DNS doesn't hide your browsing from your ISP. They can see the host domain. They just can't see what you are doing on it. Encrypted DNS or not.
Wouldn't a proxy stop this? But it's probably slow, right? Adding an extra hop.
This is why you use multiple tools, as he states. Just like a VPN isn't an all-in-one solution.
Unless I misunderstood your comment, how do they (ISPs) see a host domain if DoH requests are encrypted via TLS no matter if it's a GET or POST request? The whole point of DNS encryption is the encryption. All they see is an HTTPS request host header, which will be the host name of a DNS server. The URI or request body would be encrypted. The only thing I can think of is an intermediary or the DNS server itself, which would log your GET DoH requests.
@MrSmilev yeah, I don't think his comment is correct if you are using a combination of encrypted DNS with a VPN. The only thing your ISP sees is traffic.
@MrSmilev your packets still contain the SNI. ECH is meant to help with that, but 1: that only matters if both the client and server support it & 2: it only "obscures" as long as the IP address associated with the domain is used to point to other domains, or else the IP address reveals all. Adoption of this tech is not commonplace, and it has even been pushed back by some large data collectors. DNS is not how you stay secure; your security is only as strong as your weakest link. Hope my explanation is clear.
This is the first time I've ever heard of Quad9!
I've been trying to find a DNS to replace CloudFlare with for a long time now.
Thanks for the heads up, Tom!
Which one is best?
@Rvsharma1501
Definitely Quad9. Don't use CloudFlare.
For gaming (PS5), Quad9 or Cloudflare?
Crazy this i
@Daviid2194 does not matter for gaming
@0:44 Encrypted DNS doesn't prevent the ISP or DNS provider (whichever you are using) from seeing your IP address, nor the response it gave for that address.
Encrypted DNS or DNS over HTTPS or DoH (whichever you like to call it) ensures that request and reply packets are securely sent, securely transmitted and securely received between two entities, while ensuring the connection identity of both parties.
That encrypted request has to be unpacked and processed by *something* and it's highly possible some appropriately authoritative administrator(s) somewhere in the other station can see that data should the unlikely need arise, otherwise with millions of DNS requests per day, nobody gives a shite about where you legally go.
With that being said, using an encrypted DNS service apart from your ISP servers will prevent your ISP from wire tapping into your otherwise plain DNS requests.
And encrypted DNS is technically slower; how many milliseconds slower than in-the-clear packets will vary. Not really enough to notice, though.
I’m rocking AdGuard Home running on an RPi, which itself backs off to NextDNS for upstream DNS. I also have DoH set up on AdGuard too so I can use it outside of my network. Oh, and a VPN. Next step: a self-hosted mail server 😂
Which one is best?
Can you help me to set it up?
I want to create gaming accounts and Discord accounts for different regions. I am using ControlD DNS; it's so slow.
@Rvsharma1501 NextDNS for me
Using Unbound's DNS over VPN feature. Then using a VPN for specific data flows on my network via policy-based routing.
It's better to disable secure DNS while using a VPN. It's a guarantee there will be a DNS leak if secure DNS or another DNS provider outside your VPN service is used.
No matter what you use there's no privacy
I have been trying to find a good guide for implementing Quad9 at the router level in combination with the DHCP server in your router. The message I see currently in the router is "Your router's DHCP server is configured to provide a DNS server that's different from your router's IP address. This will prevent clients from using the DNS Privacy servers." So does this mean on the WAN page to put Quad9's DNS settings and then on the router's DHCP page to put the router's internal IP?
ControlD DNS vs Quad9?
I only use three systems for ad blocking and blocking malicious URLs, depending on the system and environment. These are:
NextDNS, AdGuard Home and Pi-hole
I tried using Pi-hole and most of my services stopped working 😂 This was long ago when Pi-hole was pretty new.
I still get max speed on my VPN
How is AdGuard DNS? Is it good?
It's good. But NextDNS and LibreDNS are better for ad blocking.
Also my speed is also faster, thanks.