DNS Privacy

  • Published 22 Aug 2024

COMMENTS • 257

  • @toongurl
    @toongurl 1 year ago +7

    That was the most clear explanation of recursion ever

  • @OcteractSG
    @OcteractSG 1 year ago +60

    ISPs are tricky in general. An ISP can just collect the IP addresses their customers connect to and then use reverse DNS to find the domain names. Therefore, even DoT or DoH won’t fully solve the problem; they just create more work for ISPs that want to track people. Still, it’s better to not hand ISPs the data they want on a silver platter. I just wish DoT and DoH were options on operating systems. Endpoint OSes seem to be behind on adding those checkboxes.

    • @AndreuPinel
      @AndreuPinel 1 year ago +9

      Fully agree... DoT/DoH is a must. Though even still, not only do they not protect against reverse DNS (unless everybody in the world uses them - and even then the ISP could simply perform regular DNS queries to the domain - or domains - they want to monitor), but the DNS server still knows the domain name you are visiting, which means that now it is the company that manages the DNS that can sell your data instead of your ISP, no matter which one it is or which privacy promises it has made.
      If one wants 100% privacy (including prevention against reverse DNS), then the use of a multi-layer encrypted circuit for DNS querying AND connectivity is needed (e.g. Tor)... of course this has a significant price in terms of performance.

    • @AdrianPatten
      @AdrianPatten 1 year ago +1

      DoT/DoH only encrypts the question. The ISP can see the results of that question when you go to that site.

    • @OcteractSG
      @OcteractSG 1 year ago +3

      @AdrianPatten Yes, I am well aware. That is what I was referring to when I mentioned reverse DNS. DoT/DoH only increase the amount of effort required by ISPs and shady VPN companies to track what sites and internet applications users are visiting/using.

    • @herkulessi
      @herkulessi 1 year ago +1

      @AdrianPatten And since a noticeable amount of sites use Cloudflare's proxy, your ISP could only tell you connected to Cloudflare's IPs.
      I don't think DoH or DoT will be implemented for clients anytime soon, as clients tend to get a local DNS resolver in the same trusted network via DHCP (at least for IPv4, let's not talk about IPv6 as it's a mess)

    • @francocastilloAR
      @francocastilloAR 1 year ago

      @herkulessi So it's useless...

  • @rolingpingu
    @rolingpingu 1 year ago +3

    This video couldn't have come out at a more convenient time. I just found out yesterday that you can change your DNS address and that the one your ISP gives u is not necessarily the best

  • @TheNameOfJesus
    @TheNameOfJesus 1 year ago +15

    Excellent video once again, Naomi! Now the next big topic you should address is the SS7 network which is used by cell phones. SS7 is way scarier than DNS security. Some people might say, "But cell phones aren't computers and Naomi only does computer security." Actually, cell phones are computers these days, so they should also be examined. Please tackle SS7.

    • @Casual_spectator
      @Casual_spectator 1 year ago +3

      My redmi note 9 pro, has better cpu than my laptop, a lenovo with a ryzen 3 3250u processor.
      That's what geekbench says, a cross-platform benchmarking tool.
      So yes, obviously smartphones are computers, and also DSLRs.
      That's why I dislike ppl saying "this is too expensive for just a phone" they are not phones.
      Phones cost around 20$....
      So you are right!
      Nice video!

  • @HornyGrandma
    @HornyGrandma 1 year ago +9

    This video may have just upscaled my sense of proprietorship over my own data and self reliance tenfold!!! THANK YOU NAOMI!!!

  • @WebVid
    @WebVid 1 year ago +10

    This series is enormously helpful. Thank you so much!

  • @Tony-rl2fr
    @Tony-rl2fr 1 year ago +4

    Wow, TIMELY! Just installing pfSense + for the first time on an appliance. Definitely going to use this info to configure mine. Thank you!

