2346778
-
February 28, 2021 at 10:51 am #2346785
georgea
AskWoody Lounger
Another thing to consider besides security is speed. Depending on where you are, you might find one of the various public DNS servers noted in this thread faster than your ISP. Steve Gibson’s DNS benchmark portable program can help you choose: https://www.grc.com/dns/benchmark.htm
-
February 28, 2021 at 11:27 am #2346809
-
-
February 28, 2021 at 4:36 pm #2346857
AlbertMcCann623
AskWoody Plus
If you are going to use alternate DNS, you should set the IPv6 config as well, Win10 certainly uses it. I have been using the Cloudflare DNS for a while now, including their IPv6, which is also configured into our own router here:
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
Google's DNS is:
8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844
-
February 28, 2021 at 8:13 pm #2346909
krism
AskWoody Plus
Confused: I am connected laptop to SBR-AC1750 router to SB6141 modem to comcast coax. My computer says 192.168.0.1 which is the addy of my router, and my router says 1.1.1.1 and 8.8.8.8
So what DNS am I actually using?
- ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -
-
This reply was modified 1 month, 1 week ago by
krism.
-
February 28, 2021 at 10:00 pm #2346921
E Pericoloso Sporgersi
AskWoody Plus
my router says 1.1.1.1 and 8.8.8.8 So what DNS am I actually using?
Cloudflare as primary and Google as secondary (I think).
1 user thanked author for this post.
-
-
February 28, 2021 at 10:04 pm #2346922
krism
AskWoody Plus
my router says 1.1.1.1 and 8.8.8.8 So what DNS am I actually using?
Cloudflare as primary and Google as secondary (I think).
That would have been my guess, but wanted to make sure. Thanks!
- ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -
-
February 28, 2021 at 11:28 pm #2346935
-
-
February 28, 2021 at 11:28 pm #2346919
anonymous
Guest? says:
i just checked in the terminal using (nmcli device show <interfacename>) and see that they (1&2) are currently provided by comcast. not doing any manhattan project type work from here so is there any disadvantage to running stock ISP provided DNS servers? i also turned IPv6 off in the kernel because i like to be able to more easily identify the traffic…
-
March 1, 2021 at 1:17 pm #2347192
Michael432
AskWoody_MVP
DNS is brutally complicated. If you change your computer, be aware that on a laptop, Ethernet might use different DNS than Wifi. And, each WiFi network can be configured to use different DNS. And, the router might over-ride all the settings on the local computer. Or, the DNS settings in a web browser might over-ride both of them. Then too, a VPN and Tor play in the DNS game. Not to mention the transition from old DNS to new DNS. And, Android has a great Secure DNS feature, etc. etc.
There are a number of DNS tester websites listed here
https://routersecurity.org/testdns.php
But, again, the browser could be using one DNS provider and the OS outside of that browser could be using a different DNS provider.
Get up to speed on router security at RouterSecurity.org
-
This reply was modified 1 month, 1 week ago by
Michael432.
3 users thanked author for this post.
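Added example, not part of any post in this thread: one way to answer "what DNS am I actually using?" from `ipconfig /all`, listing the DNS servers per adapter (Ethernet and Wi-Fi can differ, as noted above) and labelling each address. The sample output, function names and labels are constructed for illustration; the Cloudflare and Google addresses are the ones quoted earlier in the thread.

```python
import ipaddress
import re

# Public resolver addresses quoted in this thread.
KNOWN = {
    "Cloudflare": ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"],
    "Google": ["8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"],
}
PROVIDER = {ipaddress.ip_address(a): n for n, addrs in KNOWN.items() for a in addrs}
# "   Label . . . : value"; the " :" separator never occurs inside an IPv6 address.
FIELD = re.compile(r"^\s+(.+?)[. ]* :\s?(.*)$")

# Constructed sample of `ipconfig /all` output (trimmed), not captured from a real host.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.0.23(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.0.1

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 2606:4700:4700::1111
                                       1.1.1.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def classify(addr):
    """Label one DNS server address by who answers behind it."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop an IPv6 zone id like %12
    if ip.is_loopback:                 # 127.0.0.1, 127.0.1.1: a resolver on this machine
        return "local stub"
    if ip in PROVIDER:
        return PROVIDER[ip]
    if ip.is_private or ip.is_link_local:  # e.g. 192.168.0.1: the router forwards
        return "router/LAN forwarder"
    return "other public resolver"


def dns_by_adapter(text):
    """Return {adapter name: [(address, label), ...]} from `ipconfig /all` text."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # unindented: banner or "... adapter X:" header
            in_dns = False
            current = line.rstrip()[:-1] if line.rstrip().endswith(":") else None
            if current:
                adapters[current] = []
            continue
        m = FIELD.match(line)
        if m:                          # a new field starts; is it the DNS list?
            in_dns, value = m.group(1) == "DNS Servers", m.group(2).strip()
        elif in_dns:                   # continuation line: one more DNS server
            value = line.strip()
        else:
            continue
        if in_dns and value and current:
            adapters[current].append((value, classify(value)))
    return adapters
```

A router or loopback address only identifies the forwarder, so the upstream has to be read from the router or stub configuration, and a browser with its own DoH setting does not appear in this output at all.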
-
March 1, 2021 at 2:58 pm #2347228
Microfix
AskWoody MVP
But, again, the browser could be using one DNS provider and the OS outside of that browser could be using a different DNS provider.
so creating a personal DNS system for individual devices, needs and functions for the operating system/s and however many browsers are on what systems and so on from your own home.
-
March 1, 2021 at 4:51 pm #2347264
Michael432
AskWoody_MVP-
March 3, 2021 at 4:35 pm #2347812
wavy
AskWoody Plus
OK
From your site
It is commonly thought that if the Operating System specifies DNS servers, they will get used. This is not always the case. Some routers (such as the Pepwave Surf SOHO) can force clients to use the DNS servers specified in the router. That said, my experience has been that this only applies to old DNS. Browsers that specified DoH type DNS servers had their requests honored.
Yet you would recommend Pepwave? This seems a scary transgression to me!
🍻
Just because you don't know where you are going doesn't mean any road will get you there.
-
March 3, 2021 at 5:48 pm #2347829
Michael432
AskWoody_MVP
Yes, I recommend Peplink/Pepwave. Their routers only do legacy plain text DNS, which is true of most routers. Given that, they can force router clients to use the DNS servers the router is configured with. This is a good thing, at least to me. It's optional, however, if you think it's a bad thing.
Get up to speed on router security at RouterSecurity.org
-
-
-
-
March 1, 2021 at 6:52 pm #2347286
anonymous
Guest-
March 3, 2021 at 5:51 pm #2347832
Michael432
AskWoody_MVP
Thank you. That is one strange IP address you have for a DNS server. I know that 127.0.0.1 is always your computer, but I have no idea what the other 127s are.
Get up to speed on router security at RouterSecurity.org
-
This reply was modified 1 month, 1 week ago by
Michael432.
-
March 3, 2021 at 7:17 pm #2347841
anonymous
Guest? says:
Michael,
the second 127.0.1.1:# (port) is actually :53 similar to Ascaris’ set-up shown in post 2346745 above. i’m using firefox which has Cloudflare option in Preferences>General>Network Settings>Settings>Connection Settings>Proxy. on a speed note running through Cloudflare does slow down the connection by roughly 25%. i have another linux with Chromium browser which more accurately utilizes the ISP’s 100Mbps advertised download speed.
-
-
-
-
March 1, 2021 at 5:11 pm #2347267
krism
AskWoody Plus
Again, laptop -rj45- SBR-AC1750 router -rj45- SB6141 modem – comcast coax.
I find that it is slowest if I change the laptop from default (the router addy) to 1.1.1.1, 8.8.8.8 .
Medium speed is laptop default (dns=router addy), and the router says dns= 1.1.1.1, 8.8.8.8 .
Fastest speed is laptop default and router default for DNS. (all tests to gmail.com)
It is 12 hops (VisualRoute Lite Edit.) no matter what.
Given that my isp is comcast, I am quite sure they know exactly what I am doing, regardless of if I use 1.1.1.1 or not. Am I wrong? Thanks!
- ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -
-
March 1, 2021 at 5:40 pm #2347276
Ascaris
AskWoody_MVP
Given that my isp is comcast, I am quite sure they know exactly what I am doing, regardless of if I use 1.1.1.1 or not. Am I wrong? Thanks!
They know the IP endpoints, necessarily (they have to in order to know where to send the packets), but if the connections are encrypted via HTTPS, they would not be able to see what data exactly you sent and received.
Group "L" (KDE Neon Linux 5.21.4 User Edition)
-
March 1, 2021 at 8:35 pm #2347315
Michael432
AskWoody_MVP
If you are worried about DNS speed, you are taking advice from the wrong people.
Without a VPN or Tor, your ISP can spy on you easily with DNS. Without DNS, spying is much harder. They can see the IP addresses of computers you interact with but I really doubt that that tells them much.
With HTTP they see everything. With HTTPS they may be able to see the domains you visit, depending on whether a site uses HTTP version 1.2 or 1.3. With mobile apps you have no way to tell if its HTTP or good HTTPS or bad HTTPS.
If privacy is a concern, use a VPN or Tor. They are not perfect, but they do hide your activities from the ISP.
Get up to speed on router security at RouterSecurity.org
1 user thanked author for this post.
-
March 1, 2021 at 8:40 pm #2347318
Kirsty
Manager
I remember checking my speed options when Cloudflare started the 1.1.1.1 DNS, using GRC’s DNS Benchmark, and due to location, the speeds were significantly degraded using such services directly.
-
March 3, 2021 at 6:00 pm #2347835
Michael432
AskWoody_MVP
The DNS speed test is old, legacy un-encrypted DNS only. Also, if you are using a VPN or Tor you have no choice about DNS servers. I have not yet seen anything about the performance of encrypted DNS. Certainly the first request will be very slow, then it depends on how long the HTTPS connection to the server is maintained. I suppose encrypted DNS is like a VPN, in that if you want the privacy, you agree to a performance hit.
Get up to speed on router security at RouterSecurity.org
-
-
March 1, 2021 at 9:12 pm #2347329
krism
AskWoody Plus
Privacy is not really a concern, though I did put 1.1.1.1, 8.8.8.8 back into the router dns setting.
I would go with a vpn but last time I checked, even the expensive ones were about 50% overhead, so I’ll pass on that.
- ThinkPad T530-2394-3J8, i5-3380M 2.9GHz, UEFI/GPT: (Win10 20H2 Pro x64), 8GB(15GB/s), Sammy 500GB SSD. -
-
-
-
March 1, 2021 at 9:10 pm #2347328
Perq
AskWoody Plus
This website will tell you your currently assigned ISP or VPN IP address as well as what DNS service you are actually using from your computer (regardless of what you think you have set):
:W10Pro 20H2 19042.867
Dell OptiPlex 990-
March 1, 2021 at 10:51 pm #2347339
Kirsty
Manager
Have you read @michael432’s webpage linked above? He has a number of such resources, with various information about them 🙂
DNSLeakTest is the first listed.
3 users thanked author for this post.