Securing DNS is good, but ISPs can still do reverse DNS lookups on the IP addresses you connect to. There is also SNI exposures in the TLS handshakes between your browser and websites, which will usually reveal the domain name of the server (if the server is named after its domain, which many are). The real value of using Quad9 is in mitigating the actions of lazy ISPs and the DNS security feature that Quad9 provides (which is blocking known malicious domains).
@bgroesser
Жыл бұрын
I was thinking the same. Traffic still needs routing.
@ralphm6901
Жыл бұрын
@@bgroesser right. The IP address has to be unencrypted to use it, because numerous routers and switches have to be able to route it correctly. The first stop out the door is your own ISP, who can do a reverse lookup on the IP and get the domain name, then log the fact that YOUR IP address went to THAT server.
@Glutzie
Жыл бұрын
Exactly
@cre8tivebreed
Жыл бұрын
What's the alternative or solution?
@damiendye6623
Жыл бұрын
@@cre8tivebreednothing because it's an envelope. You don't encrypt the address when posting a letter.
@glennw3154
Жыл бұрын
I stumbled upon this video as a pfSense and Unbound noob. What a masterful, concise and logical presentation that truly helped to eliminate the confusion created by many others. This is literally the best short video on the topic, earning you another subscriber. Excellent work!
@fotisgezepis7016
Жыл бұрын
Sharp, independent, practical, precisely detailed content for the security conscious user. More please! And thank you!
@area_5049
Жыл бұрын
Independent??
@genkiferal7178
Жыл бұрын
very *dependent* on companies or orgs @@area_5049
@y_strikes2770
8 ай бұрын
Yeah, independent?
@oni741
8 ай бұрын
@@y_strikes2770 Yeah, she's a secret G-woman. 😏
@stryfespoint304
Жыл бұрын
Another gem delivered as always, keep up the quality work and thanks for all that you and your team constantly do.
@handsomehobo6434
Жыл бұрын
Alright, i’ve watched a handful of your videos now. Holy hell, these are fantastic. I have seen a ton of educational privacy content, but your channel is hands down the best, and criminally under subscribed. Somehow you perfectly thread the needle, being able to conceptualize ideas for the privacy and security hobbyist like myself in an easy to understand package. Please keep up the good work Naomi and team. You have yourself a viewer for life. Cheers!
@NaomiBrockwellTV
Жыл бұрын
Thanks for watching!
@SoundMediaVibes
Жыл бұрын
@@NaomiBrockwellTV Hi Naomi, If I use TOR would that be the same or better than DNS encryption?
@Adam01Time
9 ай бұрын
Well you believe this sht then I got free property in Hawaii . A DNS is a portal. And you all have no clue wtf a DNS means. I got cotton candy children.
@collectorguy3919
Жыл бұрын
Thank-you Naomi. Every time I watch one of your videos, I improve my privacy/security by one significant step. This time, I tweaked my Pi-hole to use DNSSEC, because for no good reason I had it configured incorrectly. Perhaps pfSense or OPNsense is a better choice (?), but using the Pi-hole is effective and eye opening. (you don't need a Raspberry Pi, mine is running in a Proxmox VM)
@tigreonice2339
Жыл бұрын
Ward. What and how to install, to block all youtube adds in the network, even in smart tv
@MrDimn
Жыл бұрын
@collectorguy3919 - I am building a similar setup as you have. Using Pi-hole or Adguard to block ads, and using OPNsense as my firewall. But now, I've got a few new features to add - and all because of @Naomi. Great video!
@TheDeanCStone
Жыл бұрын
Hi Naomi, I love all your videos! I was really excited to learn that the Texas Legislature just passed the Texas Data Privacy and Security Act. (Aka HB4 by Capriglione.) Sadly it doesn't go into effect for a year. I hear other States have similar efforts. Maybe it's a little early, but I'd love to see you do a video on this. I was getting sick of reading all the privacy policies and CA had the only Opt out exception. Keep up the great work! We are winning!
@therealb888
Жыл бұрын
That's great to hear. Honestly texas is one of my favorite states
@ericv738
Жыл бұрын
I suspect the only reason we're allowed to feel like we're winning and actually gaining ground in terms of privacy... Is because they have new methods of surveillance we aren't even aware of yet.
@jirehla-ab1671
Жыл бұрын
@@therealb888a it possible to route my internet from a Huawei router to pfsense?
@0secdox
Жыл бұрын
@@therealb888great idea for a video! I hope you decide to never stop 👏 🎉
@timmcreynolds2734
Жыл бұрын
This is fantastic. You have a new subscriber now. I'm sending this to everybody I know. I am an IT nerd, I know DNS queries are not encrypted, but just felt like that would be out of my control. Great information. Thanks!
@NaomiBrockwellTV
Жыл бұрын
Thanks for subscribing!
