I stumbled upon this video as a pfSense and Unbound noob. What a masterful, concise and logical presentation that truly helped to eliminate the confusion created by many others. This is literally the best short video on the topic, earning you another subscriber. Excellent work!
Securing DNS is good, but ISPs can still do reverse DNS lookups on the IP addresses you connect to. There is also SNI exposures in the TLS handshakes between your browser and websites, which will usually reveal the domain name of the server (if the server is named after its domain, which many are). The real value of using Quad9 is in mitigating the actions of lazy ISPs and the DNS security feature that Quad9 provides (which is blocking known malicious domains).
@@bgroesser right. The IP address has to be unencrypted to use it, because numerous routers and switches have to be able to route it correctly. The first stop out the door is your own ISP, who can do a reverse lookup on the IP and get the domain name, then log the fact that YOUR IP address went to THAT server.
Hi Naomi, I love all your videos! I was really excited to learn that the Texas Legislature just passed the Texas Data Privacy and Security Act. (Aka HB4 by Capriglione.) Sadly it doesn't go into effect for a year. I hear other States have similar efforts. Maybe it's a little early, but I'd love to see you do a video on this. I was getting sick of reading all the privacy policies and CA had the only Opt out exception. Keep up the great work! We are winning!
I suspect the only reason we're allowed to feel like we're winning and actually gaining ground in terms of privacy... Is because they have new methods of surveillance we aren't even aware of yet.
This is fantastic. You have a new subscriber now. I'm sending this to everybody I know. I am an IT nerd, I know DNS queries are not encrypted, but just felt like that would be out of my control. Great information. Thanks!
Thank-you Naomi. Every time I watch one of your videos, I improve my privacy/security by one significant step. This time, I tweaked my Pi-hole to use DNSSEC, because for no good reason I had it configured incorrectly. Perhaps pfSense or OPNsense is a better choice (?), but using the Pi-hole is effective and eye opening. (you don't need a Raspberry Pi, mine is running in a Proxmox VM)
@collectorguy3919 - I am building a similar setup as you have. Using Pi-hole or Adguard to block ads, and using OPNsense as my firewall. But now, I've got a few new features to add - and all because of @Naomi. Great video!
Alright, i’ve watched a handful of your videos now. Holy hell, these are fantastic. I have seen a ton of educational privacy content, but your channel is hands down the best, and criminally under subscribed. Somehow you perfectly thread the needle, being able to conceptualize ideas for the privacy and security hobbyist like myself in an easy to understand package. Please keep up the good work Naomi and team. You have yourself a viewer for life. Cheers!
Well you believe this sht then I got free property in Hawaii . A DNS is a portal. And you all have no clue wtf a DNS means. I got cotton candy children.
I am so incredibly happy that I have just found your platform/channel. This is the information that I have been trying to find for the past few months. I had always known that internet data was collected but I've only recently found out how intrusive it really is. Thank you so very much for your clear presentations. They are full of facts and the answers to my questions. As the narration is going on, a question forms in my mind and is almost immediately answered as if almost telepathically, lol. It's very obvious how much effort goes into a high-quality production like this given it's forward thinking. The person/people/team responsible for this extremely well executed presentation is one of the finest I have ever seen. I say that because I have never tried to find a true favorite yet but I see no reason why this wouldn't be a contender for the best. I say this as completely unbiased even though I have had an attraction to red since I was 2 years old, lol. Thanks again, I will be absorbing all the knowledge that I can from your productions. I wish you good luck during the turbulent economy that is looming over us and will likely last a decade or so.
Yes, I’d have to agree with the others @Naomi you stand out as one of the best educational UA-camrs for me! Your depth of coverage on these topics is amazing considering how entertaining and digestible you manage to make them. Thank you for putting out content that raises the bar on all fronts. :)
@@NaomiBrockwellTVHey Naiomi. Don't mean to hijack the thread...have you heard of 4freedom mobile? Supposedly a privacy focussed mobile service provider which works in Australia, apparently. Do you know much about it?
All my data is saved and logged in physical memory inside the server that inside the room of isp when they need it just memory and some tools the to see everything I did from the day I subscribed until now In the other side vpn and some step can help you to stay away from hackers and company, website ets... anything away from isp because the isp is the hub where my traffic gose and come from 🤭
Stumbled across your channel recently after watching some videos on privacy. I'm now on a binge sesh of your vids. Even watched 2 of your conferences. Really good content. Subed after the 1st video.
PFSense is increasingly focusing on its proprietary commercial PFSense+ product, at the expense of the open source Community Edition. CE is updated far less frequently than PFS+ and doesn't receive a lot of the features of the commercial product. I moved to OPNSense last year for this reason. It's open source and actively developed, so it's likely to be a much better product over the longer term.
Well for home use PF+ is free and the license is not expensive considering the cost of hardware or VM. Not sure what you mean by proprietary either. I had ongoing DNS issues a couple of years back on CE but my device has been stable and with + for home it's an advantage. Either solutions are better than an off the shelf solution at walmart or best buy.
I don't know if anyone has mentioned it already, but even with DoH (DNS over HTTPS), DoT (DNS over TLS) the TLS ClientHello packet is *not* encrypted, and yet they contain the domain you want to access. Not a whole lot of DPI (Deep Packet Inspection) needs to be done to guess where that particular user is going to, regardless of the upstream DNS server used... _(let's forget about DPI though, keep the talk on DNS)_ TLS 1.3 has an extension, ESNI (Encrypted Server Name Indication), so if employed as long as queries to the resolvers are done through encrypted DNS protocols (by the way, how come DNSCrypt wasn't mentioned? I think all of Quad9's servers support it too and there's at least a plugin for those using unbound :). ESNI alone wouldn't do much when used with the traditional DNS protocols, ECH (Encrypted ClientHello) would though! The ClientHello packet would be encrypted, but I haven't seen many (servers and clients, meaning not only OSes but also apps) support it, but I think it hasn't passed the draft stage yet, it is to be another TLS extension (so DoH, DoT would benefit). When do we get support for it across the board, even as experimental?
even with DoH, while domain destination is encrypted BUT the provider still could identity IP of server we are connecting, and from them they could simply associating it with some service or some website.
@@sourcebased yes that, also it's possible to host your own VPN server on VPS provider you can trust. even that VPS provider still could identify what IP you are connecting via VPN. using VPN and then browsing with ToR is for me the safest for now, but it will slows down the internet connection by a lot. but we don't need that extra privacy and security everyday, so it's just an occassional thing.