  • @mrknaldhat
    @mrknaldhat 1 year ago +14

    Modern routers are getting powerful enough to be able to resolve DNS for the whole local network. I think manufacturers should make this available, especially for the not-so-techy majority of people. I've set up a local unbound+adguard setup, but what matters the most is not showing the ISP or the whole internet which addresses you are looking up. DNS over HTTPS, DNS over TLS, or DNS over QUIC should be standard.

    • @quad9dns374
      @quad9dns374 1 year ago +7

      Indeed, small routers (including using pfSense) are able to do nameservice recursive resolution. But do you want them to? Having the device at the edge of your network doing full recursive resolution still means that every query goes out (unencrypted) to authoritative servers. If you're looking for a model that provides some privacy, then instead of doing full recursive resolution you probably want to set up your edge device (router, firewall, pfSense box, etc.) to do just "forwarding cache" duty, where it remembers all the answers it hears but it passes the query upstream via an encrypted channel to a recursive resolver like Quad9. There, your query is mixed in with thousands or millions of other users and so it becomes difficult or impossible for an observer on the network to determine who asked for what. Of course, you're still trusting the upstream resolver to not violate your privacy, so choosing a recursive resolver operator who has strong privacy policies and whose interests are aligned with yours is important. We think Quad9 meets both of those criteria, being bound by Swiss data privacy laws and also existing as a non-profit whose mission is to provide privacy and security via the DNS services we offer.

    • @jacksoncremean1664
      @jacksoncremean1664 1 year ago +1

      @quad9dns374 I know some people have been able to encrypt traffic to authoritative DNS servers, but I haven't done it myself.

    • @autohmae
      @autohmae 1 year ago

      @jacksoncremean1664 sorry, but there are currently no authoritative DNS servers that support encrypted DNS in the wild at any meaningful scale. A standard exists since last year which is most likely to get adoption. But details are still being worked on. You might be confused by DNSSEC which allows to verify answers for security reasons, but doesn't give you privacy.

    • @jacksoncremean1664
      @jacksoncremean1664 1 year ago

      @autohmae I'm not talking about DNSSEC

    • @autohmae
      @autohmae 1 year ago +1

      @jacksoncremean1664 well, then again, I don't know what you are talking about: "I know some people have been able to encrypt traffic to authoritative DNS servers"
      I know DNS over TLS as experiments, but didn't get any widespread deployment and DNS over QUIC standard exists only since May 2022

  • @lem5689
    @lem5689 1 year ago +1

    I love how the explanation of DNS was put in this.. it made it so easy to understand it better

  • @mspaint1011
    @mspaint1011 1 year ago +3

    I always had no idea what DNS means or how it works. I still don't completely understand, but this video was extremely helpful, thanks

  • @natemarx4999
    @natemarx4999 1 year ago +6

    Naomi’s uploads are safe for our souls.

  • @ALee-Acting-TV
    @ALee-Acting-TV 1 year ago +2

    I have watched 1000s of hours of InfoSec CyberSec channels.. How have I not seen your channel! I'm so glad to have come across this channel.

  • @autohmae
    @autohmae 1 year ago +4

    Always good to look at this topic, I'm glad people are doing this. Sadly we still have a long way to go to have proper security/privacy though.
    11:03 most of the authoritative servers (for the full domain) are run by the same organization which runs the website. So basically no privacy was gained.
    16:00 next up is encryption of the TLS Server Name Indication (SNI).

  • @-iIIiiiiiIiiiiIIIiiIi-
    @-iIIiiiiiIiiiiIIIiiIi- 1 year ago +1

    Every authoritative guest she has on a specific tech topic is an absolute hunk.

  • @oceanwonders
    @oceanwonders 1 year ago +4

    Just changed my DNS servers. Thanks!