@gregsayshi
Жыл бұрын
Yes, I’d have to agree with the others @Naomi you stand out as one of the best educational KZitemrs for me! Your depth of coverage on these topics is amazing considering how entertaining and digestible you manage to make them. Thank you for putting out content that raises the bar on all fronts. :)
@NaomiBrockwellTV
Жыл бұрын
I really appreciate your kind words!
@0secdox
Жыл бұрын
You deserve the kind words. I've learned so much from you extremely detailed videos. ❤ another fantastic video
@milo-qh7cv
Жыл бұрын
just ask her out already jeez
@parasportz
Жыл бұрын
@@NaomiBrockwellTVHey Naiomi. Don't mean to hijack the thread...have you heard of 4freedom mobile? Supposedly a privacy focussed mobile service provider which works in Australia, apparently. Do you know much about it?
@sulemanalrajhy330
Жыл бұрын
All my data is saved and logged in physical memory inside the server that inside the room of isp when they need it just memory and some tools the to see everything I did from the day I subscribed until now In the other side vpn and some step can help you to stay away from hackers and company, website ets... anything away from isp because the isp is the hub where my traffic gose and come from 🤭
@MakeitZUPER
Жыл бұрын
I am so incredibly happy that I have just found your platform/channel. This is the information that I have been trying to find for the past few months. I had always known that internet data was collected but I've only recently found out how intrusive it really is. Thank you so very much for your clear presentations. They are full of facts and the answers to my questions. As the narration is going on, a question forms in my mind and is almost immediately answered as if almost telepathically, lol. It's very obvious how much effort goes into a high-quality production like this given it's forward thinking. The person/people/team responsible for this extremely well executed presentation is one of the finest I have ever seen. I say that because I have never tried to find a true favorite yet but I see no reason why this wouldn't be a contender for the best. I say this as completely unbiased even though I have had an attraction to red since I was 2 years old, lol. Thanks again, I will be absorbing all the knowledge that I can from your productions. I wish you good luck during the turbulent economy that is looming over us and will likely last a decade or so.
@StrummerDave
2 ай бұрын
Not everything on this channel is correct. Don’t believe things just because they are on KZitem.
@MrRoda8143
Ай бұрын
@@StrummerDaveso what's not correct? Care to enlighten the rest of us what this channel is giving misinformation
@tsundokujim
Жыл бұрын
PFSense is increasingly focusing on its proprietary commercial PFSense+ product, at the expense of the open source Community Edition. CE is updated far less frequently than PFS+ and doesn't receive a lot of the features of the commercial product. I moved to OPNSense last year for this reason. It's open source and actively developed, so it's likely to be a much better product over the longer term.
@thebugg333
Жыл бұрын
Well for home use PF+ is free and the license is not expensive considering the cost of hardware or VM. Not sure what you mean by proprietary either. I had ongoing DNS issues a couple of years back on CE but my device has been stable and with + for home it's an advantage. Either solutions are better than an off the shelf solution at walmart or best buy.
@aphanic
Жыл бұрын
I don't know if anyone has mentioned it already, but even with DoH (DNS over HTTPS), DoT (DNS over TLS) the TLS ClientHello packet is *not* encrypted, and yet they contain the domain you want to access. Not a whole lot of DPI (Deep Packet Inspection) needs to be done to guess where that particular user is going to, regardless of the upstream DNS server used... _(let's forget about DPI though, keep the talk on DNS)_ TLS 1.3 has an extension, ESNI (Encrypted Server Name Indication), so if employed as long as queries to the resolvers are done through encrypted DNS protocols (by the way, how come DNSCrypt wasn't mentioned? I think all of Quad9's servers support it too and there's at least a plugin for those using unbound :). ESNI alone wouldn't do much when used with the traditional DNS protocols, ECH (Encrypted ClientHello) would though! The ClientHello packet would be encrypted, but I haven't seen many (servers and clients, meaning not only OSes but also apps) support it, but I think it hasn't passed the draft stage yet, it is to be another TLS extension (so DoH, DoT would benefit). When do we get support for it across the board, even as experimental?
@marhensa
Жыл бұрын
even with DoH, while domain destination is encrypted BUT the provider still could identity IP of server we are connecting, and from them they could simply associating it with some service or some website.
@deHakkelaar1
Жыл бұрын
Was looking for this comment without having seen the vid yet.
@sourcebased
Жыл бұрын
@@marhensaThat! You need a provider or proxy you can trust, not only with DNS.
@marhensa
Жыл бұрын
@@sourcebased yes that, also it's possible to host your own VPN server on VPS provider you can trust. even that VPS provider still could identify what IP you are connecting via VPN. using VPN and then browsing with ToR is for me the safest for now, but it will slows down the internet connection by a lot. but we don't need that extra privacy and security everyday, so it's just an occassional thing.
@sourcebased
Жыл бұрын
@@marhensa Yes, I was talking only about that practical everyday usage. If you need a higher level of anonymity, using Tor is the least indeed. Best used with Tails and changing hardware and location. I am glad that I don’t really need this in practical terms but I am aware that my internet usage is an open book to my provider and some players on the state services level, as well as my OS and hardware vendors to some degree. I just try to be conscious and selective with who could spy on me and what for.
