Firefox secure DNS?

On 6/3/2020 6:53 AM, Neil wrote:
Your VPN is unrelated to the DNS question you raised because a VPN still
uses the same DNS.

Well no, it is completely related, as that's the point of the question.
Mozilla is offering to automatically change your DNS requests to a
totally separate provider than the one you have chosen, or been default
provided through your ISP. The question is how can you trust the DNS
providers that Mozilla is routing your DNS through?

There is no way for the end user to know whether a DNS provider will
track and sell your usage, but I can't imagine a more likely
organization to do such a thing than Google. If you're comfortable with
their DNS, don't worry about others! ;-)

I know that it seems ironic to trust anything provided by Google as safe
for privacy, but the Google DNS server is just a standard DNS server.
When you access it, you don't have to login to it, so there's no
identifiable information about you to access this server. Its basic
simplicity is what makes it safe for privacy. The VPN adds another layer
of abstraction that hides your identity even further.

Whereas with this Mozilla scheme, Mozilla is privy to all kinds of
private information about you, through its Firefox browser. I mean it
has to know all of this information about you, just to operate properly
when browsing the Internet. Through an encrypted connection to DNS,
which is not a standard way of accessing DNS, who knows how much other
information it is sending through along with just the basic DNS
requests? You can encrypt almost anything you want through an HTTPS
system, and there's no way for you to find out how much is actually
being sent.

Yousuf Khan

In article , Yousuf Khan
wrote:

Once, you have a VPN, everything goes through the VPN. The VPN becomes
your default router. Just like everything goes through a regular default
router, including DNS, a VPN default router will also route DNS calls.
not always. dns can sometimes leak, or the vpn can be set up for split
tunneling.

Well, split routing is for internal VPN setups, for example when you use
a VPN to access resources at your office from home. External VPN's are
just default routers.

or when you want an outside vpn for only some traffic.

As for DNS leaking, I suppose certain ISP's can setup a special private
LAN for all of its customers, through which they can access their DNS
through a non-routeable private IP. The private IP LAN is a special
route which can't be rerouted by the VPN default routes. But I've never
seen any ISP using a private IP to access their DNS servers, they always
provide externally routeable IP's for their DNS.

dns leaks are more common than you might think.

https://en.wikipedia.org/wiki/DNS_leak
Using a VPN client which sends DNS requests over the VPN. Not all
VPN apps will successfully plug DNS leaks, as it was found in a study
by the Commonwealth Scientific and Industrial Research Organisation
in 2016 when they carried an in-depth research called "An Analysis
of the Privacy and Security Risks of Android VPN Permission-enabled
Apps" and found that 84% of the 283 VPN applications on Google Play
Store that they tested did leak DNS requests.

83% is rather high.

test it he
https://www.dnsleaktest.com

"Yousuf Khan" wrote

| I know that it seems ironic to trust anything provided by Google as safe
| for privacy, but the Google DNS server is just a standard DNS server.
| When you access it, you don't have to login to it, so there's no
| identifiable information about you to access this server. Its basic
| simplicity is what makes it safe for privacy. The VPN adds another layer
| of abstraction that hides your identity even further.
|

That may be mostly true for you, if your VPN
is trustworthy. (Which is a whole other question.)
But the problem with google is universality. A lawsuit
was just filed against them for intruding on privacy
even when you choose to browse in "incognito" mode.
If you don't block numeroud Google domains like
googletagmanager, google fonts, google's jquery,
googleanalytics, doubleclick, and so on, Google is
spying on you at nearly every website you visit.That's
what the lawsuit is about. Google is tracking visitors
whether they see an ad or not. So if you use Google
for DNS it wouldn't be hard for them to match your
requests to their spyware web beacons. That may
even be partially feasible with VPN.

As I heard it, FF is going to default to 1.1.1.1, which
seems to be reasonably reputable. The big factor
is that your ISP and other online entities can't see
the traffic. But if you really want it more private you
can use something like Unbound.

In other words, there's no reason to trust Mozilla or
Google. But trusting Mozilla with encrypted DNS is
probably better than doing it in the open and certainly
better than using Google. The best would be to use a
DNS resolver that encrypts but runs separately from the
browser, as a system service.

In article , Yousuf Khan
wrote:

I know that it seems ironic to trust anything provided by Google as safe
for privacy, but the Google DNS server is just a standard DNS server.
When you access it, you don't have to login to it, so there's no
identifiable information about you to access this server.

except for your ip address, which can easily be linked back to any
other connections you make to google properties from the same ip
address.

