Hiding Home Network traffic from ISP Tracking
-
@droidus said in Hiding Home Network traffic from ISP Tracking:
The article said even a VPN won't help, because DNS traffic is still not encrypted...
You mean the DNS traffic can be seen by ISP ?
BS of course, as all traffic flows to the VPN provider. All the ISP sees is a flow of traffic from your WAN IP to the IP of VPN provider. This tunnel is encrypted.
So the IP knows : you're online, and where ( the IP of the VPN provider) you go.
Nothing more.
The fun part is : now your VPN provider knows what you do.
That is, the VPN provider still can't see 'into' the https traffic, as it is encrypted. But it knows what sites you visit, where you get your mails from, etc.because DNS traffic is still not encrypted...
"DNS is not encrypted" is a choice, your choice. Encrypt it if you want. You can control the part "from the local LAN client" to the final resolver. That can be pfSense, or an upstream resolver like 8.8.8.8 or 1.1.1.1 if you forward to them.
Which means of course that these guys know all about your DNS traffic ;) -
What I do is use DNS Resolver without a forwarder so that pfSense bypasses the ISP's DNS and talks directly to the root servers (which I figure have better things to do than track whether I'm on Amazon or Target) and then use a rule to redirect any LAN DNS request to pfSense and use pfBlockerNG to attempt to block access to DoH DNS via blocklists. All info I have seen on the forum.
And if I'm completely wrong in this, it wouldn't be the first time! :)
Peder
MAIN - pfSense+ 24.03-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic) -
@provels said in Hiding Home Network traffic from ISP Tracking:
so that pfSense bypasses the ISP's DNS and talks directly to the root servers
However, this DNS traffic might be unencrypted. Hence the ISP would also be able to read the requests anyway.
-
@viragomann
True, but I figure my ISP might have better things to do than packet captures for DNS on my line rather than just processing the DNS logs from it zillion other customers who are less aware. -
@provels said in Hiding Home Network traffic from ISP Tracking:
What I do is use DNS Resolver without a forwarder so that pfSense bypasses the ISP's DNS and talks directly to the root servers (which I figure have better things to do than track whether I'm on Amazon or Target) and then use a rule to redirect any LAN DNS request to pfSense and use pfBlockerNG to attempt to block access to DoH DNS via blocklists.
I'm all with you in using the root servers. I prefer to get the answer to the DNS question directly for the source of the information. And I also block DOH via blocklists.
However, in @droidus post he was concerned about his ISP seeing the DNS requests which would still be possible if using the root servers through the ISP because the requests to the root servers are sent in clear text, it is not encrypted. If he's concerned that the ISP is hostile he could still use the root servers through a VPN. But in that case the VPN would still and know what all his DNS requests are. But at least he would be getting the DNS replies back from the authoritative source.
With DNS your only choice is who you want to put your trust in.
-
@dma_pf
I suppose if you're a small operator like me (CEO, CFO, CIO, NetOps, Helpdesk, and User combined) one could use DoH w/o issue. AFAIK, the only reason to block DoH is to prevent employees (or kids) from being paid to surf FB, Insty, or PornHub by bypassing management. -
@provels said in Hiding Home Network traffic from ISP Tracking:
I do is use DNS Resolver without a forwarder so that pfSense bypasses the ISP's
On the console of pfSense :
dig +trace www.amazon.comYou see some info scrolling over the screen.
The might also scrolls over a screen at the ISP.
They might do it - dono if if do .... or don't.
This is the question.@provels said in Hiding Home Network traffic from ISP Tracking:
talks directly to the root servers
Initially, a root server is elected from build in list. unbound has a build in list with the IP numbers of these guys.
The request to the root servers goes like this :
Unbound has build in list with all the 13 DNS root servers :. 78559 IN NS d.root-servers.net.
. 78559 IN NS e.root-servers.net.
. 78559 IN NS f.root-servers.net.
. 78559 IN NS g.root-servers.net.
. 78559 IN NS h.root-servers.net.
. 78559 IN NS i.root-servers.net.
. 78559 IN NS j.root-servers.net.
. 78559 IN NS k.root-servers.net.
. 78559 IN NS l.root-servers.net.
. 78559 IN NS m.root-servers.net.
. 78559 IN NS a.root-servers.net.
. 78559 IN NS b.root-servers.net.
. 78559 IN NS c.root-servers.net.My unbound chose "m.root-servers.net" from this list, and asked m.root-servers.net :
Do you know where I can find a dot com 'top level domain' server ?
The answer was :Sure, pick any : com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. + some DNSSEC stuff to validate the above answerOk, my unbound now chose "l.gtld-servers.net" from this list, and asked l.gtld-servers.net :
Do you know where I can find info about "amazon.com" ?
The tld "l.gtld-servers.net" name server answered :Ask these : amazon.com. 172800 IN NS pdns1.ultradns.net. amazon.com. 172800 IN NS pdns6.ultradns.co.uk. amazon.com. 172800 IN NS ns1.p31.dynect.net. amazon.com. 172800 IN NS ns3.p31.dynect.net. amazon.com. 172800 IN NS ns2.p31.dynect.net. amazon.com. 172800 IN NS ns4.p31.dynect.net.Btw : these are the domain name servers of amazon.com.
Now, "ns1.p31.dynect.net" is elected, and the final question - to this server - will be :
What is (the A record) of www.amazon.com
"ns1.p31.dynect.net" answeredwww.amazon.com. 1800 IN CNAME tp.47cf2c8c9-frontier.amazon.com.Great.
That isn't even an usable answer !
Now "tp.47cf2c8c9-frontier.amazon.com" has to be resolved. Back to the amazon name servers ....The thing is : Our ISP sees all this traffic. The root DNS servers and TLD's don't.
@viragomann said in Hiding Home Network traffic from ISP Tracking:
However, this DNS traffic might be unencrypted. Hence the ISP would also be able to read the requests anyway.
Yep.
-
@gertjan said in Hiding Home Network traffic from ISP Tracking:
You see some info scrolling over the screen.
The might also scrolls over a screen at the ISP.
They might do it - dono if if do .... or don't.
This is the question.In this case, though I know that is possible, I think the best one can do is "security through obscurity". With my ISPs 30+ million customers, I think they would go to the lowest hanging fruit first, those many millions who neither know nor care what their ISP sees.
-
@provels
I adhere to another scenario : ISP 'listen' to those who they are ordered to listen to.
(something like that).
With a 30 million clients or plus ISP, they don't want to listen to no one, as logging clients will fill terabytes per second. That's a very expensive task.
Normally, in a what I what call a free country, it is only the government who can order the ISP to 'listen' (and report) on a client.
A famous one here in France is ('was' by now) ; you are sharing files that are on a 'ban' list ? Ok, you get invited into a local court room. And no coffee, no sigars. A lawyer is advised. -
@gertjan
In the US, data is dollars and sold to the highest bidder.
Governance optional.