@@marhensa Yes, I was talking only about that practical everyday usage. If you need a higher level of anonymity, using Tor is the least indeed. Best used with Tails and changing hardware and location. I am glad that I don’t really need this in practical terms but I am aware that my internet usage is an open book to my provider and some players on the state services level, as well as my OS and hardware vendors to some degree. I just try to be conscious and selective with who could spy on me and what for.
DNS is key, and I think you covered this topic with the perfect amount of details. Just enough to get the point across, without bogging it down with the details. I would add PiHole or some other ad-blocker to your series of videos on this topic, where every webpage you load, there's no telling how many different servers that you make DNS requests for. Each frame, each advertisment, each Third-Party cookie you download is a website that can see your traffic and that you visited that particular website. By pointing those rogue DNS requests to a sinkhole, you protect yourself from some of the other types of tracking that happens as you visit websites.
I would suggest AdGuardHome on a raspberrypi. It has everything built in and ready to go with just two commands to set it up, it also updates from the web interface, so no messing about with SSH. You set it up and it works. It already has DoH DNS over HTTPS built in unlike PiHole and does not need various modules or bits added on - plus it is far more stable and you can set and forget. AGH is far more stable than pihole and programming is far better, plus they fix any faults - you don't get arrogant people on a forum who don't know how to do things. The other handy thing is AGH does not have the many faults of PiHole. One fault PiHole has is chewing up SD cards by continuous writing to them. This makes systems fail regularly because of poor programming. There are various fixes and commands to use on PiHole and bits to add on, then procedures to update, but do people really want an unfinished product being trusted with their data? AdGuardHome is what PiHole wanted to be!
What's the "perfect amount" of details? Information isn't a spice, u know? What I hear u saying is she doesn't provide enough info; but since every comment only kisses Naomi's ass, ur fine with her leaving it out.
@@jeremymoon9088 they are all simps. If a bloke did the exact same video all these people would rage about how wrong and vague the info was. I have seen this exact thing on videos that had the same approximate scope. The only difference was a male presenter. Everyone raged
@funbucket09 u read my mind! I actually used the word "simp" when I typed that comment; but I edited it before I posted it, because I didn't want to trigger anyone. Have u ever seen Jay at Learn Linux TV interview her? He gets all nervous and wimpy, it's some top level simpin. It's amazing how the internet will give an average woman attention as if she were a super model
I really appreciate this video and the Quad9 tip. I set up DoH (DNS over HTTPS) in just a few minutes on my MikroTik router running routerOS. Also installed the Quad9 android app on my phone.
I've been on a security/privacy kick for a while now. This is something that I knew only 1 tiny bit about, but certainly not enough to make effective changes. I'll be going through the process of seeing how to implement this on my IPFire / Pi-Hole setup. Worst case scenario, I have no issues with replacing IPFire with PFSense.
If the goal of this action is to limit your ISP from capturing your DNS queries then it is of very limited utility. Your ISP can simply do a reverse DNS lookup on the target IP address in the packets you send out once you received your name resolution from your encrypted DNS.
great video! I haven't been thinking about DNS encryption but now is cristal clear that it is super easy to profile users by doing this. Will change to this setup. Thanks!
I find tip videos like these get more people in the line of fire. Have you ever heard of Reverse DNS look up? Or perhaps fingerprinting? They can easily see past this. ISP have also reported that they slow down users found doing this.
I'm not sure if this is a good fit for most users. PFSense seems to require purchases to get started and ongoing. The pitch seems to be directed to anyone including home users which is probably the majority of those watching this. Put another way, as a [retired] IT person, we would NEVER rely on sources like this for our information.
Even though Quad9 says they don't do anything with your data, how do they make money? I don't trust any of them no matter how secure they say they are.
According to their webpage they live on donations. Someone has to make money here. Where is their infrastructure located, who provides the servers/data centers?
what basic DNS encryption (from both the client and service side) does is that one at least can be somewhat confident that the data is actually correct and not spoofed. The DNS client code of all widespread OSes (even Windows!) have supported it for quite a long time. That many applications don't make use of it is a different matter. All current widely used nameservers (BIND, NSD, PowerDNS, KNOT,...) comes supporting it by default. Setting it up can be challenging if it's your first time, but it is worth it.
All of this is pointless if you connect to a secure site and negotiate the certificate using SNI (which is pretty much every website), anybody can see the exact information you'd request via DNS in clear text. This kind of snooping is less common than using DNS data, though.
@@PSL1969 ESNI, extension in TLS 1.3, or even better ECH (Encrypted ClientHello) where that packet of TLS is fully encrypted, but there isn't much support for either that I know of. ECH is to be an extension to TLS (has it made it already?) so _as long as_ the connection to the server is done over TLS 1.x (being x the one supporting it) you'd be golden, but it'd require the browser, for example, to also know about it. I believe AdGuard (client app, not the browser extension) recently launched a version enabling ECH throughout, but I have yet to see how it behaves.
@@PSL1969 The rest of us used ESNI for years! Encrypted, it was a setting in Firefox for ages. There is a modified version of this in modern browsers now called something else. ECH. A sort of "encrypted hello"!
OK, we can encrypt our DNS queries. But all DNS servers belong to either ISPs, private entities (Google for example) etc. So at the end our DNS queries will still end up with one or the other DNS service provider.
You put a lot of effort into masking and encrypting the request of a certain domain... and next you ask your ISP to connect you to a certain IP, that they can easily pin to the initial domain you were hiding.
Good info as usual but what is the relationship of this privacy method to that of using a VPN. Can this be used instead of a VPN, in conjunction with a VPN or does using either/or still provide a similar level of privacy? Your videos are awesome!
Usually when you use a VPN the VPN provider is handling your DNS. But if you have any other devices on your network like IoT devices, phones that don't have a vpn, etc, then changing your DNS settings is still a big help!
Also, remember that most VPN providers are not as secure as they claim and most will happily give away data if asked by a government agency or police. From what little research I have made Mullvad VPN seems to be one of the better ones but please do your own research.
