Mogsy
Senior Member
> AFAIK most ISPs doesn't provide DNSSEC

Interestingly, according to dnscheck.tools, Verizon on my phone seems to fail DNSSEC (not sure how accurate this is, but all other DNSs I've tested are green for all DNSSEC tests).
> AFAIK most ISPs doesn't provide DNSSEC

Comcast fully implemented DNSSEC. It's why they stopped redirecting typos, because the engineers told them it breaks DNSSEC.
> I am not going to encrypt anything I don't have to. I want it out in the open so it can be scanned. I think it is safer. Why help hide bad packets?

I mean, a lot of people are paranoid that their DNS requests are being watched. My concern would be a MITM where they could be manipulated if I was encrypting DNS. But I've found encrypted DNS to slow things a bit.
> I mean, a lot of people are paranoid that their DNS requests are being watched. My concern would be a MITM where they could be manipulated if I encrypted DNS. But I've found encrypted DNS to slow things a bit.

I think this is silly. DNS can be spoofed by using IP addresses instead of names. What really counts is your routing information on your packets, and that has to be exposed to the net because routing will not work without it being exposed. So, what they would want is where you have been, and your internet packets have that trail. It has to be for the internet to work.
> I think this is silly. DNS can be spoofed by using IP addresses instead of names. What really counts is your routing information on your packets, and that has to be exposed to the net because routing will not work without it being exposed. So, what they would want is where you have been, and your internet packets have that trail. It has to be for the internet to work.

Well, VPN is a bit different from encrypted DNS. Similar point. Did I miss something where we got on VPNs?
It is, like I said, a VPN provider only protects you to their IP address. Once you access anything on the internet outside of the VPN provider's network you have an exposed internet trail which can be tracked. So, to me it seems silly to think about any VPN provider. You only want to use VPN when you control both ends.
I do not want to expand this thread beyond DNS. But there is no reason to be paranoid about DNS requests. But be paranoid about DNS hacking and ending up on a malicious site.
> It is, like I said, a VPN provider only protects you to their IP address.

So many VPN advertisements I see are really seriously misselling their services!
> AFAIK most ISPs doesn't provide DNSSEC
> My un-scientific comparison of Cloudflare Security vs. Quad9.

That's a 37% difference in number of sites blocked, but still not as bad as that site suggests.
I set up a Pi-Hole with a malware only block list (https://blocklistproject.github.io/Lists/malware.txt) containing 435,266 records. For the first day the Pi-Hole was set to get queries from Cloudflare Security. The second day it used Quad9. DNSSEC was enabled. The Pi-Hole stats were cleared between tests.
First Day: Cloudflare 1.1.1.2, 1.0.0.2
Total Queries: 26,751
Queries Blocked: 227
Percentage Blocked: 0.8%
Second Day: Quad9 9.9.9.9, 149.112.112.112
Total Queries: 32,476
Queries Blocked: 359
Percentage Blocked: 1.1%
My test shows me the Cloudflare Security is not as "bad" as was stated in the article. In fact, it is 0.3% better than Quad9 which rated quite high. Sure, this was a short one day test for each upstream resolver and not scientific at all. But I feel justified in using Cloudflare Security which works best for me even using DoT and DNSSEC. Quad9 and DoT on my ISP do not play well together.
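The comparison above can be replayed offline. The following is an added example (not code from the thread, from Pi-hole or from blocklistproject): it parses a blocklist in the hosts-file format the blocklistproject lists use, tallies blocked queries per day and upstream from a constructed query log, and recomputes the two block rates from the raw counts posted above. The blocklist excerpt, the query log and its `day,upstream,client,domain` layout are constructed for this example; exact-match lookup (the way Pi-hole's gravity list matches) is an assumption stated in the code.

```python
"""Offline replay of the blocklist comparison described in the thread.

Added example (not code from the thread or from Pi-hole): it parses a
hosts-format blocklist, as published by blocklistproject, tallies blocked
queries per day/upstream from a constructed query log, and compares the
two block rates the way the thread's "37% difference" does.
"""
from dataclasses import dataclass

# Constructed excerpt in the hosts-file format the blocklistproject lists use
# ("0.0.0.0 <hostname>", '#' starts a comment). Domains are made up.
BLOCKLIST_TEXT = """\
# Title: malware list (constructed excerpt, not the real 435,266-record list)
0.0.0.0 bad-downloads.example
0.0.0.0 tracker-cdn.example   # trailing comments are allowed
0.0.0.0 updates.evil-corp.example
"""

# Constructed query log: "<day>,<upstream>,<client>,<queried domain>" per line.
QUERY_LOG = """\
1,cloudflare-security,192.168.1.10,www.example.org
1,cloudflare-security,192.168.1.10,bad-downloads.example
1,cloudflare-security,192.168.1.11,tracker-cdn.example
1,cloudflare-security,192.168.1.11,cdn.example.net
1,cloudflare-security,192.168.1.12,mail.example.org
2,quad9,192.168.1.10,www.example.org
2,quad9,192.168.1.10,updates.evil-corp.example
2,quad9,192.168.1.11,tracker-cdn.example
2,quad9,192.168.1.11,BAD-DOWNLOADS.example.
2,quad9,192.168.1.12,api.example.net
"""


def parse_hosts_blocklist(text):
    """Return the set of hostnames in a hosts-format blocklist (lowercased, no trailing dot)."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # a bare address with no hostname
        # First field is the sink address (0.0.0.0 or 127.0.0.1); the rest are hostnames.
        for host in fields[1:]:
            blocked.add(host.lower().rstrip("."))
    return blocked


def is_blocked(domain, blocklist):
    """Exact-match lookup, which is how Pi-hole's gravity list matches (assumption;
    subdomains of a listed domain are only blocked if listed themselves)."""
    return domain.lower().rstrip(".") in blocklist


@dataclass
class DayStats:
    upstream: str
    total: int = 0
    blocked: int = 0

    @property
    def percent_blocked(self):
        return 100.0 * self.blocked / self.total if self.total else 0.0


def tally(log_text, blocklist):
    """Count total and blocked queries per day, keyed by day number (as a string)."""
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, upstream, _client, domain = line.split(",")
        day_stats = stats.setdefault(day, DayStats(upstream))
        day_stats.total += 1
        if is_blocked(domain, blocklist):
            day_stats.blocked += 1
    return stats


def relative_difference(rate_a, rate_b):
    """Percent by which rate_b exceeds rate_a, i.e. the kind of figure behind
    "a 37% difference in number of sites blocked"."""
    return 100.0 * (rate_b - rate_a) / rate_a


def thread_figures():
    """Recompute the thread's own day-1/day-2 numbers from the raw counts."""
    day1 = DayStats("cloudflare-security", total=26751, blocked=227)
    day2 = DayStats("quad9", total=32476, blocked=359)
    return {
        "day1_percent": day1.percent_blocked,                       # ~0.85%
        "day2_percent": day2.percent_blocked,                       # ~1.11%
        "relative_from_rounded": relative_difference(0.8, 1.1),     # 37.5%
        "relative_from_raw": relative_difference(day1.percent_blocked,
                                                 day2.percent_blocked),  # ~30.3%
    }


if __name__ == "__main__":
    blocklist = parse_hosts_blocklist(BLOCKLIST_TEXT)
    for day, s in sorted(tally(QUERY_LOG, blocklist).items()):
        print(f"day {day} ({s.upstream}): {s.blocked}/{s.total} blocked, {s.percent_blocked:.1f}%")
    print(thread_figures())
```

Two things the replay makes visible: hostnames need normalising (case, trailing dot) before lookup or real blocks are missed, and the size of a "percent difference" depends on whether it is taken from the rounded 0.8%/1.1% figures (37.5%) or from the raw counts (about 30%), so a comparison of two upstreams should be done on counts, ideally over the same query mix.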
> Is this just using your normal browsing? Doesn't tell us anything at all if it is.

Yes, normal household browsing, as this is what matters to me. Think of it as a real world test. My wife and daughter were not told that I was doing a test.
How are you determining that Cloudflare is 0.3% better than Quad9?
Give us (much) more details about the testing you're reporting here.
> I set up a Pi-Hole with a malware only block list (https://blocklistproject.github.io/Lists/malware.txt) containing 435,266 records

I think it should be lists: Abuse, Fraud, Malware, Phishing, Ransomware, Scam.
> Maybe I need IPS/IDS on my firewall to be able to look for this kind of thing. Which ones can support this? I don't think I have ever written a rule to block DNS.txt.

You can try the combination of redirecting all DNS queries on port 53 on the firewall and additionally using pfBlockerNG with DNSBL & IP DoH blocklists plus the DoH/DoT block option under "DNSBL Safe Search". Then users on your network "for the most part" should be forced to go through unbound on the firewall. That's the way I do it.
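The "look for this kind of thing" question above is mostly a logging problem: once port 53 is redirected and DoH/DoT is blocked, the remaining job is spotting clients that still try to go around unbound. The following is an added example, not code from the thread, pfSense or pfBlockerNG, that scans a constructed and deliberately simplified connection log (`timestamp src dst proto dst_port` per line) and flags three kinds of bypass: plain DNS to anything other than the firewall's resolver, DNS over TLS on port 853, and HTTPS to well-known public resolver addresses as probable DoH. The LAN range, the resolver address, the log layout and the hand-written resolver set are assumptions for this example (9.9.9.9 and 149.112.112.112 are the Quad9 addresses used in the thread; the others are Cloudflare and Google anycast addresses).

```python
"""Spot LAN clients that bypass the firewall's resolver.

Added example, not from the thread, pfSense or pfBlockerNG: it scans a
constructed, simplified connection log and flags three kinds of bypass that
the port-53 redirect and DoH/DoT block described above are meant to stop.
Log format, addresses and the resolver list are assumptions for this example.
"""
from collections import Counter
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.1.0/24")     # assumed LAN
RESOLVER_IP = ipaddress.ip_address("192.168.1.1")   # assumed firewall/unbound address

# Well-known public resolver addresses (9.9.9.9 and 149.112.112.112 are Quad9, as in
# the thread; the rest are Cloudflare and Google anycast addresses). A real deployment
# would use pfBlockerNG's DoH IP feeds rather than a hand-written set like this one.
PUBLIC_RESOLVERS = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "1.1.1.2", "1.0.0.2", "8.8.8.8", "8.8.4.4",
    "9.9.9.9", "149.112.112.112",
)}

# Constructed log: "<timestamp> <src ip> <dst ip> <proto> <dst port>" per line.
LOG_LINES = """\
2024-05-01T10:00:01 192.168.1.10 192.168.1.1 udp 53
2024-05-01T10:00:02 192.168.1.11 8.8.8.8 udp 53
2024-05-01T10:00:03 192.168.1.12 1.1.1.1 tcp 853
2024-05-01T10:00:04 192.168.1.12 1.1.1.1 tcp 443
2024-05-01T10:00:05 192.168.1.13 203.0.113.10 tcp 443
2024-05-01T10:00:06 10.0.0.5 8.8.8.8 udp 53
2024-05-01T10:00:07 192.168.1.10 192.168.1.1 tcp 53
"""


def classify(src, dst, proto, port):
    """Return a finding label for one connection, or None if it is not a DNS bypass."""
    if src not in LAN_NET:
        return None                     # only police our own clients
    if port == 53 and dst != RESOLVER_IP:
        return "plain-dns-bypass"       # should have been caught by the port-53 redirect
    if proto == "tcp" and port == 853:
        return "dot"                    # DNS over TLS to anyone
    if proto == "tcp" and port == 443 and dst in PUBLIC_RESOLVERS:
        # Without SNI or TLS inspection this is a heuristic: HTTPS to a resolver's
        # address is probably DoH, but the same anycast IPs also host other services.
        return "doh-suspect"
    return None


def scan(log_text):
    """Parse the log and return findings as (src, dst, label) tuples, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, proto, port = line.split()
        label = classify(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                         proto.lower(), int(port))
        if label:
            findings.append((src, dst, label))
    return findings


def per_client(findings):
    """Count findings per source address, which is the unit you would act on."""
    return Counter(src for src, _dst, _label in findings)


if __name__ == "__main__":
    hits = scan(LOG_LINES)
    for src, dst, label in hits:
        print(f"{label:18} {src} -> {dst}")
    print(per_client(hits))
```

Queries that correctly reach the firewall's resolver (first and last sample lines) and traffic from outside the LAN produce no finding; the port-443 check is the weakest of the three and is labelled as a suspicion, which is why the DoH blocklists mentioned above are the better control for that case.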