post #51 of 51
Sorry all that I missed this thread back years ago...

First, it is not a question... NEVER USE YOUR ISP'S DNS. There are many reasons for this. To recap on a recent few:


ISPs have been tracking your DNS, the "urls" you type since well before 2001.

With the recent news about ISPs selling your data, guess where the majority of that data comes from? Your DNS queries (and some cleartext monitoring too). DNS is 100% reliable to track exactly what all websites are being accessed - in your entire household.

Doesn't matter if you are viewing HTTPS or not, the DNS lookup still tells them all they need.

Doesn't matter if you launch that Incognito mode of Chrome and type in that Porn site - your ISP knows you are there, and streamed videos and relays that information to whomever.


ISPs can take control of your browsing.

Have Comcrap and over your bandwidth limit? Get ready to "get served" pages that says you are over your limit. They take control over your DNS to change your queries to a server they control to display the message (over HTTPS). Non-HTTPs sites basically get that HTML injected text. (you can strip that too with tools like Privoxy).

Basically, this is exactly what a Man-in-the-Middle attack is - except, they do it to annoy you that you are over your bandwidth. I currently have a friend going through this this very month!


ISPs limit what sites, especially international sites, that gets resolved

This is a long-time beef of mine with Verizon FiOS, Comcrap and TimeWanker: none of them can resolve my wife's Japanese pages she visits.

I have had to switch to Google DNS or some other non-ISP DNS just to get to international sites in Russia, Japan and many EU countries. It's ridiculous.


Man-in-the-Middle Attacks - from the Govt

Now unless you are doing something illegal, this doesn't normally happen. But ISPs easily work with Govt agencies to redirect your DNS to similar servers they control. This requires a warrant and a lot of time. So if you are reading and are concerned about this particular issue, uh...

Just don't visit any sites that say their is a problem with their certificate. Google Chrome does very good at warning you for this sites (the "Click to Proceed red button").


Automated Government Requests

If you visit www.torproject.org, your IP and account is automatically flagged at the NSA for monitoring - starting with ISP dumps of what DNS queries you have performed. (Circa 2014, Snowden leaks). Please visit it, out of spite!


----

"Ok, so no ISP DNS. What are my options?"

As mentioned earlier in the thread, the root DNS servers will never have DNScrypt. But, they do support DNSSEC! But, any set of DNS servers you pick are going to be limited to their control of lookups (e.g. Law Enforcement's takeover of domain names, etc).

You can limit your exposure, and anonymize yourself from that control by using a DNS provide that attempts to be open.

Google DNS is one of those.

OpenDNS is another (now under Cisco).

I still question the safe guards behind these conglomerates as they both have large inner groups that deal explicitly with mass Government requests under warrants (Google did over 100,000+ in 2015 alone, in case you are wondering).

Twitter, Google and Apple, etc all make a play to fight for your rights. But behind the scenes, they get 100s+ a day of automated requests. They fight for basically PR, and comply with most other orders. IOW, "single out the high profile cases, announce it in the press."

Nothing is going to stop the NSA showing up with an NSL saying, "give us all data from this IP address."

In this regard, this is where Google and Microsoft actually shines. Microsoft happen to be the most complicit (think bureaucratic, in a good way against law mass enforcement requests - must check off all boxes and cross all Ts and dot all Is to be valid). But these two happen to be the most transparent as well. They can't speak to NSLs; but, they can post Metadata:

https://www.google.com/transparencyreport/userdatarequests/countries/

https://www.microsoft.com/about/csr/transparencyhub/lerr/

Just remember, OpenDNS is now under Cisco control - and they also deal with mass government requests (think your Cisco Home Router, that now requires it "talk" back to Cisco, is safe? NOPE!). This is why I always use custom firmware on my routers, usually building my own version.


Ok, so which DNS to use?!?!

I personally switch back and forth between OpenDNS and Google DNS. Sometimes I use a 3rd party that I pay for with my domains I host. It's really a gambit. In the past, I actually wrote a script on my router that would switch between OpenDNS, Google DNS and a few others on random days of the month for random periods of time. I may still have that script around here somewhere, now that I think about it...

Besides, I use TorBrowser for most of my protesting which alleviates most everything I've said in this post.


TorBrowser? You mean the illegal Dark Web?

It is not illegal. Yes, some illicit users do some horrible things on it. But, I view it as an Activist's Tool for reaching audiences otherwise censored by governments far and wide across the world. I run a hidden service, not to "hide from government" but to Prevent Censorship of my free speech.

Want to know how many legit people use Tor? https://www.torproject.org/about/torusers.html.en


Which is Faster?

WHO CARES! Read everything from the beginning of this post again. Saving 50ms from one provider to another isn't going to really matter.


How can I minimize my risk with OpenDNS and Google?

Enable DNSSEC and set up a DNScrypt provider. I use DNScrypt on my router, so my entire household benefits.

I also use AdBlock.sh on my router, so my entire household benefits (no more "Condom ads" in the kid games on the kiddo's tablet!).

I should really blog about how to do all of this.

----

You need DNScrypt!


A few notes on DNSSEC and DNScrypt. They are not mutually exclusive. As a matter of fact, they work great together!

What a lot of people don't realize though is DNSSEC is not encrypted nor does it do anything to prevent prying eyes. Your ISP will still monitor your DNS requests, and will continue to sell your data to advertisers and government agencies. All DNSSEC does is it guarantees the DNS query hasn't been tampered with. They use a signature to sign each DNS entry, that can be validated on every request.

DNSSEC is sent in cleartext, for anyone to monitor.

This is what DNScrypt fixes. This actually encrypts, like SSL, your DNS queries and keeps it out of your ISP's prying eyes.

Again, I have had both DNSSEC and DNScrypt enabled on my router, for my entire household.


----

What are the downsides to not using ISP's DNS?

There is only one: you can't reach your ISP's "special homepage."

But who cares! Well, you might if you are a newbie or someone not familiar with the inner workings of your router, and constantly rely on "The Technician" to come in and install software on your PC/Mac and "set things up" or call into your ISP often trying to ask why you can't go this or that site, or need a configuration change - then they will always tell you to go this or that Homepage URL, that only works on their DNS.

I have turned Technicians away for years. "I don't need your router, I have my own thank you." Verizon FiOS works best as they can activate the POTS port for my RJ45 for my router. Don't ever route their router, it just sits in the basement collecting dust. Worse case is I have to call into the ISP when turning on service and give them my MAC of my router.
Edited by eduncan911 - 4/7/17 at 7:34am