@@alfepalfe Sorry to pilled up but still in doubts regarding OP question: If you do not trust your VPN provider is it technically possible to use both this amazing and simple method as shown in the video + A VPN ? (Let's say i'm stuck for 2 years with a Nord membership multi devices plan ? Would it make any sense or simply work to Change my DNS before Data's connect to a one of Nord's Node ? Or it works the other way around in this case i get it and have to choose one or the other....👍 Awesome videos👍, fantastic channel🙏 Since i've discovered it i'm bingeing it like a maniac but the 🐇 hole 🕳️ is Deep... The more i'm learning, the more questions and complex you discover how hard it became to preserve your privacy or just encrypt your clouds data's, photos, email, Google Photo's face recognition and Metadata's usage is freaking me out😱. Govs don't even need anymore datas for their CBDS's Digital ID's we've been face scanned and analysed for years 😤🤦🏻♂️They crosscheck with others services from Google Ecosystem and even third party. Feels like an endless work even migrating on Linux, and assuming Google Drive or Dropbox, all cloud storage companies, really delete your datas if you terminate/delete your accounts, or encrypt on Local using an offline open source file encryptor and re-synch the encrypted content. And even by doing that you may trigger attention and have no proof and they wont retain your non end to end encrypted re-synched or deleted data's🤦🏻♂️🤬👨💻. Who knows what is their real retention time if any ? It's really full-time job! 🤯🛂🧿👩💻🏦🕳️
Hi Naomi. Thank you again for a great educational video. I recently fired MS Win 11 and migrated to Fedora Silverblue for privacy reasons... DNS LEAKS are a NO GO... so I will update DNS settings tomorrow with the help of a Linux freelancer. Thank you much. 👍
@@Alfred-Neuman WinZip is good too. I forgot about the automatic IP encrypt feature. WinRAR doesn't actually have that. You have to set it up manually. So WinZip is better. Good choice.
I tried to do this on my pfSense install and then I couldn’t get web pages to load. Eventually, I discovered you also have to uncheck “Enable DNSSEC Support” for this to work. After that, I had no problems. I hope this helps!
Can u do me a favor sir 🙏? Can you let me know if you can see my comments on here? I don't understand other than being shadow banned, (which they say isn't real) as to why whenever I comment something, that is probably important to this dns subject, not one person says anything , I would really appreciate it. I have made 3 comments , 2 comments 12 days ago, and one a few mins ago.
UA-cam mixes up the comments. It's very difficult to find anything you have commented on as it gets burried quickly. Even when they send you an email you can't get back to the original comment. It's a crappy system.
I know this is old. I'm thinking you found your answer but if you didn't. I'd like to try to help, I'd use uBlock Origin. It's the one I use it's 100% open source, and I looked through I haven't found anything wrong. uBlock is 100% safe though for sure (example what it does, blocks javascripts from a server (googles) and returns null; instead of a value. The other thing is it just blocks HTML elements). This is why they hate the F12 button, lol. P.S. If any other extention has a blocker in it, like I use watchmaker it has one. Make sure to turn that off, it's not a security thing; it will just make videos not load. Much Love and Respect
A vpn is just using some else's network so all traffic including dns would just go through the VPN provider. These major vpn companies sells data and will just release all the info they have on you to the government if asked as well.
At the moment I'm using Technitium DNS in a docker container, but yeah. The fact that it's just communicating unencrypted with upstream authoritative servers is a concern to me. I don't have a pfsense router at the moment, so I'll likely have to deal with configuring unbound directly. I don't want to give up having a DNS resolve my local home lab addresses, so I'll figure out unbound.
In simple terms what the video is about is the confidentiality of the DNS protocol itself (there is none, because it goes in the clear) and what to do about it, hence the suggestion to use an encrypted DNS protocol (DoH, DoT, DNSCrypt) instead of the traditional one. Switching to using Quad9 in your router instead of the ISP set servers (I suppose) doesn't really help in that regard I'm afraid, unless your router is using any of those protocols. It does, however, help if your ISP were doing some sort of filtering through their DNS servers, plus, the default DNS servers for Quad9 offer some threat protection at that level by denying connections to known malicious domains.
I wonder why Cloudflare wasn't mentioned, they seem to get good reviews especially on the privacy front. Even Mozilla trusts them to use them as the default DNS server in Firefox.
Naomi has one of the best channels on UA-cam hands down. I'm following her for a few months now, along with 2 other tech and privacy oriented channels, and am absolutely in love with this material. As a total newbie, I'm slowly learning so much! Thanks, @NaomiBrockwellTV !
We will never be sure if it saves if DNS is not encrypted. Quad9 is sponsoring this video and says there are not looking in your traffic, what is there benefit to move all traffic to them ask your self? But one Positive site on this is that their headquarters are in Swiss. Anyway nice video
2:45 i just want to point out that in the UK it is a legal requirement that isp's snoop your DNS traffic in order to enact blocking of p2p sharing sites. If you live in the UK, you need to manually set your DNS server ip's in your router to a service that supports DoH and malicious site blocking 4:45 this is why you don;t use unbound and you run another machine behind the pfsense box that can run an encrypted resolver (and now we are getting into territory where some basic IT qualifications would be nice)
Most websites are hosted on IP addresses that host lots of other websites, so no, but SNI would still reveal where you're going. VPN solves this but then the VPN can see that.
So I used to work for an ISP. The thing is every time you access a web page you can be resolving anything from 1 to dozens of various sites. The main site, sub, advertising, provider (Amazon, Microsoft, Apple…) Multiply that with thousands of users, the flow of data is significant. You’re not that interesting.
DNS queries do not contain the complete URL of a request. They only contain the FQDN. Even if you run your own resolver, the ISP can still see where you are browsing by doing a reverse lookup on the destination IP of the request. If the request is not encrypted, the ISP will be able to see the entire URL. Luckily, most requests are encrypted. That said, Server Name Indication is always in clear and can leak information.
Whoa you guys are very underrated! My ISP has embedded DNS so i don't have the option to change it in the modem and it makes me furious. I'm trying to do a big project and changing the dns server is one of the steps and it is truly frustrating. So my plan is to install Pfsense on my Proxmox & from there i will manipulate the modem into bridge mode... If this does not work you guys have any advice? I subscribed :)
How about those that don't have pfSense routers, how can I enable DNS quad9 in an Asus Router? Update: Asus routers come with those DNS settings and I've already changed to quad9 DNS' settings! Thanks a lot!
Not only does this provide a false sense of security, because the destination IP address is still visible to the ISP, but you also trade one entity (ISP) for another (random DNS provider) logging your traffic.
It doesn’s say sponsored video but it also doesn’t say, if you catch my drift. We need to check our ISP’s contract for snooping, but using this random DNS is also without any terms? Swiss, so it is safe? No product is just free. I’m pretty sure this company paid her to do this bit. Totally agree on false security, like your ISP doesn’t have the means to check. By the way, I work as consultant for a telco and GDPR laws are extreme, we can’t collect and sell anything from subscribers. DPI is not even allowed, because of net neutrality.
Thank you to Naomi Brockwell, John Todd and all the NBTV team! One small question: After switching to quad9 is there a way to know that the switch is indeed working? Like a linux terminal command... I could even settle for windows cmd command. Wishing you a nice evening!