@JustARandomSomething
Жыл бұрын
Stumbled across your channel recently after watching some videos on privacy. I'm now on a binge sesh of your vids. Even watched 2 of your conferences. Really good content. Subed after the 1st video.
@NaomiBrockwellTV
Жыл бұрын
Thanks for your support!
@Steven_nevetS
Жыл бұрын
Excellent information again Naomi! Thank you
@martinwalker3088
Жыл бұрын
Thank you once again Naomi. That was really informative and I'll need to watch this several times to get my head around this!!
@Breeegz
Жыл бұрын
DNS is key, and I think you covered this topic with the perfect amount of details. Just enough to get the point across, without bogging it down with the details. I would add PiHole or some other ad-blocker to your series of videos on this topic, where every webpage you load, there's no telling how many different servers that you make DNS requests for. Each frame, each advertisment, each Third-Party cookie you download is a website that can see your traffic and that you visited that particular website. By pointing those rogue DNS requests to a sinkhole, you protect yourself from some of the other types of tracking that happens as you visit websites.
@Bond2025
11 ай бұрын
I would suggest AdGuardHome on a raspberrypi. It has everything built in and ready to go with just two commands to set it up, it also updates from the web interface, so no messing about with SSH. You set it up and it works. It already has DoH DNS over HTTPS built in unlike PiHole and does not need various modules or bits added on - plus it is far more stable and you can set and forget. AGH is far more stable than pihole and programming is far better, plus they fix any faults - you don't get arrogant people on a forum who don't know how to do things. The other handy thing is AGH does not have the many faults of PiHole. One fault PiHole has is chewing up SD cards by continuous writing to them. This makes systems fail regularly because of poor programming. There are various fixes and commands to use on PiHole and bits to add on, then procedures to update, but do people really want an unfinished product being trusted with their data? AdGuardHome is what PiHole wanted to be!
@keylanoslokj1806
10 ай бұрын
Can you elaborate a bit on how that works?
@jeremymoon9088
9 ай бұрын
What's the "perfect amount" of details? Information isn't a spice, u know? What I hear u saying is she doesn't provide enough info; but since every comment only kisses Naomi's ass, ur fine with her leaving it out.
@funbucket09
8 ай бұрын
@@jeremymoon9088 they are all simps. If a bloke did the exact same video all these people would rage about how wrong and vague the info was. I have seen this exact thing on videos that had the same approximate scope. The only difference was a male presenter. Everyone raged
@jeremymoon9088
8 ай бұрын
@funbucket09 u read my mind! I actually used the word "simp" when I typed that comment; but I edited it before I posted it, because I didn't want to trigger anyone. Have u ever seen Jay at Learn Linux TV interview her? He gets all nervous and wimpy, it's some top level simpin. It's amazing how the internet will give an average woman attention as if she were a super model
@MaxPower-11
9 ай бұрын
If the goal of this action is to limit your ISP from capturing your DNS queries then it is of very limited utility. Your ISP can simply do a reverse DNS lookup on the target IP address in the packets you send out once you received your name resolution from your encrypted DNS.
@breakfastattwilight
7 ай бұрын
Indeed, it feels like an ad.
@stonent
7 ай бұрын
Yeah, you'd still want a VPN to hide that traffic.
@chrisyoung8062
Жыл бұрын
I really appreciate this video and the Quad9 tip. I set up DoH (DNS over HTTPS) in just a few minutes on my MikroTik router running routerOS. Also installed the Quad9 android app on my phone.
@NaomiBrockwellTV
Жыл бұрын
nice!
@tacticalcenter8658
7 ай бұрын
Avoid quad 9.
@chrisyoung8062
7 ай бұрын
@@tacticalcenter8658 Why?
@RealEstate3D
7 ай бұрын
@@tacticalcenter8658Why? Any information would be appreciated.
@Aquabyte
2 ай бұрын
@@tacticalcenter8658Why to avoid Quad9?
@jajwarehouse1
Жыл бұрын
Thank you for this, Naomi!
@NaomiBrockwellTV
Жыл бұрын
You are welcome!
@not12listen
Жыл бұрын
I've been on a security/privacy kick for a while now. This is something that I knew only 1 tiny bit about, but certainly not enough to make effective changes. I'll be going through the process of seeing how to implement this on my IPFire / Pi-Hole setup. Worst case scenario, I have no issues with replacing IPFire with PFSense.
@gasparem16
Жыл бұрын
great video! I haven't been thinking about DNS encryption but now is cristal clear that it is super easy to profile users by doing this. Will change to this setup. Thanks!
@jfiosi
7 ай бұрын
Clear, detailed, informative and user-friendly. Only home-made french toast with fruit toppings is tastier.
