Use this link to get yourself a Vultr VPS www.vultr.com/?ref=8791233 Use this link to get the little daemon T shirt (also available in long sleeve, pullover hoodie, and ladies shirts) based.win/product/little-daemon-premium-short-sleeve-t-shirt/
Important thing to note! You should not run a UDP based DNS Server publicly accessible. This can be used for DNS amplification attacks. Either move your DNS to a VPN (with headscale for example) or only allow HTTPS requests.
I think you meant DoS amplification attacks. NTP and Memcached have greater amplification but there is another problem which is it could be used for DNS cache poisoning and spoofing
The limit I see to privacy in this setup is it still depends on upstream DNS, and your private server may still be traced to you. To improve this you need your private DNS open for wider use, hence ambiguity of who is requesting a lookup.
I just break in to my neighbors house and use his computer. A few weeks ago, his wife left him due to his apparent affinity for ladyboys. I didn't know he was in to that as well. Him and I should hang out more.
My limited understanding with DNS is that when one does a recursive DNS query, the queried DNS server needs to check the root server first, which eventually tells the DNS server what IP it is searching for. If this is hosted locally, only the local connection to the queried DNS server would be protected by DoH, and the DNS server making the actual query would be in plaintext still. Wouldn't it be actually worse than using a VPS, if you consider the ISP as a bad actor in the proposed threat model, since they can just read the outgoing traffic of the DNS server?
Not sure if is possible with Bind9. But I am using AdguardHome as my local DNS and I set the upstream DNS server as Cloudflare's DOH. I noticed a small hit in response times for uncached requests, but other than that. All good! So, in theory, the whole DNS request is encrypted - At least till it reaches Cloudflare. And of course, blocking trackers and other nasty stuff through DNS blocklists is a very pleasant added bonus.
There are some things it makes sense to host yourself but recursive DNS isn't one of them, you're isolating your queries to a single VPS in the cloud with no upstream anonymity. You're much better off using an on-premise DNS cache/filter like Adguard/Pihole and configuring it to use a privacy aware upstream DNS service like Quad9, over DoH of course. Route your queries over Mullvad if you're extra paranoid but that's overkill and not necessary for 99% of threat models.
I havent even watched the video yet... just logged in to give it an instant LIKE and thank you Kenny for always having our back. In a world where Governments and large Companies want to invade and completely STRIP us of everything when it comes to privacy... I truely hope for the new year 2024, a voice like your will continue be a light for us non-tech-savy to ensure that our privacy is protected and not SOLD or invaded. I wish you a happy New Year in advance🌹🤝 🌹 All the best. PS: I WISH there was a way to DM you regarding something... do hint me in the right direction if possible.
lol, hes given you more then you need. you really want to talk to him cough up the money. everyone of those situations has room for notes and messages. oooo, you just want more free? hes busy.
putting your recursive nameserver locally will NOT solve the DNS-information leak, because at the moment still all DNS-requests done recursive nameservers are still NOT encrypted. Sadly.
So it’s the most private DNS setup, even though the DNS server can be identified as yours, it talks to other DNS servers in the clear (because that’s how top-level DNS works), and you’re the only person/family using it.
When I set up an OPNsense router, I configured the firewall to capture all NTP and DNS requests, and I configured Unbound to serve DNS and to do DNS-over-TLS to Quad9, and I configured Chrony to serve NTP and to do NTPSec to System76.
Technitium DNS is another nice option, particularly if you want a GUI. It also has adblock capabilities, and can do DNS wildcard, which is helpful for self hosted applications.
using a wildcard certificate would have been more private, especially given your DNS queries wouldn't be collected and sold, so ideally no one would know that domain even exists
The net provider can still see and log the raw IP on all the packets you send; at that point reverse DNS is a pretty trivial way to get those URL logs.
Let's say I'm a hacker running a DNS server from home or someone's garage. Could law enforcement or specialized cybercrime units detect and apprehend me if I engage in illegal activities online?
DNS Cacheing will not speed anything up since 1) Caching will occur locally on your machine anyway. No need to cache anything on another DNS server. If your computer looks up the A record for google it will not ask again until the TTL expires. or you reboot your machine. 2) Today, Most DNS records have a TTL of around 5 minutes, so you will have to ask the authoritative DNS server again anyway after the TTL expires.