EDIT: To Clear up something: I am "NOT" basing the video at all. I liked the video, it was produced great as always, below is just my thoughts. Not bad at the video. I hope I'm making sense, opening peoples minds to conversation on things? Is that the way to say it? Here is why all this stuff is pointless. Start at problem. (Us). Our computer -> Our Router -> Our Modem -> Their sub station -> everywhere else your cloudflare all that. This is a 'false' since of security; like a front door made of glass with a deadbolt on it and you think it has you covered. It don't. Proof in pudding, check your IP's config and all before and after and not just literally your IP. Look at the packets, we change nothing and it goes to the "ISP" Before any other DNS can grab it. Other wise you would have "hacked" free internet somehow, just think about it. If you don't have to go through the ISP and get online why would you? See pipe dream..
I am sorry, Naomi, but this time you really have me stumped. Are you saying that in order to have privacy on our DNS lookups, we need to setup a separate firewall server somewhere on our local network, install pFSense on it, then install Unbound on that, and the somehow set all of our devices, browsers, and such to use this Unbound and pfSense firewall server for our DNS searches? I think this is probably a non-starter for most people.
And then encrypted dns is send to the one of the most spoofing/tracking firm on this planet where they can read it as unencrypted!, So really greate ideaa!
I don't for a minute presume that internet activity is private. Why would that be true, it must be paid for somehow? Still, I would jump right in and follow these instructions, except I have NO WAY to verify what happens beyond my router. Doing this might just open the door even wider for those who are looking in. Or is there? That would be a good episode!
ISPs have to follow strict regulations, if they get caught snooping on customers they'd get fined, maybe prosecuted or even shut down. No ISP with any sense is going to risk that. Unless your ISP is the Mafia, you're pretty safe.
Those regulations are often the issue though. For example the Government could block certain websites and track everyone who tries to access them. Rule 1 of security: trust nobody.
@@SanderEvers I'd actually trust my ISP more than I'd trust Google or Cloudfare to handle my DNS. For those that really want to lock it down there's recursive DNS.
You an even encrypt the requests themselves - you can use DNS over HTTPS (DoH) or DNS over TLS (DoT). This way nobody is able to see what pages you browse - not even your ISPs.
This is an excellent example of content that isn't served well by video presentation. What should be a few paragraphs on a page or two of text is definitely not worth waiting for the presentation to get to the meat of the matter.
Sigh. Not as easy as it sounds. Once you get your DNS reply, you go to the website that was just resolved by Quad9 or whoever you chose. Well, HTTPS will always show the name of the destination (SNI) in the clear. So your ISP, and whoever else can capture those packets, sees where you are going anyway. And while you were at it, you provided an ‘exclusive’ to a specific public company, to see what you were searching. And the result was provided to your computer by them, not by the authoritative DNS server for the zone in question (a Microsoft DNS server for that Microsoft site you are going to, for example). It’s been many years since I had a consumer router so not sure they can do this, but if they can be set to RESOLVE and not forward to a public company’s DNS, they would use root servers and ‘walk the tree’ down to the authoritative DNS server of the place you are going. There is a reason all these public companies are working so hard to provide ‘free’ services like encrypted DNS. (hopefully not a double post, got an error a few minutes ago).
Can u do me a favor 🙏? Can you let me know if you can see my comments on here? I don't understand other than being shadow banned as to why whenever I comment something, that is probably important to this subject, not one person says anything , I would really appreciate it. I have made 3 comments , 2 comments 12 days ago, and one a few mins ago.
First time I get around to this channel - I just get the idea that the "lady" talking is a computer generated image - that just the impression I'm getting looking at the image shadows, movement etc.
I stumbled upon this video as a pfSense and Unbound noob. What a masterful, concise and logical presentation that truly helped to eliminate the confusion created by many others. This is literally the best short video on the topic, earning you another subscriber. Excellent work!
Securing DNS is good, but ISPs can still do reverse DNS lookups on the IP addresses you connect to. There is also SNI exposures in the TLS handshakes between your browser and websites, which will usually reveal the domain name of the server (if the server is named after its domain, which many are). The real value of using Quad9 is in mitigating the actions of lazy ISPs and the DNS security feature that Quad9 provides (which is blocking known malicious domains).
I was thinking the same. Traffic still needs routing.
@@bgroesser right. The IP address has to be unencrypted to use it, because numerous routers and switches have to be able to route it correctly. The first stop out the door is your own ISP, who can do a reverse lookup on the IP and get the domain name, then log the fact that YOUR IP address went to THAT server.
Exactly
What's the alternative or solution?
@@cre8tivebreednothing because it's an envelope. You don't encrypt the address when posting a letter.
Another gem delivered as always, keep up the quality work and thanks for all that you and your team constantly do.
Sharp, independent, practical, precisely detailed content for the security conscious user. More please! And thank you!
Independent??
very *dependent* on companies or orgs @@area_5049
Yeah, independent?
@@y_strikes2770 Yeah, she's a secret G-woman. 😏
Hi Naomi, I love all your videos! I was really excited to learn that the Texas Legislature just passed the Texas Data Privacy and Security Act. (Aka HB4 by Capriglione.) Sadly it doesn't go into effect for a year. I hear other States have similar efforts. Maybe it's a little early, but I'd love to see you do a video on this. I was getting sick of reading all the privacy policies and CA had the only Opt out exception. Keep up the great work! We are winning!
That's great to hear. Honestly texas is one of my favorite states
I suspect the only reason we're allowed to feel like we're winning and actually gaining ground in terms of privacy... Is because they have new methods of surveillance we aren't even aware of yet.
@@therealb888a it possible to route my internet from a Huawei router to pfsense?
@@therealb888great idea for a video! I hope you decide to never stop 👏 🎉
This is fantastic. You have a new subscriber now. I'm sending this to everybody I know. I am an IT nerd, I know DNS queries are not encrypted, but just felt like that would be out of my control. Great information. Thanks!
Thanks for subscribing!
Thank-you Naomi. Every time I watch one of your videos, I improve my privacy/security by one significant step. This time, I tweaked my Pi-hole to use DNSSEC, because for no good reason I had it configured incorrectly. Perhaps pfSense or OPNsense is a better choice (?), but using the Pi-hole is effective and eye opening. (you don't need a Raspberry Pi, mine is running in a Proxmox VM)
Ward. What and how to install, to block all youtube adds in the network, even in smart tv
@collectorguy3919 - I am building a similar setup as you have. Using Pi-hole or Adguard to block ads, and using OPNsense as my firewall. But now, I've got a few new features to add - and all because of @Naomi. Great video!
