namebench.py - Is my ISP blocking public DNS-servers?

Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6440
Location: UK, London, just across the river..

Posted: Fri Dec 13, 2019 18:22
Well, in the UK 9.9.9.9 comes through PCH servers where
they do that thing and where my friend is working. Maybe I didn't understand what the Packets Cleaning House (PCH) stands for and how d'fk that filtering goes on
on 9.9.9.9 ... but anyway thanks for the info....

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

Posted: Sat Dec 14, 2019 16:37
Alozaros wrote:
well...the lightest and easiest to use DoT option is Stubby via Entware on USB... it works well on all kinds of routers.. you can see the link in my sig.
Thanks, I'll test it, seems rather straightforward...
Alozaros wrote:
I was using Dnscrypt-proxy v2 for a while but decided to move back to Stubby as i have a VPN now and Stubby works along with VPN...
I also am testing VPN (for one of my VAPs), so that's good to know, thanks.
Alozaros wrote:

The best option for encryption is DNSCrypt; the downside of it is your ISP knows you are using it and there is a slight chance to sneak some metadata from it...
Ok, but it's better than not doing anything so I'll probably try it out.
Alozaros wrote:
while, apart from the ISP seeing the traffic that goes to
Cloudflare or Quad9 or GGL, traffic over TLS or HTTPS is also encrypted...

at the end any DNS encryption will do what ever you choose..
I understand.
Alozaros wrote:
The last question about your ISP capping the port 53...

As you can see the results in DNSleak test, there is no more ISP DNS that means they are not capping it
or even if they do, nothing goes to their side and results are showing it...
Very nice, it already makes me sleep and feel much better. I'm sure I'll never go back to using my ISP's DNS server unless all hell breaks loose and I for some obscure reason am forced to it :)
Alozaros wrote:
Last advice: I refrain from any use of GGL stuff, especially their DNS 8.8.8.8. The best and more secure public DNS are 9.9.9.9 or 1.1.1.1, Adguard, Cisco and many other public DNS; just GGL those ...and choose one to use...
My only concern was that it's not the fastest according to the "namebench.py" report. But now that I think of it, most of the time I'll be doing something, the DNS lookup by itself probably isn't the most critical or time-consuming part of my internet traffic use (and not even in games I think it'll matter much, as I believe my local router will cache the DNS addresses and only forward upstream requests if it doesn't know them in advance..)
Alozaros wrote:
In FFx you can set any DNS that supports DoH. Personally I use 9.9.9.9 just to piss off my ISP as I know they don't like Quad9...9.9.9.9 does a deep packet inspection/cleaning, to look for harmful stuff and block/filter the bad DNS hits...in the past they used to keep logs like GGL, now they don't (I have a friend working for PCH ;) )
That's good to hear. I also remember having read that Google isn't very privacy-concerned - by the way, I've deleted Google DNS servers from my setup now (for the same reason described earlier: even though they might be faster in my case/geographical region, I don't think the DNS lookup time consumption is as critical as my download/upload speed; furthermore I think it shouldn't affect my ping, once my local router (probably, I think) caches the DNS address requests...)
Alozaros wrote:
Posting the Asus stuff here is not good practice, but I was excited to see they moved to an easy DoT option via GUI, which is still missing in DDWRT; but running it via Entware is not an issue and it's easy to set up using Stubby,
as Stubby offers some extra settings too...
Yeah, I know it's not good practice. I'll delete the screenshot if anyone requests it - in this case I originally forgot that there could be a difference between how DDWRT and Asuswrt-merlin handles things - but after posting the question and reading replies I thought it was easier to post a screenshot than to describe the setup with words. Anyway, if anyone requests I delete the screenshot, I'll do it, no questions asked and I've mostly been messing with my DDWRT-router for the past months so I completely forgot that this might not be the best forum to ask the DNS-question in (asuswrt-merlin also has forums, I just forgot, haven't used their forums for at least 6 months, sorry)...
Alozaros wrote:

The most detailed settings on DNS encrypting stuff goes to DNScrypt-proxy v2 and
Unbound, Stubby has just few useful extra settings only...but its still safe to use...
It's good enough information for me, at the moment. I appreciate your help, very much. Thanks, and I'll start practicing with Stubby via Entware one of these days (on the DDWRT router) :)
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

Posted: Sat Dec 14, 2019 17:18
SurprisedItWorks wrote:
Don't forget you'll need # and not : for specifying a port in dnsmasq's server= lines.
Yes, understood, thanks.
SurprisedItWorks wrote:
In dnsmasq you'll also need to add no-resolv (no "e" there) if you want to use only the servers specified in the dnsmasq config commands and ignore the ones specified elsewhere, like on dd-wrt's Basic Setup page. You'll otherwise fall back to the latter servers as backup. But no-resolv will also lead to ignoring servers pushed by your vpn provider, leaving your vpn activity dependent on your standard dnsmasq setup, encrypted only if you have carefully set up encrypted dns of some sort. (Merlin looks to be offering you DoT right out of the box. Why look further? That's as good as it gets for encrypted DNS.)
You're right, it's really nice. I do however look a bit further, because I think the world of networking is interesting and DDWRT is more open source, so it gives more options and I feel I get a better understanding of how I should/can optimize my home network in terms of LAN segmentation and security, and I also just love Linux. I learn a lot about networking with DDWRT for a low cost and I love that it gives some of the same features as professional (and more expensive) routers provide...
SurprisedItWorks wrote:
Also remember that DNSCrypt setup is a bit of a special thing. It uses its own ports (different for each provider) and the server line in dnsmasq will look like server=127.0.0.1#30 to provide a connection to the dnscrypt-proxy process internal to your router. And, if you use the built-in button and menu, that line will be set up by dd-wrt, not you. If you use DNSCrypt, you need to keep other dnsmasq stuff compatible. You can't mix in the standard server= lines we've been discussing, for example, or you'll end up with a mixture of DNSCrypt and non-DNSCrypt DNS queries.
Ok, I haven't gotten into this part yet. But it's good for me to know and be prepared and know the caveats in advance...
SurprisedItWorks wrote:
Don't get too excited about DNSSEC. It protects the integrity of DNS lookups for yourbank.com only if Your Bank has explicitly set it up with their DNS provider. The last time I researched it, here in the US it was used by one or two small banks out of several thousand banks, making it essentially worthless, a placebo. Check out individual websites at https://dnssec-debugger.verisignlabs.com/ to see if they have DNSSEC set up. If you do try DNSSEC, try the test at https://dnssec.vs.uni-due.de/ once it is set up.
But it doesn't harm anything to enable DNSSEC, right? I mean: It's better to enable DNSSEC than to disable it, isn't it? And in the future maybe it'll be more widely adopted by at least banks, financial institutions, government/health institutions etc? At least I hope that...
SurprisedItWorks wrote:
And note that dnsmasq will do DNSSEC checking ONLY if ALL of your dns servers support DNSSEC. Quad9 supports it. Adguard does not. DNS providers are not generally making DNSSEC a priority, since none of the sites you're looking up support it anyway.
I currently only use cloudflare and quad9 - I also added the ipv6 dns servers, although I suspect it isn't really being used...
SurprisedItWorks wrote:

If you want your browsing history to be used by Google to help them direct the "right" ads your way, do use Google DNS. It will help. (Of course if you use Chrome, you're already covered.)
I use Chromium (Linux) and Firefox. I don't trust Chrome but Chromium is more open source... I trust Firefox. I haven't really heard of people saying Chromium spies on internet activity - at least hopefully it doesn't log the internet activity, right? If I discovered that I would switch away from it immediately... But DNS is a good place for me to start...
SurprisedItWorks wrote:
And especially use them if you want instant cooperation with whatever fishing expedition governments approach them with. Being pulled up in random nets along with thousands of other innocents and one bad guy makes one proud to be a citizen, right? (Current news item: https://www.forbes.com/sites/thomasbrewster/2019/12/11/google-gives-feds-1500-leads-to-arsonist-smartphones-in-unprecedented-geofence-search/)
Yep, thanks - I'm convinced not to use google dns... I think I'll be happy about quad9 and cloudflare as upstream dns-servers...
SurprisedItWorks wrote:

For fast DNS, most people find Cloudflare is hard to beat. No logging and no filtering. They are not in the DNSCrypt menu, but they do support some version of DNSCrypt. See the discussion of Quad9 DNS linked in my sig for an approach to attempt development of a DNSCrypt setup to work with them. (You may have to set them up using DNSCrypt V2 instead.) I believe they support the newer DNS encryption techniques (DoT, DoH) as well.
I think I'll start with stubby - but I also want to try dnscrypt (v2), now that I've read other people write so much about it and I've seen other people take internet privacy as an important matter and writing about their experiences with such tools as stubby/dnscrypt (and more)... I'll probably work on/off on this project for some weeks, maybe ask in the forum if something unexpected happens...
SurprisedItWorks wrote:
And Alozaros, my friend, sometimes all of us type before that strong cup of tea when we should be typing afterward. Quad9 can't do deep packet inspection of our internet traffic, because all they see are our DNS queries. As you know, nothing else goes through them. There are no packets to inspect. For the less aware: when I visit oddballnewssite.com, Quad9 sends me its IP address if it's not on the evil-player list, then my browser visits that IP address directly (in my case through my dd-wrt vpn client) in a process that does not involve Quad9 in any way.
Ok, thanks, for that, sounds reasonable...
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Sun Dec 15, 2019 14:56
newsboost wrote:
SurprisedItWorks wrote:
Don't get too excited about DNSSEC. It protects the integrity of DNS lookups for yourbank.com only if Your Bank has explicitly set it up with their DNS provider. The last time I researched it, here in the US it was used by one or two small banks out of several thousand banks, making it essentially worthless, a placebo. Check out individual websites at https://dnssec-debugger.verisignlabs.com/ to see if they have DNSSEC set up. If you do try DNSSEC, try the test at https://dnssec.vs.uni-due.de/ once it is set up.
But it doesn't harm anything to enable DNSSEC, right? I mean: It's better to enable DNSSEC than to disable it, isn't it? And in the future maybe it'll be more widely adopted by at least banks, financial institutions, government/health institutions etc? At least I hope that...

I absolutely agree. I have it enabled here for the same reason. But it's good to be aware that at the moment it's doing basically nothing.
Quote:
SurprisedItWorks wrote:
And note that dnsmasq will do DNSSEC checking ONLY if ALL of your dns servers support DNSSEC. Quad9 supports it. Adguard does not. DNS providers are not generally making DNSSEC a priority, since none of the sites you're looking up support it anyway.
I currently only use cloudflare and quad9 - I also added the ipv6 dns servers, although I suspect it isn't really being used...
SurprisedItWorks wrote:

If you want your browsing history to be used by Google to help them direct the "right" ads your way, do use Google DNS. It will help. (Of course if you use Chrome, you're already covered.)
I use Chromium (Linux) and Firefox. I don't trust Chrome but Chromium is more open source... I trust Firefox. I haven't really heard of people saying Chromium spies on internet activity - at least hopefully it doesn't log the internet activity, right? If I discovered that I would switch away from it immediately... But DNS is a good place for me to start...
Call me a cynic perhaps, but Chromium was written by Google, so in my book that alone implies that everything you do in it is being logged and analyzed. Why would they have spent the money to develop it otherwise? I have the same feeling about Android. These are not good people who do these giant software projects just to be nice. I have no idea how to get more authoritative information on it though.
Quote:
SurprisedItWorks wrote:
And especially use them if you want instant cooperation with whatever fishing expedition governments approach them with. Being pulled up in random nets along with thousands of other innocents and one bad guy makes one proud to be a citizen, right? (Current news item: https://www.forbes.com/sites/thomasbrewster/2019/12/11/google-gives-feds-1500-leads-to-arsonist-smartphones-in-unprecedented-geofence-search/)
Yep, thanks - I'm convinced not to use google dns... I think I'll be happy about quad9 and cloudflare as upstream dns-servers...
Makes sense for speed. If you want Quad9's malware filtering though, put Quad9's server= line last in dnsmasq config and include strict-order or check the dd-wrt GUI button for strict order. Then Quad9 will generally be used unless it is proving slow for some reason.
Quote:
SurprisedItWorks wrote:
For fast DNS, most people find Cloudflare is hard to beat. No logging and no filtering. They are not in the DNSCrypt menu, but they do support some version of DNSCrypt. See the discussion of Quad9 DNS linked in my sig for an approach to attempt development of a DNSCrypt setup to work with them. (You may have to set them up using DNSCrypt V2 instead.) I believe they support the newer DNS encryption techniques (DoT, DoH) as well.
I think I'll start with stubby - but I also want to try dnscrypt (v2), now that I've read other people write so much about it and I've seen other people take internet privacy as an important matter and writing about their experiences with such tools as stubby/dnscrypt (and more)... I'll probably work on/off on this project for some weeks, maybe ask in the forum if something unexpected happens...
SurprisedItWorks wrote:
And Alozaros, my friend, sometimes all of us type before that strong cup of tea when we should be typing afterward. Quad9 can't do deep packet inspection of our internet traffic, because all they see are our DNS queries. As you know, nothing else goes through them. There are no packets to inspect. For the less aware: when I visit oddballnewssite.com, Quad9 sends me its IP address if it's not on the evil-player list, then my browser visits that IP address directly (in my case through my dd-wrt vpn client) in a process that does not involve Quad9 in any way.
Ok, thanks, for that, sounds reasonable...

Good luck. You are on a good track. That patient approach, adding a feature at a time slowly over the months as you figure out what you want and how to do it is the way to go with dd-wrt. It's a learning experience for sure.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
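As an added example (not code from this thread, from DD-WRT or from dnsmasq), here is a small Python lint for a dnsmasq upstream configuration that checks the pitfalls quoted in newsboost's post above and the strict-order advice in this reply: '#' rather than ':' before a port, a missing no-resolv, a dnscrypt-proxy loopback server mixed with plain server= lines, and Quad9 listed last together with strict-order. The Quad9 addresses other than 9.9.9.9 are an assumption, and both sample configs are constructed.

```python
import ipaddress
import re

# Quad9's published resolver addresses (assumption; the thread only names 9.9.9.9).
QUAD9 = {"9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"}
IPV4_COLON_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_config(text):
    """Split dnsmasq text into (option names, server specs) in file order.

    Only a line whose first non-blank character is '#' is a comment;
    '#' elsewhere is dnsmasq's port separator (server=IP#port)."""
    options, servers = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("server="):
            servers.append(line[len("server="):])
        else:
            options.add(line.split("=", 1)[0])
    return options, servers


def lint(text):
    """Return a list of findings (empty when the config follows the thread's advice)."""
    options, servers = parse_config(text)
    findings, plain, loopback = [], [], []
    for idx, spec in enumerate(servers, 1):
        host = spec.partition("#")[0]
        m = IPV4_COLON_PORT.match(spec)
        if m:  # 'IP:port' is the mistake called out in the thread; dnsmasq wants 'IP#port'
            findings.append(f"server {idx} '{spec}': use '#' not ':' before the port")
            host = m.group(1)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"server {idx} '{spec}': not an IP address")
            continue
        (loopback if addr.is_loopback else plain).append(str(addr))
    if loopback and plain:
        # e.g. server=127.0.0.1#30 (dnscrypt-proxy) next to server=1.1.1.1: dnsmasq may
        # send any query to either, so some queries leave the router unencrypted
        findings.append("loopback (dnscrypt-proxy) and plain upstreams are mixed")
    if "no-resolv" not in options:
        findings.append("no-resolv missing: resolv.conf servers (GUI/ISP/VPN) remain as fallback")
    if any(s in QUAD9 for s in plain):
        if "strict-order" not in options:
            findings.append("strict-order missing: Quad9 filtering is not preferred")
        elif plain[-1] not in QUAD9:  # the thread's advice: put Quad9's server= line last
            findings.append("Quad9 is not the last server= line, so it is not preferred")
    return findings


# Constructed sample carrying the mistakes discussed: ':' port separator, a
# dnscrypt-proxy loopback server mixed with plain upstreams, no no-resolv, no strict-order.
WEAK_CONF = """\
server=1.1.1.1:53
server=9.9.9.9
server=127.0.0.1#30
"""

# Constructed corrected form: plain upstreams only, Quad9 last, strict-order, no-resolv.
FIXED_CONF = """\
no-resolv
strict-order
server=1.1.1.1
server=1.0.0.1
server=9.9.9.9
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf) or ["ok"])
```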
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

Posted: Sun Dec 15, 2019 22:32
SurprisedItWorks wrote:
Call me a cynic perhaps, but Chromium was written by Google, so in my book that alone implies that everything you do in it is being logged and analyzed. Why would they have spent the money to develop it otherwise? I have the same feeling about Android. These are not good people who do these giant software projects just to be nice. I have no idea how to get more authoritative information on it though.
Now when I come to think of it: as DNS lookups (AFAIK) don't really contain data other than the lookup, what Google could do is match the IP address from a lookup table with records of who's actually using that same public IP address while logged into e.g. Gmail... So for a huge organization, they/Google wouldn't be able to match a DNS lookup with a specific user, because there are so many user DNS requests from the same public IP address (maybe that's why they made Chrome, to spy and get even more details, and then they can match a DNS lookup with a specific user/account).

I think my opinion is that I value privacy and when I can hide my data with little effort (e.g. using cloudflare/quad9 as dns) I really want to do it. But I do use gmail - when I started there wasn't any real good options with an excellent spam filter and I didn't want to pay. So I started with gmail and still there I am. Then there's android/iphone - I think apple is probably almost as bad as google, but just twice as expensive. So I have been using android phones for the past years. I however do it such that I always create a gmail/google account called "(my-normal-username)-phone@gmail.com". I see 2 benefits: If I ever lose my phone and it gets hacked, I don't use my android-account for ANYTHING important. The other benefit is that google must be having a harder time, figuring out that I have several google-accounts and it's the same person (not different people), if they ever wanted/want to do that puzzle game (I doubt, but in any case I don't want to make it too easy for anyone to spy on me, if they for some reason should ever decide to try it)...

I live with knowing that Google and others can spy on me if they really want. But as I'm Scandinavian, living in a very small country (Denmark), I think there are other more important people to spy on :) Finally, I'm REALLY happy that my ISP will have a harder time spying on me now (I know they probably can log all websites I visit if they want, but that's also why for the past several years I've been a good VPN customer and I don't hesitate to switch to the VPN if I'm about to do anything that could be misused against me, if anyone was/should be spying on my internet usage...)
SurprisedItWorks wrote:
Makes sense for speed. If you want Quad9's malware filtering though, put Quad9's server= line last in dnsmasq config and include strict-order or check the dd-wrt GUI button for strict order. Then Quad9 will generally be used unless it is proving slow for some reason.
At the moment, I'm not so interested in the malware filtering stuff. I'm using something on the Asus router called AIprotection (https://www.asus.com/support/FAQ/1012070/) which claims to use deep packet inspection, and besides I think I've seen some other solutions for Entware where one can make the router block known malware IP addresses (the simplest solution I remember having tried is something that downloads blocked IP addresses and adds those to /etc/hosts). I also really seldom visit e.g. piracy/torrent websites and practically never download illegal software, so I think I'm not a high-risk person. The more stuff I can do on my router, change settings locally - and learn from - the better, is also my opinion (same for DDWRT as for ASUS, and Entware is for both) :)
SurprisedItWorks wrote:
Good luck. You are on a good track. That patient approach, adding a feature at a time slowly over the months as you figure out what you want and how to do it is the way to go with dd-wrt. It's a learning experience for sure.
Thanks a lot! Normally I get much more done after work, but I just bought an Nvidia Shield device and set it up for IPTV (with VPN) and have just spent too much time playing with that... I think/hope however soon I'll get back to playing with DDWRT. I'm really happy about the helpful and friendly DDWRT community in here, thanks :)
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Sun Dec 15, 2019 23:22
Great thoughts there on privacy, but I fear you may be a bit behind the times. Have a good, patient read through the rather long piece https://www.eff.org/wp/behind-the-one-way-mirror (and take note of the difference between Apple and Android... it has evolved). I thought I knew my way around what was going on in privacy-invasion land before I read that a couple of days ago, but I was way, way behind. Remember also that this is the EFF, Electronic Frontier Foundation, perhaps the leading advocate for digital privacy out there. (Random factoid: AirVPN is a regular contributor to EFF.)
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
newsboost
DD-WRT User


Joined: 05 Jul 2018
Posts: 83

Posted: Tue Dec 17, 2019 3:13
@SurprisedItWorks : Thanks, very interesting, especially the captcha part. It's not something that'll make me change anything in the short term (changing DNS is still great though), because I also enjoy the many free apps/services, e.g. Google Maps. Luckily privacy legislation is a big thing in the EU - see e.g. https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/ and/or https://en.wikipedia.org/wiki/General_Data_Protection_Regulation - with these rules, neither Google nor Apple/Facebook own my data, and if they cross the line and I read about it a single time, I and many others would probably easily request those large companies to delete all my/our personal data. This will probably help those companies to think one extra time before misusing the collected private data. Strong legislation and privacy rules are something I wish the US legislators also cared (more?) about; maybe/hopefully things will regulate themselves, for the benefit of both users and corporations investing money in providing good free services... Anyway, the topic isn't so much about DDWRT anymore so I'll stop now - thanks a lot though! :)
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1447
Location: Appalachian mountains, USA

Posted: Tue Dec 17, 2019 15:52
newsboost wrote:
Luckily privacy legislation is a big thing in the EU.

Ah yes, the GDPR. Americans are jealous. (I like that AirVPN pledges to uphold GDPR rules in their worldwide operations, not just in the EU where their HQ is.)
Quote:
Strong legislation and privacy rules is something I wish the US legislators also cared (more?) about

They care a lot... about preventing real privacy legislation so as to keep those corporate campaign donations rolling in. *rolls eyes*
Quote:
Anyway, the topic isn't so much about DDWRT anymore so I'll stop now - thanks a lot though! :)

At least dd-wrt gives us solid DNS and VPN options for frustrating our ISPs' efforts to log/sell our histories. I suspect this brings us many of our users. Half? Subnet isolation and VLAN network segmentation for security brought me, but I like frustrating ISPs when I can. :D But you are right... time to quit!

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.