  • @flain283
    @flain283 1 year ago +1

    This is a good informative video. Worth noting is that even if you prevent your DNS from being sniffed, all of the websites you visit - HTTPS or not can also be sniffed due to SNI / Certificate identification. For every HTTPS connection, there is plain text in the handshake, that your ISP (or dodgy VPN provider) can log that identifies which website/domain you are accessing.

  • @misaka4519
    @misaka4519 1 year ago +3

    Thank you that you told me about Quad9.

  • @salto1994
    @salto1994 27 days ago

    Very informative and well explained video. I switched to quad9 on my router yesterday away from my isp resolver. I also put pihole on my zimaboard and put that as my local dns server in my router to block ads and telemetry. I'll let that run for a bit and then I'll add unbound

  • @gsiicam
    @gsiicam 1 year ago +102

    DNS = Definitely Not Safe

    • @NaomiBrockwellTV
      @NaomiBrockwellTV 1 year ago +21

      lol

    • @therealb888
      @therealb888 1 year ago

      @NaomiBrockwellTV Here's another good one that plagues me.
      KYC= Kill Your Customer, parasites ask an ID for everything, can't get a phone number without being put on a list.

    • @DENVEROUTDOORMAN
      @DENVEROUTDOORMAN 1 year ago +1

      Wow aren't we clever ???

    • @0xC4aE1e5
      @0xC4aE1e5 1 year ago +3

      @SK ARIF ALI Yes it should. But you do need to still turn off the toggles in account settings

    • @axelwaren7906
      @axelwaren7906 1 year ago +3

      that's because dns improves your privacy not to anonymize you read it again xD

  • @cdm297
    @cdm297 1 year ago +4

    Amazing video, until now I thought using unbound would be the most secure hence I was running 2 load balanced instance of pihole with unbound. I will give this a try for sure. I am keen to learn more about the browser based dns. 👍

  • @NebulaM57
    @NebulaM57 1 year ago +1

    This is great info. I've already updated my pfSense! Looking forward to the video on encrypting DNS before it gets to my ISP.
    Thank you again!.
    Looks like you found yourself a nice location to film your video. It's freezing where I am currently. Where you're at looks very nice right now! 😃

  • @peanut366
    @peanut366 1 year ago +3

    I love how almost all computer and internet processes are little quests. You can definitely tell the type of people that developed the tech.

  • @casaraku1
    @casaraku1 1 year ago +2

    Sorry always loved Naomi even though i do not understand some of her topics...and she is a good teacher. Always learn something....

  • @hayopapayo1717
    @hayopapayo1717 1 year ago +14

    Hi Naomi, can you please make a playlist for this series, can't find it. Much appreciated.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV 1 year ago +6

      Great idea. Videos in series currently all listed in the description too in the meantime!

    • @hayopapayo1717
      @hayopapayo1717 1 year ago +3

      @NaomiBrockwellTV Thanks. Much appreciated. Have a nice day

  • @KLiNoTweet
    @KLiNoTweet 1 year ago +2

    Very helpful, have changed the settings. Works fine. Thanks and have a great day!

  • @timofietz1055
    @timofietz1055 1 year ago +3

    Really enjoy your content! You and the team are great!!
    If doing nothing is 0
    and following your guide at the end of the video is 10
    Where is my pi-hole + unbound solution? 😅

  • @electroteque
    @electroteque 1 year ago +3

    It's FREE. That's great. Will give it a try sometime. Because I have IPv6 blocks configured the IPv6 is required to be entered also.

  • @WickedMuis
    @WickedMuis 1 year ago +3

    Nice video! I guess this is what VPNs are trying to advertise their service about partially?

  • @nully.emptier
    @nully.emptier 1 year ago +2

    Great video! Appreciate the effort. Always something to learn.

  • @PaulMetalhero
    @PaulMetalhero 1 year ago +1

    Very good information, and very nice outdoor scenery!

