Author Topic: Hardware Router VPN  (Read 14067 times)


Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 8754
  • Country: gb
Re: Hardware Router VPN
« Reply #100 on: July 09, 2025, 01:29:58 am »
Setting up a serious network appliance of any sort is quite possibly biting off more than you want to chew.

What's the actual reason behind wanting to have all your devices routed out of country? It's bound to cause headaches and broken services, and be far more annoying to disable as needed, so what's the actual goal?
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1880
  • Country: au
  • Views and opinions are my own
    • AMD
Re: Hardware Router VPN
« Reply #101 on: July 09, 2025, 01:31:41 am »
Thanks.
So what you're telling me is to just install a VPN software service on every machine and enable/disable as required, and anything else is too hard ;D

For this use case, yes, but not because it's too hard, but more because I think you won't be happy with the results.
AMD Linux Software Engineer
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 41760
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #102 on: July 09, 2025, 01:48:20 am »
Thanks.
So what you're telling me is to just install a VPN software service on every machine and enable/disable as required, and anything else is too hard ;D
For this use case, yes, but not because it's too hard, but more because I think you won't be happy with the results.

Yep, I suspect so too. Thanks.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 41760
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #103 on: July 09, 2025, 01:50:29 am »
Setting up a serious network appliance of any sort is quite possibly biting off more than you want to chew.
What's the actual reason behind wanting to have all your devices routed out of country? It's bound to cause headaches and broken services, and be far more annoying to disable as needed, so what's the actual goal?

I just thought it would be cool and simple in the long term, done once and never having to ever worry about an issue with any one machine. But I now realise that's not the case.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 41760
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #104 on: July 09, 2025, 05:07:37 am »
So, as an aside, should I opt out of this carrier grade NAT for my lab connection?
It says I have a fixed IP as part of my plan, but my AC1200 router says I have a Dynamic IP
Am I right in that a fixed IP will allow me to then change the DNS manually to 8.8.8.8 as suggested by gnif?
As currently the DNS can't be changed with the router set to Dynamic IP.

« Last Edit: July 09, 2025, 05:17:40 am by EEVblog »
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1880
  • Country: au
  • Views and opinions are my own
    • AMD
Re: Hardware Router VPN
« Reply #105 on: July 09, 2025, 05:37:05 am »
This just means you're using NAT, if you don't want to remote connect to your lab, or host services there such as a server, then you can leave it enabled as it does give you some level of protection as you don't have a real IP to expose.

As for the DNS, no this wont help you here. If your router has DHCP settings it might let you configure the DNS server that it tells your network to use, the setting you're looking at is for the router device itself (or both if it's not changeable in the DHCP settings).

If the router doesn't give you enough control, you can do this per PC:
1) Click edit DNS server assignment in the Ethernet settings:
[screenshot attachment]

2) Select manual:
[screenshot attachment]

3) Turn on IPv4:
[screenshot attachment]

Don't worry about IPv6, it's highly doubtful your ISP provides this, AU is very backwards with IPv6 support still.
« Last Edit: July 09, 2025, 05:44:01 am by gnif »
AMD Linux Software Engineer
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 41760
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #106 on: July 09, 2025, 05:51:15 am »
Ah, I see it now in the router. Worth putting in the 8.8.8.8 or whatever?
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1880
  • Country: au
  • Views and opinions are my own
    • AMD
Re: Hardware Router VPN
« Reply #107 on: July 09, 2025, 05:53:56 am »
I would if only to stop your ISP spying on your DNS queries
AMD Linux Software Engineer
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 41760
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #108 on: July 09, 2025, 05:55:24 am »
Don't worry about IPv6, it's highly doubtful your ISP provides this, AU is very backwards with IPv6 support still.

Aussie supports it, it seems.
I have two IPv6 addresses, one /48 and one /64, plus one normal IP address
There is an Edit IPv6 Delegation button
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 41760
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #109 on: July 09, 2025, 06:01:17 am »
I would if only to stop your ISP spying on your DNS queries

Done. 8.8.8.8 for primary and 1.1.1.1 for secondary. How do I check that it's worked?
« Last Edit: July 09, 2025, 06:04:26 am by EEVblog »
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1880
  • Country: au
  • Views and opinions are my own
    • AMD
Re: Hardware Router VPN
« Reply #110 on: July 09, 2025, 06:05:00 am »
In windows run `ipconfig` in a terminal and you should see the DNS server as 8.8.8.8, if it's not, just renew the IP address (ipconfig /renew), or reboot.
AMD Linux Software Engineer
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 41760
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #111 on: July 09, 2025, 06:22:51 am »
In windows run `ipconfig` in a terminal and you should see the DNS server as 8.8.8.8, if it's not, just renew the IP address (ipconfig /renew), or reboot.

Nope, "Connection-specific DNS Suffix" is blank.
No 8.8.8.8 or 1.1.1.1 or other mention of DNS
 

Offline 5U4GB

  • Super Contributor
  • ***
  • Posts: 1590
  • Country: au
Re: Hardware Router VPN
« Reply #112 on: July 09, 2025, 07:39:18 am »
Ah, I see it now in the router. Worth putting in the 8.8.8.8 or whatever?

No.  Maybe they've finally fixed it but Google's DNS used to be location-moronic so it would direct you to servers located wherever it felt like rather than fast local ones, to the point where some sites became inaccessible depending on where it sent you at the time of the lookup.

And for the other reply above, about worrying about your ISP spying on you: You're suggesting that the solution to concerns about your local ISP, who in practice doesn't give a toss about your DNS lookups, is to hand your queries to the world's largest and most comprehensive surveillance platform instead?  I specifically send my DNS queries to my local ISP because they're the least likely to care about them.
 

Offline 5U4GB

  • Super Contributor
  • ***
  • Posts: 1590
  • Country: au
Re: Hardware Router VPN
« Reply #113 on: July 09, 2025, 07:40:42 am »
Done. 8.8.8.8 for primary and 1.1.1.1 for secondary. How do I check that it's worked?

[snark]When you start seeing intermittent site outages caused by Google DNS you'll know it's working.[/snark]
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 8754
  • Country: gb
Re: Hardware Router VPN
« Reply #114 on: July 09, 2025, 08:17:24 am »
And for the other reply above, about worrying about your ISP spying on you: You're suggesting that the solution to concerns about your local ISP, who in practice doesn't give a toss about your DNS lookups, is to hand your queries to the world's largest and most comprehensive surveillance platform instead?  I specifically send my DNS queries to my local ISP because they're the least likely to care about them.

Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 8754
  • Country: gb
Re: Hardware Router VPN
« Reply #115 on: July 09, 2025, 08:21:08 am »
It says I have a fixed IP as part of my plan, but my AC1200 router says I have a Dynamic IP

Your router will be getting the IP via DHCP - it won't know whether it's being given a static assignment or not. If the IP is in the 100.64.0.0/10 range, then you're suffering CGNAT.
 
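Monkeh's test above (a WAN address inside 100.64.0.0/10 means the ISP has put you behind CGNAT) generalises to a small classifier. The following is an added example and not code from the thread; it uses Python's standard `ipaddress` module to sort the address the router reports on its WAN side into CGNAT shared space (RFC 6598), RFC 1918 / ULA private space (a second NAT in front of you), special-purpose addresses, or a genuinely public address. The sample addresses in the test are constructed.

```python
"""Classify a router's reported WAN address: CGNAT vs private vs public.
Added example; not code from the thread."""
import ipaddress
from typing import Union

# RFC 6598 shared address space used by carriers for CGNAT
CGNAT = ipaddress.ip_network("100.64.0.0/10")

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def classify_wan_address(addr: str) -> str:
    """Return one of "cgnat", "private", "special", "public", "other"."""
    ip: IPAddr = ipaddress.ip_address(addr)
    # Loopback/link-local/etc. are checked first: ipaddress also reports them
    # as is_private, which would hide the more specific diagnosis.
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
        return "special"
    # ipaddress does not report 100.64.0.0/10 as private, so test it explicitly.
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_private:
        return "private"        # RFC 1918 (IPv4) or ULA fc00::/7 (IPv6)
    if ip.is_global:
        return "public"
    return "other"


def wan_diagnosis(addr: str) -> str:
    """One-line explanation of what the classification means for hosting
    or reaching the lab from outside."""
    kind = classify_wan_address(addr)
    return {
        "cgnat": "behind carrier-grade NAT: inbound connections impossible "
                 "without opting out or a tunnel",
        "private": "behind another NAT device (modem/ONT?): check the upstream box",
        "public": "real public address: inbound port forwards can work",
        "special": "not a usable WAN address (loopback/link-local/etc.)",
        "other": "address is neither private nor routable globally",
    }[kind]


if __name__ == "__main__":
    for a in ("100.64.1.2", "192.168.1.1", "1.2.3.4", "fd12::1", "169.254.1.1"):
        print(a, "->", classify_wan_address(a), ":", wan_diagnosis(a))
```

If the router's WAN page shows an address in the "cgnat" class while the plan promises a fixed IP, the fixed address is probably only assigned once CGNAT is opted out; until then the router's DHCP-obtained lease is the shared-space one.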

Offline 5U4GB

  • Super Contributor
  • ***
  • Posts: 1590
  • Country: au
Re: Hardware Router VPN
« Reply #116 on: July 09, 2025, 08:44:41 am »
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...

Last I checked there was an opt-in blocklist of a small number of known CSAM sites and that was about as far as the ISP's responsibilities went.
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1880
  • Country: au
  • Views and opinions are my own
    • AMD
Re: Hardware Router VPN
« Reply #117 on: July 09, 2025, 08:54:41 am »
And for the other reply above, about worrying about your ISP spying on you: You're suggesting that the solution to concerns about your local ISP, who in practice doesn't give a toss about your DNS lookups, is to hand your queries to the world's largest and most comprehensive surveillance platform instead?  I specifically send my DNS queries to my local ISP because they're the least likely to care about them.

Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...

Not much they can do if you're using DNS over HTTPS, or encrypted DNS and an overseas DNS server. You can even rent a cheap VPS and throw bind on it for a personal DNS server if you want one you can trust.

As for spying on you, sorry, but the instant I start getting poisoned DNS records from a provider is the instant I lose all trust in them, government mandated or not.
« Last Edit: July 09, 2025, 08:56:52 am by gnif »
AMD Linux Software Engineer
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8994
  • Country: de
  • A qualified hobbyist ;)
Re: Hardware Router VPN
« Reply #118 on: July 09, 2025, 11:16:33 am »
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government.

This is what Google says about logging DNS queries: https://developers.google.com/speed/public-dns/privacy
And Cloudflare: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/

Both log a lot.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 8754
  • Country: gb
Re: Hardware Router VPN
« Reply #119 on: July 09, 2025, 05:46:42 pm »
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government.

This is what Google says about logging DNS queries: https://developers.google.com/speed/public-dns/privacy
And Cloudflare: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/

Both log a lot.

And have you read those? I'll give a big hint: They don't store logs containing identifiable information.
 

Offline David Hess

  • Super Contributor
  • ***
  • Posts: 19057
  • Country: us
  • DavidH
Re: Hardware Router VPN
« Reply #120 on: July 09, 2025, 07:22:43 pm »
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...

Not much they can do if you're using DNS over HTTPS, or encrypted DNS and an overseas DNS server. You can even rent a cheap VPS and throw bind on it for a personal DNS server if you want one you can trust.

As for spying on you, sorry, but the instant I start getting poisoned DNS records from a provider is the instant I lose all trust in them, government mandated or not.

My OPNsense router is currently configured to block all outgoing UDP and TCP DNS requests to port 53.  DNS requests must go to the router, which then uses Unbound DNS to resolve all requests with DNS over TLS to port 853 of the usual suspects.  My VPN endpoints also resolve DNS through my local router.

I guess I should block port 853 also since browsers will commonly do their own encrypted DNS resolution if not properly configured.

Update: I already blocked port 853 when I originally blocked DNS.
« Last Edit: July 09, 2025, 08:52:32 pm by David Hess »
 
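Both gnif's point (encrypted DNS to a resolver you choose defeats on-path logging or poisoning by the ISP) and David Hess's setup above (LAN clients blocked from ports 53 and 853, Unbound on the router forwarding with DNS over TLS) rest on the same mechanism: a wire-format DNS query sent inside a TLS session to port 853 (RFC 7858). The following is an added example, not code from the thread, from OPNsense or from Unbound. It builds the query bytes, sends them over a certificate-validated TLS connection, and parses A/AAAA answers; the resolver IP and TLS hostname are assumptions the caller supplies (placeholders below), and `make_response` fabricates a response purely so the parser can be exercised offline.

```python
"""Minimal DNS-over-TLS (RFC 7858) client. Added example; not the project's code."""
import secrets
import socket
import ssl
import struct
from typing import List, Tuple

QTYPE = {"A": 1, "AAAA": 28}


def _encode_name(name: str) -> bytes:
    """'lab.example.' -> b'\\x03lab\\x07example\\x00' (uncompressed wire name)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qtype: str = "A") -> Tuple[int, bytes]:
    """Return (transaction id, DNS message) for a recursive (RD=1) query."""
    txid = secrets.randbits(16)                          # random id: harder to spoof
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # QDCOUNT=1
    return txid, header + _encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name at `off`, handling a trailing compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                        # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_answers(msg: bytes, expected_txid: int) -> List[str]:
    """Return A/AAAA rdata as text; reject id mismatches and non-zero RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or replayed answer?)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                   # skip QTYPE + QCLASS
    out: List[str] = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            out.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            out.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return out


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed early")
        buf += chunk
    return buf


def resolve_dot(name: str, server_ip: str, server_name: str,
                qtype: str = "A", timeout: float = 5.0) -> List[str]:
    """One query over TLS to server_ip:853. The certificate is validated
    against server_name (the operator's published hostname), which is what
    stops an on-path party from answering in the resolver's place."""
    txid, query = build_query(name, qtype)
    ctx = ssl.create_default_context()                   # chain + hostname checks on
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 length prefix
            (rlen,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, rlen), txid)


def make_response(txid: int, name: str, addrs: List[str], qtype: str = "A") -> bytes:
    """Constructed response for offline tests: echoes the question, then one
    A/AAAA record per address using a pointer (0xC00C) to the question name."""
    rrs = b""
    for a in addrs:
        fam = socket.AF_INET6 if ":" in a else socket.AF_INET
        rdata = socket.inet_pton(fam, a)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 28 if fam == socket.AF_INET6 else 1,
                                         1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR RD RA
    return header + _encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1) + rrs


if __name__ == "__main__":
    # Placeholders: replace with your chosen resolver's IP and its TLS hostname.
    print(resolve_dot("example.com", "203.0.113.53", "dot.resolver.example"))
```

With David Hess's firewall policy, `resolve_dot` run from a LAN host would fail at `create_connection` (port 853 blocked) while the same lookup through the router's Unbound succeeds, which is exactly the behaviour his rules are meant to enforce; run from the router itself it reproduces what Unbound's forwarder does.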

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 8754
  • Country: gb
Re: Hardware Router VPN
« Reply #121 on: July 09, 2025, 11:15:59 pm »
Unlike Google or Cloudflare, your local ISP can be and probably is legally required to log your queries and filter them according to the wishes of your government. When you're dealing with a government which genuinely believes the rule of law trumps mathematics or physics...

Not much they can do if you're using DNS over HTTPS, or encrypted DNS and an overseas DNS server. You can even rent a cheap VPS and throw bind on it for a personal DNS server if you want one you can trust.

As for spying on you, sorry, but the instant I start getting poisoned DNS records from a provider is the instant I lose all trust in them, government mandated or not.

My OPNsense router is currently configured to block all outgoing UDP and TCP DNS requests to port 53.  DNS requests must go to the router, which then uses Unbound DNS to resolve all requests with DNS over TLS to port 853 of the usual suspects.  My VPN endpoints also resolve DNS through my local router.

I guess I should block port 853 also since browsers will commonly do their own encrypted DNS resolution if not properly configured.

Update: I already blocked port 853 when I originally blocked DNS.

I presume with those rules that you do not currently have IPv6 connectivity.
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 41760
  • Country: au
    • EEVblog
Re: Hardware Router VPN
« Reply #122 on: July 10, 2025, 01:56:25 am »
Done. 8.8.8.8 for primary and 1.1.1.1 for secondary. How do I check that it's worked?
[snark]When you start seeing intermittent site outages caused by Google DNS you'll know it's working.[/snark]

In that case it should fall back to the Cloudflare DNS right?
 

Offline gnif

  • Administrator
  • *****
  • Posts: 1880
  • Country: au
  • Views and opinions are my own
    • AMD
Re: Hardware Router VPN
« Reply #123 on: July 10, 2025, 02:08:38 am »
Done. 8.8.8.8 for primary and 1.1.1.1 for secondary. How do I check that it's worked?
[snark]When you start seeing intermittent site outages caused by Google DNS you'll know it's working.[/snark]

In that case it should fall back to the Cloudflare DNS right?

This is why you can set a primary and secondary, just set the secondary to Cloudflare (1.1.1.1), if there is a fault it will automatically try the other server.
AMD Linux Software Engineer
 

Offline 5U4GB

  • Super Contributor
  • ***
  • Posts: 1590
  • Country: au
Re: Hardware Router VPN
« Reply #124 on: July 10, 2025, 02:24:41 am »
And have you read those? I'll give a big hint: They don't store logs containing identifiable information.

Because then it's resistant to annoying subpoenas, while Google can still use all the other information it holds on you to de-anonymise as required.

You need to look at "privacy" statements from surveillance organisations like Google in terms of what they're protecting themselves from legally, not what rights they're pretending to leave you with.
 