Alright, i’ve watched a handful of your videos now. Holy hell, these are fantastic. I have seen a ton of educational privacy content, but your channel is hands down the best, and criminally under subscribed. Somehow you perfectly thread the needle, being able to conceptualize ideas for the privacy and security hobbyist like myself in an easy to understand package. Please keep up the good work Naomi and team. You have yourself a viewer for life. Cheers!
Thanks for watching!
@@NaomiBrockwellTV Hi Naomi, If I use TOR would that be the same or better than DNS encryption?
Well you believe this sht then I got free property in Hawaii . A DNS is a portal. And you all have no clue wtf a DNS means. I got cotton candy children.
I am so incredibly happy that I have just found your platform/channel. This is the information that I have been trying to find for the past few months. I had always known that internet data was collected but I've only recently found out how intrusive it really is. Thank you so very much for your clear presentations. They are full of facts and the answers to my questions. As the narration is going on, a question forms in my mind and is almost immediately answered as if almost telepathically, lol. It's very obvious how much effort goes into a high-quality production like this given it's forward thinking. The person/people/team responsible for this extremely well executed presentation is one of the finest I have ever seen. I say that because I have never tried to find a true favorite yet but I see no reason why this wouldn't be a contender for the best. I say this as completely unbiased even though I have had an attraction to red since I was 2 years old, lol. Thanks again, I will be absorbing all the knowledge that I can from your productions. I wish you good luck during the turbulent economy that is looming over us and will likely last a decade or so.
Not everything on this channel is correct. Don’t believe things just because they are on UA-cam.
@@StrummerDaveso what's not correct? Care to enlighten the rest of us what this channel is giving misinformation
Yes, I’d have to agree with the others @Naomi you stand out as one of the best educational UA-camrs for me! Your depth of coverage on these topics is amazing considering how entertaining and digestible you manage to make them. Thank you for putting out content that raises the bar on all fronts. :)
I really appreciate your kind words!
You deserve the kind words. I've learned so much from you extremely detailed videos. ❤ another fantastic video
just ask her out already jeez
@@NaomiBrockwellTVHey Naiomi. Don't mean to hijack the thread...have you heard of 4freedom mobile? Supposedly a privacy focussed mobile service provider which works in Australia, apparently. Do you know much about it?
All my data is saved and logged in physical memory inside the server that inside the room of isp when they need it just memory and some tools the to see everything I did from the day I subscribed until now
In the other side vpn and some step can help you to stay away from hackers and company, website ets... anything away from isp because the isp is the hub where my traffic gose and come from 🤭
Stumbled across your channel recently after watching some videos on privacy. I'm now on a binge sesh of your vids. Even watched 2 of your conferences. Really good content. Subed after the 1st video.
Thanks for your support!
PFSense is increasingly focusing on its proprietary commercial PFSense+ product, at the expense of the open source Community Edition. CE is updated far less frequently than PFS+ and doesn't receive a lot of the features of the commercial product. I moved to OPNSense last year for this reason. It's open source and actively developed, so it's likely to be a much better product over the longer term.
Well for home use PF+ is free and the license is not expensive considering the cost of hardware or VM. Not sure what you mean by proprietary either. I had ongoing DNS issues a couple of years back on CE but my device has been stable and with + for home it's an advantage. Either solutions are better than an off the shelf solution at walmart or best buy.
Thank you once again Naomi. That was really informative and I'll need to watch this several times to get my head around this!!
This is a great mix of technical knowledge and "street level" accessibility> Very impressive!
Excellent information again Naomi! Thank you
I don't know if anyone has mentioned it already, but even with DoH (DNS over HTTPS), DoT (DNS over TLS) the TLS ClientHello packet is *not* encrypted, and yet they contain the domain you want to access. Not a whole lot of DPI (Deep Packet Inspection) needs to be done to guess where that particular user is going to, regardless of the upstream DNS server used... _(let's forget about DPI though, keep the talk on DNS)_
TLS 1.3 has an extension, ESNI (Encrypted Server Name Indication), so if employed as long as queries to the resolvers are done through encrypted DNS protocols (by the way, how come DNSCrypt wasn't mentioned? I think all of Quad9's servers support it too and there's at least a plugin for those using unbound :). ESNI alone wouldn't do much when used with the traditional DNS protocols, ECH (Encrypted ClientHello) would though! The ClientHello packet would be encrypted, but I haven't seen many (servers and clients, meaning not only OSes but also apps) support it, but I think it hasn't passed the draft stage yet, it is to be another TLS extension (so DoH, DoT would benefit). When do we get support for it across the board, even as experimental?
even with DoH, while domain destination is encrypted BUT the provider still could identity IP of server we are connecting, and from them they could simply associating it with some service or some website.
Was looking for this comment without having seen the vid yet.
@@marhensaThat! You need a provider or proxy you can trust, not only with DNS.
@@sourcebased yes that, also it's possible to host your own VPN server on VPS provider you can trust. even that VPS provider still could identify what IP you are connecting via VPN. using VPN and then browsing with ToR is for me the safest for now, but it will slows down the internet connection by a lot. but we don't need that extra privacy and security everyday, so it's just an occassional thing.
@@marhensa Yes, I was talking only about that practical everyday usage. If you need a higher level of anonymity, using Tor is the least indeed. Best used with Tails and changing hardware and location. I am glad that I don’t really need this in practical terms but I am aware that my internet usage is an open book to my provider and some players on the state services level, as well as my OS and hardware vendors to some degree. I just try to be conscious and selective with who could spy on me and what for.
DNS is key, and I think you covered this topic with the perfect amount of details. Just enough to get the point across, without bogging it down with the details.
I would add PiHole or some other ad-blocker to your series of videos on this topic, where every webpage you load, there's no telling how many different servers that you make DNS requests for. Each frame, each advertisment, each Third-Party cookie you download is a website that can see your traffic and that you visited that particular website.
By pointing those rogue DNS requests to a sinkhole, you protect yourself from some of the other types of tracking that happens as you visit websites.
I would suggest AdGuardHome on a raspberrypi. It has everything built in and ready to go with just two commands to set it up, it also updates from the web interface, so no messing about with SSH. You set it up and it works.
It already has DoH DNS over HTTPS built in unlike PiHole and does not need various modules or bits added on - plus it is far more stable and you can set and forget. AGH is far more stable than pihole and programming is far better, plus they fix any faults - you don't get arrogant people on a forum who don't know how to do things.