  • @lyfandeth
    @lyfandeth 1 year ago +2

    There is also the HOSTS file that can be created on NT and other systems. Your computer looks in the HOSTS file, and if the URL and IP address are paired in that, your browser goes directly to the IP address you have listed.
    This can also be used to cut off access to sites. If you set a site's IP address to be your own computer, you've just created a boomerang. The browser will return to your computer, and throw an error message.

  • @l0gic23
    @l0gic23 9 months ago

    Pi-hole, dnssec, quad9.
    Android, private dns, pihole dnssec, quad9
    Would love a video that stitches it all together

  • @martinwalker3088
    @martinwalker3088 1 year ago +1

    Thank you once again Naomi. Another subject to get my head around!

  • @user-sw7rm6oe1z
    @user-sw7rm6oe1z 1 year ago +4

    Love this channel - thank you❤

  • @TRUTHJUSTICELIBERTY4ALL-eq4zk
    @TRUTHJUSTICELIBERTY4ALL-eq4zk 6 months ago

    As Network Chuck always says, "it's always DNS." ALWAYS! MORE COFFEE PLEASE!!!

  • @breadcircuses6085
    @breadcircuses6085 1 year ago +3

    Great information from a gorgeous redhead!

  • @TheStrategyWargamer
    @TheStrategyWargamer 1 year ago +3

    Love your channel. Thank you for doing what you do. I appreciate it

  • @bernardmacarius2635
    @bernardmacarius2635 1 year ago +2

    Thank You Naomi. Wish I could have donated more, perhaps if the market turns around. Crypto that is. Have a lovely weekend miss.

  • @roobscoob47
    @roobscoob47 10 months ago +1

    Thanks, Naomi~

  • @TheSwayzeTrain
    @TheSwayzeTrain 1 year ago +2

    Very informative as always, thank you.

  • @JoseyStranded
    @JoseyStranded 1 year ago +2

    :D Funny video. Lovely costumes / characters. Something new about DNS for me too.

  • @RvnKnight
    @RvnKnight 1 year ago

    Just started the video and I'm at your tldr for DNS. There is a caveat that most routers have at least one, but can have many more, DNS lookup servers that it communicates with. Additionally, your router will hold a finite number of recent and most used domain IPs in a database or table. The purposes of the lookup servers and the internal table are a) speed and efficiency and b) to reduce load on the root DNS servers.
    Edit: Sweet you touched on it

  • @JesseScott2016
    @JesseScott2016 1 year ago +8

    I use quad9 and my connection seems faster and more secure.

  • @eeka_droid
    @eeka_droid 1 year ago

    I appreciate you touching such an overlooked topic as DNS is in this context, yet it'd be much more appreciated if you shared different providers/solutions for the case, I mean, showing us how to fish and good lakes to fish rather than hey fish this specific good species and you'll be good.
    What if they close activities, what if they are not as trustworthy as we think of, what if my internet performance gets reduced, what if my isp blocks access to them etc?
    Focusing in one brand, one solution could be considered as biased and in Infosec this could be very dangerous. I got the feeling we spent a lot of time talking about DNS and its issues but when it came to the solution, check out these good guys! The video felt kinda driven like an ad.
    I see you are looking at the comments and you're committed to security and privacy so I wanted to provide you an honest feedback, as I believe it will be useful for the good work you're doing.

  • @RvnKnight
    @RvnKnight 1 year ago

    Great video! In addition to my other comment I wanted to say that I was hoping you would also touch on DNS poisoning and creating a private home DNS server.
    For those that don't know what I mean:
    Since it is possible to mirror the DNS resolvers, and the ICANN root servers, it could be even more secure to just roll your own resolver mirror with the sites you use the most and have a script that checks the TTLs and pulls updated data for the expired ones every day or so.
    That steps into the DNS poisoning which is essentially populating a DNS entry that is invalid where it will overwrite the entry for another domain or allow a "temporary" domain name for an IP. And yes, that is oversimplified on purpose.