@Arsenic71
Жыл бұрын
A great use-case for DNS over HTTPS is the current state in the EU. Access to Russia Today is blocked EU-wide. But being the technical experts they are (lol), they are doing this on the basis of DNS. So by using an encrypted tunnel to an outside DNS resolver, this block can easily be bypassed. No VPN or such required. Simply specifying a different DNS resolver in your network config won't work because ISPs intercept DNS requests, so it has to be an encrypted connection. Yes there is a small performance overhead due to TLS handshakes, but it's a huge privacy and freedom benefit.
@Eternal_Tech
Жыл бұрын
I disagree with many of the actions of Russia's government, but I do not see how a supposed free society should be blocking content just because they disagree with it. It seems that the Iron Curtain is moving west.
@keylanoslokj1806
10 ай бұрын
What services provide those tunnels?
@DJ-Daz
7 ай бұрын
PFSense gives the user more control, but Pi-Hole lets you add Quad9 (IPv4 and v6) and enable DNSSEC all very easily (within settings, DNS tab).
@oobihdahboobeeboppah
Жыл бұрын
I'm not sure if this is a good fit for most users. PFSense seems to require purchases to get started and ongoing. The pitch seems to be directed to anyone including home users which is probably the majority of those watching this. Put another way, as a [retired] IT person, we would NEVER rely on sources like this for our information.
@SayAhh
Жыл бұрын
Unsure if you've ever covered it before, but should we be concerned about AdBlock Plus and uBlock Origin when it comes to privacy and security?
@Shrapnel_Music
7 ай бұрын
I know this is old. I'm thinking you found your answer but if you didn't. I'd like to try to help, I'd use uBlock Origin. It's the one I use it's 100% open source, and I looked through I haven't found anything wrong. uBlock is 100% safe though for sure (example what it does, blocks javascripts from a server (googles) and returns null; instead of a value. The other thing is it just blocks HTML elements). This is why they hate the F12 button, lol. P.S. If any other extention has a blocker in it, like I use watchmaker it has one. Make sure to turn that off, it's not a security thing; it will just make videos not load. Much Love and Respect
@jimboelterdotcomm9153
Жыл бұрын
This is a great mix of technical knowledge and "street level" accessibility> Very impressive!
@bryndal36
Жыл бұрын
Even though Quad9 says they don't do anything with your data, how do they make money? I don't trust any of them no matter how secure they say they are.
@grabantot1648
Жыл бұрын
According to their webpage they live on donations. Someone has to make money here. Where is their infrastructure located, who provides the servers/data centers?
@mrmotofy
Жыл бұрын
Many have another income source
@MM-he2iq
6 ай бұрын
The poster thanking Snowden is enough to earn a sub
@Elemino
Жыл бұрын
I tried to do this on my pfSense install and then I couldn’t get web pages to load. Eventually, I discovered you also have to uncheck “Enable DNSSEC Support” for this to work. After that, I had no problems. I hope this helps!
@omega.Networx
Жыл бұрын
Can u do me a favor sir 🙏? Can you let me know if you can see my comments on here? I don't understand other than being shadow banned, (which they say isn't real) as to why whenever I comment something, that is probably important to this dns subject, not one person says anything , I would really appreciate it. I have made 3 comments , 2 comments 12 days ago, and one a few mins ago.
@Elemino
Жыл бұрын
@@omega.Networx yes
@beefjerky5708
Ай бұрын
KZitem mixes up the comments. It's very difficult to find anything you have commented on as it gets burried quickly. Even when they send you an email you can't get back to the original comment. It's a crappy system.
@1mouseman
Жыл бұрын
Well done, and so easy to understand. I know nothing about computers, but this was easy to follow. Thanks!
@1Corinthians15v1-4
Жыл бұрын
I'd love to see some pfSense videos both on this topic and beyond.
@mstew8386
7 ай бұрын
I find tip videos like these get more people in the line of fire. Have you ever heard of Reverse DNS look up? Or perhaps fingerprinting? They can easily see past this. ISP have also reported that they slow down users found doing this.
@alanbrandt846
Жыл бұрын
Hi Naomi. Thank you again for a great educational video. I recently fired MS Win 11 and migrated to Fedora Silverblue for privacy reasons... DNS LEAKS are a NO GO... so I will update DNS settings tomorrow with the help of a Linux freelancer. Thank you much. 👍
@Alfred-Neuman
Жыл бұрын
OK... Can I use WinRar to encrypt my IP address?
@funbucket09
8 ай бұрын
@@Alfred-Neuman yes
@Alfred-Neuman
8 ай бұрын
@@funbucket09 Too late, I downloaded WinZip instead but I'm not too sure how it works. Is it encrypting the IP automatically?
@funbucket09
8 ай бұрын
@@Alfred-Neuman WinZip is good too. I forgot about the automatic IP encrypt feature. WinRAR doesn't actually have that. You have to set it up manually. So WinZip is better. Good choice.
@towkukus
Жыл бұрын
OK, we can encrypt our DNS queries. But all DNS servers belong to either ISPs, private entities (Google for example) etc. So at the end our DNS queries will still end up with one or the other DNS service provider.