The other handy thing is AGH does not have the many faults of PiHole. One fault PiHole has is chewing up SD cards by continuous writing to them. This makes systems fail regularly because of poor programming. There are various fixes and commands to use on PiHole and bits to add on, then procedures to update, but do people really want an unfinished product being trusted with their data?
AdGuardHome is what PiHole wanted to be!
Can you elaborate a bit on how that works?
What's the "perfect amount" of details? Information isn't a spice, u know? What I hear u saying is she doesn't provide enough info; but since every comment only kisses Naomi's ass, ur fine with her leaving it out.
@@jeremymoon9088 they are all simps. If a bloke did the exact same video all these people would rage about how wrong and vague the info was. I have seen this exact thing on videos that had the same approximate scope. The only difference was a male presenter. Everyone raged
@funbucket09 u read my mind! I actually used the word "simp" when I typed that comment; but I edited it before I posted it, because I didn't want to trigger anyone. Have u ever seen Jay at Learn Linux TV interview her? He gets all nervous and wimpy, it's some top level simpin. It's amazing how the internet will give an average woman attention as if she were a super model
Thank you for this, Naomi!
You are welcome!
I really appreciate this video and the Quad9 tip. I set up DoH (DNS over HTTPS) in just a few minutes on my MikroTik router running routerOS. Also installed the Quad9 android app on my phone.
nice!
Avoid quad 9.
@@tacticalcenter8658 Why?
@@tacticalcenter8658Why? Any information would be appreciated.
@@tacticalcenter8658Why to avoid Quad9?
I've been on a security/privacy kick for a while now. This is something that I knew only 1 tiny bit about, but certainly not enough to make effective changes.
I'll be going through the process of seeing how to implement this on my IPFire / Pi-Hole setup. Worst case scenario, I have no issues with replacing IPFire with PFSense.
If the goal of this action is to limit your ISP from capturing your DNS queries then it is of very limited utility. Your ISP can simply do a reverse DNS lookup on the target IP address in the packets you send out once you received your name resolution from your encrypted DNS.
Indeed, it feels like an ad.
Yeah, you'd still want a VPN to hide that traffic.
great video! I haven't been thinking about DNS encryption but now is cristal clear that it is super easy to profile users by doing this. Will change to this setup. Thanks!
Clear, detailed, informative and user-friendly. Only home-made french toast with fruit toppings is tastier.
The poster thanking Snowden is enough to earn a sub
I find tip videos like these get more people in the line of fire. Have you ever heard of Reverse DNS look up? Or perhaps fingerprinting? They can easily see past this. ISP have also reported that they slow down users found doing this.
PFSense gives the user more control, but Pi-Hole lets you add Quad9 (IPv4 and v6) and enable DNSSEC all very easily (within settings, DNS tab).
I'd love to see some pfSense videos both on this topic and beyond.
Finally someone calling data, data instead of Daeta
Thank you. That's 2 great videos so far. I'm now subscribed and I just might see ya at DEFCON conference now that I know what it is.
Like your way to explain it make it very simple, well for me I have been using pihole and unbound for more than year and it simple to setup up
I'm not sure if this is a good fit for most users. PFSense seems to require purchases to get started and ongoing. The pitch seems to be directed to anyone including home users which is probably the majority of those watching this. Put another way, as a [retired] IT person, we would NEVER rely on sources like this for our information.
Even though Quad9 says they don't do anything with your data, how do they make money? I don't trust any of them no matter how secure they say they are.
According to their webpage they live on donations. Someone has to make money here. Where is their infrastructure located, who provides the servers/data centers?
Many have another income source
Well done, and so easy to understand. I know nothing about computers, but this was easy to follow. Thanks!
fantastic! just subscribed without thinking. love the content
Thanks and welcome!
what basic DNS encryption (from both the client and service side) does is that one at least can be somewhat confident that the data is actually correct and not spoofed. The DNS client code of all widespread OSes (even Windows!) have supported it for quite a long time. That many applications don't make use of it is a different matter. All current widely used nameservers (BIND, NSD, PowerDNS, KNOT,...) comes supporting it by default. Setting it up can be challenging if it's your first time, but it is worth it.
All of this is pointless if you connect to a secure site and negotiate the certificate using SNI (which is pretty much every website), anybody can see the exact information you'd request via DNS in clear text. This kind of snooping is less common than using DNS data, though.
Any way to prevent this?
@@PSL1969 ESNI, extension in TLS 1.3, or even better ECH (Encrypted ClientHello) where that packet of TLS is fully encrypted, but there isn't much support for either that I know of. ECH is to be an extension to TLS (has it made it already?) so _as long as_ the connection to the server is done over TLS 1.x (being x the one supporting it) you'd be golden, but it'd require the browser, for example, to also know about it.
I believe AdGuard (client app, not the browser extension) recently launched a version enabling ECH throughout, but I have yet to see how it behaves.
@@PSL1969 The rest of us used ESNI for years! Encrypted, it was a setting in Firefox for ages. There is a modified version of this in modern browsers now called something else. ECH. A sort of "encrypted hello"!
OK, we can encrypt our DNS queries. But all DNS servers belong to either ISPs, private entities (Google for example) etc. So at the end our DNS queries will still end up with one or the other DNS service provider.
You put a lot of effort into masking and encrypting the request of a certain domain... and next you ask your ISP to connect you to a certain IP, that they can easily pin to the initial domain you were hiding.
Good info as usual but what is the relationship of this privacy method to that of using a VPN. Can this be used instead of a VPN, in conjunction with a VPN or does using either/or still provide a similar level of privacy? Your videos are awesome!
Usually when you use a VPN the VPN provider is handling your DNS. But if you have any other devices on your network like IoT devices, phones that don't have a vpn, etc, then changing your DNS settings is still a big help!
@@NaomiBrockwellTV Thank you!
Also, remember that most VPN providers are not as secure as they claim and most will happily give away data if asked by a government agency or police.
From what little research I have made Mullvad VPN seems to be one of the better ones but please do your own research.
@@alfepalfe Mullvad seems very good
@@alfepalfe Sorry to pilled up but still in doubts regarding OP question: If you do not trust your VPN provider is it technically possible to use both this amazing and simple method as shown in the video + A VPN ? (Let's say i'm stuck for 2 years with a Nord membership multi devices plan ? Would it make any sense or simply work to Change my DNS before Data's connect to a one of Nord's Node ? Or it works the other way around in this case i get it and have to choose one or the other....👍
Awesome videos👍, fantastic channel🙏
Since i've discovered it i'm bingeing it like a maniac but the 🐇 hole 🕳️ is Deep...