  • @kloassie
    @kloassie 1 year ago +4

    Why is there a million ways to find out everything about me? Why is e.v.e.r.y part in the system leaking e.v.e.r.y.t.h.i.n.g? Why is the whole internet built like a giant sieve???

  • @vacsimile
    @vacsimile 1 year ago +2

    Great content as always Naomi. Home networking can be hard and these are great intro videos

  • @AlexBerkk
    @AlexBerkk 1 year ago

    And not a word on where salaries (and marketing budget) in this non-profit that totally won't sell my data are coming from. Very trustworthy, let me redirect all of my DNS requests to them

  • @johnczech7074
    @johnczech7074 1 year ago +3

    This was really good!

  • @juliar8806
    @juliar8806 1 year ago +1

    Can't wait for the new vid!!!🧡

  • @lukasbruderlin2723
    @lukasbruderlin2723 5 months ago

    As Swiss, I have to warn anyone that even we do have strict data privacy law ... it turns out that (a) the law doesn't prevent anyone from collecting your data (it just obliges to have the collector to warn you somehow, but this usually is done in small prints, that you usually will never see) and (b) Swiss since years more and more has become a police state and latest after 2020 Swiss isn't a private place anymore!
    So this argument that Switzerland is a good place to be for a privacy focused company doesn't count at all anymore!
    Swiss government are highly professional in collecting data and the laws for ISPs etc. are perfectly preparing for gov agencies collection of your data. As soon as you hit some lists (like this person uses VPN or TOR... or did gov critical social media postings ... or watches Privacy related videos) ... it triggers them to automatically put you and your traffic to a watch list and store everything.
    Swiss privacy exists only in theory - but in practice there is none for those "more active" or "critical".
    So in short ... don't think that Swiss aren't collecting everything (even illegally without judges approvals)!

  • @katsasstrophy2334
    @katsasstrophy2334 1 year ago +2

    Great video, thank you

  • @FELDCORP
    @FELDCORP 3 months ago

    I feel like i'm watching an early 2000's SBS segment on DNS privacy

  • @briianhebert
    @briianhebert 1 year ago +2

    Thanks for the video! Could you do a video about using Unbound with Pi-Hole?

  • @tomRX4878
    @tomRX4878 1 year ago +1

    I think you missed checking the option "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers", or? - Oh, sorry. Wrote it before seeing the last seconds of the video.

  • @kippie80
    @kippie80 1 year ago

    YES! Absolutely. I'm looking for an alternative to DNS. Currently, have firewall that blocks a few MEG worth of domain names already ...

  • @JohnSmith-ks4ut
    @JohnSmith-ks4ut 1 year ago +2

    Brilliant!

  • @JPEaglesandKatz
    @JPEaglesandKatz 1 year ago +1

    Great video!

  • @mikapeltokorpi7671
    @mikapeltokorpi7671 1 year ago

    This is why I have now and then reminded, that significant amount of WikiLeaks DNS traffic is routed to "GRU city block" next to Kremlin.

  • @BobJones-dq9mx
    @BobJones-dq9mx 1 year ago +1

    WOW! great video.

  • @Martin-ot7xj
    @Martin-ot7xj 1 year ago +1

    thankyou it was perfect.

  • @rahulramteke3338
    @rahulramteke3338 1 year ago +5

    Does Quad9 have the same or similar functionality that the Cloudflare can offer, like Adult (18+) and malware sites blocking? Saying this since a lot of those sites have a strong overlap of hosting malware.

  • @MyurrDurr
    @MyurrDurr 1 year ago +1

    I have to use my phone as my Wifi network
    Would just setting quad9 as DNS on any connected device be enough to make it more private?

  • @jamesfisher1545
    @jamesfisher1545 1 year ago +1

    Thanks Naomi great video. Can this process be used on routers from cable companies like optimum cable?

  • @camadams9149
    @camadams9149 1 year ago +2

    How does this differ from setting up something like DoH with a resolver like Cloudflare?