@Prime_Animal
8 ай бұрын
fantastic! just subscribed without thinking. love the content
@NaomiBrockwellTV
8 ай бұрын
Thanks and welcome!
@M3PH11
8 ай бұрын
2:45 i just want to point out that in the UK it is a legal requirement that isp's snoop your DNS traffic in order to enact blocking of p2p sharing sites. If you live in the UK, you need to manually set your DNS server ip's in your router to a service that supports DoH and malicious site blocking 4:45 this is why you don;t use unbound and you run another machine behind the pfsense box that can run an encrypted resolver (and now we are getting into territory where some basic IT qualifications would be nice)
@1983Bantam
Жыл бұрын
All of this is pointless if you connect to a secure site and negotiate the certificate using SNI (which is pretty much every website), anybody can see the exact information you'd request via DNS in clear text. This kind of snooping is less common than using DNS data, though.
@PSL1969
Жыл бұрын
Any way to prevent this?
@aphanic
Жыл бұрын
@@PSL1969 ESNI, extension in TLS 1.3, or even better ECH (Encrypted ClientHello) where that packet of TLS is fully encrypted, but there isn't much support for either that I know of. ECH is to be an extension to TLS (has it made it already?) so _as long as_ the connection to the server is done over TLS 1.x (being x the one supporting it) you'd be golden, but it'd require the browser, for example, to also know about it. I believe AdGuard (client app, not the browser extension) recently launched a version enabling ECH throughout, but I have yet to see how it behaves.
@Bond2025
Жыл бұрын
@@PSL1969 The rest of us used ESNI for years! Encrypted, it was a setting in Firefox for ages. There is a modified version of this in modern browsers now called something else. ECH. A sort of "encrypted hello"!
@iwannacutube
Жыл бұрын
Very nice video Naomi and very very well presented, Thank you!
@darenjones6339
Жыл бұрын
Truly empowering. This lady deserves our support in every form and fashion.
@anshulsingh8326
6 ай бұрын
Finally someone calling data, data instead of Daeta
@reaperinsaltbrine5211
7 ай бұрын
what basic DNS encryption (from both the client and service side) does is that one at least can be somewhat confident that the data is actually correct and not spoofed. The DNS client code of all widespread OSes (even Windows!) have supported it for quite a long time. That many applications don't make use of it is a different matter. All current widely used nameservers (BIND, NSD, PowerDNS, KNOT,...) comes supporting it by default. Setting it up can be challenging if it's your first time, but it is worth it.
@angelh1743
3 ай бұрын
Thank you. That's 2 great videos so far. I'm now subscribed and I just might see ya at DEFCON conference now that I know what it is.
@martinpecheur-xh1qp
Жыл бұрын
Love your ending song. Sure it's gonna be a huge summer hit ;p Excellent content as always. Love you Naomi 😍
@vla2uv
7 ай бұрын
How about those that don't have pfSense routers, how can I enable DNS quad9 in an Asus Router? Update: Asus routers come with those DNS settings and I've already changed to quad9 DNS' settings! Thanks a lot!
@trparky
Жыл бұрын
I wonder why Cloudflare wasn't mentioned, they seem to get good reviews especially on the privacy front. Even Mozilla trusts them to use them as the default DNS server in Firefox.
@genkiferal7178
Жыл бұрын
Her skin is so wonderfully *white* ! I bet brown hair would really set off such white skin - beautifully.
@NIAtoolkit
Жыл бұрын
Wouldn’t the ISP know the sites you visit by reversing the DNS process given they can see the IP addresses?
@NaomiBrockwellTV
Жыл бұрын
The ISP can't see the IP address you're visiting if you use a VPN
@1983Bantam
Жыл бұрын
Most websites are hosted on IP addresses that host lots of other websites, so no, but SNI would still reveal where you're going. VPN solves this but then the VPN can see that.
@viktormedina4631
Жыл бұрын
Naomi has one of the best channels on KZitem hands down. I'm following her for a few months now, along with 2 other tech and privacy oriented channels, and am absolutely in love with this material. As a total newbie, I'm slowly learning so much! Thanks, @NaomiBrockwellTV !
@NaomiBrockwellTV
Жыл бұрын
Thanks so much for watching!
@mam4819
3 ай бұрын
Wouldn’t a VPN negate the need for this?
@dawsonmargeson556
3 ай бұрын
A vpn is just using some else's network so all traffic including dns would just go through the VPN provider. These major vpn companies sells data and will just release all the info they have on you to the government if asked as well.
@ferknand0
5 ай бұрын
You put a lot of effort into masking and encrypting the request of a certain domain... and next you ask your ISP to connect you to a certain IP, that they can easily pin to the initial domain you were hiding.
@emilymarriott5927
Жыл бұрын
At the moment I'm using Technitium DNS in a docker container, but yeah. The fact that it's just communicating unencrypted with upstream authoritative servers is a concern to me. I don't have a pfsense router at the moment, so I'll likely have to deal with configuring unbound directly. I don't want to give up having a DNS resolve my local home lab addresses, so I'll figure out unbound.
