Author Topic: Hardware Router VPN  (Read 14041 times)


Offline 5U4GB

  • Super Contributor
  • Posts: 1590
  • Country: au
Re: Hardware Router VPN
« Reply #125 on: July 10, 2025, 03:49:22 am »
Quote
This is why you can set a primary and secondary, just set the secondary to cloudflare (1.1.1.1), if there is a fault it will automatically try the other server.

Just as an aside, primary and secondary are server-side concepts, typically the primary is authoritative and the secondary is a read-only copy of the primary as a backup.  From the client side anything is possible, prefer primary, query either in a round-robin fashion, and then there's the Windows version for which the best description I've seen is the probably DNS and the maybe DNS (gory details here, and that's probably changed ten times since then).

This typically hits PiHole and similar users who have the PiHole as the primary and unfiltered DNS as the secondary for emergency access if there's a problem with the PiHole, and then wonder why a lot of their DNS queries aren't being filtered.
 

Offline David Hess

  • Super Contributor
  • Posts: 19055
  • Country: us
  • DavidH
Re: Hardware Router VPN
« Reply #126 on: July 10, 2025, 03:55:54 am »
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...

Not much they can do if you're using DNS over HTTPS, or encrypted DNS and an overseas DNS server. You can even rent a cheap VPS and throw bind on it for a personal DNS server if you want one you can trust.

As for spying on you, sorry, but the instant I start getting poisoned DNS records from a provider is the instant I lose all trust in them, government mandated or not.

My OPNsense router is currently configured to block all outgoing UDP and TCP DNS requests to port 53.  DNS requests must go to the router, which then uses Unbound DNS to resolve all requests with DNS over TLS to port 853 of the usual suspects.  My VPN endpoints also resolve DNS through my local router.

I guess I should block port 853 also since browsers will commonly do their own encrypted DNS resolution if not properly configured.

Update: I already blocked port 853 when I originally blocked DNS.

Quote
I presume with those rules that you do not currently have IPv6 connectivity..

My router is behind the house NAT router which is behind the fiber NAT router so no, I do not have IPv6 connectivity.  I think our delegated IPv6 subnet is not large enough.

My VPN connections provide IPV6 access for outgoing connections and incoming forwarded ports.

I should probably block outgoing DNS over IPv6 anyway though.
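An added check prompted by the router setup described above (block outbound 53 and 853, force everything through the local Unbound resolver, and the open question of IPv6). This is example code, not David Hess's configuration and not part of OPNsense, which uses pf rather than nftables; it assumes the rules are available as an `nft list ruleset` text dump and that DNS blocking is written with `th dport`/`tcp dport`/`udp dport` plus a `drop` or `reject` verdict. The sample ruleset is constructed for the example and deliberately has the IPv4 rule but not the IPv6 one, which is exactly the gap the audit reports.

```python
"""Audit an nftables ruleset dump for DNS egress enforcement (v4 and v6).

Example code, not from the thread. Assumes `nft list ruleset` text where
DNS blocking appears as a forward/output chain rule with a dport match on
53 and/or 853 and a drop/reject verdict. Other textual forms are not parsed.
"""
import re

DNS_PORTS = {53, 853}          # plain DNS and DNS over TLS
FAMILIES_IP = ("ip", "ip6")    # `inet` tables cover both

# Constructed sample resembling `nft list ruleset` on a LAN router: v4 DNS
# egress is dropped, but nobody added the equivalent rule to the ip6 table.
SAMPLE_RULESET = """\
table ip filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip saddr 192.168.1.1 accept
        meta l4proto { tcp, udp } th dport { 53, 853 } counter drop
    }
}
table ip6 filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip6 nexthdr ipv6-icmp accept
    }
}
"""

TABLE_RE = re.compile(r"^table\s+(ip|ip6|inet)\s+\S+\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"hook\s+(\w+)")
PORTS_RE = re.compile(r"(?:th|tcp|udp)\s+dport\s+(\{[^}]*\}|\d+)")
PROTO_RE = re.compile(r"l4proto\s+(\{[^}]*\}|\w+)")


def _parse_set(text):
    """Turn `{ a, b }` or a bare token into a set of stripped strings."""
    return {t.strip() for t in text.strip("{} ").split(",") if t.strip()}


def blocked_dns_egress(ruleset: str) -> dict:
    """Return {(family, proto, port): True} for every DNS egress drop found.

    Only chains hooked at forward or output count: a drop in an input chain
    does not stop LAN hosts from reaching an outside resolver directly.
    """
    found = {}
    family = None
    hook = None
    for line in ruleset.splitlines():
        m = TABLE_RE.match(line)
        if m:
            family, hook = m.group(1), None
            continue
        if CHAIN_RE.match(line):
            hook = None
            continue
        hm = HOOK_RE.search(line)
        if hm and "type" in line:
            hook = hm.group(1)
            continue
        if hook not in ("forward", "output") or family is None:
            continue
        if not re.search(r"\b(drop|reject)\b", line):
            continue
        pm = PORTS_RE.search(line)
        if not pm:
            continue
        ports = {int(p) for p in _parse_set(pm.group(1)) if p.isdigit()} & DNS_PORTS
        # Protocol comes from an explicit tcp/udp dport, else a meta l4proto
        # set; a bare `th dport` with no l4proto matches any transport.
        key = pm.group(0).split()[0]
        if key in ("tcp", "udp"):
            protos = {key}
        else:
            lm = PROTO_RE.search(line)
            protos = _parse_set(lm.group(1)) if lm else {"tcp", "udp"}
        fams = FAMILIES_IP if family == "inet" else (family,)
        for f in fams:
            for pr in protos:
                for port in ports:
                    found[(f, pr, port)] = True
    return found


def dns_egress_gaps(ruleset: str) -> list:
    """List every (family, proto, port) combination with no drop rule."""
    found = blocked_dns_egress(ruleset)
    return sorted(
        (f, pr, port)
        for f in FAMILIES_IP
        for pr in ("tcp", "udp")
        for port in sorted(DNS_PORTS)
        if (f, pr, port) not in found
    )


if __name__ == "__main__":
    for gap in dns_egress_gaps(SAMPLE_RULESET):
        print("DNS egress NOT blocked:", gap)
```

Run it against `nft list ruleset` output from the actual router; the sample above reports all four ip6 combinations as open, and moving the drop rule into an `inet` table (or duplicating it in the ip6 table) clears the list. A browser or VPN client with its own DoH/DoT settings still has to be caught by the 853 rule or by its own configuration, since port 443 DoH is not distinguishable by port.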
 

Offline madires

  • Super Contributor
  • Posts: 8994
  • Country: de
  • A qualified hobbyist ;)
Re: Hardware Router VPN
« Reply #127 on: July 10, 2025, 07:28:24 am »
Quote
My router is behind the house NAT router which is behind the fiber NAT router so no, I do not have IPv6 connectivity.  I think our delegated IPv6 subnet is not large enough.

Or possibly the IPv6 PD (Prefix Delegation) doesn't trickle down to the last router in the chain for whatever reason. There are some stingy ISPs, but the recommendation is to assign a /64 for the link between ISP and CPE and at least a /56 for the LAN.
 

Offline madires

  • Super Contributor
  • Posts: 8994
  • Country: de
  • A qualified hobbyist ;)
Re: Hardware Router VPN
« Reply #128 on: July 10, 2025, 08:42:37 am »
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government.

This is what Google says about logging DNS queries: https://developers.google.com/speed/public-dns/privacy
And Cloudflare: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/

Both log a lot.

And have you read those? I'll give a big hint: They don't store logs containing identifiable information.

Google states (from link above):
Quote
Temporary DNS Logs
Temporary logs are the only logs that store both your IP address and your DNS query. Specifically, the temporary logs include:
  - the IP address of your device sending the DNS query
...
These logs are subject to our deletion processes within 24-48 hours. ...

So they store your IP address and query together for 24-48 hours. After that your IP address is replaced with a 'city or region-level location' for the permanent logs. From the data points stored in the permanent logs it's possible to narrow down DNS clients to a group, e.g. via the AS number (your ISP) and the geolocation. As an example (should be unlikely, but is simple to explain), let's assume you're the only customer of your ISP in your area. The permanent logs contain the AS number and the geolocation. In this special case it's possible to pin down the logged queries to a specific user. And if you happen to log into some Google service they can correlate that with the DNS logs and identify you. I don't claim that they are doing that, I'm just trying to explain that with sufficient data points which don't include identifiable information directly it can be still possible to identify a person.

Cloudflare is more privacy-friendly. They store a truncated version of your IP address (last octet removed for IPv4) up to 25 hours in volatile storage. And as a bonus they aggregate all data points they log within 25 hours and delete the original logs. I'd prefer Cloudflare over Google in this regard.
 

Online Monkeh

  • Super Contributor
  • Posts: 8753
  • Country: gb
Re: Hardware Router VPN
« Reply #129 on: July 10, 2025, 03:20:46 pm »
Quote
So they store your IP address and query together for 24-48 hours. After that your IP address is replaced with a 'city or region-level location' for the permanent logs. From the data points stored in the permanent logs it's possible to narrow down DNS clients to a group, e.g. via the AS number (your ISP) and the geolocation. As an example (should be unlikely, but is simple to explain), let's assume you're the only customer of your ISP in your area. The permanent logs contain the AS number and the geolocation. In this special case it's possible to pin down the logged queries to a specific user. And if you happen to log into some Google service they can correlate that with the DNS logs and identify you. I don't claim that they are doing that, I'm just trying to explain that with sufficient data points which don't include identifiable information directly it can be still possible to identify a person.

Cloudflare is more privacy-friendly. They store a truncated version of your IP address (last octet removed for IPv4) up to 25 hours in volatile storage. And as a bonus they aggregate all data points they log within 25 hours and delete the original logs. I'd prefer Cloudflare over Google in this regard.

And when the government rocks up with "give us DNS queries for this user over the last six months" they can simply go "no, we don't have that data". There's a difference between being able to deanonymize using large data sets and storing complete, detailed logs for the perusal of others.
 

Offline David Hess

  • Super Contributor
  • Posts: 19055
  • Country: us
  • DavidH
Re: Hardware Router VPN
« Reply #130 on: July 10, 2025, 04:39:37 pm »
Quote
My router is behind the house NAT router which is behind the fiber NAT router so no, I do not have IPv6 connectivity.  I think our delegated IPv6 subnet is not large enough.

Or possibly the IPv6 PD (Prefix Delegation) doesn't trickle down to the last router in the chain for whatever reason. There are some stingy ISPs, but the recommendation is to assign a /64 for the link between ISP and CPE and at least a /56 for the LAN.

Probably, but I remember checking and finding a smaller than recommended assignment.

IPv6 has been denied to me for so long now that I assume by default that I need to make my own arrangements.  Back when AT&T started deliberately blocking IPv6 access, first at their border routers and then at their customer routers, I filed a complaint with the FCC who said it was fine.

So now I get IPv6 through a robust VPN service, rendering that traffic largely inscrutable and anonymous.  If this makes things more difficult for the government, that is too bad; they made their choice.

Quote
And when the government rocks up with "give us DNS queries for this user over the last six months" they can simply go "no, we don't have that data". There's a difference between being able to deanonymize using large data sets and storing complete, detailed logs for the perusal of others.

What the court can do if the data exists at any point, is order that it be retained and given to law enforcement.  The only way to prevent this is to not preserve it for any amount of time, and likely not even generate it.

There was a case where this came up a couple years ago where it was determined by the court that data which only exists ephemerally in DRAM may be subject to an order requiring it to be recorded and given to law enforcement.

« Last Edit: July 10, 2025, 04:45:44 pm by David Hess »
 

Offline madires

  • Super Contributor
  • Posts: 8994
  • Country: de
  • A qualified hobbyist ;)
Re: Hardware Router VPN
« Reply #131 on: July 10, 2025, 06:10:15 pm »
Quote
And when the government rocks up with "give us DNS queries for this user over the last six months" they can simply go "no, we don't have that data". There's a difference between being able to deanonymize using large data sets and storing complete, detailed logs for the perusal of others.

Wouldn't work directly anyway, because DNS queries don't include something like a user name. But it would be different when law enforcement is asking your ISP, because your ISP usually knows your ID and IP address for a given time. So they might start with your ISP and then try to collect as much data as available from other sources. However, law enforcement often doesn't know what to ask for and even struggles to follow the correct procedure laid out by law. In that case the ISP can ignore the request or try to educate them. ;D
 

Offline EEVblog (Topic starter)

  • Administrator
  • Posts: 41757
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #132 on: July 11, 2025, 02:47:35 am »
Everyone talks about OpenWRT, looks like my Archer AC1200 is supported:
https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500

Any advantage in running that?
 

Offline gnif

  • Administrator
  • Posts: 1880
  • Country: au
  • Views and opinions are my own
    • AMD
Re: Hardware Router VPN
« Reply #133 on: July 11, 2025, 02:50:10 am »
OpenWRT unlocks a lot of functionality; many devices from providers like TPLink already use it, but a modified version.

Again though, it comes in a default zero configuration state and requires a fair amount of technical investment to configure it.
AMD Linux Software Engineer
 

Offline Smokey

  • Super Contributor
  • Posts: 3803
  • Country: us
  • Not An Expert
Re: Hardware Router VPN
« Reply #134 on: July 11, 2025, 04:18:05 am »
Quote
Everyone talks about OpenWRT, looks like my Archer AC1200 is supported:
https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500
Any advantage in running that?

Get the best of both worlds.  Vendor support and updates + OpenWRT core.
One of the Asus routers that comes with AsusWRT.

And if you get really ambitious, you can install the fully open source asuswrt-merlin
https://www.asuswrt-merlin.net/
That link has a list of compatible hardware.

VPN is super easy to setup and use, both servers and clients.  (OpenVPN, PPTP, L2TP, IPSec, and WireGuard)
 

Offline EEVblog (Topic starter)

  • Administrator
  • Posts: 41757
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #135 on: July 11, 2025, 04:52:03 am »
Quote
VPN is super easy to setup and use, both servers and clients.  (OpenVPN, PPTP, L2TP, IPSec, and WireGuard)

I've just been told this isn't such a good idea  ;D
 

Offline Smokey

  • Super Contributor
  • Posts: 3803
  • Country: us
  • Not An Expert
Re: Hardware Router VPN
« Reply #136 on: July 11, 2025, 04:58:38 am »
Quote
VPN is super easy to setup and use, both servers and clients.  (OpenVPN, PPTP, L2TP, IPSec, and WireGuard)

I've just been told this isn't such a good idea  ;D

both can be true :)
 

Offline madires

  • Super Contributor
  • Posts: 8994
  • Country: de
  • A qualified hobbyist ;)
Re: Hardware Router VPN
« Reply #137 on: July 11, 2025, 08:06:31 am »
Quote
Everyone talks about OpenWRT, looks like my Archer AC1200 is supported:
https://openwrt.org/toh/tp-link/archer-c5-c7-wdr7500

Any advantage in running that?

Pro:
- long term support
- tons of features
- option to install additional software

Con:
- not simple, but plenty of documentation
- the hardware NAT offloading of the Archer AC1200 isn't supported (proprietary) -> lower NAT throughput
 

Offline EEVblog (Topic starter)

  • Administrator
  • Posts: 41757
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #138 on: October 10, 2025, 07:32:19 am »
Update: I just went with a plain vanilla VPN installed on my devices.
No issues so far, apart from YouTube requesting to confirm it's me.
Will see what happens end of this year...
 

Offline gnif

  • Administrator
  • Posts: 1880
  • Country: au
  • Views and opinions are my own
    • AMD
Re: Hardware Router VPN
« Reply #139 on: October 10, 2025, 10:41:30 pm »
Just note I have over the last few days had to start blocking VPN IP ranges again due to AI abuse.

See attached traffic stats for today alone, they have been super aggressive of late.

Hopefully your VPN provider won't get caught up in this.
AMD Linux Software Engineer
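An added example of the kind of aggregation behind "blocking VPN IP ranges": it is not gnif's tooling and the forum's real logs are not shown here. It reads combined-format access log lines (the sample is constructed), groups hits by /24 for IPv4 and /48 for IPv6 so that a scraper rotating through a provider's pool still lands in one bucket, flags prefixes over a request threshold, and renders them as an nftables set fragment. The prefix lengths and threshold are assumptions to tune per site; aggregating by prefix is also why ordinary customers of the same VPN provider get caught in the same block, which is the risk the post raises.

```python
"""Aggregate web access logs by network prefix to find abusive ranges.

Example code, not the forum's own tooling. Parses Apache/nginx combined-
format lines, buckets clients into /24 (IPv4) or /48 (IPv6) prefixes, and
flags buckets whose request count exceeds a threshold. Prefix lengths and
the threshold are assumed values to be tuned for a real site.
"""
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample: three hosts in 203.0.113.0/24 hammering topic pages,
# one ordinary visitor, a scraper spread across an IPv6 /48, and one junk
# line to show that unparseable input is skipped rather than fatal.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:10:00:01 +1000] "GET /index.php?topic=1 HTTP/1.1" 200 5120
203.0.113.11 - - [10/Oct/2025:10:00:01 +1000] "GET /index.php?topic=2 HTTP/1.1" 200 5120
203.0.113.10 - - [10/Oct/2025:10:00:02 +1000] "GET /index.php?topic=3 HTTP/1.1" 200 5120
203.0.113.12 - - [10/Oct/2025:10:00:02 +1000] "GET /index.php?topic=4 HTTP/1.1" 200 5120
203.0.113.11 - - [10/Oct/2025:10:00:03 +1000] "GET /index.php?topic=5 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2025:10:00:03 +1000] "GET /index.php?topic=1 HTTP/1.1" 200 5120
2001:db8:1:2::9 - - [10/Oct/2025:10:00:04 +1000] "GET /index.php?topic=6 HTTP/1.1" 200 5120
2001:db8:1:3::9 - - [10/Oct/2025:10:00:04 +1000] "GET /index.php?topic=7 HTTP/1.1" 200 5120
2001:db8:1:4::9 - - [10/Oct/2025:10:00:05 +1000] "GET /index.php?topic=8 HTTP/1.1" 200 5120
garbage line that does not parse
"""


def aggregate_prefix(addr: str, v4_len: int = 24, v6_len: int = 48):
    """Map a client address to the prefix used for blocking decisions."""
    ip = ipaddress.ip_address(addr)
    plen = v4_len if ip.version == 4 else v6_len
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def count_by_prefix(log_text: str) -> Counter:
    """Count requests per prefix; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            counts[aggregate_prefix(m.group(1))] += 1
        except ValueError:  # first field is not an IP (hostname logging)
            continue
    return counts


def abusive_prefixes(log_text: str, threshold: int = 2) -> list:
    """(prefix, count) pairs with more than `threshold` hits, busiest first."""
    counts = count_by_prefix(log_text)
    hits = [(net, c) for net, c in counts.items() if c > threshold]
    return sorted(hits, key=lambda nc: (-nc[1], str(nc[0])))


def nft_set_elements(prefixes) -> str:
    """Render prefixes as an nftables `elements = { ... }` fragment."""
    return "elements = { " + ", ".join(str(n) for n in prefixes) + " }"


if __name__ == "__main__":
    flagged = abusive_prefixes(SAMPLE_LOG)
    for net, c in flagged:
        print(f"{net}\t{c} requests")
    print(nft_set_elements(net for net, _ in flagged))
```

With the sample, 203.0.113.0/24 (5 hits) and 2001:db8:1::/48 (3 hits) are flagged while the single visitor from 198.51.100.7 is not. On real logs the threshold needs to be a rate over a time window rather than a raw count, and the output is a candidate list to review against known VPN or cloud ranges before it goes into a live set.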
 

Offline EEVblog (Topic starter)

  • Administrator
  • Posts: 41757
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #140 on: October 10, 2025, 11:29:02 pm »
Quote
Just note I have over the last few days had to start blocking VPN IP ranges again due to AI abuse.
See attached traffic stats for today alone, they have been super aggressive of late.
Hopefully your VPN provider won't get caught up in this.

Yeah, we'll see.
For an extra $4/month I can get a fixed IP if needed.
 