Netgate Discussion Forum

    Your connection is not private

    • johnpozJ
      johnpoz LAYER 8 Global Moderator @netboy
      last edited by johnpoz

      @netboy said in Your connection is not private:

      in "english" what does this do?

      It resolves vs forwarding.

      You want to look up www.domain.tld, it asks the roots, hey, who are the name servers for .tld

      Roots answer with NS for .tld

      It then asks the NS for .tld, hey, what is the NS for domain.tld

      They answer.

      It goes and asks the NS for domain.tld, hey, what is the A record for www.domain.tld

      You get the IP address of www.domain.tld

      This is how dns works..

      here is a full example.. I cut down any dnssec info to keep it cleaner looking.

      $ dig forum.netgate.com +trace +nodnssec
      
      ; <<>> DiG 9.16.44 <<>> forum.netgate.com +trace +nodnssec
      ;; global options: +cmd
      .                       16609   IN      NS      h.root-servers.net.
      .                       16609   IN      NS      g.root-servers.net.
      .                       16609   IN      NS      f.root-servers.net.
      .                       16609   IN      NS      l.root-servers.net.
      .                       16609   IN      NS      b.root-servers.net.
      .                       16609   IN      NS      a.root-servers.net.
      .                       16609   IN      NS      d.root-servers.net.
      .                       16609   IN      NS      i.root-servers.net.
      .                       16609   IN      NS      e.root-servers.net.
      .                       16609   IN      NS      c.root-servers.net.
      .                       16609   IN      NS      m.root-servers.net.
      .                       16609   IN      NS      j.root-servers.net.
      .                       16609   IN      NS      k.root-servers.net.
      ;; Received 239 bytes from 192.168.3.10#53(192.168.3.10) in 7 ms
      
      com.                    172800  IN      NS      c.gtld-servers.net.
      com.                    172800  IN      NS      b.gtld-servers.net.
      com.                    172800  IN      NS      j.gtld-servers.net.
      com.                    172800  IN      NS      a.gtld-servers.net.
      com.                    172800  IN      NS      e.gtld-servers.net.
      com.                    172800  IN      NS      f.gtld-servers.net.
      com.                    172800  IN      NS      i.gtld-servers.net.
      com.                    172800  IN      NS      h.gtld-servers.net.
      com.                    172800  IN      NS      d.gtld-servers.net.
      com.                    172800  IN      NS      g.gtld-servers.net.
      com.                    172800  IN      NS      k.gtld-servers.net.
      com.                    172800  IN      NS      l.gtld-servers.net.
      com.                    172800  IN      NS      m.gtld-servers.net.
      ;; Received 873 bytes from 192.5.5.241#53(f.root-servers.net) in 12 ms
      
      netgate.com.            172800  IN      NS      ns1.netgate.com.
      netgate.com.            172800  IN      NS      ns2.netgate.com.
      netgate.com.            172800  IN      NS      ns3.netgate.com.
      ;; Received 232 bytes from 192.33.14.30#53(b.gtld-servers.net) in 27 ms
      
      forum.netgate.com.      300     IN      A       208.123.73.83
      netgate.com.            3600    IN      NS      ns3.netgate.com.
      netgate.com.            3600    IN      NS      ns2.netgate.com.
      netgate.com.            3600    IN      NS      ns1.netgate.com.
      ;; Received 276 bytes from 208.123.73.80#53(ns1.netgate.com) in 33 ms
      

      Even when you forward to say quad9 or googledns or 1.1.1.1, there is a resolver upstream of them that they ask.. The only way to learn the IP address of some fully qualified domain name (fqdn) is to resolve..

      Once a fqdn has been resolved.. The dns server you asked will cache it for a length of time.. See the numbers there, 172800 and the 3600, those are seconds.. Once something has been looked up, that is how long that lookup can be cached.

      So in the above example forum.netgate.com can be cached for 300 seconds. After that it has to be looked up again, but since it already knows the NS for netgate.com and can cache them for 3600, it can just go ask them directly - it does not need to ask roots or gtld servers.. etc..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

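The caching behaviour described in the post above, as an added example that is not part of the original thread: a small model of which zones a resolver has to ask at a given time, using the TTLs from the `dig +trace` output. The names `Cache` and `lookup` are hypothetical, and the model assumes the resolver keeps the 3600-second NS TTL from the authoritative answer and does not refresh NS records from later answers.

```python
# Added example: models only TTL-based caching, not a real resolver.
# TTLs are taken from the dig +trace output in the post above.
DELEGATIONS = [               # (zone, NS TTL the resolver ends up caching)
    ("com.", 172800),
    ("netgate.com.", 3600),   # assumption: authoritative NS TTL is the one kept
]
ANSWER = ("forum.netgate.com.", 300)   # A record and its TTL


class Cache:
    def __init__(self):
        self.expiry = {}      # (name, rtype) -> absolute expiry time in seconds

    def put(self, name, rtype, ttl, now):
        self.expiry[(name, rtype)] = now + ttl

    def fresh(self, name, rtype, now):
        return self.expiry.get((name, rtype), -1) > now


def lookup(cache, now):
    """Return the zones whose name servers must be asked at time `now`."""
    name, a_ttl = ANSWER
    if cache.fresh(name, "A", now):
        return []             # answered from cache, nothing leaves the resolver
    # Start below the deepest zone whose NS set is still cached.
    # The root servers are always known (root hints), so the fallback is ".".
    start = 0
    for i, (zone, _) in enumerate(DELEGATIONS):
        if cache.fresh(zone, "NS", now):
            start = i + 1
    chain = ["."] + [zone for zone, _ in DELEGATIONS]
    asked = []
    for i in range(start, len(chain)):
        asked.append(chain[i])
        if i < len(DELEGATIONS):          # referral: cache NS of the next zone
            zone, ttl = DELEGATIONS[i]
            cache.put(zone, "NS", ttl, now)
    cache.put(name, "A", a_ttl, now)      # final answer from the authoritative NS
    return asked


if __name__ == "__main__":
    cache = Cache()
    for t in (0, 100, 400, 4000, 200000):
        print(f"t={t:>6}s  asks: {lookup(cache, t) or 'cache only'}")
```

Run with one shared cache, the timeline shows the full walk at t=0, a direct query to the netgate.com name servers once only the 300-second A record has expired, and a return to the com. servers after the 3600-second NS entry runs out.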
      • N
        netboy @johnpoz
        last edited by

        @johnpoz said in Your connection is not private:

        It resolves vs forwarding.

        Thank you for the detailed explanation.

        What is the advantage of "Resolving" vs "Forwarding" to the end user?

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @netboy
          last edited by

          @netboy control.. You are talking to the horse's mouth vs asking someone else..

          And you're not sending all your dns lookups to some company that does who knows what with them.

          • N
            netboy @johnpoz
            last edited by

            @johnpoz said in Your connection is not private:

            You are talking to the horse's mouth vs asking someone else..

            Got it!!

            • N
              netboy @netboy
              last edited by

              @netboy Now how do I make sure I configure pfsense to "resolve" rather than "forward"? Will this change affect anything else?

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @netboy
                last edited by

                @netboy it resolves out of the box, that is the default setting.. If you didn't actually enable forwarding mode it's already resolving.

                • N
                  netboy @johnpoz
                  last edited by

                  @johnpoz Wonderful, thanks

                  • GertjanG
                    Gertjan @netboy
                    last edited by

                    @netboy said in Your connection is not private:

                    What is the advantage of "Resolving" vs "Forwarding" to the end user?

                    See, for example, this video.
                    Many other videos about the same subject exist.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • T
                      totowentsouth @netboy
                      last edited by

                      @netboy said in Your connection is not private:

                      what is the use case to use qwant.com for searches?

                      qwant claims to be privacy focused. I have found the search results to be on par or better than other popular search engines. YMMV.

                      • N
                        netboy @totowentsouth
                        last edited by

                        @totowentsouth OK thx

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.