Your channel is underrated and extremely helpful. I'm curious if using Quad9 DoH (DNS over HTTPS) or DoT (DNS over TLS) makes a difference compared to using a VPN?
Secure DNS is helpful as it encrypts the queries so your ISP (or other snoopers) wouldn’t be able to see them on the wire. But the owner of the DNS server will so that’s the trade off
Sorry, but I don't know much, the DoH and DoT are used to encrypt DNS queries and responses right?. As these queries are encrypted, ISP can't see DNS query responses, but after my machine got the DNS response, now the ISP will know "Where" I'm going, cause now the ISP has to route the traffic to that destination server. Is this true???
Think of sending a package to someone. Works "kind of" the same. If the 📦 isn't see through ISP just sees the destination address etc. Make yourself a pihole and look up your DNS traffic. Interesting to see, really.
Watching your video made me start thinking that an ISP should be able to see your search terms as well (when you use any search engine) because those search words are part of the URL. I never thought about that before.....
That part they actually can’t as the URL path after the domain isn’t available in plaintext. They’ll see the DNS query for the search engine and the TLS connection to it but that’s it
@@plaintextpackets Cool. I didn't realise the path wasn't plaintext. I've done a fair amount of wiresharking but never looked into the URL path. Thanks :)
Thank you a very interesting video and agree about VPN's as from what I have read need to ensure that the VPN service you use does not log your where and what. Another source such as Network Chuck has suggested using Proxy Chains to hide your identity would this be detectable in wireshark?
There are many vpn services that advertise they don’t log, but frankly I don’t trust that. TOR (a proxy chaining solution) is the closest thing to true privacy but the trade off is performance which is horrible
Host your own vpn server on digital Ocean(any server hosting platform will do) make sure it is encrypted with aes 256 bit encryption. Openvpn is a good option
Pi hole is just a local server, a middle man if you like. Requests still go to your ISP DNS, unless you configure your DNS to something like 9.9.9 .9or Ad-Guard DNS using secure DNS.
@@zadekeys2194pi-hole like add guard home is encrypted and has tls and https, just not pre-installed like in ad guard, even if they go tru isp dns they cant see anything because its already encrypted before going to isp dns server.
The data traffic can be read by the Device over which the traffic is routed, i.e. in this case the gateway. Even if you are using a secure HTTPS connection, the probability is very high that the Google inputs in the search as well as your access data to which pages can be seen as plain text in the recording.
what of your VPN is your own wire guard server on a cloud server? running pfsense as firewall with VPN there as well as the your local machine running client
Trust me or not, they can see your web browser screen if they need to, i have seen it on my own eyes, idc what anyone says. Intercepting packets is nothing compared to this.
They only "hack" criminals (or to spy) I guess... If they see your ip communicating with a terrorist, they would surely hack your pc/phone to get what they need. I don't know how they can do it, that would be interesting to learn 🤔
Why cant they inspect my device as this would solve my problem as the hackers would be caught but in Australia they are so useless that they lie to sell and investigations into fraud are not properly executed and they are enabling the hackers.
Very good video. easy to understand and follow. need another wireshark dns analysis tutorial using a program VPN vs vpn as a browser extension vs Tor browser. no dns showing while on tor..
@garylove2836 it’ll encrypt it between your home to the concentrator yes you’re right. From there the company who owns the concentrator or server it’s running on will be able to see
It knows I tried to connect with my router 1sec each hour, although my wan cable was disconnected and the router was powered off. Their diagnostic tools are poor :D.
This guy is spreading FUD. All the popular websites use HTTPS, it’s only smaller websites without much traffic which don’t. Why? Because more than ten years ago, Google announced they would favor HTTPS websites over HTTP websites in their search results, which incentivized almost everyone to use HTTPS.
So I actually cover that in the vid, and explicitly state that ‘what’ it is you’re doing is mostly obfuscated by HTTPS these days. I also cover in the next vid how most of those popular websites share data on your activities anyhow via various tracking methods.
Even With https deep packet inspection can see what type of services your using. What website you are connecting to even after changing dns as the host header is unencrypted(for now).They just can’t see the content.
@@plaintextpackets Not if you setup a rDNS (reverse DNS) service. Instead of forwarding request the local dns (e.g. pihole) can use unbound (rDNS) to resolve dns directly from the corresponding authoritative servers. It takes longer but can be cached over time.
Amazing video dude! I love the simple straightforward explanations.
ur videos are crazy good i could watch em all day
Glad you like them!
Bro that's straight out knowlegde! You're awsome!
Your channel is underrated and extremely helpful. I'm curious if using Quad9 DoH (DNS over HTTPS) or DoT (DNS over TLS) makes a difference compared to using a VPN?
Secure DNS is helpful as it encrypts the queries so your ISP (or other snoopers) wouldn’t be able to see them on the wire. But the owner of the DNS server will so that’s the trade off
Sorry, but I don't know much, the DoH and DoT are used to encrypt DNS queries and responses right?. As these queries are encrypted, ISP can't see DNS query responses, but after my machine got the DNS response, now the ISP will know "Where" I'm going, cause now the ISP has to route the traffic to that destination server. Is this true???
Think of sending a package to someone. Works "kind of" the same. If the 📦 isn't see through ISP just sees the destination address etc.
Make yourself a pihole and look up your DNS traffic. Interesting to see, really.