@StrummerDave
2 ай бұрын
DNS queries do not contain the complete URL of a request. They only contain the FQDN. Even if you run your own resolver, the ISP can still see where you are browsing by doing a reverse lookup on the destination IP of the request. If the request is not encrypted, the ISP will be able to see the entire URL. Luckily, most requests are encrypted. That said, Server Name Indication is always in clear and can leak information.
@rajughorai7483
8 ай бұрын
Like your way to explain it make it very simple, well for me I have been using pihole and unbound for more than year and it simple to setup up
@vulcan6940
Жыл бұрын
Good info as usual but what is the relationship of this privacy method to that of using a VPN. Can this be used instead of a VPN, in conjunction with a VPN or does using either/or still provide a similar level of privacy? Your videos are awesome!
@NaomiBrockwellTV
Жыл бұрын
Usually when you use a VPN the VPN provider is handling your DNS. But if you have any other devices on your network like IoT devices, phones that don't have a vpn, etc, then changing your DNS settings is still a big help!
@vulcan6940
Жыл бұрын
@@NaomiBrockwellTV Thank you!
@alfepalfe
Жыл бұрын
Also, remember that most VPN providers are not as secure as they claim and most will happily give away data if asked by a government agency or police. From what little research I have made Mullvad VPN seems to be one of the better ones but please do your own research.
@NaomiBrockwellTV
Жыл бұрын
@@alfepalfe Mullvad seems very good
@simonbackwash
Жыл бұрын
@@alfepalfe Sorry to pilled up but still in doubts regarding OP question: If you do not trust your VPN provider is it technically possible to use both this amazing and simple method as shown in the video + A VPN ? (Let's say i'm stuck for 2 years with a Nord membership multi devices plan ? Would it make any sense or simply work to Change my DNS before Data's connect to a one of Nord's Node ? Or it works the other way around in this case i get it and have to choose one or the other....👍 Awesome videos👍, fantastic channel🙏 Since i've discovered it i'm bingeing it like a maniac but the 🐇 hole 🕳️ is Deep... The more i'm learning, the more questions and complex you discover how hard it became to preserve your privacy or just encrypt your clouds data's, photos, email, Google Photo's face recognition and Metadata's usage is freaking me out😱. Govs don't even need anymore datas for their CBDS's Digital ID's we've been face scanned and analysed for years 😤🤦🏻♂️They crosscheck with others services from Google Ecosystem and even third party. Feels like an endless work even migrating on Linux, and assuming Google Drive or Dropbox, all cloud storage companies, really delete your datas if you terminate/delete your accounts, or encrypt on Local using an offline open source file encryptor and re-synch the encrypted content. And even by doing that you may trigger attention and have no proof and they wont retain your non end to end encrypted re-synched or deleted data's🤦🏻♂️🤬👨💻. Who knows what is their real retention time if any ? It's really full-time job! 🤯🛂🧿👩💻🏦🕳️
@spudhead169
9 ай бұрын
ISPs have to follow strict regulations, if they get caught snooping on customers they'd get fined, maybe prosecuted or even shut down. No ISP with any sense is going to risk that. Unless your ISP is the Mafia, you're pretty safe.
@SanderEvers
8 ай бұрын
Those regulations are often the issue though. For example the Government could block certain websites and track everyone who tries to access them. Rule 1 of security: trust nobody.
@spudhead169
8 ай бұрын
@@SanderEvers I'd actually trust my ISP more than I'd trust Google or Cloudfare to handle my DNS. For those that really want to lock it down there's recursive DNS.
@adillpickle6762
Жыл бұрын
Why can't you just use a VPN? I couldn't even figure out how to install Unbound
@evodefense
8 ай бұрын
Amazing video thank you for the explanations and looking forward to follow up video!
@DeDraconis
Жыл бұрын
Doesn't Tor already obfuscate everything like this?
@jovanjanevski3747
Жыл бұрын
DNS, DNS, does whatever a DNS does. Can he swing from a web, no he can't he's a pig. He is a spider pig. - Homer Simpson
@boink800
Жыл бұрын
Likewise, OpenWrt can be used as well as pfsense and OpenSense.
@Gundam-bruh
7 ай бұрын
I still don't understand this: Why would I run Unbound and then forward my queries to Quad9? - When I can just simple change my preferred DNS to Quad9 and be done with it?
@darkshadowlight
Жыл бұрын
"NBTV" should make a video collab ft. "The Hated One".
@richardharker2775
Жыл бұрын
Most of this is over my head but still interests me. I have Quad9 set on my router and I'm hoping this helps within my home network.
