Sunday, June 25, 2023

ISPs are notorious for collecting data about us and SELLING IT.

ISPs are notorious for collecting data about us and SELLING IT. Take a look at your ISP's Terms of Service. If it's not spelled out in big, clear, bold letters, like "WE ARE NOT USING YOUR DATA. WE WILL NEVER USE YOUR DNS DATA," they're probably using your DNS data. They could be building a profile of you from the websites you're browsing.

Even though most of your internet activity is encrypted once you connect to a website, DNS pokes a giant hole in this privacy. DNS stands for Domain Name System, and it acts as the phone book for the internet. Computers need IP addresses to communicate with each other; they don't actually understand names. So what DNS does is translate the names you're most familiar with, like www.quad9.net, into IP addresses.

The way DNS does this lookup is that you contact a series of different authoritative name servers and ask each one where to find a separate piece of the URL. Each one sends you to a new name server for the next bit of information you need, until finally you reach the authoritative name server responsible for maintaining the record of the IP address for the website you're trying to visit.

Although this process happens in milliseconds, it takes a lot of work to make all these queries, so typically your computer or phone outsources the task to what's called an upstream DNS recursive resolver. That resolver does these lookups for you, which means you're sending the resolver every URL you want to visit so that it can find the IP address for you.

We're going to let someone see all our internet activity by sending them our DNS requests.  

Well, whoever we're sending this to is trustworthy, right?

The guest's name is John Todd, General Manager of Quad9.

Everybody should be very aware where they are sending their DNS queries.  

Yeah, I bet most people actually have no idea who is handling these DNS requests for them, nor how they're using this data. Most people's DNS requests are handled, by default, by their ISP (internet service provider), and this is very bad, because ISPs are notorious for collecting data about us and selling it. Many people might already have a hunch that something like this is going on.

They sort of have a vague understanding that their ISP might be watching what they're doing.

But you should really take the time to find out the specifics: take a look at your ISP's terms of service.

If you ask the telephone book how to get to a certain website, it's kind of a given that's where you're going to be going, so they can build a profile even just based on the queries you're sending to the DNS recursive resolver.

And when critical infrastructure like ISPs get this information, you can bet that means governments get access to it.

If you are seen going to a site which is illegal or frowned upon, depending on what country you're in, that may be a risk to your freedom. There is more and more focus on it now as a method to determine what people are doing. It's not just observation: now it's actually being used as a method of control. Governments are starting to say, well, we're not going to allow certain DNS lookups to occur; they're actually blocking certain DNS lookups from happening, which should be very worrying to everybody.

So what can you do? One option is to use a DNS resolver that you run yourself instead of sending your DNS queries to someone else. As explained in previous videos, we recommend using the open source router software pfSense, and using a service inside pfSense called Unbound for your DNS resolution.

Unbound is a recursive resolver, so you have the ability to send out queries all over the internet to all of the various authoritative servers.

Essentially this means that you are bypassing your ISP's resolver entirely.

That's great: it means that you control your own DNS completely and there's no one else involved.

But there are two big downsides to this. First, the authoritative servers you are sending the requests directly to see who you are and what you're querying. Second, it's not possible to encrypt the connection from a recursive resolver to these authoritative servers, which means . . .

There's nothing that prevents anybody from sitting downstream from you and seeing what you're doing.

So running your own resolver and sending your unencrypted DNS queries directly to authoritative servers doesn't stop your ISP or snooping governments from seeing your activity. But there is a solution. It seems like we have to choose between outsourcing DNS queries to someone else or handling it all ourselves, but while only one DNS resolver will ultimately be used for each transaction, . . .

That's not to say that you can't stack them.

You could use both a local DNS resolver and an upstream resolver. So you'll set up Unbound as described, but . . .

You want to actually use it as a forwarder. Instead of Unbound doing all of this recursive work for you, it's going to forward the queries to the DNS servers you set in the general configuration options.

And the upstream DNS resolver you set to handle these forwarded queries will be a privacy-focused one. We like Quad9, and that's for a number of reasons. First, they are a non-profit based in Switzerland whose mission is to help make the internet safer and more private. Due to Swiss data protection laws, . . .

We can't sell or reuse or in any way divulge personal information about anybody. We've chosen a place that is extraordinarily strict to be housed in, to give you and users the assurance that we are doing what we say we're going to do, and that we're not actually storing their personal data or logging it or even looking at it.

Another big reason we like them is that they're one of the few DNS providers that allow client-side encryption. What does this mean? We already mentioned that a DNS resolver's connection with authoritative servers can't be encrypted, but it is possible to encrypt the connection from your device to an upstream DNS resolver like Quad9.

In the last couple of years, major encryption protocols have arisen. DNS over TLS was the first one that came out, and the other one is DNS over HTTPS. Most ISPs do not implement them.

But Quad9 does. 

We were actually the first major public resolver to offer standards-based encryption, and that means that all of the DNS transactions between those devices and our services cannot be observed by anybody sitting on the wire in the middle.

Encrypting this DNS traffic out of your devices is super important for stopping anyone, like your ISP, from being able to snoop on it, so using an upstream resolver like Quad9 has huge privacy benefits. Now, as mentioned, it's not possible to encrypt the second part of this journey, from Quad9 to the authoritative servers. So what Quad9 does is, once they receive your DNS query, . . .

We mix that query in with all the other millions of people that are making queries at that moment in time, and then we send that out in an unencrypted fashion to all the different authoritative servers on the internet, get answers, and give them back to you, so anybody observing, even past our system, can't tell what queries you're doing.
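As an added illustration of the two points made above (what an unencrypted query exposes, and what DNS over TLS changes), here is a small script that is not part of the original video or of Quad9's code. It encodes a DNS query by hand, shows the name an on-path observer can read straight out of a plaintext UDP/53 packet, and then sends the same query to Quad9 over TCP port 853 under TLS, verifying the server certificate against dns.quad9.net. The addresses and hostname are the ones the page gives; the function names and the transaction id are my own. Only `dot_query` needs network access; everything else runs offline.

```python
import socket
import ssl
import struct

# Values from the page: Quad9's resolver addresses and the TLS hostname.
QUAD9_ADDRS = ["9.9.9.9", "149.112.112.112", "2620:fe::fe"]
QUAD9_TLS_NAME = "dns.quad9.net"
DOT_PORT = 853  # DNS over TLS (RFC 7858)


def build_query(name, qtype=1, txid=0x1234):
    """Encode a minimal DNS query in RFC 1035 wire format.

    Header: ID, flags (RD=1, so a recursive resolver does the lookups for us),
    QDCOUNT=1; then one question: QNAME as length-prefixed labels, QTYPE, QCLASS=IN.
    The transaction id is a constructed constant for the example.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def sniff_qname(packet):
    """What anyone on the wire (your ISP, for instance) reads out of a plaintext
    query: the name sits in the clear right after the 12-byte header."""
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def frame_for_tcp(message):
    """DNS over TCP/TLS prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(name, addr="9.9.9.9", tls_name=QUAD9_TLS_NAME, timeout=5.0):
    """Send one query to a DoT resolver and return the raw DNS response.

    The default TLS context verifies the certificate chain against the system CA
    store and checks it for tls_name, which is also sent as SNI. That is the same
    IP-plus-hostname pairing the pfSense steps ask for. Needs network access.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((addr, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame_for_tcp(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def answer_count(response):
    """ANCOUNT from the response header: how many answer records came back."""
    return struct.unpack("!H", response[6:8])[0]


if __name__ == "__main__":
    query = build_query("www.quad9.net")
    print("a plaintext query leaks:", sniff_qname(query))
    for addr in QUAD9_ADDRS:
        try:
            print(addr, "answers:", answer_count(dot_query("www.quad9.net", addr)))
        except OSError as exc:
            print(addr, "unreachable:", exc)
```

The contrast is the point: `sniff_qname` needs no key or secret to recover the name from the UDP form, while the DoT form carries the same bytes inside a TLS session that an on-path observer sees only as a connection to port 853. If you want to confirm the pfSense setup later, the same check applies: after forwarding with TLS is enabled, no DNS name should be visible in traffic leaving the WAN interface on UDP/53.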

Now let's explain how to set all this up. It's actually a very simple process. First we'll give you a quick recap of how to set up Unbound on pfSense as your local resolver (if you want to dive deeper into pfSense, take a look at our previous video). Then we'll put Unbound into forwarding mode, point it to Quad9 as our upstream recursive resolver, and show you how to turn on encryption so that the connection between your device and Quad9 is private. So let's begin.

The first thing you need to do if you're on pfSense is enable your DNS resolver; that enables Unbound to start working on your pfSense box.

Go to Services and select DNS Resolver, and under the General Settings tab . . .

You're going to click on the box that says Enable DNS Resolver.

This sets Unbound to be your local DNS resolver. Now scroll down in the General DNS Resolver Options.

Network Interfaces should be All; Outgoing Network Interfaces should be WAN.

Now scroll down to where it says DNS Query Forwarding.

You definitely want DNS forwarding turned on.

We'll configure where to forward your DNS to in a moment.

Use SSL/TLS for outgoing DNS queries to forwarding servers: yes, you want to turn that on as well. That means encrypting the connection between Unbound and Quad9, so no one can see where you're going or what you're doing with DNS.

The rest of the settings you can leave at the default. We're going to publish an addendum to this video for a deeper dive into what each of these settings means, including the ones that we skipped, so that you can better understand some of your other pfSense capabilities. Now it's time to tell Unbound which upstream DNS resolver we want it to forward queries to.

You're going to then point Unbound to an external resolver such as Quad9. Go into the System settings, under General Setup, and there you're going to see the DNS Servers settings.

We are going to add three different DNS servers, all IP addresses belonging to Quad9. In the first field . . .

9.9.9.9, and then you'd add another one, 149.112.112.112, and then you've got another one if you have IPv6, and that's 2620:fe::fe.

Not every ISP offers IPv6 but you can add one anyway . . .

It's not something that will hurt, and it won't slow anything down, especially if you list it as the last one.

Then you'll have the host names:

Put dns.quad9.net, . . .

And put that next to each of the three DNS servers you've added. You may have another setting in there, which is the Gateway, which you can just leave as None, or if you don't have that option just ignore it. And that's it. Changing these DNS settings is a huge step in improving your online privacy. DNS requests can be a gold mine of information about our internet habits, preferences, and routines.
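To make the steps above concrete, here is what they amount to in Unbound's own configuration language. This is an added illustration, not the file pfSense writes (pfSense generates its unbound.conf from the GUI, so the exact output will differ); the listening addresses, the LAN range, the WAN address and the CA bundle path are assumptions for the example, while the Quad9 addresses, the port and the hostname dns.quad9.net are the values the page gives.

```conf
# Unbound in forwarding mode with Quad9 as the upstream resolver over DNS-over-TLS.
# Illustration only: pfSense builds its own unbound.conf from the settings in the GUI.

server:
    interface: 0.0.0.0                      # "All" network interfaces
    interface: ::0
    outgoing-interface: 203.0.113.10        # WAN address; placeholder (TEST-NET-3)
    access-control: 192.168.1.0/24 allow    # assumed LAN; only your own clients may query
    access-control: 0.0.0.0/0 refuse        # everyone else refused: not an open resolver
    tls-cert-bundle: "/etc/ssl/cert.pem"    # CA bundle used to verify the upstream's certificate; path varies by OS
    hide-identity: yes
    hide-version: yes

# Weak form, for contrast: forwarding without TLS still puts every name on the wire
# in clear text on UDP/53, where the ISP (or anyone on the path) reads it. Left commented out.
#forward-zone:
#    name: "."
#    forward-addr: 9.9.9.9

# Corrected form: forward everything ("." covers all zones) to Quad9 on port 853 under TLS,
# and check the server certificate against the hostname the page gives, dns.quad9.net.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net    # IPv6; harmless without IPv6 when listed last
```

The `@853` selects the DoT port and the `#dns.quad9.net` suffix is what ties the IP to the certificate name, which is the same pairing the pfSense General Setup page asks for when you enter a hostname beside each server. Without `tls-cert-bundle`, Unbound would encrypt the connection but could not verify who it is talking to, so keep both settings together. `unbound-checkconf` will report syntax errors before you restart the service.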

This is the last piece of data that is able to be observed.

And every piece of this data that we send across the internet can be collected and analyzed, and we don't know how it might be used in the future. But we do know that this DNS data is already being used by governments all over the world to monitor online activity, and it can be used for the censorship and targeting of dissidents, activists, persecuted minorities, you name it.

Governments are not just simply trying to observe what people are doing but they're trying to control it.

Protecting DNS privacy should be a part of everyone's online safety practices. We want to be able to navigate the internet safely and with the peace of mind that not everything we're doing is under constant surveillance. Better privacy online is achievable; you just have to learn how, and now that you know about DNS leaks, you are one big step further along. As always, we have no partnership with Quad9 or any other company; we just like to spread awareness of tools that we think will help people preserve their rights online. NBTV is actually a non-profit that is funded by community donations. If you'd like to support our free educational content, please visit nbtv.media/support. We also have a book titled Beginner's Introduction to Privacy that also supports our channel. Also, liking, sharing, and commenting on our videos really helps. Thank you so much for watching through till the end.