The more i'm learning, the more questions and complex you discover how hard it became to preserve your privacy or just encrypt your clouds data's, photos, email, Google Photo's face recognition and Metadata's usage is freaking me out😱. Govs don't even need anymore datas for their CBDS's Digital ID's we've been face scanned and analysed for years 😤🤦🏻♂️They crosscheck with others services from Google Ecosystem and even third party. Feels like an endless work even migrating on Linux, and assuming Google Drive or Dropbox, all cloud storage companies, really delete your datas if you terminate/delete your accounts, or encrypt on Local using an offline open source file encryptor and re-synch the encrypted content. And even by doing that you may trigger attention and have no proof and they wont retain your non end to end encrypted re-synched or deleted data's🤦🏻♂️🤬👨💻. Who knows what is their real retention time if any ?
It's really full-time job! 🤯🛂🧿👩💻🏦🕳️
Very nice video Naomi and very very well presented, Thank you!
Hi Naomi. Thank you again for a great educational video. I recently fired MS Win 11 and migrated to Fedora Silverblue for privacy reasons... DNS LEAKS are a NO GO... so I will update DNS settings tomorrow with the help of a Linux freelancer. Thank you much. 👍
OK... Can I use WinRar to encrypt my IP address?
@@Alfred-Neuman yes
@@funbucket09
Too late, I downloaded WinZip instead but I'm not too sure how it works. Is it encrypting the IP automatically?
@@Alfred-Neuman WinZip is good too. I forgot about the automatic IP encrypt feature. WinRAR doesn't actually have that. You have to set it up manually. So WinZip is better. Good choice.
Truly empowering. This lady deserves our support in every form and fashion.
Love your ending song. Sure it's gonna be a huge summer hit ;p Excellent content as always. Love you Naomi 😍
I tried to do this on my pfSense install and then I couldn’t get web pages to load. Eventually, I discovered you also have to uncheck “Enable DNSSEC Support” for this to work. After that, I had no problems. I hope this helps!
Can u do me a favor sir 🙏? Can you let me know if you can see my comments on here? I don't understand other than being shadow banned, (which they say isn't real) as to why whenever I comment something, that is probably important to this dns subject, not one person says anything , I would really appreciate it. I have made 3 comments , 2 comments 12 days ago, and one a few mins ago.
@@omega.Networx yes
UA-cam mixes up the comments. It's very difficult to find anything you have commented on as it gets burried quickly. Even when they send you an email you can't get back to the original comment.
It's a crappy system.
Unsure if you've ever covered it before, but should we be concerned about AdBlock Plus and uBlock Origin when it comes to privacy and security?
I know this is old. I'm thinking you found your answer but if you didn't. I'd like to try to help, I'd use uBlock Origin. It's the one I use it's 100% open source, and I looked through I haven't found anything wrong. uBlock is 100% safe though for sure (example what it does, blocks javascripts from a server (googles) and returns null; instead of a value. The other thing is it just blocks HTML elements). This is why they hate the F12 button, lol.
P.S. If any other extention has a blocker in it, like I use watchmaker it has one. Make sure to turn that off, it's not a security thing; it will just make videos not load.
Much Love and Respect
Wouldn’t a VPN negate the need for this?
A vpn is just using some else's network so all traffic including dns would just go through the VPN provider. These major vpn companies sells data and will just release all the info they have on you to the government if asked as well.
At the moment I'm using Technitium DNS in a docker container, but yeah. The fact that it's just communicating unencrypted with upstream authoritative servers is a concern to me. I don't have a pfsense router at the moment, so I'll likely have to deal with configuring unbound directly. I don't want to give up having a DNS resolve my local home lab addresses, so I'll figure out unbound.
Most of this is over my head but still interests me. I have Quad9 set on my router and I'm hoping this helps within my home network.
In simple terms what the video is about is the confidentiality of the DNS protocol itself (there is none, because it goes in the clear) and what to do about it, hence the suggestion to use an encrypted DNS protocol (DoH, DoT, DNSCrypt) instead of the traditional one. Switching to using Quad9 in your router instead of the ISP set servers (I suppose) doesn't really help in that regard I'm afraid, unless your router is using any of those protocols.
It does, however, help if your ISP were doing some sort of filtering through their DNS servers, plus, the default DNS servers for Quad9 offer some threat protection at that level by denying connections to known malicious domains.
Everything I don't want my ISP to know, I just do via Tor. But this is also interesting to reduce the information that my ISP can collect.
I wonder why Cloudflare wasn't mentioned, they seem to get good reviews especially on the privacy front. Even Mozilla trusts them to use them as the default DNS server in Firefox.
Spread more awareness world wide. Thank you Naomi.
Naomi has one of the best channels on UA-cam hands down. I'm following her for a few months now, along with 2 other tech and privacy oriented channels, and am absolutely in love with this material. As a total newbie, I'm slowly learning so much! Thanks, @NaomiBrockwellTV !
Thanks so much for watching!
"NBTV" should make a video collab ft. "The Hated One".
We will never be sure if it saves if DNS is not encrypted. Quad9 is sponsoring this video and says there are not looking in your traffic, what is there benefit to move all traffic to them ask your self? But one Positive site on this is that their headquarters are in Swiss. Anyway nice video
2:45 i just want to point out that in the UK it is a legal requirement that isp's snoop your DNS traffic in order to enact blocking of p2p sharing sites. If you live in the UK, you need to manually set your DNS server ip's in your router to a service that supports DoH and malicious site blocking
4:45 this is why you don;t use unbound and you run another machine behind the pfsense box that can run an encrypted resolver (and now we are getting into territory where some basic IT qualifications would be nice)
Likewise, OpenWrt can be used as well as pfsense and OpenSense.
Why can't you just use a VPN? I couldn't even figure out how to install Unbound
Wouldn’t the ISP know the sites you visit by reversing the DNS process given they can see the IP addresses?
The ISP can't see the IP address you're visiting if you use a VPN
Most websites are hosted on IP addresses that host lots of other websites, so no, but SNI would still reveal where you're going. VPN solves this but then the VPN can see that.
Her skin is so wonderfully *white* ! I bet brown hair would really set off such white skin - beautifully.
Amazing video thank you for the explanations and looking forward to follow up video!
So I used to work for an ISP. The thing is every time you access a web page you can be resolving anything from 1 to dozens of various sites. The main site, sub, advertising, provider (Amazon, Microsoft, Apple…)
Multiply that with thousands of users, the flow of data is significant.
You’re not that interesting.
Until you are.