Its basic
simplicity is what makes it safe for privacy. The VPN adds another layer
of abstraction that hides your identity even further.

that depends on the vpn provider.

vpn providers can see every connection you make.

they can claim 'no logging' but there's no way to prove that.

some vpns actively data mine and push ads, as do isps.

the question is whom do you trust more, your isp or the vpn provider?

In article , Mayayana
wrote:

| I know that it seems ironic to trust anything provided by Google as safe
| for privacy, but the Google DNS server is just a standard DNS server.
| When you access it, you don't have to login to it, so there's no
| identifiable information about you to access this server. Its basic
| simplicity is what makes it safe for privacy. The VPN adds another layer
| of abstraction that hides your identity even further.
|

That may be mostly true for you, if your VPN
is trustworthy. (Which is a whole other question.)
But the problem with google is universality. A lawsuit
was just filed against them for intruding on privacy
even when you choose to browse in "incognito" mode.

filed by lawyers who cannot read basic english.

on the right side of the splash page:
https://cdn.mos.cms.futurecdn.net/PzeeRrkgVviqrJcDpGfzj7-970-80.png
Your activity *might* *still* *be* *visible* to:
€*Websites you visit
€ Your employer or school
€ Your internet service provider

incognito mode does *not* mean total anonymity, something that is well
understood by those who use it.

it only means various things are not saved locally on your computer,
including history, cookies and forms.

On 02/06/2020 15.15, nospam wrote:
In article , Neil
wrote:

On 6/2/2020 8:11 AM, Yousuf Khan wrote:
https://support.mozilla.org/en-US/kb...dns-over-https

Would you trust this? It seems like it's just randomly ignoring your own
DNS server and choosing its own!


I'm not sure what you mean by "...your own DNS server...", but there is
not much of a way that one can evaluate the "security" of a DNS server
anyway. Most users don't change the DNS server that is "chosen" by their
ISP, and the relatively few that select a different DNS server aren't
likely choosing it on the basis of security.

just about everyone who changes dns servers does so for security,
mostly because they don't want their isp monitoring and tracking them
as well as be stuck using a dns server that is non-compliant and shows
ads.

Nope. Me and many people I know changed it for speed.

--
Cheers, Carlos.

In article , Carlos E.R.
wrote:

I'm not sure what you mean by "...your own DNS server...", but there is
not much of a way that one can evaluate the "security" of a DNS server
anyway. Most users don't change the DNS server that is "chosen" by their
ISP, and the relatively few that select a different DNS server aren't
likely choosing it on the basis of security.

just about everyone who changes dns servers does so for security,
mostly because they don't want their isp monitoring and tracking them
as well as be stuck using a dns server that is non-compliant and shows
ads.

Nope. Me and many people I know changed it for speed.

unless your dns is extremely slow, it's nothing you'll ever notice
since the time to connect and transfer data from whatever you're
connecting to will be the bottleneck.

On 6/3/2020 12:52 PM, Yousuf Khan wrote:
On 6/3/2020 6:53 AM, Neil wrote:
There is no way for the end user to know whether a DNS provider will
track and sell your usage, but I can't imagine a more likely
organization to do such a thing than Google. If you're comfortable
with their DNS, don't worry about others! ;-)

I know that it seems ironic to trust anything provided by Google as safe
for privacy, but the Google DNS server is just a standard DNS server.
When you access it, you don't have to login to it, so there's no
identifiable information about you to access this server. Its basic
simplicity is what makes it safe for privacy. The VPN adds another layer
of abstraction that hides your identity even further.

I would suggest that you look into how one can be tracked on the web.
Unless you spoof your IP address and other aspects, your web history can
be saved and sold.

--
best regards,

Neil

On 03/06/2020 20.49, nospam wrote:
In article , Carlos E.R.
wrote:

I'm not sure what you mean by "...your own DNS server...", but there is
not much of a way that one can evaluate the "security" of a DNS server
anyway. Most users don't change the DNS server that is "chosen" by their
ISP, and the relatively few that select a different DNS server aren't
likely choosing it on the basis of security.

just about everyone who changes dns servers does so for security,
mostly because they don't want their isp monitoring and tracking them
as well as be stuck using a dns server that is non-compliant and shows
ads.

Nope. Me and many people I know changed it for speed.

unless your dns is extremely slow, it's nothing you'll ever notice
since the time to connect and transfer data from whatever you're
connecting to will be the bottleneck.

Nope. The bottleneck was the modem. Even today, there are default DNS
servers out there that are slow to respond, so that replacing with a
local LAN server makes sense.


--
Cheers, Carlos.