@aphanic
Жыл бұрын
In simple terms what the video is about is the confidentiality of the DNS protocol itself (there is none, because it goes in the clear) and what to do about it, hence the suggestion to use an encrypted DNS protocol (DoH, DoT, DNSCrypt) instead of the traditional one. Switching to using Quad9 in your router instead of the ISP set servers (I suppose) doesn't really help in that regard I'm afraid, unless your router is using any of those protocols. It does, however, help if your ISP were doing some sort of filtering through their DNS servers, plus, the default DNS servers for Quad9 offer some threat protection at that level by denying connections to known malicious domains.
@specialk9999
Жыл бұрын
I didn’t understand any of this. What is PF sense and unbound? So you have to use 3 different things (PFsense, Unbound and Quad 9) to make it private?
@Jannickjay
Жыл бұрын
Pfsense are one of the firewall OS you can install as your router( u need hardware ). Unbound is like an add-on integrate in this OS. Quad offer a service you can point ip from your router.
@specialk9999
Жыл бұрын
@@Jannickjay okay, thanks for explaining that. This all sounds out of my skill set to setup.
@s.j.5850
9 ай бұрын
Great information, especially for someone just getting into networking.
@gagaxueguzheng
2 ай бұрын
Everything I don't want my ISP to know, I just do via Tor. But this is also interesting to reduce the information that my ISP can collect.
@ChipEstrada
8 ай бұрын
Its called "SECURITY THROUGH OBSCURITY" Nice work
@nellos4ever
Жыл бұрын
Thank you to Naomi Brockwell, John Todd and all the NBTV team! One small question: After switching to quad9 is there a way to know that the switch is indeed working? Like a linux terminal command... I could even settle for windows cmd command. Wishing you a nice evening!
@AngelicStreak
9 ай бұрын
Not only does this provide a false sense of security, because the destination IP address is still visible to the ISP, but you also trade one entity (ISP) for another (random DNS provider) logging your traffic.
@telocho
8 ай бұрын
It doesn’s say sponsored video but it also doesn’t say, if you catch my drift. We need to check our ISP’s contract for snooping, but using this random DNS is also without any terms? Swiss, so it is safe? No product is just free. I’m pretty sure this company paid her to do this bit. Totally agree on false security, like your ISP doesn’t have the means to check. By the way, I work as consultant for a telco and GDPR laws are extreme, we can’t collect and sell anything from subscribers. DPI is not even allowed, because of net neutrality.
@xenxen8317
6 ай бұрын
And then encrypted dns is send to the one of the most spoofing/tracking firm on this planet where they can read it as unencrypted!, So really greate ideaa!
@vulpo
8 ай бұрын
I am sorry, Naomi, but this time you really have me stumped. Are you saying that in order to have privacy on our DNS lookups, we need to setup a separate firewall server somewhere on our local network, install pFSense on it, then install Unbound on that, and the somehow set all of our devices, browsers, and such to use this Unbound and pfSense firewall server for our DNS searches? I think this is probably a non-starter for most people.
@charld
3 ай бұрын
around the @9:46 mark i think you need to call out the option - Allow DNS server list to be overridden by DHCP/PPP on WAN or remote OpenVPN server - needs to be unchecked right?
@TheDevnul
6 ай бұрын
So I used to work for an ISP. The thing is every time you access a web page you can be resolving anything from 1 to dozens of various sites. The main site, sub, advertising, provider (Amazon, Microsoft, Apple…) Multiply that with thousands of users, the flow of data is significant. You’re not that interesting.
@deeyadeli1435
2 ай бұрын
Until you are.
@archangelmusic13
3 ай бұрын
when you say go to services. where is that? i clicked on my windows icon on the bottom left and typed in services. and there was a sevices there. but when i clicked on it, nothing happened, it didn't open any window.
@nevarius9010
Жыл бұрын
What a fantastic video, you earned this sub.
@NaomiBrockwellTV
Жыл бұрын
Grazie!
@jozsefizsak
Жыл бұрын
Thank you once again for all your wonderful work!
@GoogelDeepMind2024
3 ай бұрын
It's the (NSA) & (CIA) = ("OPERATION THIN-THREAD") & ("OPERATION TRAILBLAZER") = ("MAINWAY") is a database maintained by the United States' National Security Agency (NSA) containing metadata for hundreds of billions of telephone calls made through the largest telephone carriers in the United States, including AT&T, Verizon, and T-Mobile.
@ehsandeldouzi1357
4 ай бұрын
I got a liitle bit confused whats the point of the unbound here? unbound is a recursive resolver and you used it as a resolver? cant the unbound subtracted from your equation and use pfsense to directly connect to 9.9.9.9? will pihole + 9.9.9.9 with DoH achive the same thing?
@awangjeme2531
8 ай бұрын
Spread more awareness world wide. Thank you Naomi.
@robmorin
Жыл бұрын
SO I did what is in this video, but how do i verify that my DNS requests are indeed encrypted?