DNS queries do not contain the complete URL of a request. They only contain the FQDN. Even if you run your own resolver, the ISP can still see where you are browsing by doing a reverse lookup on the destination IP of the request. If the request is not encrypted, the ISP will be able to see the entire URL. Luckily, most requests are encrypted.
That said, Server Name Indication is always in clear and can leak information.
DNS, DNS, does whatever a DNS does. Can he swing from a web, no he can't he's a pig. He is a spider pig. - Homer Simpson
Its called "SECURITY THROUGH OBSCURITY" Nice work
Whoa you guys are very underrated!
My ISP has embedded DNS so i don't have the option to change it in the modem and it makes me furious.
I'm trying to do a big project and changing the dns server is one of the steps and it is truly frustrating.
So my plan is to install Pfsense on my Proxmox & from there i will manipulate the modem into bridge mode...
If this does not work you guys have any advice? I subscribed :)
Thanks for the info drop Naomi!
Doesn't Tor already obfuscate everything like this?
Thanks, Naomi!
I swear this channel is a honeypot
Why ?
11:30 Lol...
Yes, Ma'am; It's a wonderful song.
It's going to be stuck in my head all day...😀
Great video thanks
Love you Naomi❤🙏
Great information, especially for someone just getting into networking.
How about those that don't have pfSense routers, how can I enable DNS quad9 in an Asus Router? Update: Asus routers come with those DNS settings and I've already changed to quad9 DNS' settings! Thanks a lot!
Not only does this provide a false sense of security, because the destination IP address is still visible to the ISP, but you also trade one entity (ISP) for another (random DNS provider) logging your traffic.
It doesn’s say sponsored video but it also doesn’t say, if you catch my drift. We need to check our ISP’s contract for snooping, but using this random DNS is also without any terms? Swiss, so it is safe? No product is just free. I’m pretty sure this company paid her to do this bit. Totally agree on false security, like your ISP doesn’t have the means to check. By the way, I work as consultant for a telco and GDPR laws are extreme, we can’t collect and sell anything from subscribers. DPI is not even allowed, because of net neutrality.
What a fantastic video, you earned this sub.
Grazie!
Thank you to Naomi Brockwell, John Todd and all the NBTV team!
One small question:
After switching to quad9 is there a way to know that the switch is indeed working?
Like a linux terminal command... I could even settle for windows cmd command. Wishing you a nice evening!
This is great information as usual, and you always beautiful Naomi, if I could I would hire you with no hesitation.
Thank you once again for all your wonderful work!
Naomi is pure excellence.
EDIT: To Clear up something: I am "NOT" basing the video at all. I liked the video, it was produced great as always, below is just my thoughts. Not bad at the video. I hope I'm making sense, opening peoples minds to conversation on things? Is that the way to say it?
Here is why all this stuff is pointless. Start at problem. (Us). Our computer -> Our Router -> Our Modem -> Their sub station -> everywhere else your cloudflare all that.
This is a 'false' since of security; like a front door made of glass with a deadbolt on it and you think it has you covered. It don't.
Proof in pudding, check your IP's config and all before and after and not just literally your IP. Look at the packets, we change nothing and it goes to the "ISP" Before any other DNS can grab it. Other wise you would have "hacked" free internet somehow, just think about it. If you don't have to go through the ISP and get online why would you? See pipe dream..
I am sorry, Naomi, but this time you really have me stumped. Are you saying that in order to have privacy on our DNS lookups, we need to setup a separate firewall server somewhere on our local network, install pFSense on it, then install Unbound on that, and the somehow set all of our devices, browsers, and such to use this Unbound and pfSense firewall server for our DNS searches?
I think this is probably a non-starter for most people.
And then encrypted dns is send to the one of the most spoofing/tracking firm on this planet where they can read it as unencrypted!, So really greate ideaa!
Great song at the end 😂
This video gave me some serious deja vu.
My Asus RT-AX82U had all the configurations ready to go for this
I don't for a minute presume that internet activity is private. Why would that be true, it must be paid for somehow? Still, I would jump right in and follow these instructions, except I have NO WAY
to verify what happens beyond my router. Doing this might just open the door even wider for those who are looking in. Or is there? That would be a good episode!
does tor protect you from this?
clear as mud
Naomi you are a boss!
ISPs have to follow strict regulations, if they get caught snooping on customers they'd get fined, maybe prosecuted or even shut down. No ISP with any sense is going to risk that. Unless your ISP is the Mafia, you're pretty safe.
Those regulations are often the issue though. For example the Government could block certain websites and track everyone who tries to access them. Rule 1 of security: trust nobody.
@@SanderEvers I'd actually trust my ISP more than I'd trust Google or Cloudfare to handle my DNS. For those that really want to lock it down there's recursive DNS.
You an even encrypt the requests themselves - you can use DNS over HTTPS (DoH) or DNS over TLS (DoT). This way nobody is able to see what pages you browse - not even your ISPs.
DNS-over-TLS ( DOT) are great but what about reverse ssh tunnels are kind of scary.
Thanks for the information 👍👍
What about those NOT using pfSense?
I like the song too ! Will I actually attempt all these security features? I dunno,
This is an excellent example of content that isn't served well by video presentation. What should be a few paragraphs on a page or two of text is definitely not worth waiting for the presentation to get to the meat of the matter.
Sigh. Not as easy as it sounds. Once you get your DNS reply, you go to the website that was just resolved by Quad9 or whoever you chose. Well, HTTPS will always show the name of the destination (SNI) in the clear. So your ISP, and whoever else can capture those packets, sees where you are going anyway. And while you were at it, you provided an ‘exclusive’ to a specific public company, to see what you were searching. And the result was provided to your computer by them, not by the authoritative DNS server for the zone in question (a Microsoft DNS server for that Microsoft site you are going to, for example). It’s been many years since I had a consumer router so not sure they can do this, but if they can be set to RESOLVE and not forward to a public company’s DNS, they would use root servers and ‘walk the tree’ down to the authoritative DNS server of the place you are going. There is a reason all these public companies are working so hard to provide ‘free’ services like encrypted DNS. (hopefully not a double post, got an error a few minutes ago).
Can u do me a favor 🙏? Can you let me know if you can see my comments on here? I don't understand other than being shadow banned as to why whenever I comment something, that is probably important to this subject, not one person says anything , I would really appreciate it. I have made 3 comments , 2 comments 12 days ago, and one a few mins ago.
I've been using quad or nextdns for several years now
First time I get around to this channel - I just get the idea that the "lady" talking is a computer generated image - that just the impression I'm getting looking at the image shadows, movement etc.
hah. Maybe one day.