Unpopular or Private DNS Servers - is their usage safe?
Recently I tried some private and not-so-popular free public and private DNS servers instead of my ISP's (default) servers and the common 18.104.22.168 or 22.214.171.124 on my PC router and also in a 'DNS-changer app' on mobile. Somehow the connection speeds were quite fast (maybe due to very few people in my country using them, but let's not go into the technicalities of these speed tests).
My main question is: are such unpopular or private DNS servers run by anonymous individuals or small companies secure for billing transactions on eCommerce sites/web hosts or for opening my Gmail inbox? I mean, can they (the DNS admins) sniff/hack/read/modify my transactions/mails? Or are they good for normal internet browsing only?
I think you need to look to the motive, and I am purely speculating here, but:
Google has their public DNS (126.96.36.199), and they can use this info to serve ads
Cloudflare can use their DNS (188.8.131.52) for faster DNS query resolution for CF sites
For whatever smaller DNS services you are referencing, keep in mind they might have worse security than Google or CF, and thus you might receive wrong DNS information. E.g. you go to gmail.com, but it tells you to go to a hacker's IP address to log in.
Just my thoughts
Why not just stick to Cloudflare? They seem safe enough for now...
I was sticking to CF only for the past year, but for the past 4-5 days both the CF & Google DNS were taking too long to load sites. So I replaced them with the 184.108.40.206 and 220.127.116.11 public DNS servers from the OpenNIC anycast resolvers (as204136.net), which my DNS changer app had as an option among others like OpenDNS, Quad9 (it was slow), and a few private DNS owners!
That's the reason I asked the basic question about security.
When only using https:// sites, even a malicious DNS server can't get the contents of your connection, or redirect you to another site. They do get to keep track of what websites you are visiting.
If you are feeling wild, maybe host your own DNS server with an ad-blocker locally or on a VPS. Initially queries will take longer, but after the cache is built up you will get the same performance, with that good DNS-level ad blocking. Especially helpful for in-app ads on mobile.
Yup, thanks! That's what I was looking for. So it seems safe to browse https:// sites with such DNS. Though I'll switch back to CF/Google once it catches up in speed!
If that's what you are after, why not set up your own local DNS caching server? Pi-hole works great both on a Raspberry Pi and on a normal Ubuntu server.
This ip 18.104.22.168 you mentioned is not an anycast one. http://ping.pe/22.214.171.124
I use my own custom DNS. This is LET, it's easy to just ask for some cheap VPS offers, and use them as DNS resolvers or even VPN.
No, a DNS provider cannot sniff/hack/read/modify your transactions/mails. They - like any DNS provider - could however serve fake records which would lead you e.g. to a fake site that could - and highly likely will - do bad things.
But: that's true for any DNS provider, no matter whether large or small, famous or unknown, intentionally or by being hacked themselves. To avoid that, your local resolver (usually a part of your OS) would need to be configured to only ever use authoritative name servers. Note however that quite a few ISPs redirect any and all DNS requests to their caching recursors, and not every OS allows such configuration (at least not easily).
Did you contact [email protected] with a traceroute? If it was slower than Cloudflare for you, there's some specific reason, probably to do with your ISP's peering, so it could be fixed.
No, that's not the case. Malicious nameservers do redirect to other sites.
This isn't a theoretical problem, it's a very real problem.
DNS servers are DDoS magnets, thus many VPS providers don't allow them.
One problem with pi-hole is that big sites now serve their ads on the same domain. E.g., if you block Facebook ads, you block all of Facebook, etc. There are still plenty of ad networks that you can block, but most large sites seem to have side-stepped domain-level ad blocking.
uBlock Origin exists; the only reason for using Pi-hole is in-app ads, which again doesn't work for the YouTube app, for which we have vanced.app
I'm using OpenDNS from Cisco. It's free.
Wrong. One can simply configure iptables to block traffic coming from other sources. Magnet will be disabled.
How do I set up a custom DNS? Do you have a tutorial for this, please?
It is really very easy. https://pi-hole.net/
Basically install Debian or Ubuntu and run
curl -sSL https://install.pi-hole.net | bash
and follow the on-screen instructions.
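A concrete version of the restriction that post describes, as an added example that is not from the poster or from any project mentioned in this thread: a shell script that builds a dedicated iptables chain so that a resolver on a VPS answers port 53 only for an allow-list of client networks and drops everything else, which is what keeps it from being used as an open resolver in reflection traffic. The networks in ALLOWED_NETS are constructed placeholders; the script assumes iptables is installed and that the resolver listens on both UDP and TCP 53.

```shell
#!/usr/bin/env bash
# Added example: restrict a recursive resolver on port 53 to known clients.
# Prints the iptables commands by default; set APPLY_DNS_RULES=1 to run them.
# Assumes iptables on PATH (legacy or nft backend). Set IPT=ip6tables to
# generate the same policy for IPv6.
set -eu

# Allowed client networks: constructed sample values, replace with your own.
ALLOWED_NETS="${ALLOWED_NETS:-203.0.113.0/24 198.51.100.7/32}"
IPT="${IPT:-iptables}"

# Emit one firewall command per line for the current allow-list.
dns_rules() {
  local net
  # A separate chain keeps the DNS policy apart from the rest of INPUT.
  echo "$IPT -N DNS_ALLOW"
  # The VPS itself (e.g. its own stub resolver) may always query.
  echo "$IPT -A DNS_ALLOW -i lo -j ACCEPT"
  for net in $ALLOWED_NETS; do
    echo "$IPT -A DNS_ALLOW -s $net -j ACCEPT"
  done
  # Everything not listed above is dropped, so strangers get no answer at all.
  echo "$IPT -A DNS_ALLOW -j DROP"
  # Send both DNS transports through the chain.
  echo "$IPT -A INPUT -p udp --dport 53 -j DNS_ALLOW"
  echo "$IPT -A INPUT -p tcp --dport 53 -j DNS_ALLOW"
}

# Execute the generated commands line by line.
apply_dns_rules() {
  dns_rules | while read -r cmd; do
    $cmd
  done
}

if [ "${APPLY_DNS_RULES:-0}" = "1" ]; then
  apply_dns_rules
else
  dns_rules
fi
```

The rules apply only to the running kernel; to survive a reboot they have to be saved with the distribution's persistence mechanism (for example iptables-save into the file your distro restores at boot). Keep the allow-list to the networks you actually serve, and remember that the ACCEPT for the loopback interface exists only so that software on the same host can still resolve names.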
That only works with plain HTTP. With https:// connections redirected to another site, you'll just get a security alert and the page won't load. When your browser sees https://www.google.com is being served up with a certificate for https://i.hack.you/ it just slams on the brakes.
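To see the check described in that post outside a browser, here is an added shell example (not from the poster, and not from any project on this page) that uses openssl, whose -checkhost option applies the same X509_check_host() name matching that TLS clients use. It creates a throwaway self-signed certificate for the constructed attacker name i.hack.you and then asks whether that certificate is valid for www.google.com, which is the situation a client lands in when a resolver hands out a wrong address for a site it only reaches over https://. It assumes OpenSSL 1.1.1 or newer on PATH (needed for -addext).

```shell
#!/usr/bin/env bash
# Added example: reproduce the browser's hostname check with openssl.
# A resolver can point www.google.com at any address it likes, but the server
# at that address can only present certificates for names it holds, and the
# client compares the name it asked for against the certificate's Subject
# Alternative Names before sending a single byte of the request.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate whose only name is the one given.
# Constructed for the demo; a real CA would never issue www.google.com
# to anyone but its owner, which is the other half of the protection.
make_cert() {
  local name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
    -subj "/CN=$name" -addext "subjectAltName=DNS:$name" >/dev/null 2>&1
  echo "$WORK/$name.crt"
}

# Exit status 0 when the certificate is valid for the requested hostname,
# 1 otherwise. "openssl x509 -checkhost" prints "Hostname X does match
# certificate" or "Hostname X does NOT match certificate".
cert_matches_host() {
  local cert="$1" host="$2"
  openssl x509 -in "$cert" -noout -checkhost "$host" \
    | grep -q ' does match certificate'
}

# Demonstration: the certificate the phishing host can present versus the
# name the user actually typed.
cert="$(make_cert i.hack.you)"
if cert_matches_host "$cert" www.google.com; then
  echo "unexpected: certificate accepted for www.google.com"
else
  echo "client aborts: certificate is for i.hack.you, not www.google.com"
fi
```

Note that -checkhost compares names only; a TLS client additionally verifies that the certificate chains to a trusted CA, and it is that second check which stops a third party from simply minting its own certificate for a name it does not control, as make_cert does here for the demo.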
That's why I use it in conjunction with uBlock Origin on my browser.
I mainly set it up because I needed a custom caching DNS for my router, as well as a DNS-based basic ad blocker for everything under my home router. Works great, as most members don't see many ads when they are browsing.
Yes, it doesn't work with Facebook, YouTube or Instagram, but as long as it works 95% of the time, it is 95% fewer ads!
Did not know that existed! I always used YouTube on Kiwi browser with uBlock Origin on my phone to get around YouTube ads...
YouTube Vanced is a life saver
Thank you so much, I just installed it on my VPS. Are there any settings I need to do for security? Or can I install a VPS panel like CyberPanel? Will it work?
I stopped using Pi-hole and other DNS providers when I discovered AdGuard. They even have a separate DNS server for “family protection”. IPv6 is also supported. Life is beautiful.
I used to use Google DNS way back but since there are more free options nowadays, here are my top 3 that I use on a daily basis.
1) Cloudflare (126.96.36.199, 188.8.131.52)
2) AdGuard for my mobile devices (184.108.40.206, 220.127.116.11)
3) DNS Watch (18.104.22.168, 22.214.171.124)
Also google the Bromite browser; it is Google Chrome based with a built-in ad blocker.