Firefox secure DNS?

In article , Carlos E.R.
wrote:


Nope. Me and many people I know changed it for speed.

unless your dns is extremely slow, it's nothing you'll ever notice
since the time to connect and transfer data from whatever you're
connecting to will be the bottleneck.

Nope. The bottleneck was the modem. Even today, there are default DNS
servers out there that are slow to respond, so that replacing with a
local LAN server makes sense.

if it was slow enough to be noticeable, then it was misconfigured and
should not be used. that is also very rare.

No, it was not misconfigured on the client side. And no, it was not rare.

slow dns to where it's noticeable is very rare.

obviously, if something is misconfigured or otherwise not working
properly, people will switch to something that is, but that's not the
normal case.

On 6/3/2020 1:12 PM, Mayayana wrote:
As I heard it, FF is going to default to 1.1.1.1, which
seems to be reasonably reputable. The big factor
is that your ISP and other online entities can't see
the traffic. But if you really want it more private you
can use something like Unbound.

In other words, there's no reason to trust Mozilla or
Google. But trusting Mozilla with encrypted DNS is
probably better than doing it in the open and certainly
better than using Google. The best would be to use a
DNS resolver that encrypts but runs separately from the
browser, as a system service.

I've already rerouted everything in my own router configuration through
1.1.1.1 and Google DNS, so my ISP's DNS will never see any of my
requests from any of my devices inside my network. I don't need Mozilla
to decide for me where to route my DNS.

Yousuf Khan

In article , Yousuf Khan
wrote:

I've already rerouted everything in my own router configuration through
1.1.1.1 and Google DNS, so my ISP's DNS will never see any of my
requests from any of my devices inside my network. I don't need Mozilla
to decide for me where to route my DNS.

dns isn't encrypted, so yes they can see the queries, however, if you
use doh to cloudflare, then they won't be able to.

I don't think he's using anything as crude as an app running on his
device. I think he's running a VPN client in his router.

--
Brian Gregory (in England).

On 6/3/2020 5:11 PM, Stan Brown wrote:
On Wed, 3 Jun 2020 12:52:30 -0400, Yousuf Khan wrote:
I know that it seems ironic to trust anything provided by Google as safe
for privacy, but the Google DNS server is just a standard DNS server.
When you access it, you don't have to login to it, so there's no
identifiable information about you to access this server.

Well, there's your IP address, isn't there?

That's what the VPN is there for.

Yousuf Khan

In article , Yousuf Khan
wrote:

I know that it seems ironic to trust anything provided by Google as safe
for privacy, but the Google DNS server is just a standard DNS server.
When you access it, you don't have to login to it, so there's no
identifiable information about you to access this server.

Well, there's your IP address, isn't there?

That's what the VPN is there for.

that just means you have a different ip address than you otherwise
would have.

you're still trackable, and the ip address isn't even that important
anyway, since it often changes without a vpn.

On 6/3/2020 11:19 PM, nospam wrote:
In , Yousuf Khan
wrote:

Well, there's your IP address, isn't there?
That's what the VPN is there for.
that just means you have a different ip address than you otherwise
would have.

you're still trackable, and the ip address isn't even that important
anyway, since it often changes without a vpn.

Well if you're going to be going into that level of pedantry, then
nothing is secure, and everything is traceable. But the fact of the
matter is that between the VPN server and your IP address there is a
wall of encryption. Without breaking through that encryption, you can't
tell what the true IP address is behind the VPN. Also dozens of people
are using the same VPN IP address at the same time, there's no way to
tell which actual IP address is doing what through that VPN IP.

Yousuf Khan

On 04/06/2020 01.16, nospam wrote:
In article , Carlos E.R.
wrote:


Nope. Me and many people I know changed it for speed.

unless your dns is extremely slow, it's nothing you'll ever notice
since the time to connect and transfer data from whatever you're
connecting to will be the bottleneck.

Nope. The bottleneck was the modem. Even today, there are default DNS
servers out there that are slow to respond, so that replacing with a
local LAN server makes sense.

if it was slow enough to be noticeable, then it was misconfigured and
should not be used. that is also very rare.

No, it was not misconfigured on the client side. And no, it was not rare.

slow dns to where it's noticeable is very rare.

obviously, if something is misconfigured or otherwise not working
properly, people will switch to something that is, but that's not the
normal case.


As I demonstrated, response time was 0.1 second for openDNS.
This instant I tested google own server:

time host google.es 8.8.8.8
....
real 0m0.309s

That is 0.3 seconds to respond, and that is slow. It is just a fact. No
misconfiguration whatsoever.

With my own setup, I reduce that time between 3 and 20 times.

--
Cheers,
Carlos E.R.

In article , Yousuf Khan
wrote:

Well, there's your IP address, isn't there?
That's what the VPN is there for.
that just means you have a different ip address than you otherwise
would have.

you're still trackable, and the ip address isn't even that important
anyway, since it often changes without a vpn.

Well if you're going to be going into that level of pedantry, then
nothing is secure, and everything is traceable.

that's correct, and it's not pedantry. it's the reality of the modern
day internet.

But the fact of the
matter is that between the VPN server and your IP address there is a
wall of encryption.

all that means is that your isp can't see what you're doing.

the vpn provider is able to see what sites you're visiting and some of
them will track you and monetize that, notably free vpns.

the question becomes whom do you trust more, your isp or a random vpn
provider with a fancy website (which is trivial to set up) ?

