Privacy-preserving services
Moderators: FranklinDM, Lootyhoof
-
jobbautista9
- Board Warrior

- Posts: 1025
- Joined: 2020-11-03, 06:47
- Location: Philippines
Re: Privacy-preserving services

Does DoT actually have the same problem as DoH on that front? Afaics DNS over TLS uses a dedicated TCP port which is 853, and doesn't have HTTP overhead like DNS over HTTPS does, so network admins should be able to block DoT easily if they need to.
"Destroying things, smartly!" - IJN Samidare, probably
Avatar artwork by ebifurya: https://www.pixiv.net/artworks/85379109
XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.
-
Moonchild
- Pale Moon guru

- Posts: 38382
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Privacy-preserving services
jobbautista9 wrote: ↑2025-09-17, 04:42
    Does DoT actually have the same problem as DoH on that front? Afaics DNS over TLS uses a dedicated TCP port which is 853, and doesn't have HTTP overhead like DNS over HTTPS does, so network admins should be able to block DoT easily if they need to.

The main problem is that lookup requests are sent outside of the org regardless of org-local host names. This effectively exposes infrastructure information to the TRR.
Another issue is that it bypasses any org-defined DNS-based security setup entirely making DoH/DoT clients more vulnerable to external factors.
As an aside, if DoT is being used over a dedicated port that can be easily blocked then that pretty much negates being able to "escape" restrictive environments so that's just another failure of the proposal...
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
back2themoon
- Knows the dark side

- Posts: 3006
- Joined: 2012-08-19, 20:32
Re: Privacy-preserving services
Yes, DoT looks nice on paper but if it can be so easily bypassed (and I believe the user will have no idea, right?) then what's the point? Some routers do provide a DoT option which is nice, but again...
DoH should be way more effective, but it presents other type of issues as it seems. Also, DoH is unavailable AFAIK at the router level for some reason. It looks like a per-application feature, if anything.
So, in the end, good old plain DNS seems to be the best option, assuming the server is trusted of course.
(feel free to correct me since I'm not technical on this stuff)
-
Michaell
- Lunatic

- Posts: 384
- Joined: 2018-05-26, 18:13
Re: Privacy-preserving services
I found the time server setting but it's set to nist.gov and I'm fine with that.
Can someone here tell me where the DNS server setting is in Windows 10? I've had trouble finding settings ever since M$ split and reorganized things in Settings vs. old style Control Panel.
Win10home(1709), PM33.9.0.1-portable as of Sep. 24, 2025
-
Moonchild
- Pale Moon guru

- Posts: 38382
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Privacy-preserving services
Right-click the networking icon in the system tray and select "Open network and internet settings".
This opens the Settings app.
Scroll down to "Change adapter options" under Advanced and click it.
This will open a classic Explorer view with all your network connections.
Right-click your internet connection and select Properties.
Select Internet Protocol Version 4 in the list and click the Properties button.
Select "Use the following DNS server addresses" and enter the IPs.
Click OK.
Repeat for Internet Protocol Version 6 if applicable to your connection.
Alternatively, you can set this in your router configuration instead of on each device/adapter, if your router does DNS forwarding (most do) and keep using your router as name resolver.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
Moonchild
- Pale Moon guru

- Posts: 38382
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Privacy-preserving services
Alternate DNS is also up now. This is a secondary box with shared services so do not use it as preferred if you can help it. If your configuration defaults to round-robin or equal spread, please change it to prefer DNS1.
DNS1
IPv4 5.189.164.139
IPv6 2a02:c207:2280:9322::1
DNS2
IPv4 80.255.7.132
IPv6 2a01:4a0:68:1::492a
NTP
time.palemoon.org
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
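The same change Moonchild walks through in the Settings app above (set a preferred and an alternate DNS server per adapter, IPv6 only if the connection has it) can be scripted, and scripting makes the "prefer DNS1, do not round-robin" point from the post with the addresses explicit, because the order of the list is what Windows uses to pick the preferred server. The following is an added example written for this thread, not a script from the forum or from the Pale Moon project; it uses the DNS1/DNS2/NTP values posted above, assumes an elevated PowerShell on Windows 10, and the adapter name `Ethernet` is a placeholder you replace with the name `Get-NetAdapter` shows for your connection.

```powershell
# Added example, not from the original post. Run as Administrator on Windows 10.
# Assumption: the adapter is called 'Ethernet'; check Get-NetAdapter for yours.
$AdapterName = 'Ethernet'

# Addresses as posted in the thread. DNS1 is the shared-service-free box and must
# stay first in the list: Windows treats the first entry as the preferred server
# and only falls back to the second on error, timeout or slowness.
$Dns1v4 = '5.189.164.139'
$Dns2v4 = '80.255.7.132'
$Dns1v6 = '2a02:c207:2280:9322::1'
$Dns2v6 = '2a01:4a0:68:1::492a'

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
$ifIndex = $adapter.ifIndex

# Record what is configured now (usually the router's address when set to automatic)
# so the change can be reviewed and undone later.
Write-Host "Current DNS servers on $AdapterName (before):"
Get-DnsClientServerAddress -InterfaceIndex $ifIndex |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize

# Start with the IPv4 pair; add the IPv6 pair only when the adapter actually has a
# routable IPv6 address (link-local fe80:: addresses have PrefixOrigin 'WellKnown').
$servers = @($Dns1v4, $Dns2v4)
$hasGlobalV6 = Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' }
if ($hasGlobalV6) {
    $servers += @($Dns1v6, $Dns2v6)
}

# One call sets both address families; Windows splits the list by family itself,
# keeping the order within each family (preferred first, alternate second).
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $servers

Write-Host "Configured DNS servers on $AdapterName (after):"
Get-DnsClientServerAddress -InterfaceIndex $ifIndex |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize

# Verify the preferred server answers before relying on it: flush the local cache and
# resolve the NTP host name from the same post directly against DNS1.
Clear-DnsClientCache
Resolve-DnsName -Name 'time.palemoon.org' -Server $Dns1v4 -Type A -ErrorAction Stop |
    Select-Object Name, Type, IPAddress

# To go back to "obtain automatically" (what Michaell does later in the thread):
#   Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ResetServerAddresses
```

Because `Set-DnsClientServerAddress` replaces the whole list for the adapter, re-running the script is idempotent, and the "before" listing it prints is the only record of the router address it overwrote, so keep that output if you intend to revert by hand rather than with `-ResetServerAddresses`. Setting the addresses on the router instead, as Moonchild suggests, leaves every client on automatic and needs no per-device script at all.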
-
Moonchild
- Pale Moon guru

- Posts: 38382
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Privacy-preserving services
I've decided to hold off on Tor for the time being as interest isn't very high in comparison, and it would seriously complicate matters having to run Tor node software on multiple servers.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
Night Wing
- Knows the dark side

- Posts: 5536
- Joined: 2011-10-03, 10:19
- Location: Piney Woods of Southeast Texas, USA
Re: Privacy-preserving services
Off-topic:
I think you made a good decision regarding Tor. Tor is known for its anonymity, but it is also known for its access to the Dark Web. I have heard of some sites not giving access to their site if someone is using the Tor browser.
Last edited by Night Wing on 2025-09-17, 15:36, edited 1 time in total.
MX Linux 23.6 (Libretto) Xfce w/Pale Moon, Waterfox, Firefox
Linux Debian 13.1 (Trixie) Xfce w/Pale Moon, Waterfox, Firefox
-
back2themoon
- Knows the dark side

- Posts: 3006
- Joined: 2012-08-19, 20:32
Re: Privacy-preserving services
In the https://dns.ipleak.net/ website I get:
IP addresses: IPv6 + IPv4
Browser default: IPv6 / Fallback: IPv6 (I do get IPv4 sometimes here)
About: DNS Address - 1 server detected
Is it expected to only see the IPv4 DNS Server here? There's no IPv6.
-
Moonchild
- Pale Moon guru

- Posts: 38382
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Privacy-preserving services
That's expected if set as preferred. The alternate is normally only used if the preferred one has an issue (error, timeout, too slow, etc.).
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
back2themoon
- Knows the dark side

- Posts: 3006
- Joined: 2012-08-19, 20:32
Re: Privacy-preserving services
No, I meant that only the IPv4 server is listed there. Not the IPv6 one.
(it's not about primary/secondary).
-
Moonchild
- Pale Moon guru

- Posts: 38382
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Privacy-preserving services
That depends on your network stack and timing (as well as browser settings, probably). In dual-stack setups it could go both ways. I'm guessing if a preferred one is selected it will stick with it.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
Stargate38
- Moon lover

- Posts: 86
- Joined: 2018-05-27, 22:55
- Location: Earth
Re: Privacy-preserving services
Moonchild wrote: ↑2025-09-16, 00:59
    Stargate38 wrote: ↑2025-09-15, 22:49
        I also think that the DNS/VPN/TOR (and email services suggested) should be free
    You think server hardware and bandwidth is free, do you?

At the very least, you could have a free tier.
-
back2themoon
- Knows the dark side

- Posts: 3006
- Joined: 2012-08-19, 20:32
Re: Privacy-preserving services
Which is meant to entice into a commercial/paid plan. Which is unwanted.
-
Moonchild
- Pale Moon guru

- Posts: 38382
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Privacy-preserving services
Which has to be paid for somehow as well. What kind of business model other than a shitty one would actually support that kind of setup?
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
Michaell
- Lunatic

- Posts: 384
- Joined: 2018-05-26, 18:13
Re: Privacy-preserving services
Your DNS IP4 did work on the sites I tried (I haven't been enabling IP6 so didn't test that), no noticeable issues. I'm going back to my default, automatic setting though.
Win10home(1709), PM33.9.0.1-portable as of Sep. 24, 2025
-
jarsealer
- Apollo supporter

- Posts: 32
- Joined: 2025-08-03, 23:56
Re: Privacy-preserving services
Hmm, before researching, I didn't think DoT/DoH would be so complicated.. leaking local hostnames/IPs/LANs to the provider or extranet definitely shouldn't happen I presume.
My ISP's DNS resolver blocks certain services, even nontrivial things, but they're not blocked when using another resolver (it's probably some rudimentary DNS filters they don't bother updating or something, incompetent on their part). So that's why I choose another provider, and the way to do that (on my Android phone) is seemingly to set a custom private DNS in network settings, which uses DoT I think. I'm also not that tech savvy in networking.
Pale Moon and Basilisk aarch64 user, on Raspberry Pi 5 (8 GB RAM)
-
RJARPCGP
- Newbie

- Posts: 6
- Joined: 2025-07-16, 04:42
- Location: USA(Springfield, Vermont)
Re: Privacy-preserving services
I would normally suspect a strange issue, especially when it happens on random web sites, and when they aren't illegal. Does the browser claim it doesn't exist, or that it's not responding? In the U.S., I only see intentional blocking at schools and libraries, besides at businesses. The blocking at schools and libraries is normally for NSFW content.
-
Moonchild
- Pale Moon guru

- Posts: 38382
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Privacy-preserving services
If it's blocked at the DNS level, you are either forwarded to a different site or a page explaining it's blocked, i.e. DNS hijacking, or (more common) the browser will just throw the networking error "Pale Moon can't find the server at {domain}".
If it's blocked at the connection level, it will error with a "server not responding" error.
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
LuftWafflePilot
- Lunatic

- Posts: 343
- Joined: 2021-02-19, 20:46
Re: Privacy-preserving services
I like the DNS idea, but what kind of latency is acceptable for this kind of thing so I am guaranteed not to be slowed down in any way? I can use my ISP's DNS servers that are like 2km away from our house with latency of like 1ms, but even though I am mostly certain they are the good kind (they are local and with a reputation to keep) without spying and shit, I can never be certain, so I'll always prefer something where I can be reasonably sure.
The average latency to your DNS is 25ms. Is that good or not good enough?
Oh and what would be the reason to use an alternative NTP server? I don't know anything about this stuff, and have been using pool.ntp.org for ages.