Sorry if this is a dumb question, but how important is using one of the encrypted DNS services from the megathread? I've just been using Google's DNS servers directly on my router, and have yet to have any issues. Have I just been lucky?

Also, 🫡 to dbzer0 for migrating the community to Lemmy!

[-] httpjames@sh.itjust.works 29 points 1 year ago* (last edited 1 year ago)

Encrypted DNS can help minimize the amount of information available to your ISP. Most ISPs block and log your traffic through DNS queries since it's the easiest. By encrypting your DNS traffic, the ISP can't see what domain you're trying to find. Although, if they are motivated enough, they can sniff the SNI headers from your TCP traffic.

I'd stay away from Google DNS as they log it for themselves.

Use something like Quad9.net or Control D.

Thanks for the informative response! I've made the switch to Quad9!

[-] dragonfly4933@lemmy.dbzer0.com 18 points 1 year ago

DNS doesn't really matter for piracy, but it can help improve privacy and security.

DNS over TLS will ensure all your DNS requests are encrypted, and most clients actually validate the certificate, so attempts to hijack the connection are not easily possible.

Firefox can bypass your system's DNS and use DoH. I think Windows also supports DoT.

For Linux, systemd-networkd and systemd-resolved also support DoT.

Keep in mind that some software does not obey system DNS settings and can do its own DNS.

[-] Karate_Jesus420@lemmy.dbzer0.com 2 points 1 year ago* (last edited 1 year ago)

I've been entering the primary and secondary DNS addresses in my router settings, so it applies to the whole network. I suppose that won't work for DNS over TLS, DoH, or DoT, then? Unfortunately, my router doesn't support flashing dd-wrt, so I'm stuck with Netgear's firmware.

[-] dragonfly4933@lemmy.dbzer0.com 2 points 1 year ago

It only applies to network devices that respect the setting. However, if you are using Windows, for machines you care about, you can just configure DoT.

https://www.linkedin.com/pulse/secure-your-internet-connection-dns

Android also supports DoT, as does Firefox as I mentioned above. For any given device you can search for "android DNS over TLS" and get info to see if it can be easily turned on.

However, also keep in mind if you are using Windows, then using DoT is like putting a bandaid on a gushing wound. The underlying OS is not trustworthy.

[-] MrComradeTaco@lemmy.fmhy.ml 12 points 1 year ago* (last edited 1 year ago)

If you don't want to spend money, use 1.1.1.1 at least. It's important.

[-] mremugles@lemmy.world 17 points 1 year ago

I'd actually suggest using Quad9 DNS.

[-] otterpop@lemmy.fmhy.ml 5 points 1 year ago

What advantage does Quad9 have over Cloudflare's DoT?

[-] httpjames@sh.itjust.works 26 points 1 year ago* (last edited 1 year ago)

Quad9 is based in Switzerland where privacy laws are stricter, most notably the one where they cannot cooperate with foreign intelligence agencies without approval from the Swiss government. Quad9 keeps no logs, while Cloudflare does for 25 hours.

Cloudflare already routes practically all of the internet, why would you explicitly want to also use their DNS?

[-] boonhet@lemm.ee 14 points 1 year ago

Because we want the internet to be centralized to like 3 companies that run everything!

[-] Pulp@lemmy.dbzer0.com 4 points 1 year ago

Cloudflare is the fastest, and well, if you use one of the sites proxied by them, then they have your data anyways.

Speed at any cost? Some might value the small privacy gain over the few extra milliseconds on DNS queries, which can also be cached locally so only the first one would be slow anyway.

[-] qazwsxedcrfv000@lemmy.unknownsys.com 2 points 1 year ago* (last edited 1 year ago)

You have forgotten Akamai... Google, Microsoft, Meta, and Amazon... Also Equinix and descendants of those once nationalized telephone and telegram operators, e.g. AT&T, BT, NTT, etc.

Upon a quick search here it seems Cloudflare does roughly 1/5th of all websites measured. Still pretty huge. You can use whatever serves your own needs best, but I try to avoid using these kinds of megacorp "free" services. It's not too hard to run your own authoritative DNS as well, since DNS is decentralized natively.

If you check the Submarine Cable Map, you can find all the cables we have laid under the sea and their owners. The Mozilla Internet Health Report 2019 contains a map that shows cable ownership by the big 4 aka Google, Microsoft, Meta, and Amazon. The map was updated to contain data till 2021. The L1 is largely owned by the telecom operators, private or national. Cloudflare is just L2 and L3 (maybe some L7).

I think we're at a misunderstanding. Suppose a business owns a road, and a different business owns a shipping company that uses the road. If I want to ship something, I can choose which shipping company to use, and I cannot choose which roads they use. So given my options, wouldn't I want to choose the best shipping company for my needs?

In this analogy, I don't trust the Cloudflare shipping company, especially with how often they are used for SSL termination. This community specifically places a massive importance on verifying and checking VPN providers, so why not be equally as stringent with DNS providers?

[-] sneeple@reddthat.com 1 point 1 year ago

Unrelated but how did you get your username to have that font?

[-] MrComradeTaco@lemmy.fmhy.ml 4 points 1 year ago

Search for fancy font generator in your preferred search engine.

[-] BermudaHighball@lemmy.dbzer0.com 5 points 1 year ago* (last edited 1 year ago)

Have OSes evolved enough that encrypted DNS is available? If so, would someone with enough technical knowledge link a guide on how to set it up within a popular OS?

I imagine that even if you plug in one of the suggested DNS provider IP addresses into your network settings, the OS is still going to make plaintext requests that your ISP can snoop on unless you require it to be encrypted somehow.

[-] shaoiken@feddit.de 4 points 1 year ago

Maybe try dnscrypt. If a graphical frontend is available for your OS of choice it is very simple to setup.

[-] iopq@vlemmy.net 2 points 1 year ago

It was super easy on Windows, but even easier on NixOS, where I just set it up without any GUI: just enabled it and that's it.

You use a local DNS resolver that can handle encrypted DNS and also does ad blocking. pihole-ftl is what I've been using. Then you just set your DHCP server (your router usually) to provide the pihole server as the DNS server.

It caches entries so things you access often will resolve faster than anything you can get online, it supports all of the privacy options you could want and it also has ad blocking lists so you can block ads and trackers at the DNS level.
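Two points above, that some software does its own DNS regardless of system settings and that the usual fix is to hand out a local resolver like pihole via DHCP, can be checked on the LAN. The following is an added example, not code from the thread or from pihole: it audits constructed flow records (source, destination, protocol, destination port) and flags devices that bypass the resolver or talk plaintext DNS upstream. The resolver address and the allowed Quad9 upstream set are assumptions.

```python
from dataclasses import dataclass

RESOLVER = "192.168.1.2"                           # assumed: pihole address handed out by DHCP
ALLOWED_UPSTREAM = {"9.9.9.9", "149.112.112.112"}  # assumed: Quad9 addresses the resolver uses over DoT

# Constructed sample flow records, not real traffic: "src dst proto dport".
SAMPLE_FLOWS = """\
192.168.1.10 192.168.1.2 udp 53
192.168.1.2 9.9.9.9 tcp 853
192.168.1.23 8.8.8.8 udp 53
192.168.1.2 8.8.8.8 udp 53
192.168.1.31 1.1.1.1 tcp 853
192.168.1.10 203.0.113.5 tcp 443
"""

@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str

def classify(src, dst, dport):
    """Return a reason string if the flow undermines the resolver setup, else None."""
    if dport == 53:
        if dst == RESOLVER:
            return None  # LAN query to the pihole: expected plaintext hop
        if src == RESOLVER:
            return "resolver forwards upstream in plaintext (ISP can read queries)"
        return "client bypasses the resolver with its own plaintext DNS"
    if dport == 853:
        if src != RESOLVER:
            return "client speaks DoT directly, skipping the resolver's blocklists"
        if dst not in ALLOWED_UPSTREAM:
            return "resolver uses an unexpected DoT upstream"
    # DoH rides on 443 and cannot be told apart by port alone; not classified here.
    return None

def audit_flows(text):
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, _proto, dport = line.split()
        reason = classify(src, dst, int(dport))
        if reason:
            findings.append(Finding(src, dst, int(dport), reason))
    return findings

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport}: {f.reason}")
```

Real input would come from router conntrack or NetFlow export; the port-based checks do not catch DoH, which needs a blocklist of known DoH endpoints instead.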

this post was submitted on 30 Jun 2023
68 points (97.2% liked)