In article , Neil
wrote:

I know that it seems ironic to trust anything provided by Google as safe
for privacy, but the Google DNS server is just a standard DNS server.
When you access it, you don't have to login to it, so there's no
identifiable information about you to access this server. Its basic
simplicity is what makes it safe for privacy. The VPN adds another layer
of abstraction that hides your identity even further.

I would suggest that you look into how one can be tracked on the web.
Unless you spoof your IP address and other aspects, your web history can
be saved and sold.

and even then.

In article , Carlos E.R.
wrote:

I'm not sure what you mean by "...your own DNS server...", but there is
not much of a way that one can evaluate the "security" of a DNS server
anyway. Most users don't change the DNS server that is "chosen" by their
ISP, and the relatively few that select a different DNS server aren't
likely choosing it on the basis of security.

just about everyone who changes dns servers does so for security,
mostly because they don't want their isp monitoring and tracking them
as well as be stuck using a dns server that is non-compliant and shows
ads.

Nope. Me and many people I know changed it for speed.

unless your dns is extremely slow, it's nothing you'll ever notice
since the time to connect and transfer data from whatever you're
connecting to will be the bottleneck.

Nope. The bottleneck was the modem. Even today, there are default DNS
servers out there that are slow to respond, so that replacing with a
local LAN server makes sense.

if it was slow enough to be noticeable, then it was misconfigured and
should not be used. that is also very rare.

On 03/06/2020 22.43, nospam wrote:
In article , Carlos E.R.
wrote:

I'm not sure what you mean by "...your own DNS server...", but there is
not much of a way that one can evaluate the "security" of a DNS server
anyway. Most users don't change the DNS server that is "chosen" by their
ISP, and the relatively few that select a different DNS server aren't
likely choosing it on the basis of security.

just about everyone who changes dns servers does so for security,
mostly because they don't want their isp monitoring and tracking them
as well as be stuck using a dns server that is non-compliant and shows
ads.

Nope. Me and many people I know changed it for speed.

unless your dns is extremely slow, it's nothing you'll ever notice
since the time to connect and transfer data from whatever you're
connecting to will be the bottleneck.

Nope. The bottleneck was the modem. Even today, there are default DNS
servers out there that are slow to respond, so that replacing with a
local LAN server makes sense.

if it was slow enough to be noticeable, then it was misconfigured and
should not be used. that is also very rare.

No, it was not misconfigured on the client side. And no, it was not rare.

cer@Telcontar:~ time host google.es 208.67.222.222
....

Took 0m0,121s to solve. That's too much. That's opendns.com.



--
Cheers, Carlos.

On Wed, 3 Jun 2020 12:52:30 -0400, Yousuf Khan wrote:
I know that it seems ironic to trust anything provided by Google as safe
for privacy, but the Google DNS server is just a standard DNS server.
When you access it, you don't have to login to it, so there's no
identifiable information about you to access this server.

Well, there's your IP address, isn't there?

--
Stan Brown, Tehachapi, California, USA
https://BrownMath.com/
https://OakRoadSystems.com/
Shikata ga nai...

On 6/3/2020 1:04 PM, nospam wrote:
dns leaks are more common than you might think.

https://en.wikipedia.org/wiki/DNS_leak
Using a VPN client which sends DNS requests over the VPN. Not all
VPN apps will successfully plug DNS leaks, as it was found in a study
by the Commonwealth Scientific and Industrial Research Organisation
in 2016 when they carried an in-depth research called "An Analysis
of the Privacy and Security Risks of Android VPN Permission-enabled
Apps" and found that 84% of the 283 VPN applications on Google Play
Store that they tested did leak DNS requests.

83% is rather high.

As mentioned, I'm not using a split-tunnel VPN, those are specialty
cases. No DNS leaks are happening from my end, so let's get away from
this diversion.

Yousuf Khan

In article , Yousuf Khan
wrote:

dns leaks are more common than you might think.

https://en.wikipedia.org/wiki/DNS_leak
Using a VPN client which sends DNS requests over the VPN. Not all
VPN apps will successfully plug DNS leaks, as it was found in a study
by the Commonwealth Scientific and Industrial Research Organisation
in 2016 when they carried an in-depth research called "An Analysis
of the Privacy and Security Risks of Android VPN Permission-enabled
Apps" and found that 84% of the 283 VPN applications on Google Play
Store that they tested did leak DNS requests.

83% is rather high.

As mentioned, I'm not using a split-tunnel VPN, those are specialty
cases. No DNS leaks are happening from my end, so let's get away from
this diversion.

it's not a specialty case, nor is split tunneling required.

a *lot* of people leak dns without even realizing it. at 83% of sampled
apps, it's more common that not.

the fact that there are several web sites available to check it is
further proof.