General Safe-Guarding YOURSELF ONLINE

Gass

Don't take DNS (global - Domain Name System) for granted.

This is geared for the device user (internet capable devices) and not for a website/webpage owner.

Put very simply, the job of DNS (Domain Name System) servers/resolvers is to resolve public web addresses and/or domain names to their underlying TCP/IP numerical addresses. Again, the DNS is like a phonebook for the Internet and plays a critical role translating domain names, which are easy for people to remember (e.g. websites), into the numerical IP (Internet Protocol) addresses that computers need to know to communicate with each other.

This sounds like a straightforward process, but there are a number of variables that affect its performance and security. The most obvious of these is simply the round-trip time between a client device and the DNS server itself, which will depend on geographical proximity as well as response times from any other DNS infrastructure involved in a query.
By default, a computer will use the default DNS server of the network it is connected to, which will be provided by the service provider or ISP. The user can manually adjust that setting, either on a one-off basis or indefinitely. DNS assignment really is a matter of preference by the single computer user.

What settings should I use?
If you are changing your DNS settings to something in particular, then you should already know the settings you require (for example a SmartDNS provider will tell you the settings you need in order to use its service).

Note:
If using a VPN, all DNS requests should be sent through the encrypted VPN tunnel direct to your VPN provider’s DNS servers. If this is not happening then you have a DNS leak. Knowing how to change your DNS settings can still be useful, however – for example when a VPN drops its connection and then cannot re-establish it because your DNS settings still point to your VPN provider (which it cannot contact because the VPN is not working).

This DNS translation process is usually performed by your ISP, but when using a VPN all DNS requests should be sent through your encrypted VPN tunnel, to be handled by your VPN provider instead. Using the right scripts, a website can determine which server resolved a DNS request directed to it. This will not allow it to pinpoint your exact real IP address, but will foil attempts to geo-spoof your location. Most VPN providers run their own dedicated DNS servers in order to perform this DNS translation task themselves, but some make use of public DNS services such as Google DNS instead. Although not ideal, this is not the privacy nightmare it might seem at first, as the DNS requests appear to come from your VPN provider, not your real IP. Unfortunately, internet traffic does not always get sent through the VPN tunnel as it is supposed to, and is instead resolved by your ISP.
You can read more on the specifics here: https://www.bestvpn.com/a-complete-guide-to-ip-leaks/

Note the "Smart Multi-Homed Name Resolution" problem on Windows 8 and onwards, described in the above link.
Under Windows 7 all DNS requests were made in simple order of DNS server preference, but this changed in Windows 8 when Microsoft added “Smart Multi-Homed Name Resolution” by default. This sends out DNS requests to all available interfaces, but only uses non-preferred servers if the main DNS server failed to respond.
This makes Windows 8.x systems somewhat liable to DNS leaks, but Windows 10 makes the situation much worse as it simply chooses whichever DNS request responds quickest. In addition to being a major security risk, there are also reports of Windows 10 users suffering slow page loading and timeouts due to this issue.
A new “feature” in Windows 10 means that DNS requests are directed not just through your VPN tunnel, but also through your ISP and local network interface. This is because by default Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resources at once, and (at least in theory) using the fastest one.
This problem has led the United States Computer Readiness Team (US-CERT), an official department of the US Department of Homeland Security, to issue an alert.

Public DNS services - worthy of your privacy
DNS.Watch
Available on 84.200.69.80 and 84.200.70.40, DNS.Watch is almost unique in offering an alternative DNS service without the website logging found on most others. We quote: “We're not interested in shady deals with your data. You own it. We're not a big corporation and don't have to participate in shady deals. We're not running any ad network or anything else where your DNS queries could be of interest for us.” https://dns.watch/index

VeriSign Public DNS
Not to be outdone, VeriSign recently started offering public servers on 64.6.64.6 and 64.6.65.6 - Interestingly, the company made a big point in saying it would not collect data on users of the service, a sign that privacy is starting to become something companies believe they can market themselves on. What VeriSign gets from this setup is intelligence on the sorts of malicious sites real users attempt to visit. https://www.verisign.com/en_US/security-services/public-dns/index.xhtml

Freenom World http://www.freenom.world is a fast and anonymous Public DNS resolver on 80.80.80.80 and 80.80.81.81
ISPs or large advertising networks can use your DNS requests to track your viewing habits, insert targeted ads or even throttle your connection. Point your DNS settings to Freenom World and protect your privacy. Unlike other DNS providers, like large advertising networks, Freenom does not store any IP addresses in its log files. Log files are kept for statistical reasons only and exclude any IP addresses or other personally identifiable information.
Windows 10 -
Windows 8 -
Windows 7 -
Windows Vista -
Windows XP -
Apple OS X - https://youtu.be/VuAOP1oajeg
Apple macOS - https://youtu.be/VuAOP1oajeg

It is important to remember that there is probably no single DNS service that will do the job for everyone. The one that delivers the best performance for one company or individual might not do so for someone else. This is why it is important to run some tests.

This site also has pretty good instructions, with pictures, on changing DNS settings for these as well:
Windows
Mac OSX
Linux (Ubuntu)
iOS
Android
DD-WRT
Appendix
https://www.bestvpn.com/how-to-change-your-dns-settings-a-complete-guide/#append

IPv4: this can be carried out for every PC connection (separately for wired Ethernet and wireless) or for every device on a network through the network router’s DNS settings panel.
IPv6: public IPv6 servers are also offered by providers but it’s best to steer clear of them for now. So (optionally) disable IPv6 by un-ticking its box when changing your “Internet Protocol Version 4 (TCP/IPv4)" DNS settings.
[Before you change your DNS settings in Windows 10/8/7 to use any other DNS, be sure to write down the current server addresses (if any are listed) or the settings on a piece of paper, text file, screenshot, etc. keeping it somewhere safe. It is very important that you keep these numbers for backup purposes, in case you need to revert back to them at any time.]

Mobile devices: Changing DNS servers on mobile platforms such as Android is more complex than for a PC. Android allows users to do this for Wi-Fi, but it will only remember the setting for that network, for example when a user is at home or work. It also requires the user to set a static IP address so no DHCP. There are a couple of apps to help with this on Android, DNS Changer and DNSet. Unfortunately, this approach can’t be extended to 3G or 4G without Android's root access – so carrier access still requires accepting the default DNS.

Privacy: Most of the services promote themselves on filtering security, which inevitably means they are gathering data on websites visited. You could argue that this is true of all DNS systems, including those from the ISPs that most people use quite happily. But it is not always clear where this data is stored, nor what use it might be put to by those collecting it. Information is valuable in today’s Internet economy, so be aware that a 'free' service might have hidden privacy downsides.

Security: Unfortunately, DNS was not built with security in mind, and it is vulnerable to a number of attacks, the most important of which is a “man-in-the-middle” attack known as DNS spoofing (or DNS cache poisoning), where the attacker intercepts and redirects a DNS request. DDoS attacks on DNS servers underscore the system’s vulnerability – no website whose DNS servers have been overloaded will be able to conduct much business - but other security issues abound including cache poisoning (redirecting users from legitimate to fraudulent DNS servers). This was a major impetus behind the Domain Name Security Extensions (DNSSEC) security layer used to authenticate name servers for those providers supporting it.

Edited from the source of the original content, http://www.computerworlduk.com/security/best-6-free-dns-services-boost-internet-performance-security-3632790/, with content added from the other links mentioned herein.

Additional Resources:
In depth guide to DNS - http://cdn2.hubspot.net/hubfs/369936/WHITE_PAPERS/DNS_eBook.pdf?t=1449773580428
Understanding the DOMAIN NAME SYSTEM (DNS) -
https://www.tributemedia.com/blog/understanding_domain_name_system_dns
Understanding DNS record types - https://www.name.com/support/articles/205516858-Understanding-DNS-record-types
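As an added example (not from the post above, bestvpn.com or computerworlduk.com), here is the Windows procedure described in the post as a PowerShell script: it writes down the current IPv4 DNS servers of one adapter before changing them to the DNS.Watch addresses listed in the post, unbinds IPv6 from that adapter, turns off the Windows 8+ "Smart Multi-Homed Name Resolution" the post warns about, and can restore the saved settings. The adapter alias 'Ethernet' and the backup file path are assumptions; run it from an elevated PowerShell on Windows 8 or later.

```powershell
# Added example: back up, change and restore a Windows adapter's IPv4 DNS servers,
# and disable Smart Multi-Homed Name Resolution. Requires an elevated prompt.
$Adapter    = 'Ethernet'                                  # assumption: your interface alias
$BackupFile = "$env:USERPROFILE\dns-backup-$Adapter.json" # assumption: where the backup goes
$NewServers = @('84.200.69.80', '84.200.70.40')           # DNS.Watch, as listed in the post

function Backup-DnsSettings {
    # Record the servers currently in use (an empty list means they came from DHCP).
    $current = Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4
    ConvertTo-Json -InputObject @($current.ServerAddresses) | Set-Content -Path $BackupFile
    Write-Host "Saved current DNS servers to $BackupFile : $($current.ServerAddresses -join ', ')"
}

function Set-PrivateDns {
    # Point the adapter at the chosen resolvers and, as the post suggests, drop IPv6 on it
    # so no IPv6 resolver handed out by the network is used alongside them.
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $NewServers
    Disable-NetAdapterBinding -Name $Adapter -ComponentID 'ms_tcpip6' -Confirm:$false
    Clear-DnsClientCache   # forget answers obtained from the old resolver
}

function Restore-DnsSettings {
    # Revert to the servers saved by Backup-DnsSettings, or back to DHCP if none were set.
    $saved = @(Get-Content -Path $BackupFile -Raw | ConvertFrom-Json)
    if ($saved.Count -gt 0) {
        Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $saved
    } else {
        Set-DnsClientServerAddress -InterfaceAlias $Adapter -ResetServerAddresses
    }
    Enable-NetAdapterBinding -Name $Adapter -ComponentID 'ms_tcpip6'
    Clear-DnsClientCache
}

function Disable-SmartNameResolution {
    # Registry value set by the Group Policy "Turn off smart multi-homed name resolution",
    # which stops Windows 8+/10 from querying every interface's resolver in parallel.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DisableSmartNameResolution' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

Backup-DnsSettings
Set-PrivateDns
Disable-SmartNameResolution
# Show what the adapter now uses; run Restore-DnsSettings to go back to the saved state.
Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
    Format-List InterfaceAlias, ServerAddresses
```

A DNS leak test site (as the post recommends) run after the change should show only the configured resolvers answering; the policy value takes effect after a reboot or a DNS Client service restart.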

Gass

This is probably one of the best sites on the net (that isn't biased or sponsored by VPN providers) that lists VPN providers along with their feature sets (and how well they do with privacy, etc.):
https://thatoneprivacysite.net/
I second that ;)
Then I'd suggest TF's in-depth reviews of the logging policies of VPN services. User comments there can give some insights as well; I'm not saying there isn't any bias or sponsoring done there, as I just don't know. What I liked about it is that it's been running for a few years now and one can look back (2017, 2016, 2015) at a VPN provider's responses to the questions asked and see any changes they've made in their VPN service with regard to the specific questions asked in TF's reviews of them. I'm taking it that the updated TF years cover what has really changed and aren't just relaying answers already given in past years.
https://torrentfreak.com/vpn-services-anonymous-review-2017-170304/
Gass

Gass

3 Malware Distribution Methods You Really Need to Beware Of

How much do you know about malware distribution methods on the Internet? People are beginning to wisen up regarding old tricks such as the “Nigerian Prince” emails and the like, and as such aren’t falling for them as much as they used to. (A ploy to get your personal info by promising a reward for helping free up large amounts of money held by foreign governments, as if your help mattered.) That doesn’t mean the malware developers have given up, however; it just means they’ve become more covert.

One way a malicious user can get access to your data is by playing off your day-to-day life routines. An action that you consider harmless and inconspicuous could actually be used by an attacker to put malicious software on your system. Here are a few examples of how malware distributors can hijack your daily routine and really ruin your day.

1. Cut and Paste Exploit
When you’re looking up how to enter a specific command into your Windows Command Prompt, a website displays the command, so you copy and paste it directly into the terminal. Only after you execute it do you realise you’ve pasted a totally different command into your terminal, and it’s probably doing something you’d rather it not.

This is the unusual case of “pastejacking”, where a user’s copy-paste command is hijacked using JavaScript code. When the user goes to copy text, a “keydown event” is triggered because of the key presses. This event waits about a second, then plants text into your clipboard. Due to the time delay, this overwrites what you’ve copied, so you end up pasting what the keydown event gave you rather than what you actually copied. It’s one of the stranger malware distribution methods given it’s something you input into your own PC, rather than something you download and run.

Complex commands, such as the chkdsk command (shown in the original article-source link at the end), are easily forgotten by users. As such, people are always hunting for websites that allow them to copy-paste the command straight into their terminals, which gives malware distributors a great window to do their work. All they need to do is enter a particularly nasty command into the keydown event, and you have a recipe for disaster. Even worse, it’s possible to add suffixes that auto-run the command as soon as it’s pasted, leaving you no time to realize your mistake.

So how do you combat this? When you’re going to copy-paste a command into an important terminal, paste it in something like Notepad first and make sure it’s going to do what you think it will. If you see that your command has somehow “morphed” between the copy and paste, don’t run the new result!

2. False “Download Now” Buttons
When you’re looking for a download site for a program, you come across a website that has said program. Great! You go to download the file, click the green “Download Now” button you see, and install the program. Except, the program that opens up is nothing like the program you actually asked for.

In this case, a “false download” may have just tricked you. Some websites that focus on distributing free and legal software (such as CNET) have advertisements around their download page. Some of these adverts will have their own “Download Now” button to try to trick people into clicking their advert instead of the download they actually want. Here’s an example (shown in original article-source link at end) we found on CNET to download Malwarebytes.

Do you see the advert at the top? If you clicked that, you definitely won’t be installing Malwarebytes; in fact, if you’re unlucky, you may need Malwarebytes to get rid of whatever that program installed on your system!

It’s one of the craftier malware distribution methods out there, as it plays on our tendency to act impatiently and click on the first “Download Now” button we see. When downloading software, make absolute sure that the button you’re clicking on is the correct one, and don’t hastily click a button that says “Download Now” on it until you’re sure it’s the one you actually want.

3. Messages and Posts from Friends
When you’re using your favorite social media website, a friend contacts you. They say that someone has recorded you doing something embarrassing and send you a link. Given that they’re a best friend, you have no reason to distrust them, so you click the link. But it turns out your “best friend” is actually a chat bot set up to fool people into clicking malware links.

The social media malware post is one of the more nefarious examples of malware distribution methods, as it plays off your natural tendency to trust everything your friend sends you. It usually starts off with your friend either having their account hacked or being tricked by the virus themselves. Once your friend is infected, the virus posts instant messages or feed posts asking friends to click on a link. These can be anything from asking you to check a website, to saying they won the lottery, to advertising a “cool new app” which is actually a virus.

So how do you dodge this trick? First, if a particularly grammar-strict friend of yours sends a message along the lines of “omg u have 2 see this,” immediately suspect any links they’re trying to get you to click. Likewise, if your friend posts a link to a product or an app that you’d never think they’d normally post, treat it with suspicion. To validate that your friend is actually a human being, talk to them before clicking any links they have posted. If this is on IM, chat bots are often programmed to deny any claims that they’re a bot. To tackle this, ask a question only your friend would know. If your “friend” trips up, it’s a trick! Be sure to warn your friend so they can take back their account.

Wrapping it up - Modern-day malware distribution methods are no longer the obvious ploys we’ve come to know them as. Given how information can travel the Internet at lightning speed, malware tricks can be all out moments after they’ve been released. Distributing malware is no longer about convincing people to click a link in a phishing email; it’s about hijacking a routine you’ve performed for years and leading you straight into a trap. Keep an eye out for these ploys in your daily life and stay vigilant; your “safe routine” may not be as safe as you first think!

Small edits from original source: https://www.maketecheasier.com/malware-distribution-methods-you-to-know/
See the comments on the source, as one caught my eye: the copy-and-paste hijack is a protection that should probably be built into browsers, along with the target=”_blank” vulnerability. https://dev.to/ben/the-targetblank-vulnerability-by-example

Special NOTE to Adguard Admin's and Mod's: sent private message.

Gass :D

Gass

@anajames
2. Get software ($$$) to prevent ransomware attacks, I use Malwarebytes 3 premium myself, there are others https://blog.malwarebytes.com/101/2016/03/how-to-beat-ransomware-prevent-dont-react/
I am still liking Malwarebytes 3.0 because it has a Ransomware detector which is extremely important currently, it is still slightly buggy but much better and worth a look, NO I don't sell it, I'm just a lifetime licensed user of Malwarebytes
I was happy to find out Malwarebytes still honors my lifetime license, I've installed mb3-setup-consumer-3.1.2.1733-1.0.141-1.0.2092 and as you've said it does offer a Ransomware feature - which is nice to see from the version I had used long ago without any, back then it wasn't even a term to consider more or less a threat on the horizon.

Since this is a good thread to speak of it, any tips, and what kind of bugs are there?
I've two questions if you care/can answer: what is meant by the selections to choose in the "Windows Action Center" options? I'm using the recommended one now but just wondering about the other two there.

Then in the Exploit Protection, I get that the advanced settings are for suggestions from Malwarebytes Technical Support to a user and shouldn't be experimented with. But under "Manage Protected Applications" (the user-adjustable section outside of the advanced settings) there are a lot listed that I don't even have installed on my system and they're in an "ON" state. I was wondering whether there is any harm in turning off (not uninstalling) the ones I definitely don't have installed, and would that save on any system resources? Not that my system has slowed any with the main program install (MB3).

Not looking for an expert's advice, just user logic as one user to another. Thanks :)
Gass

Gass

To complete Gass post - - - which can help you to understand and choose.
Anyone is free to have an opinion and/or comment here (heck, I welcome it, them and all), but to lead out with a misnomer that my post wasn't complete: it is, as I see it, and with regard to the logic in the advice and suggestions I have made, which I felt comfortable giving to anyone trying to understand. No sense sending them into deep water over their heads, treading the tides, to see the privacy issues many Free DNS have for anyone using them.
Anyways / No harm - No foul, possibly a mistake of the English word used or what you actually wanted to offer and say. All is good and peace within :)

My prior post was fully as complete as I wanted it in referencing DNS servers to consider from a privacy viewpoint: the 3 "Free" DNS servers I've mentioned mean your data is going to a low-logging, unfiltered DNS server provider, whereas many public Free DNS providers log your DNS queries on their servers and can censor websites via DNS, or simply implement a fuller logging policy, resulting in logging your entire browsing history, accurate down to the second; all that data.

Basically, the DNS server sees virtually everything you access online simply by focusing on the DNS requests you make. It knows who, when and how someone has accessed a website and adds this info into a database. Therefore, it can even profile you, sell this data on to others who then profile you, or both; totally possible.

In the case of not changing your DNS settings, your ISP has your DNS records, which might then end up in the hands of advertisers. AT&T for instance is known to sell such data, unless customers pay the company not to allow this to happen. Also, it might end up in the hands of the government, forcing ISPs to log and provide DNS logging data.

I might add one more for a total of 4 that I feel comfortable with in suggesting for people to use and it is-
UncensoredDNS - https://blog.uncensoreddns.org/dns-servers/ it's a solo Danish guy and from their FAQ you'll see-
Q. Do the UncensoredDNS DNS servers log any personal information?
A. Absolutely nothing is being logged, neither about the users nor the usage of this service. I do keep graphs of the total number of queries, but no personally identifiable information is saved. The data that is saved will never be sold or used for anything except capacity planning of the service.

Conclusion:
Keep in mind that even if DNS is insecure by design, in general, if an ISP doesn't have DPI (Deep Packet Inspection) measures in place, you're fairly safe by using a 3rd party DNS. DPI is very expensive and not as easy to implement efficiently as simply enabling logging on their own DNS recursive resolvers. Therefore, that's a main reason why most ISPs wouldn't engage in such practices and likely focus on their DNS resolvers hosted on-premise.
Mobile users can change the DNS service for the WiFi connection only. In the case of a mobile connection, it only works for rooted smartphones. (Jailbroken Apple phones I have no idea about here?)

Quick sum-up, and insights-

Problems:
-DNS is broken as it is. Very little effort has been made to improve it, from security and privacy points of view.
-Not much can be done for mobile devices using mobile broadband connections (requires root). They will always use the carrier DNS.
-It is the easiest, cheapest and most effective mass-surveillance and censorship method. All repressive governments and spying agencies love it.
-There are some easy fixes, such as using a 3rd party DNS instead of your own ISP's. Not a perfect method, but good enough. Read up on any one you'd consider and know what the bottom line is for your privacy, by logs kept or anything else; as it's Free, you could be the product then. . . :oops:
-Attackers can easily profile your browsing history as well as software that you have installed, then launch accurate targeted attacks against such software.
-This is not about "DNS leaks" or using VPNs in general, but about one of the elephants in the room. DNS leaks: I'd suggest you find some testing sites, as this is detailed in other articles.

Solutions:
-Never use your ISP's DNS. Use 3rd party services. Almost any 3rd party DNS service is better than your ISP's. Most common services use anycast to ensure low latency regardless of your geo-location. Therefore, there's no noticeable delay. Remember the bottom line for your privacy from above, and look for something reassuring being documented on the DNS site of the settings you'll use.
-Use DNSCrypt.
-Increase awareness by telling others what the problems with DNS are. The more people who know about it, the better chance we will have of encryption being standardized into the DNS protocol, so that it's a standard used by the masses and by DNS servers.

Further reading:
DNS hijacking - https://en.wikipedia.org/wiki/DNS_hijacking
Pretty Bad Privacy: Pitfalls of DNS Encryption - https://www.ietf.org/mail-archive/web/dns-privacy/current/pdfWqAIUmEl47.pdf
DNS Censorship (DNS Lies) As Seen By RIPE Atlas - https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes

Gass :D

Gass

Hmmmm, what's a good, fast, non-logging third-party DNS for the US these days? :D
Any reason for a US one? As I've reported: "Most common services use anycast to ensure low-latency regardless of your geo-location."
Privacy may be good in the US or not; I'm not sure and haven't looked into it specifically. I'll try to answer these for you :)

Boo Berry

Actually, latency is the reason why I prefer US-based DNS. Not really tested too many, but the fastest DNS I've ever encountered is Google's public DNS. But that's hardly a "privacy" focused DNS. ;)

Lately with DNSCrypt I've been using d0wn Resolver USA #2 as my primary and #4 as the secondary. Just wondering if there's any "better" US-based DNS these days. Granted, it's been a long while since I've done anything in regards to DNS, but I *do* plan on getting DNSCrypt on my DD-WRT router at some point (whereas right now I'm running the client on the OS).

Gass

Just wondering if there's any "better" US-based DNS these days
I *do* plan on getting DNSCrypt on my DD-WRT router at some point
Those are presales questions - correction (DNSCrypt is totally free) [donations accepted], so pre-use questions. I'd ask DNSCrypt for any information, asking for a specific US-based DNS list with the following point in mind: "Paying attention to the fact that some resolvers do not support the DNS security extensions (DNSSEC)." Then come to an understanding of the following.
[I see no contact listed, no forum, only for support - https://github.com/jedisct1/dnscrypt-proxy/issues ]

Pros and Cons in deciding how to "Take control of your DNS traffic"
Aside from implementing the protocol, common DNSCrypt clients give a lot of control on the DNS traffic.
-Using DNSCrypt in combination with a DNS cache.
(For optimal performance, the recommended way of running DNSCrypt is to run it as a forwarder for a local DNS cache, such as Unbound or PowerDNS-Recursor.)
-Deployment: The local network is usually the most vulnerable network segment against active attacks such as DNS spoofing. The DNSCrypt server can run on the router, along with a modern DNS resolver. Clients can then run the client code of DNSCrypt, leveraging the router DNS resolver.
(Alternatively, companies, organizations and individuals are running public DNS resolvers supporting the DNSCrypt protocol. These can be used as an alternative to running a DNSCrypt server and a DNS resolver on the router. For maximum protection, DNSCrypt client can run on every client device. Or if you totally trust the local network, the DNSCrypt client can run on the router instead. Finally, you can run your own DNSCrypt server on a remote, trusted network, to get full control over what the resolver is doing and logging.)

Use dnscrypt-proxy, Simple DNSCrypt, and OSXClient to:
•Review the DNS traffic originating from your network in real time, and detect compromised hosts and applications phoning home
•Locally block ads, trackers, malware, spam, and any website whose domain names or IP addresses match a set of rules you define.
•Prevent queries for local zones from being leaked.
•Reduce latency by caching responses and avoiding requesting IPv6 addresses on IPv4-only networks.
•Force traffic to use TCP, to route it through TCP-only tunnels or Tor.

Of Note:
Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn't prevent third-party DNS resolvers from logging your activity.

By design, the TLS protocol, as used in HTTPS and HTTP/2, leaks websites host names in plain text, so DNSCrypt is not enough to hide this information.
https://dnscrypt.org/

Lastly -
Using Google here - there - anywhere just builds a stronger link to yourself in data and a profile, e.g. gmail, apps, store, browser, maps, DNS, etc... - thoughts???

Gass

@Boo Berry
https://wiki.opennic.org/doku.php
Might be something to look into?
Well, if you check out this list, you can understand how widespread the server infrastructure of OpenNIC DNS is, and there is an option to find the best DNS server that is near to your location. By doing so, you will be able to choose the corresponding server details and use them for enhanced connection and speed. You just have to visit the website and OpenNIC DNS will tell you the most appropriate DNS server for you.
- - - - - - - -
https://www.lifewire.com/free-and-public-dns-servers-2626062
The Small print on the bottom of this page has some helpful bonus info. [1-15]
- - - - - - - -
It's in print for these two services; reality may be a different matter though???

hide.me’s Self-Managed Anonymous DNS Servers
Most internet users typically rely on their ISP’s DNS server or 3rd party services, which tend to monitor and log internet users’ activities and block access to certain websites. These DNS servers are unencrypted and vulnerable to hacker attacks. At hide.me, we run our own DNS on every server. When you connect to hide.me VPN, all your internet traffic will be routed via the same tunnelling protocol and protected with the same level of encryption using hide.me’s DNS servers.

VyprDNS - Encrypted, Zero-Knowledge DNS
Internet users typically rely on their ISP's DNS servers or a 3rd-party DNS, which are often configured to comprehensively log your internet activity and censor websites - even if you use a VPN.
VyprDNS is Golden Frog's 100% owned and operated service available exclusively for VyprVPN users. We developed our zero-knowledge VyprDNS service to increase user privacy and defeat censorship across the world. VyprDNS is included with all plans and is active whenever you use VyprVPN.

Even my paid VPN has something about this-
DNS security & privacy done right
  • We use our own private DNS resolvers for all DNS queries by our customers
  • All DNS queries are encrypted (AES 128-bit) to protect customers against 3rd party DNS monitoring and hijacking
  • DNS resolvers do not log DNS queries
  • We generate millions of DNS queries per day, and these are mixed with legitimate queries from VPN users to make sure that potential monitoring of our DNS resolvers will be ineffective
I liked that mine goes into the encryption used with DNS queries, acknowledges that potential monitoring is possible, and sets out to make it an abstract and ineffective data capture by running a query generator service on each DNS resolver. Basically, they're generating "noise" to counteract monitoring, and it's virtually impossible to match a user's DNS queries within the "flood" of queries they send to the DNS root servers directly.
DNS queries are protected against MitM hijacking, snooping and wiretapping. They have their own private DNS resolvers outside of the US and UK. All DNS queries sent by VPN users are forwarded by their VPN servers to the private resolvers, through encrypted tunnels.

So, effectively, self-hosted, encrypted DNS services that do not rely on 3rd parties. No logs, not even from common Linux daemons, are kept on VPN servers. They don't use 3rd party tracking services on their website (Google Analytics, tracking beacons, “Like” buttons etc.).
Not a plug as I haven't mentioned their name - anyone wishing to know just PM me for it.
Gass :D

Add-Edit:
Bottom line looks to me as: DNSCrypt only authenticates DNS traffic, and doesn't prevent third-party DNS resolvers from logging your activity. Whereas a VPN service which self-hosts its own private encrypted DNS service for all your DNS queries with no logging is a strong point to consider then. . .

Bruno

Nice knowledge about DNS. However, if someone wants to get privacy, why not use a VPN provider which provides its own DNS? Anyway, you will have to use a VPN at a certain time, and if you want to make sure that the flow within the DNS is encrypted and that the provider does not keep any log, I think it's easier to find the right service provider which ensures you full privacy and security from end to end. Does it make sense? Also, I do not believe in free services, especially on security matters, because there is always a catch hidden somewhere.

Personally this is what I did when I chose NordVPN, which has its own DNS servers.
"NordVPN native applications automatically use our NordVPN DNS servers when connected to NordVPN. This is done to prevent DNS leaks when connected, ensuring that your DNS requests are safe."
 

Gass

Member
Nice knowledge about DNS. However, if someone wants to get privacy, why not use a VPN provider which provides its own DNS? Anyway, you will have to use a VPN at a certain time, and if you want to make sure that the flow within the DNS is encrypted and that the provider does not keep any log, I think it's easier to find the right service provider which ensures you full privacy and security from end to end. Does it make sense?
I totally agree with you on a VPN and its own DNS combo or package. The best deals are found on Black Friday for a year's subscription.
I'd also add trying out a few beforehand (a 1 month subscription to the ones of interest to you) before the year's plunge.

Also, I do not believe in free services, especially on security matters, because there is always a catch hidden somewhere.

Personally this is what I did when I chose NordVPN, which has its own DNS servers.
"NordVPN native applications automatically use our NordVPN DNS servers when connected to NordVPN. This is done to prevent DNS leaks when connected, ensuring that your DNS requests are safe."
Again I totally agree, as if it's free then very possibly you're the product (the data you generate, and that is sold), allowing you the so-called free ride. Nice to see you here again :)
 

Bruno

Member
FYI I tried them all with a free trial on iOS and OSX. As a result I chose NordVPN. They have right now a 72% discount on a 2 year subscription, which gives you a $3.29 per month deal.
Code:
https://nordvpn.com/order/?feature=1&coupon=2YDeal2017&2year=&language=en
My 2c feedback.

First of all I want to say that I have a 1Gb fiber optic internet connection on an MBP at home, with a 500Mb Wi-Fi ac connection on my iPhone 7 Plus.

I tried all the VPNs which offer a free trial or free Gb or Mb usage.

The fastest was F-Secure Freedome VPN, which provides around 300Mb speed.
NordVPN arrives second with 250Mb.
Others like Windscribe, PureVPN or TunnelBear are under 100Mb.
VyprVPN or OpenVPN are under 50Mb.

Regarding Netflix only Freedome and NordVPN do the trick. Same thing for Chinese users.

For basic users Freedome is an excellent choice; it also offers adware and tracking protection.

NordVPN offers special servers for the type of usage you are looking for (Double VPN, Onion over VPN, Anti DDoS, Dedicated IP, P2P, Standard).
It also has its own DNS servers, but you can change them and add your own if you want to.

Both VPN are compatible with Adguard! ;)


Freedome is more stable than NordVPN because it never drops the connection.
However, you will face issues with your email application, because it seems that F-Secure cannot solve a problem where you cannot send and/or receive emails. The only solution today is to disconnect the VPN.

You will not face such an issue with NordVPN. However, the connection will drop a few times during the day (twice per day on OSX, more on iOS).
Fortunately you have the Kill Switch option, which will kill your connection until NordVPN connects again.

In conclusion, none is perfect. So when you choose, you will have to make some compromises.
 

Gass

Member
Nice knowledge about DNS
Thanks, my hat doesn't fit my head now - ha ha!
One can read a lot, as I do, but practical application in experience is where the true knowledge is, I feel; would you agree? Logic leads to a blueprint in thoughts, and then hands-on aptitude leads to a hardwired application in experiences. Both are needed, or each complements the other in the long run of one's life.

That's the way I feel in my own applications of knowledge. Kind of the way I feel artificial intelligence is not headed: a machine is only capable of learning, but not of the feelings that round out the equations of the human learning experience. To me that's the determining factor that surrounds intelligence - could a machine become as smart, with feelings, as a pet (possibly), as a human (never)?

Back to DNS - Adguard DNS (overlooked and sorry Adguard team), with it users can easily make their own Internet connection safe from trackers, phishing, and even advertisements. Adguard has a pretty advanced advertisement blocking system already available on PC and Mac that works very, very well. With their public DNS servers, Adguard has brought this advanced technology to networks as well. For those looking to block advertisements over their networks rather than adding a browser extension, this is one to try.
Adguard has very clear instructions covering setting up on most systems. https://adguard.com/en/adguard-dns/overview.html

I guess if you're an advanced user, you could be interested in DNS Jumper, namehelp and Simple DNS Plus.

DNS Jumper: (freeware, portable)
1. It can aid in accessing blocked websites
2. It can improve security by changing to more secure DNS servers
3. It can help keep your children safe by blocking inappropriate websites (e.g. adult material) by selecting a Family Safe DNS server.
4. It can speed browsing by moving to a faster DNS server
5. Changing DNS servers manually can be done, but DNS Jumper greatly simplifies the process

DNS Jumper 2.1 has some new and important features, such as Turbo Resolve, which can apply the fastest DNS at startup. DNS Jumper is freeware and portable (no installation needed). DNS Jumper can add any resolver service that you require and switch easily between different ones.
How to change to a custom DNS server (setting your preferred ones):
Easily add a custom DNS server by first ticking the ‘Custom DNS server’ box,
and then type (or paste) in the IP address you wish to add.
Do the same for the alternate IP address. Then click the ‘Apply DNS’ button.
http://www.sordum.org/7952/dns-jumper-v2-1/

Namehelp: - EECS Department, Northwestern University
End-host solution to improve web performance with remote DNS by obtaining more accurate redirections to nearby content delivery network servers.
The problem comes from the hidden interaction of DNS with another useful and equally transparent service in the Web — Content Delivery Networks.

Most popular websites, over 70% of the top 1,000 most popular sites, rely on Content Delivery Networks (CDNs) to deliver their content fast, wherever you happen to be. To ensure high performance, CDNs replicate the website content on some of the hundreds or thousands of servers around the world and redirect users, again transparently, to the copy nearest to them.
As it turns out, using public DNS services can result in seriously bad redirections sending users to get their content from CDN replicas that are three times farther away than necessary!

— use public DNS without compromising on Web performance. namehelp runs personalized benchmarks in the background, from within your computer, to determine your optimal DNS configuration and improves your Web experience by helping sites load faster. If it finds that you are receiving less than optimal Web performance, namehelp automatically fixes it by cleverly interacting with DNS and CDNs to ensure you get your content from the nearest possible copy.
http://aqualab.cs.northwestern.edu/projects/151-namehelp

Simple DNS Plus: (costs) - you receive one year (minor or major update) of free upgrade protection.
Run your own DNS service at a cost. It even allows you to create your own DynDNS service. This way you don't have to rely on anyone else and you have complete control over all your DNS needs. You can (easily) assign names to your own internal devices regardless of what O/S they happen to use, or no O/S at all. Bypass having to rely on an external DNS service, given how necessary it is to EVERYTHING you do online.
Features - http://simpledns.com/features
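Two checks that go with the tools above, written here as an added example (it is not code from DNS Jumper, namehelp, Simple DNS Plus or anyone in this thread). The first parses a constructed resolv.conf and compares the resolvers actually in use against the ones you meant to set (the VPN provider's, or the custom server you entered in DNS Jumper), which is the quickest offline way to spot a DNS leak. The second builds a classic UDP DNS query by hand and reads the question back out, to show that, without DNSCrypt or a VPN tunnel, the name you look up travels in the clear and is readable by anyone on the path. The resolver addresses and the domain are placeholders I made up.

```python
"""Added example: check which resolvers a host is configured to use and show
what a plaintext DNS query exposes on the wire. All inputs are constructed."""
import struct

# Constructed sample of /etc/resolv.conf after a VPN client (or a tool such
# as DNS Jumper) applied its resolver, plus a stray entry pushed by the LAN's
# DHCP server. Addresses are placeholders, not any real provider's.
SAMPLE_RESOLV_CONF = """\
# Generated by the VPN client (constructed sample)
nameserver 10.8.0.1
nameserver 192.168.1.1
search lan
"""

# Constructed allowlist: the resolvers you intend to use.
EXPECTED_RESOLVERS = {"10.8.0.1"}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def find_unexpected_resolvers(configured, expected):
    """Resolvers in use that are not on the allowlist: DNS leak candidates."""
    return [s for s in configured if s not in expected]


def build_dns_query(name, qtype=1, txid=0x1234):
    """Build an RFC 1035 UDP DNS query for `name` (qtype 1 = A record)."""
    # ID, flags (only RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_dns_question(packet):
    """Read the question back out of a query: nothing here is encrypted."""
    txid, _flags, _qdcount = struct.unpack("!HHH", packet[:6])
    pos = 12                                      # end of the fixed header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:                           # root label ends the name
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"txid": txid, "name": ".".join(labels),
            "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    configured = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", configured)
    print("not on allowlist:",
          find_unexpected_resolvers(configured, EXPECTED_RESOLVERS))
    pkt = build_dns_query("www.example.com")
    print("question readable on the wire:", parse_dns_question(pkt))
```

On Windows the equivalent of reading resolv.conf is `ipconfig /all` or `Get-DnsClientServerAddress` in PowerShell; the comparison logic is the same. If the unexpected list is non-empty while the VPN is up, queries can bypass the tunnel, which is exactly the leak the opening post warns about.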




 

Gass

Member
Is This Security made easy!
Three products together on one computer provides you with protection like you’ve never had before.

@WinPatrol WAR – Immunize your computer against ransomware, malware and zero day threats with our artificial intelligence engine that gives ransomware and malware a taste of its own medicine and blocks them before they can infect. 4 Layers of Protection in one product. Powered by our Artificial Intelligence engine, WinPatrol WAR blocks ransomware it has never seen before, ransomware we haven't yet seen in the lab. The days of needing to obtain a sample first are over.

@WinPatrol PLUS – Tried and true Host Intrusion Protection system that also provides great system utility functionality like the ability to delay start-up programs, schedule task monitoring, browser cookie clean-up and, now in the latest release, file size monitoring. How to Use WinPatrol to Monitor Your Windows PC for Change - https://www.howtogeek.com/212494/how-to-use-winpatrol-to-monitor-your-system-for-any-changes/

@WinPatrol Firewall – Referred to as the “World’s Easiest to use Personal Firewall”, WinPrivacy blocks any unknown programs from using the Internet and much more. A program that brings transparency to the Internet!
WinPrivacy rips open the veil of secrecy programs have been hiding behind by exposing every single program on your computer that is using the Internet.
“Smart Recognition” automatically allows/blocks programs so you don’t have to.
Allow/Block by signature. Now it’s super easy to allow all programs for your printer or other.
  • Tells you from where each program is sending and receiving data, and how much.
  • Gives you the power to block Internet access for any program(s).
  • Empowers you to block any unknown programs from using the Internet without your permission.
  • Can automatically remove unwanted Flash Cookies.
  • Designed to Block Canvas Fingerprinting.
  • Informs you which sites DO NOT use Canvas Fingerprinting so you can use them instead.
  • Program Details Dialog gives you detailed specifics about any program.
Spy Block Technology is the ability to block embedded spyware while allowing the main program to run wanted/needed functionality.
To test Spy Block, we took a list of domains we found on the Internet that were reported as potentially associated with Windows 10 embedded spying. We entered these domains into the Spy Block page in WinPrivacy, excluding invalid domains.
Because the list did not have any associated ports, we blocked traffic on both ports 80 and 443. We then ran a test for approximately 12 hours, during this time we opened various MS Office products, browsed the Internet, ran the Snippet tool, used File Explorer and placed the computer into and out of hibernation.

WinPrivacy has actively blocked traffic to these domains. Not surprisingly, not every domain recorded traffic. This can be due to many factors like our not tripping the switch for reporting on that domain during our tests or that we simply haven’t run the test for a long enough period of time yet. But the bottom line is, WinPrivacy PLUS BLOCKS embedded spying.

If you care to check it out, as WinPatrol has been around a while now and some swear by it - just posted for your knowledge. :)
Gass :D

EDIT: I intended to delete this post, as I had wanted to after the 85% off sale ended, but I don't see that that's possible now...
I've tried to make the post more informative now as to what the software does.

So if ever you should become interested, I advise you to watch their site, as (this time round) it advised of the sale and where it was being held. Maybe like BF or CM in November; google a search and see if any topics come up with dates, to understand what times of the year they happen. Know that a Lifetime License and bundled purchase brings the price down ridiculously low, as with the 85% off offered this last time until July 09 midnight EST.
 
Last edited:

Gass

Member
What can your ISP see?

Unencrypted websites give ISPs (i.e. Internet Service Providers) the most detailed pieces of data about their users. Unencrypted websites use Hypertext Transfer Protocol (HTTP) without a Secure Sockets Layer (SSL), leaving the connection unencrypted. Encrypted websites use Hypertext Transfer Protocol Secure (HTTPS) which works with an SSL. Your ISP sees data from unencrypted websites and some data from encrypted websites.

Data from unencrypted websites: ISPs see the full URLs (Universal Resource Locators) of all web pages visited by their users on unencrypted websites. The former counselor to Tom Wheeler, the prior FCC Chairman, Gigi Sohn says that ISPs “have access to everything you do online.”

According to Sohn, ISPs “know every website you visit, how long and during what hours of the day you visit websites, your location, and what device you are using.” Of the top 50 health, news and shopping websites, more than 42 are unencrypted. That’s over 85% of these top 50 websites, including Target.com, WebMD, the Huffington Post, IKEA and more.

Data from encrypted websites: Half of the websites are using HTTPS to reduce the amount of information that ISPs access from their visitors. When visitors use encrypted sites, ISPs are not able to access their full URL and content from pages visited.

However, ISPs still know what site you’re visiting even if they don’t know what pages you used on that site. That knowledge is still useful to them. Knowing what websites you use helps them make educated guesses on what your interests might be, in estimating your age range, your internet usage habits, when you are online or offline and more.

A broadband privacy attorney, Dallas Harris, says that “The fact that you’re looking at a website can reveal when you’re home, when you’re not home” Harris contends that “The level of information that they can figure out is beyond what even most customers expect.”

ISPs are desperate to see and track your data

The repeal of ISP privacy rules in the US effectively opens the doors for creepy ISP data collection practices. It calls for caution that ISPs have a standing history of breaching user privacy. Let’s examine a few of these practices.

Snooping through your traffic and inserting ads: ISPs use your browsing history to inject and serve you ads. AT&T, Charter, and CMA have reportedly done this in the past. According to the Electronic Frontier Foundation, the FCC's repeal of privacy rules officially grants ISPs the legal grounds to sell your traffic in this manner, going forward.

Selling your data to marketers: AdvertisingAge says that Consumer Insight 365, a service offered by SAP “ingests regularly updated data representing as many as 300 cellphone events per day for each of the 20 million to 25 million mobile subscribers.”

The $24 Billion Data Business that Telcos don't want to talk about > Mobile Carriers are working with Partners to Manage, Package and Sell Data (Your Data)

According to the AdvertisingAge report, "The service also combines data from Telcos with other information, telling businesses whether shoppers are checking out competitor prices. It can tell them the age ranges and genders of people who visited a store location between 10 a.m. and noon, and link location and demographic data with shoppers' web browsing history."

SAP, as reported by AdvertisingAge, refused to disclose the carriers supplying them this data. Essentially, this means that ISPs are seeing, tracking and even selling off their users’ data on demographics, location and browsing history.

ISPs inject undetectable, indelible tracking cookies into your HTTP requests: ISPs like Verizon and AT&T have been reported to use “supercookies” to track their users. The EFF says that “Initially, there was no way for customers to turn this “feature” off. It didn’t matter if you were browsing in Incognito or Private Browsing mode, using a tracker-blocker, or had enabled Do-Not-Track: Verizon ignored all this and inserted a unique identifier into all your unencrypted outbound traffic anyway.”

Supercookies, or UIDH, make it possible for anyone (including advertisers) to track your web browsing. Advertisers could turn your cookies into "zombie cookies" by using the Verizon UIDH to resurrect them, even if you cleared them. The FCC says Verizon kept the supercookies running for two years before updating its privacy policy to allow users to turn off the feature if they so desired.

Search hijacking: According to EFF, in 2011, a number of ISPs were caught using a service by Paxfire to hijack their users’ search queries to Bing, Yahoo!, Google and other search engines. ISPs used this to drive traffic to specific sites while presumably earning some money from this practice.

Pre-installed software that logs app usage and URLs that you visit: Sprint, T-Mobile and AT&T were found to be logging their users’ URLs visited and the apps used. Using Carrier IQ, ISPs tracked your apps usage and websites visited. Trevor Eckhart of Electronic Frontier Foundation conducted research to reveal how the Carrier IQ worked.

Although Carrier IQ led to a class action lawsuit in the past, the repeal of the FCC privacy rules would encourage (and even legalize) the use of such tracking software by ISPs.

How to stay safe online
It's already old news for 2017 with the repeal of the US internet privacy rules that had prevented your ISP from selling off your browsing data and history to advertisers, having been rolled back by the FCC earlier in the year. It's still a fact now that your ISP can monetize your behavior online even better today than some months ago. So if you're SAVVY ENOUGH, I'm hoping you've taken some necessary steps - if not, please read on...

Due to the overwhelming tracking technologies, information collection and usage by ISPs, it's best to use Tor or a VPN in secured connections to access the internet. VPNs, or virtual private networks, effectively mask your identity, encrypt your data and significantly limit what information flow your ISP gets. Since the FCC has granted ISPs their freedom to use and sell your internet traffic data without your consent (and many average people had a voice in the 2015 vote setting this rule), using a VPN is feasibly a necessity now more than ever.
Source: maketecheasier

By all means, installing Adguard and its Stealth Mode features helps complement your choice of a VPN. If any of this is news to you, then start today - this minute - and read my post #15 at https://forum.adguard.com/index.php?threads/the-truth-behind-vpn-protection.13798/
Then search for something like "VPN the Basics" or "VPN 101 guide" to relate to what a VPN actually does, and remember a lot of VPN review sites are only click bait to get you to buy through their sites.
Then visit Adguard's Knowledge Base article on Stealth Mode:

https://kb.adguard.com/en/windows/features/stealth-mode

Gass
 
Last edited:
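To make the HTTP-versus-HTTPS point in the post above concrete, here is an added example (not from the maketecheasier article, Adguard, or anyone in this thread) that models a passive on-path observer such as an ISP. It takes a constructed plaintext HTTP request and a constructed TLS ClientHello for the same site and reports what each exposes: for HTTP the full URL including the query string, the cookies, and any injected per-subscriber identifier such as the `X-UIDH` header Verizon used for its supercookie; for HTTPS only the hostname from the SNI extension, since everything after the handshake is encrypted. The hostname, path, cookie and identifier values are all made up.

```python
"""Added example: what an on-path observer (e.g. an ISP) can read from
unencrypted vs encrypted web traffic, and how an injected tracking header
shows up. All traffic records below are constructed samples."""

# Constructed plaintext HTTP request as it travels over port 80. X-UIDH is
# the header name Verizon's supercookie used; the value here is invented.
HTTP_REQUEST = (
    b"GET /health/conditions/diabetes?q=insulin HTTP/1.1\r\n"
    b"Host: www.example-health.test\r\n"
    b"Cookie: session=abc123\r\n"
    b"X-UIDH: OTgxMjM0NTY3ODkw\r\n"
    b"\r\n"
)

# Header names known to be injected by carriers as subscriber identifiers.
TRACKING_HEADERS = {"x-uidh"}


def _client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record carrying only an SNI
    extension (constructed; one cipher suite, one compression method)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name   # host_name type
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # type 0
    exts = len(ext).to_bytes(2, "big") + ext
    body = (b"\x03\x03" + b"\x00" * 32     # client_version + random
            + b"\x00"                       # session id length 0
            + b"\x00\x02\x13\x01"           # one cipher suite
            + b"\x01\x00"                   # one compression method (null)
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


TLS_CLIENT_HELLO = _client_hello("www.example-health.test")


def observe_http(request):
    """Everything a passive observer reads from a plaintext HTTP request."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    host = headers.get("host", "")
    return {
        "host": host,
        "url": "http://" + host + path,        # full URL, query string included
        "cookies": headers.get("cookie"),
        "injected_tracking": sorted(h for h in headers if h in TRACKING_HEADERS),
    }


def observe_tls(record):
    """The same observer's view of HTTPS: only the SNI hostname is readable."""
    if record[0] != 0x16 or record[5] != 0x01:    # not a handshake/ClientHello
        return None
    pos = 9 + 2 + 32                              # record+handshake hdr, version, random
    pos += 1 + record[pos]                        # session id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")   # cipher suites
    pos += 1 + record[pos]                        # compression methods
    ext_end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    host = None
    while pos < ext_end:
        etype = int.from_bytes(record[pos:pos + 2], "big")
        elen = int.from_bytes(record[pos + 2:pos + 4], "big")
        data = record[pos + 4:pos + 4 + elen]
        if etype == 0:                            # server_name extension
            name_len = int.from_bytes(data[3:5], "big")
            host = data[5:5 + name_len].decode("ascii")
            break
        pos += 4 + elen
    return {"host": host, "url": None, "cookies": None, "injected_tracking": []}


if __name__ == "__main__":
    print("HTTP  :", observe_http(HTTP_REQUEST))
    print("HTTPS :", observe_tls(TLS_CLIENT_HELLO))
```

The HTTPS result still contains the hostname, which is the "ISPs still know what site you're visiting" point above; hiding that too is what a VPN tunnel (or encrypted DNS plus encrypted SNI, where a site supports it) is for. The `X-UIDH` check is also a usable detection: logging request headers at a proxy you control and alerting on that name reveals whether your carrier is injecting an identifier into your port 80 traffic.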

The Commissioner

Guest
@Gass Although I agree with your post at large, it's the solution that bothers me.
Consider an average user, a layman; I don't think you can expect them to know the intricacies of software like Tor and VPNs.
How to set up the system and then configure it in a way that it doesn't hamper your overall web browsing experience.
The major block in adopting the technologies you mentioned is that they are slow, or involve processes like not having JavaScript enabled in some places.
To a layman that's too much to work with. He would have to constantly work around problems, which IMO will only frustrate him to a point that he will most likely return to his earlier setup despite the privacy risk.
Although not the simplest of methods, an easy one would be to encrypt your DNS using something like dnscrypt-proxy. That does away with all the things I mentioned in the paragraph above. What's more, it's a one-time set-up-and-forget thing. For a layman, that would be the best of the lot. And it's free.

What do you think?
 