  • @ronm6585
    @ronm6585 1 year ago +1

    Thank you. 👍🏻

  • @aaronplays_
    @aaronplays_ 1 year ago +2

    Damn... Mr. Beast is so philanthropic that he created another company for private DNS!! But it seems like it took a toll on him as he seems to have aged decades since his last video.

  • @AAtta-3286
    @AAtta-3286 1 year ago

    Fantastic video! DNS lookups and security never crossed my mind till I saw this video. I immediately started using Quad9 for my DNS.
    One question - if I configure my router to use Quad9, do I also have to reconfigure my computers if they are using a different DNS server. In other words will my computer DNS settings supersede my router's settings? Many thanks again for your great videos !
    Anthony

    • @IdkG7
      @IdkG7 1 year ago +2

      If you configure your router DNS to use Quad9 all devices will go through Quad9 DNS unless you manually changed the DNS to Cloudflare on a pc for example it will probably still use Cloudflare until you make it use the default on that device.

  • @eastwest1970
    @eastwest1970 1 year ago +1

    Thank you

  • @isopodgaming
    @isopodgaming 1 year ago

    I honestly thought this was gonna be a video about registering domains privately

  • @joebloggs816
    @joebloggs816 1 year ago

    Thanks for DNS privacy awareness Naomi - but I failed to configure as PFsense was far too complicated to install !!! Can you release a set of easy-to-understand/step-by-step instructions for how to 1). Install and set up 'Unbound'. And 2). Install and set up PF sense on a Windows 10 machine (currently running Windows firewall and Bitdefender VPN). Thanks

  • @shawnshawn2588
    @shawnshawn2588 8 months ago

    I trust quad9 dns because it is Switzerland 🇨🇭 based, nice video 😊. Smart 🧠 and beautiful, you are a rare woman 👩🏻

  • @darren4635
    @darren4635 1 year ago

    Hey Naomi. Can you do a video on Tesla software. These cars are connected to the internet constantly and the cars have microphones so you can send queries and reports just like Siri. Constant GPS location tracking and creepy onboard cameras inside the car staring straight back at you (which the owner cannot access footage of) supposedly for the autopilot features.

  • @cottagekeeper
    @cottagekeeper 1 year ago +1

    I'm so frustrated, I don't understand how to use PFSense.

  • @johto
    @johto 10 months ago

    my home machines with DNS over TLS ---> my own VPS server running adguardhome with DNS over TLS --> DNS over HTTPS to upstream server...i feel better 🤓

  • @IulianLogan
    @IulianLogan 9 months ago

    Video explain good :)

  • @vladislavnenkov645
    @vladislavnenkov645 1 year ago +2

    I wonder what is the motivation behind Quad9 and how do they make money to sustain this enterprise, being a non profit organization and all?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV 1 year ago +2

      they're a non profit. It's donation based.

    • @sawdustcrypto3987
      @sawdustcrypto3987 1 year ago +1

      @NaomiBrockwellTV Are donations their only source of revenue?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV 1 year ago +2

      @sawdustcrypto3987 Yes, have you read their website? quad9.net/about/sponsors

    • @sawdustcrypto3987
      @sawdustcrypto3987 1 year ago +2

      @NaomiBrockwellTV No, but now I feel stupid and definitely will! Thanks for responding and the awesome content!

    • @NaomiBrockwellTV
      @NaomiBrockwellTV 1 year ago +1

      @sawdustcrypto3987 :) Thanks for watching!

  • @hey_jorge
    @hey_jorge 1 year ago +2

    Looks like xfinity won't allow me to do this with their router but I'm reading and seems I can create a secondary network with another router . we'll see how I can do this.