@Shrapnel_Music
7 ай бұрын
EDIT: To Clear up something: I am "NOT" basing the video at all. I liked the video, it was produced great as always, below is just my thoughts. Not bad at the video. I hope I'm making sense, opening peoples minds to conversation on things? Is that the way to say it? Here is why all this stuff is pointless. Start at problem. (Us). Our computer -> Our Router -> Our Modem -> Their sub station -> everywhere else your cloudflare all that. This is a 'false' since of security; like a front door made of glass with a deadbolt on it and you think it has you covered. It don't. Proof in pudding, check your IP's config and all before and after and not just literally your IP. Look at the packets, we change nothing and it goes to the "ISP" Before any other DNS can grab it. Other wise you would have "hacked" free internet somehow, just think about it. If you don't have to go through the ISP and get online why would you? See pipe dream..
@BitcoinNewsTodayLive
Жыл бұрын
Thanks for the info drop Naomi!
@Gunni1972
8 ай бұрын
I don't presume anything i do on the Internet to stay private. And why should i encrypt my DNS when my ISP just sends the Encryption key to the IS. (Stands for Intelligence services) Which it is contractually obliged to do. Also. If they want to, they can access my CPU right from the Boot-up. And deactivate or "allow requests" through any software that is blocking that access.
@schmandel
9 ай бұрын
This is an excellent example of content that isn't served well by video presentation. What should be a few paragraphs on a page or two of text is definitely not worth waiting for the presentation to get to the meat of the matter.
@jmanj3917
Жыл бұрын
11:30 Lol... Yes, Ma'am; It's a wonderful song. It's going to be stuck in my head all day...😀
@IPear
Жыл бұрын
I keep not understanding why protecting DNS from the ISP if the ISP routes all of our traffic and can know what website we visit
@nommindymple6241
Жыл бұрын
I've got all of that set up in pfSense. But, what about browser settings? For instance, in Chrome Settings > Privacy and Security > Use Secure DNS: do I leave that off and assume all that will be handled by pfSense before the browser gets involved? Or, do I turn it on and set a service provider? Won't doing that override pfSense's settings?
@matthijsleenhouts4827
Жыл бұрын
DNS over TLS in combination with openvpn end your data is standard for encrypting DNS queries to keep them secure and private.
@MikeUIibarri
Жыл бұрын
3:55 "As explained in previous (and impossible to find) videos..." Looking for that/those videos, because from the pfSense download page: " The entire hard drive will be overwritten" ? Say what?
@robtihanyi1155
Жыл бұрын
Thank you so much for your excellent content...good job :-)
@jamie_adrian_wood_official
2 ай бұрын
The bit I don't get is if you are researching for ethical reasons, why would anyone fear their searches being known unless they are melisious in intent?
@slug.racing
2 ай бұрын
Ohh this old chestnut.
@germanarturo11
Жыл бұрын
This is great information as usual, and you always beautiful Naomi, if I could I would hire you with no hesitation.
@P4V3LS
Жыл бұрын
DNS-over-TLS ( DOT) are great but what about reverse ssh tunnels are kind of scary.
@jmr
Жыл бұрын
I double checked my DNS servers. 😂 I'm already using quad 9.
@jimmysmith-ru8nb
Жыл бұрын
bro, Quad9 is free software or paid? and how can install to router? pls...
@jmr
Жыл бұрын
@@jimmysmith-ru8nb It's free. No software. Just Google it and they can walk you through setup.
@cyberdevil657
3 ай бұрын
Whoa you guys are very underrated! My ISP has embedded DNS so i don't have the option to change it in the modem and it makes me furious. I'm trying to do a big project and changing the dns server is one of the steps and it is truly frustrating. So my plan is to install Pfsense on my Proxmox & from there i will manipulate the modem into bridge mode... If this does not work you guys have any advice? I subscribed :)
@juststeve7665
Жыл бұрын
SMH... I am already using Ubuntu latest ver. and did not want to change OS... I did a little investigation and found that unbound is available in the Ubuntu repositories... I have now spent almost 10 hours trying to make it work........ I get it that PFSense has a GUI that makes this a lot easier but I am not going to change OS! I may have to set up another machine just to encrypt and forward traffic with PFSense... but shouldn't have to. I have changed my DNS settings in Ubuntu to use Cloud9 but no encryption until I get unbound to function or my head explodes... iffy which one will happen first.
@youronlinepresencepro9348
Жыл бұрын
Great Video as always thank you!
@gagaxueguzheng
2 ай бұрын
To me, it is even worse that most people nowadays just use Google's DNS server. Not enough that we give them our search and YT history but we also give them the sites we browse without going via a search engine.
@nwogamesalert
Жыл бұрын
@Naomi - As I understand it, PfSense has to be installed on a router? 1) Can it be installed it on a PC instead, so it will work when I connect to the internet from varying locations? 2) What if I use a USB modem with sim card & subscription for my internet connection? Can PfSense be used in this setup? 3) If it can be installed on a PC, does it use many resources, in other words, will it slowdown my PC?
@mrmotofy
Жыл бұрын
pfSense/OpnSense is a router software or operating system and yes it can be run on any regular pc like an older Dell Optiplex. Add a dual or quad NIC and you have enterprise level router capabilities
Пікірлер: 803