Watching your video made me start thinking that an ISP should be able to see your search terms as well (when you use any search engine) because those search words are part of the URL. I never thought about that before.....
That part they actually can’t as the URL path after the domain isn’t available in plaintext. They’ll see the DNS query for the search engine and the TLS connection to it but that’s it
@@plaintextpackets Cool. I didn't realise the path wasn't plaintext. I've done a fair amount of wiresharking but never looked into the URL path. Thanks :)
Thank you a very interesting video and agree about VPN's as from what I have read need to ensure that the VPN service you use does not log your where and what. Another source such as Network Chuck has suggested using Proxy Chains to hide your identity would this be detectable in wireshark?
There are many vpn services that advertise they don’t log, but frankly I don’t trust that. TOR (a proxy chaining solution) is the closest thing to true privacy but the trade off is performance which is horrible
network chuck is a douche.
They all do, they have to by Law in the UK. If they don't then the Host does, by Law.
That's why PIA removed UK servers.
Host your own vpn server on digital Ocean(any server hosting platform will do) make sure it is encrypted with aes 256 bit encryption. Openvpn is a good option
This is possible, the cloud provider though can see what that VPN is accessing and knows your identity. But it is a stronger option
thank you so much
You're welcome!
Would pi hole solve privacy, and stop the isp seeing your traffic
Solves some, I will cover this in a video coming soon
No. :) That's what DNS over Https or TLS is for :)
Pi hole is just a local server, a middle man if you like. Requests still go to your ISP DNS, unless you configure your DNS to something like 9.9.9 .9or Ad-Guard DNS using secure DNS.
@@zadekeys2194pi-hole like add guard home is encrypted and has tls and https, just not pre-installed like in ad guard, even if they go tru isp dns they cant see anything because its already encrypted before going to isp dns server.
The data traffic can be read by the Device over which the traffic is routed, i.e. in this case the gateway. Even if you are using a secure HTTPS connection, the probability is very high that the Google inputs in the search as well as your access data to which pages can be seen as plain text in the recording.
Wireshark records the data as its leaving to the network adapter so everything that will be encrypted by the application layer is already encrypted.
Will the ISP also be able to tell which device in my LAN is accessing which site or can they only see the router and which site it is requesting?
Good question, no they will just know someone in your network did but not the specific device
what of your VPN is your own wire guard server on a cloud server? running pfsense as firewall with VPN there as well as the your local machine running client
You could do this, that secures the server from logging but the traffic itself can be sniffed by the cloud hosting provider
@@plaintextpackets and what if I deploy my own VPN Wireguard server on my own network, say on a Docker Container or on a Raspberry PI ?
YES!👍🏾
This is helpful content thanks.
DNS over TLS? it would encrypt your traffic to DNS, most home routers can do it.
Is DoT better of DoH?
@@AvacadoJuice-q9bdoesn't really matter.
Trust me or not, they can see your web browser screen if they need to, i have seen it on my own eyes, idc what anyone says. Intercepting packets is nothing compared to this.
They only "hack" criminals (or to spy) I guess... If they see your ip communicating with a terrorist, they would surely hack your pc/phone to get what they need. I don't know how they can do it, that would be interesting to learn 🤔
Can my isp see my full link? I mean my isp is able to see what I am doing from my link, don’t they? 9:08
If not, then I don’t have any questions.
They can see the domain but not the full path
Are you watching porn or what?
Do you rate tailsOS?
Why cant they inspect my device as this would solve my problem as the hackers would be caught but in Australia they are so useless that they lie to sell and investigations into fraud are not properly executed and they are enabling the hackers.
Very good video. easy to understand and follow.
need another wireshark dns analysis tutorial using a program VPN vs vpn as a browser extension vs Tor browser.
no dns showing while on tor..
Noted
You could always use elons musk starlink with a vpn concentrator and you don’t need isp.
Starlink is an ISP
@@plaintextpackets but the vpn concentrator will encrypt the traffic so the isp can’t see.
@garylove2836 it’ll encrypt it between your home to the concentrator yes you’re right. From there the company who owns the concentrator or server it’s running on will be able to see
@@plaintextpackets oh I see.
It knows I tried to connect with my router 1sec each hour, although my wan cable was disconnected and the router was powered off. Their diagnostic tools are poor :D.
You used cloudflare's ip address in this video, lol
Are you censoring me or is youtube censoring me.
This guy is spreading FUD. All the popular websites use HTTPS, it’s only smaller websites without much traffic which don’t. Why? Because more than ten years ago, Google announced they would favor HTTPS websites over HTTP websites in their search results, which incentivized almost everyone to use HTTPS.
So I actually cover that in the vid, and explicitly state that ‘what’ it is you’re doing is mostly obfuscated by HTTPS these days. I also cover in the next vid how most of those popular websites share data on your activities anyhow via various tracking methods.
I own an ISP - we don’t look at anything.
Even With https deep packet inspection can see what type of services your using. What website you are connecting to even after changing dns as the host header is unencrypted(for now).They just can’t see the content.
Yeah you can tell a ton about a person just from looking at what they visit and when.
Resolve DNS locally and then proxy out.
Your local DNS server still needs to talk to one upstream
@@plaintextpackets Not if you setup a rDNS (reverse DNS) service. Instead of forwarding request the local dns (e.g. pihole) can use unbound (rDNS) to resolve dns directly from the corresponding authoritative servers. It takes longer but can be cached over time.