    • @hey_jorge
      @hey_jorge 1 year ago +1

      On the xfinity support it says I can not change the DNS on their devices. So I'm thinking if I buy my own modem then I should be able to do this. not certain yet more research needed

    • @futurecactus
      @futurecactus 1 year ago +1

      A new router is a good idea if they've locked down the DHCP settings but in the meantime you can set many of your devices to use DNS of your choice in each device's network settings.
      For example, open your phone's network settings while connected to your home network and edit the DHCP settings, from there you change the DNS and set a static IP address.

    • @johnhtodd
      @johnhtodd 1 year ago +2

      Personally, I would have a big problem with a device or service that I'm paying for that forbids me from making setting changes that improve privacy - that certainly might lead me to some conclusions that are discomforting about other things that are being done with "my" data. Change the DNS settings on your devices manually until you get a new router, I suppose.

  • @user-tm6xh7mm6d
    @user-tm6xh7mm6d 10 months ago

    Prob with quad9 you cannot block trackers for privacy.

  • @anether
    @anether 11 months ago

    What I don't get is what is the difference between setting up Unbound with Quad9 instead of simply setting up Quad9 as your resolver with DoH enabled on your device.

  • @oldtools6089
    @oldtools6089 1 year ago

    Wish this kind of info were more well known. The free internet is what curated dns threatens. Entering a numerical ip is straight up blocked by my ISP unless I change the access point resolution to ipv4 ONLY. IPv6 is set by default and most people never change this sort of option.

  • @wngimageanddesign9546
    @wngimageanddesign9546 1 year ago +1

    Umm, ISPs don't need to snoop the DNS queries. They and anyone can do a reverse look up of your packet destination to retrieve the IP address and cross reference that to any DNS to get the alphanumeric domain name.
    I personally don't use my ISP's DNS services, and direct my DNS to be Cloudflare instead. It used to be Quad9. IIRC one can create your own DNS resolver database locally if running Pfsense.

  • @jeromecolas3735
    @jeromecolas3735 1 year ago +1

    Hi ! What about adguard DNS solution ? Thanks

  • @TheRealEtaoinShrdlu
    @TheRealEtaoinShrdlu 1 month ago

    Is there a more Aussie name than Naomi Brockwell?! 😂😂😂

  • @wngimageanddesign9546
    @wngimageanddesign9546 1 year ago

    Tor is the only current solution for privacy of DNS.

  • @sunda394
    @sunda394 9 months ago

    I don't understand the idea behind going through the trouble of using unbound which is recursive and then go ahead and use it as a forwarding resolver....makes no sense, why install it at all? why not just setup quad9 directly in the router?

  • @ballsdeep9648
    @ballsdeep9648 7 months ago

    Do you have any plans to switch to OPNsense instead of pfsense? I originally was with pfsense and got a bit nervous with how Netgate has been acting and switched to OPNsense.

  • @ClaytonDecker
    @ClaytonDecker 1 year ago +2

    Any thoughts on NextDNS?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV 1 year ago +1

      Michael Bazzell talks more about it in his in-depth instructions in his book, but I haven't dived in yet amzn.to/3kX8QSf

    • @IdkG7
      @IdkG7 1 year ago

      It’s good but Pi-Hole is better since it’s self-hosted and open source

  • @kevinoconnor6570
    @kevinoconnor6570 1 year ago +1

    When is the next video out in this series or have I missed it?

    • @NaomiBrockwellTV
      @NaomiBrockwellTV 1 year ago

      Still coming! In the pipeline, but we have 5 other videos to be released before this one!

    • @kevinoconnor6570
      @kevinoconnor6570 1 year ago

      @NaomiBrockwellTV Thanks for the reply I appreciate it. Looking forward to when they drop.

  • @knightone57
    @knightone57 1 year ago

    Had to turn the sound level way up for this video.

  • @user-gr4vx8xz1l
    @user-gr4vx8xz1l 1 year ago +1

    Is there supposed to be a video that goes over pfblockerng on pfsense ? I saw it referenced in the end of the video but can't seem to find it.