Without breaking through that encryption, you can't
tell what the true IP address is behind the VPN.

there are ways to determine it without breaking encryption, but that
doesn't actually matter.

Also dozens of people
are using the same VPN IP address at the same time, there's no way to
tell which actual IP address is doing what through that VPN IP.

that also doesn't matter.

an ip address is not the only factor in tracking users.

in fact, it's fairly minor since an ip address can change as people
connect from different places, including work, home, school, public
wifi at a coffeeshop and via cellular on a mobile device.

also, isps usually provide dynamic ip addresses, and although the lease
time is typically long, it can (and eventually will) change.

there often are multiple people in a home or workplace, all connecting
via the same ip address but visiting different sites and tracked
separately. large businesses might have a block of ip addresses, but
that doesn't really change anything.

In article , Carlos E. R.
wrote:


That is 0.3 seconds to respond, and that is slow. It is just a fact. No
misconfiguration whatsoever.

it's slower than other dns servers, but in the grand scheme of things,
it's not going to be noticeable when the sites take much longer to
load.

for example, https://www.theverge.com takes a couple of seconds to
load (and i'm on a very high speed link). a difference of 300ms isn't
going to matter.

granted, theverge is among the slower sites, but not significantly so.
modern web sites have lots of graphics and javascript and do not render
immediately. even lightweight sites still have to send a fair amount of
data.

another example are file downloads. i just downloaded a file that took
about 20 seconds to complete. an extra 300ms would not be noticeable,
especially since it was downloading in the background.

On 6/3/20 7:23 PM, Yousuf Khan wrote:

[snip]

I've already rerouted everything in my own router configuration through
1.1.1.1 and Google DNS, so my ISP's DNS will never see any of my
requests from any of my devices inside my network. I don't need Mozilla
to decide for me where to route my DNS.

Â*Â*Â*Â*Yousuf Khan

I do that too. Also, the ISPs DNS does not return an error when it
should, it returns a junk page instead (with a mess in the address bar).

The ISP doesn't see your DNS requests, but it looks like that wouldn't
really matter since it DOES see the page requests.

--
Mark Lloyd
http://notstupid.us/

"I know I believe in nothing but it is my nothing"

In article , Mark Lloyd
wrote:

Also, the ISPs DNS does not return an error when it
should, it returns a junk page instead (with a mess in the address bar).

which is in technically not allowed.

On 04/06/2020 15.22, nospam wrote:
In article , Carlos E. R.
wrote:


That is 0.3 seconds to respond, and that is slow. It is just a fact. No
misconfiguration whatsoever.

it's slower than other dns servers, but in the grand scheme of things,
it's not going to be noticeable when the sites take much longer to
load.

for example, https://www.theverge.com takes a couple of seconds to
load (and i'm on a very high speed link). a difference of 300ms isn't
going to matter.

It matters when you consider that loading a page may mean connecting to
a hundred different hosts. The point is, many of us in a position to
create and use our own DNS server did so, and I know because I helped
many to do so. To us, the issue was speed, not security - google was not
even known at the time.

Today it matters less, but to us it still matters, and we still create
our DNS server, or at least, a cache server. This minute I am at a
remote place connected via thetering to a phone that doesn't even get
4G, so it is slow and it matters those tiny bits I can squeeze.

The point is, don't assume that the only reason for not using default
DNS servers is security. Or rather, privacy. There are other reasons to
other people.

granted, theverge is among the slower sites, but not significantly so.
modern web sites have lots of graphics and javascript and do not render
immediately. even lightweight sites still have to send a fair amount of
data.

another example are file downloads. i just downloaded a file that took
about 20 seconds to complete. an extra 300ms would not be noticeable,
especially since it was downloading in the background.

Of course.


--
Cheers,
Carlos E.R.

On 04/06/2020 18.16, nospam wrote:
In article , Mark Lloyd
wrote:

Also, the ISPs DNS does not return an error when it
should, it returns a junk page instead (with a mess in the address bar).

which is in technically not allowed.

It is broken. Disgusting practice. Creates havoc with other services
that are not html, which try to connect, say, to the wrong IMAP server
and not knowing about the error.

Change DNS provider.


--
Cheers,
Carlos E.R.

On 6/4/2020 12:10 PM, Mark Lloyd wrote:
On 6/3/20 7:23 PM, Yousuf Khan wrote:

[snip]

I've already rerouted everything in my own router configuration
through 1.1.1.1 and Google DNS, so my ISP's DNS will never see any of
my requests from any of my devices inside my network. I don't need
Mozilla to decide for me where to route my DNS.

Â*Â*Â*Â*Â*Yousuf Khan

I do that too. Also, the ISPs DNS does not return an error when it
should, it returns a junk page instead (with a mess in the address bar).

The ISP doesn't see your DNS requests, but it looks like that wouldn't
really matter since it DOES see the page requests.

Again, as I've said elsewhere, it won't even see the page requests, as I
am using a VPN most times. I let it see the page requests, if I decide
to purposefully bring down the VPN, but that's about it. I would only do
that because a few sites are getting wise to VPN's, and they block VPN's.

Yousuf Khan