Unpopular or Private DNS Servers - is their usage safe?

Hi,
Recently I tried some private and not-so-popular free public and private DNS servers instead of my ISP's (default) servers and the common 8.8.8.8 or 1.1.1.1 on my PC router and also in a 'DNS-changer app' for mobile. Somehow the connection speeds were quite fast (maybe due to very few people in my country using them, but let's not go into the technicalities of these speed tests).

My main question is: Are such unpopular or private DNS servers run by anonymous individuals or small companies secure for using billing transactions on eCommerce sites/web hosts or for opening my Gmail inbox? I mean, can they (the DNS admin) sniff/hack/read/modify my transactions/mails? OR are they good for normal internet browsing ONLY?

Comments

  • lentro Member, Host Rep

    I think you need to look to the motive, and I am purely speculating here, but:

    Google has their public dns (8.8.8.8), and they can use this info to serve ads
    CloudFlare can use their dns (1.1.1.1) for faster DNS query resolution for CF sites

    For whatever smaller DNS services you are referencing, keep in mind they might have worse security than Google or CF, and thus you might receive wrong DNS information. E.g. you go to gmail.com, but it tells you to go to a hacker's IP address to log in.

    Just my thoughts :)

    Thanked by 1: JasonM
  • Why not just stick to cloudflare? They seem safe enough for now...

  • JasonM Member
    edited August 2020

    @somik said: Why not just stick to cloudflare? They seem safe enough for now...

    I had been sticking to CF only for the past year, but for the past 4-5 days both CF & Google DNS were taking too long to load sites. So I replaced them with the 185.121.177.177 and 169.239.202.202 public DNS servers from the OpenNIC anycast resolvers (as204136.net), which my DNS changer app had as an option among others like OpenDNS, Quad9 (it was slow), and a few private DNS owners!

    That's the reason I asked the basic question about security.

  • rcxb Member

    When only using https:// sites, even a malicious DNS server can't get the contents of your connection, or redirect you to another site. They do get to keep track of what websites you are visiting.

  • If you are feeling wild, maybe host your own DNS server with an ad-blocker locally or on a VPS. Initially queries will take longer, but after the cache is built up you will get the same performance with that good DNS-level ad blocking. Especially helpful for in-app ads on mobile.

    Thanked by 1: JasonM
  • @rcxb said: https:// sites, even a malicious DNS server can't get the contents of your connection.

    Yup, thanks! That's what I was looking for. So it seems safe to browse https:// sites with such DNS. Though I'll switch back to CF/Google once it catches up on speed!

  • @JasonM said:

    @rcxb said: https:// sites, even a malicious DNS server can't get the contents of your connection.

    Yup, thanks! That's what I was looking for. So it seems safe to browse https:// sites with such DNS. Though I'll switch back to CF/Google once it catches up on speed!

    If that's what you are after, why not set up your own local DNS caching server? Pi-hole works great both on a Raspberry Pi and on a normal Ubuntu server.

    https://somik.org/ubuntu-18-04-install-pi-hole-with-pivpn/

    Thanked by 1: bwoodcock
  • umi Member

    This IP 169.239.202.202 you mentioned is not an anycast one. http://ping.pe/169.239.202.202

    Thanked by 1: JasonM
  • default Veteran
    edited August 2020

    I use my own custom DNS. This is LET, it's easy to just ask for some cheap VPS offers, and use them as DNS resolvers or even VPN.

  • jsg Member, Resident Benchmarker
    edited August 2020

    @JasonM said:
    My main question is: Are such unpopular or private DNS servers run by anonymous individuals or small companies secure for using billing transactions on eCommerce sites/web hosts or for opening my Gmail inbox? I mean, can they (the DNS admin) sniff/hack/read/modify my transactions/mails? OR are they good for normal internet browsing ONLY?

    No, a DNS provider cannot sniff/hack/read/modify your transactions/mails. They - like any DNS provider - could however serve fake records which would lead you e.g. to a fake site that could - and highly likely will - do bad things.

    But: That's true for any DNS provider, no matter whether large or small, famous or unknown, intentionally or by being hacked themselves. To avoid that, your local resolver (usually a part of your OS) would need to be configured to only ever use authoritative name servers. Note however that quite a few ISPs redirect any and all DNS requests to their caching recursors, and not every OS allows such configuration (at least not easily).

    Thanked by 1: JasonM
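A practical way to act on jsg's point that any resolver, large or small, can hand back forged records is to ask several resolvers the same question and look at two things: whether their answers agree, and whether each one sets the AD (authenticated data) flag for a DNSSEC-signed name. The script below is an added example, not code from the thread or from any resolver operator; it builds a DNS query with EDNS0/DO, parses the wire-format reply (including name compression) and compares the A records returned by a set of resolvers. The resolver addresses in the comments and the sample reply are constructed (RFC 5737 documentation ranges), and `query()` needs network access while everything else runs offline.

```python
from __future__ import annotations

import random
import socket
import struct
from collections import Counter

# Added example, not code from the thread. Builds a DNS query, parses the reply
# in wire format and compares A records across resolvers. SAMPLE_RESPONSE is a
# constructed byte string using the documentation address 192.0.2.1.

A, CNAME, OPT = 1, 5, 41


def build_query(name: str, qtype: int = A, want_dnssec: bool = True) -> tuple[int, bytes]:
    """Return (transaction id, wire-format query). The random id is checked
    again on the reply so a stray or blindly spoofed packet is not accepted."""
    txid = random.randrange(0, 0x10000)
    flags = 0x0100  # RD: recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if want_dnssec else 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, 1)
    if want_dnssec:
        # EDNS0 OPT pseudo-record, 4096-byte payload, DO bit set: asks the
        # resolver to validate DNSSEC and report the outcome via the AD flag.
        packet += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return txid, packet


def _read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Return rcode, the AD flag and the answer records of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata_start, offset = offset, offset + rdlen
        if rtype == A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(data[rdata_start:offset])))
        elif rtype == CNAME:
            answers.append((name, "CNAME " + _read_name(data, rdata_start)[0]))
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}


def query(resolver_ip: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to a resolver (network access required)."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def compare_resolvers(results: dict[str, dict]) -> dict:
    """results maps resolver IP -> parse_response() output for the same name.
    Reports resolvers whose A-record set differs from the majority and
    resolvers that did not set AD."""
    ip_sets = {r: frozenset(v for _, v in res["answers"] if not v.startswith("CNAME "))
               for r, res in results.items()}
    majority = Counter(ip_sets.values()).most_common(1)[0][0]
    return {
        "majority": sorted(majority),
        "outliers": sorted(r for r, s in ip_sets.items() if s != majority),
        "no_ad_flag": sorted(r for r, res in results.items() if not res["ad"]),
    }


# Constructed reply for "example.com": txid 0x1234, flags QR|RD|RA|AD, one A
# record 192.0.2.1 (TTL 300) whose owner name is a pointer to the question.
SAMPLE_RESPONSE = (
    b"\x12\x34" b"\x81\xa0" b"\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))
    # Live use (needs network), resolver list is illustrative:
    # results = {r: query(r, "example.com") for r in ("1.1.1.1", "8.8.8.8", "198.51.100.1")}
    # print(compare_resolvers(results))
```

Two caveats when reading the output. Names served through a CDN legitimately return different addresses from different resolvers, so a disagreement is a prompt to look closer, not proof of forgery; the comparison is most meaningful for names with stable addresses. And the AD flag is set by the resolver itself, so a resolver that forges records can also claim it validated them; the check catches resolvers that are inconsistent or do not validate at all, while a resolver that lies consistently is only caught by validating DNSSEC locally, which is exactly the "use authoritative servers yourself" configuration jsg describes.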
  • @JasonM said: quad9 (it was slow)

    Did you contact [email protected] with a traceroute? If it was slower than Cloudflare for you, there's some specific reason, probably to do with your ISP's peering, so it could be fixed.

    Thanked by 1: JasonM
  • bwoodcock Member
    edited August 2020

    @rcxb said: even a malicious DNS server can't get the contents of your connection, or redirect you to another site.

    No, that's not the case. Malicious nameservers do redirect to other sites.

    This isn't a theoretical problem, it's a very real problem.

  • @default said:
    I use my own custom DNS. This is LET, it's easy to just ask for some cheap VPS offers, and use them as DNS resolvers or even VPN.

    DNS servers are a DDoS magnet; many VPS providers thus don't allow them.

  • raindog308 Administrator, Veteran

    @somik said: If that's what you are after, why not set up your own local DNS caching server? Pi-hole works great both on a Raspberry Pi and on a normal Ubuntu server.

    One problem with pi-hole is that big sites now serve their ads on the same domain. E.g., if you block Facebook ads, you block all of Facebook, etc. There are still plenty of ad networks that you can block, but most large sites seem to have side-stepped domain-level ad blocking.

  • @raindog308 said:

    @somik said: If that's what you are after, why not set up your own local DNS caching server? Pi-hole works great both on a Raspberry Pi and on a normal Ubuntu server.

    One problem with pi-hole is that big sites now serve their ads on the same domain. E.g., if you block Facebook ads, you block all of Facebook, etc. There are still plenty of ad networks that you can block, but most large sites seem to have side-stepped domain-level ad blocking.

    uBlock Origin exists; the only reason for using Pi-hole is in-app ads, which again doesn't work for the YouTube app, for which we have vanced.app

  • I'm using opendns from cisco. It's free.

    Thanked by 1: JasonM
  • @codelock said:

    @default said:
    I use my own custom DNS. This is LET, it's easy to just ask for some cheap VPS offers, and use them as DNS resolvers or even VPN.

    DNS servers are a DDoS magnet; many VPS providers thus don't allow them.

    Wrong. One can simply configure iptables to block traffic coming from other sources. The magnet will be disabled.
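The iptables approach default describes, restricting a VPS-hosted resolver so that only your own networks can reach port 53 and everything else is dropped, is the difference between a private resolver and an open resolver that attracts reflection traffic. The following is an added example, not from the thread or from any project, that generates the rule set from an allowlist and refuses malformed prefixes rather than silently opening the port; the prefixes shown are documentation ranges used as placeholders.

```python
import ipaddress

# Added example, not from the thread: emit iptables/ip6tables commands that let a
# VPS-hosted resolver answer only the networks you control. Anything else hitting
# port 53 over udp or tcp is dropped. Prefixes used in the demo are RFC 5737/3849
# documentation ranges, i.e. constructed placeholders.

DNS_PORT = 53


def resolver_firewall_rules(allowed_networks, chain="INPUT"):
    """Return the commands in the order they must be applied: an ACCEPT pair
    (udp, tcp) for each allowed prefix, then the catch-all DROP rules for both
    address families. A malformed prefix raises ValueError."""
    rules = []
    for cidr in allowed_networks:
        net = ipaddress.ip_network(cidr, strict=False)  # raises on garbage input
        tool = "iptables" if net.version == 4 else "ip6tables"
        for proto in ("udp", "tcp"):
            rules.append(
                f"{tool} -A {chain} -p {proto} --dport {DNS_PORT} -s {net.with_prefixlen} -j ACCEPT"
            )
    # Default deny for port 53 in both families, even if one family has no allow rule.
    for tool in ("iptables", "ip6tables"):
        for proto in ("udp", "tcp"):
            rules.append(f"{tool} -A {chain} -p {proto} --dport {DNS_PORT} -j DROP")
    return rules


def render_script(allowed_networks):
    """Shell script text to review and then run as root."""
    return "#!/bin/sh\nset -e\n" + "\n".join(resolver_firewall_rules(allowed_networks)) + "\n"


if __name__ == "__main__":
    # Loopback is included so services on the VPS itself can still use the resolver.
    print(render_script(["127.0.0.0/8", "::1/128", "203.0.113.0/24", "2001:db8::/32"]))
```

Two things to keep in mind when applying the output: the DROP rules only take effect if no earlier rule in the chain already accepts port 53, so check `iptables -S INPUT` before appending, and rules added this way are gone after a reboot unless persisted with your distribution's iptables-save mechanism. Include loopback in the allowlist when the VPS itself points at the resolver, otherwise local lookups break along with the unwanted ones.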

  • @default said:

    @codelock said:

    @default said:
    I use my own custom DNS. This is LET, it's easy to just ask for some cheap VPS offers, and use them as DNS resolvers or even VPN.

    DNS servers are a DDoS magnet; many VPS providers thus don't allow them.

    Wrong. One can simply configure iptables to block traffic coming from other sources. The magnet will be disabled.

    This

  • @default
    How do you set up custom DNS? Do you have a tutorial for this, please?

  • @adilolv said:
    @default
    How do you set up custom DNS? Do you have a tutorial for this, please?

    It is really very easy: https://pi-hole.net/

    Basically install Debian or Ubuntu and run

    curl -sSL https://install.pi-hole.net | bash
    And follow the on-screen instructions.

    https://github.com/pi-hole/pi-hole

  • rcxb Member

    @bwoodcock said:
    No, that's not the case. Malicious nameservers do redirect to other sites.

    That only works with plain HTTP. With https:// connections redirected to another site, you'll just get a security alert and the page won't load. When your browser sees https://www.google.com is being served up with a certificate for https://i.hack.you/ it just slams on the brakes.

    Thanked by 1: NanoG6
  • somik Member
    edited August 2020

    @raindog308 said:

    @somik said: If that's what you are after, why not set up your own local DNS caching server? Pi-hole works great both on a Raspberry Pi and on a normal Ubuntu server.

    One problem with pi-hole is that big sites now serve their ads on the same domain. E.g., if you block Facebook ads, you block all of Facebook, etc. There are still plenty of ad networks that you can block, but most large sites seem to have side-stepped domain-level ad blocking.

    That's why I use it in conjunction with uBlock Origin on my browser.

    I mainly set it up because I needed a custom caching DNS for my router, as well as a DNS-based basic ad blocker for everything under my home router. Works great, as most members don't see many ads when they are browsing.

    Yes, it doesn't work with Facebook, YouTube or Instagram, but as long as it works 95% of the time, it is 95% less ads!

    @codelock said:
    uBlock Origin exists; the only reason for using Pi-hole is in-app ads, which again doesn't work for the YouTube app, for which we have vanced.app

    Did not know that existed! I always used YouTube on Kiwi browser with uBlock Origin on my phone to get around YouTube ads...

  • codelock Member
    edited August 2020

    @somik said:

    @raindog308 said:

    @somik said: If that's what you are after, why not set up your own local DNS caching server? Pi-hole works great both on a Raspberry Pi and on a normal Ubuntu server.

    One problem with pi-hole is that big sites now serve their ads on the same domain. E.g., if you block Facebook ads, you block all of Facebook, etc. There are still plenty of ad networks that you can block, but most large sites seem to have side-stepped domain-level ad blocking.

    That's why I use it in conjunction with uBlock Origin on my browser.

    I mainly set it up because I needed a custom caching DNS for my router, as well as a DNS-based basic ad blocker for everything under my home router. Works great, as most members don't see many ads when they are browsing.

    Yes, it doesn't work with Facebook, YouTube or Instagram, but as long as it works 95% of the time, it is 95% less ads!

    @codelock said:
    uBlock Origin exists; the only reason for using Pi-hole is in-app ads, which again doesn't work for the YouTube app, for which we have vanced.app

    Did not know that existed! I always used YouTube on Kiwi browser with uBlock Origin on my phone to get around YouTube ads...

    YouTube Vanced is a lifesaver

  • @codelock said:

    @adilolv said:
    @default
    How do you set up custom DNS? Do you have a tutorial for this, please?

    It is really very easy: https://pi-hole.net/

    Basically install Debian or Ubuntu and run

    curl -sSL https://install.pi-hole.net | bash
    And follow the on-screen instructions.

    https://github.com/pi-hole/pi-hole

    Thank you so much, I just installed it on my VPS. Are there any settings I need to do for security? Or can I install a VPS panel like CyberPanel? Will it work?

  • I stopped using Pi-hole and other DNS providers when I discovered AdGuard. They even have a separate DNS server for "family protection". IPv6 is also supported. Life is beautiful.

  • I used to use Google DNS way back but since there are more free options nowadays, here are my top 3 that I use on a daily basis.

    1) CloudFlare ( 1.1.1.1, 1.0.0.1)
    2) AdGuard for my mobile devices ( 176.103.130.130, 176.103.130.131)
    3) DNS Watch ( 84.200.69.80, 84.200.70.40)

    Thanked by 1: JasonM
  • @somik said:

    @raindog308 said:

    @somik said: If that's what you are after, why not set up your own local DNS caching server? Pi-hole works great both on a Raspberry Pi and on a normal Ubuntu server.

    One problem with pi-hole is that big sites now serve their ads on the same domain. E.g., if you block Facebook ads, you block all of Facebook, etc. There are still plenty of ad networks that you can block, but most large sites seem to have side-stepped domain-level ad blocking.

    That's why I use it in conjunction with uBlock Origin on my browser.

    I mainly set it up because I needed a custom caching DNS for my router, as well as a DNS-based basic ad blocker for everything under my home router. Works great, as most members don't see many ads when they are browsing.

    Yes, it doesn't work with Facebook, YouTube or Instagram, but as long as it works 95% of the time, it is 95% less ads!

    @codelock said:
    uBlock Origin exists; the only reason for using Pi-hole is in-app ads, which again doesn't work for the YouTube app, for which we have vanced.app

    Did not know that existed! I always used YouTube on Kiwi browser with uBlock Origin on my phone to get around YouTube ads...

    Also Google the Bromite browser; it is Google Chrome based with a built-in ad blocker.