    • @NaomiBrockwellTV
      @NaomiBrockwellTV 1 year ago +1

      Actually that's one of our next releases! Scheduled for 2 weeks from now!

    • @user-gr4vx8xz1l
      @user-gr4vx8xz1l 1 year ago +1

      Okay sounds good thank you for doing what you do. I literally started my pfsense home network about 6 months ago and have just been piecing together what I need to have on it from different YouTube videos. Your DNS videos I didn’t even consider implementing until after I saw the video. So thank you I appreciate what you do.

  • @blind5211
    @blind5211 1 year ago

    do you know whether these tutorials can be applied for people who live outside of the US, for example in Europe, Russia, etc.? Or am I just overthinking it?
    all of these tutorials look quite intimidating for me as a casual user...

  • @Leopr1
    @Leopr1 1 year ago +1

    I have been using DNS over HTTPS to get some privacy but now I wonder if unbound grants me more privacy in the long run. Any thoughts?

  • @zaluq
    @zaluq 3 months ago

    Can you do a video with sophos xg also ?

  • @cameronmoore136
    @cameronmoore136 1 year ago

    I've heard of Quad9 many times before, they seem to have a good reputation, but when they say they "block known bad things" how do they determine what these bad things are? And if I want to visit it anyways, do I have the ability to?
    For example, there are parts of this world that view homosexuality as bad (and I respectfully disagree). Would Quad9 block philosophically "bad" things like that, or just things like spyware and malware?
    And when it comes to things like spyware and malware, is it all treated as "bad"? What if a governmental entity employed that spyware for an allegedly noble cause, like to catch dissenters, would that be blocked or allowed?

  • @mr.boniato6402
    @mr.boniato6402 9 months ago

    How is this different than using Pihole + Unbound as the Upstream DNS server?

  • @Vicenarius
    @Vicenarius 11 months ago

    when I try to change my dns on my netgear (comcast is my isp), it seems like it doesn't work and I think it just went to default (comcast) servers one time? so I'm unable to do anything right

  • @monotematico
    @monotematico 1 year ago

    Useful & nice but please increase the volume, I can barely hear you

  • @KTheBoi
    @KTheBoi 1 year ago +2

    I'm avoiding Quad9 due to high ping times to the DNS address, is this worry unfounded if I intend to have the lowest possible latency for gaming?

    • @arctic_line
      @arctic_line 1 year ago +3

      Yes, most games either directly send you IP addresses, or let you use IPs for connecting to servers, and when a domain name is used it would at worst increase your initial connection time, since sockets only work with IPs.

    • @johnhtodd
      @johnhtodd 1 year ago +5

      If you are in a location where a Quad9 server has higher latency, this would cause only a one-time delay in the lookup. If you're using pfSense as a forwarding cache, then that lookup would only have the delay added once at first lookup, and it would probably not be very noticeable to you in any case. And as noted, many games don't even use DNS at all. Once the connection is made to the gaming system, DNS is not consulted after that point so even those minor delays would only be incurred once.

    • @KTheBoi
      @KTheBoi 1 year ago

      Thanks for the info!

    • @francocastilloAR
      @francocastilloAR 1 year ago

      @johnhtodd The main problem is not that (that too), but that results from other countries are offered.

  • @ChristopherJohnJackson
    @ChristopherJohnJackson 1 year ago +1

    My Linux machines all use DNS over VPN (Wireguard), with DNS over TLS as fallback, they only use the router DNS if the TLD is 'lan', my Mac, iPhone and iPad all do DNS over VPN, I use the dns leak test on every device, they all pass with flying colours.

    • @ChristopherJohnJackson
      @ChristopherJohnJackson 1 year ago +1

      @jatre5938 Well I got a DNS server setup for my VLAN, all the devices I trust are on the VLAN, the devices I don’t trust are not on there such as my smart TV or anything I don’t own! 😁