Nice Tee shirt. ;*=[} Man, this is so over my head these days.... One of the problems of being standalone solar power is that this time of year one has to run a generator to charge the batteries, and THAT presupposes having money for gas at $5.00/gallon (yes - up here in NoCal Ecotopia Earth First gas is the sale price as Anchorage or Honolulu...from what I've heard people back east pay as little as $2.50! ) [muffled sobbing in the BG] Don't even ask about food prices....OTOH, it was 50'F today....not sunny but not raining...a few days before New Year's. But don't even ask about internet - no Starlink = no real web (miraculously there's a trace of mobile which allows me to occasionally see RUclipss like this one...it makes dialup look good in retrospect!) Another message in a bottle launched into the heaving Sea of Packets....Happy Gnu Year!
10 месяцев назад+1
I don't understand what this is for, or how it works. You eventually need to get the data from somewhere, and you usually want the current data, so you have to regularly ask the TLD providers or the domain owners (or someone else who asked them before, like Google or Cloudflare) for that. You can cache the data for a while, but I thought, that is already been done automatically by your software (maybe the OS?), since every DNS entry has a Time To Live information. Or is this only for people who want to offer a DNS service for other people?
Other than making your network faster does this really add anything. I mean DNS list are pubic and are used to associate URLs to IPs, using your own DNS server or someone else does not stop your ISP or anyone from seeing the IPs of the websites you are visiting and if they can see that they can do a reverse DNS search to fined what website URL you are going to. Am I right about this?
if this is supposed to be for script kiddies and noobs, one only need read the comments to go completely insane. every argument sounds right. its maddening.
If someone have no knowledge of online privacy/security, password and sensetive information management. Where should he start? And Do you recommend to learn how to use Linux and get rid of Windows?
Would Technitium DNS Server be a good option for a local DNS server? I've had it running for a few weeks, and doing the same DNS tests gives the same results as in your video, but it is 1 click setup with a web interface. It does appear to also be open source.
Doesn't your own DNS server still need to look up addresses to nameservers? At least they wouldnt have records each time you visit a site, but they'll still have record of you looking it up occassionally as your DNS server refreshes its cache
how much does it cost to run email and DNS off VPS ? Wouldnt want to do that with EC2 that is for sure. There is Vultr freebsd also. I moved to serverless as I dont have time to manage vps and security.,
Is it just Microsoft and Apple blocking your emails? I tried a few different configs with a few different cloud providers but always have trouble sending to outlook, hotmail, etc
@@MentalOutlaw Microsoft blocking all my mails. Google, apple aol, yahoo are sending me to spam. You can de-list your ip if you send a ticket to microsoft. I am using glockapps to check who is marking me as spamer.
hey just want to let you know - don't you ever even try to host public DNS server unless you know what you're doing. I have abandoned my project of free public uncensored DNS over HTTPS server after just 3 months, because there is basically no way to block DNS amplified DDoS attacks when you are just a single guy with some servers. You have to use other antiddos solutions which are compromising users' privacy. Hosting DNS servers is nightmare. Even bigger than hosting your own mail server.
Another reason this setup doesn't support ECH is the browsers that support it are very picky about which DoH servers they will allow for ECH. I tested even with a server with a real cert, with different SSL libs, and it simply will rarely if ever allow ECH on a personally owned server. They only trust certain parties for use with ECH, whether it be Chrome/Chromium or Firefox.
is there any reason for that? there may still be some advanced config change possible, or at worst case build from source with your server added. but who will do that?
@@apache937 Well, seeing as DoH is the big tech version of DoT, and no browser supports ECH with DoT either, I'm sure you can infer a pattern. A build from source with your own server trusted would do the job in theory, but like you said, aint nobody gonna do that.
Use this link to get yourself a Vultr VPS
www.vultr.com/?ref=8791233
Use this link to get the little daemon T shirt (also available in long sleeve, pullover hoodie, and ladies shirts)
based.win/product/little-daemon-premium-short-sleeve-t-shirt/
Why you say private then sellout
Do you recommend a specific VPS from vultr or elsewhere?
Got any tips for mitigating BGP attacks?
Why are you being racist towards indians?
You are so freaking racist dude, you should delete the thumbnail goofball🤡🤡
Blink 2 times if you're ok. 3 times if the NSA is holding you hostage
Don't worry he is hiding near police station
Bro is off-grid...
njp, keep posting this comment on future videos. Also ask in livestreams
It's blinking like a Christmas tree
@@Abhinav_Nayana_Sailenbro is a deep fake
Love the Windows XP style theme! Also, yet another high quality video from you, thanks for being awesome man!
Love your channel man! We need people like you who care about privacy and freedom in this crazy digital world!
naomi brockwell, louis rossmann
Not just privacy but also speed when held locally.
Add you frequently visited sites to your local hosts file for snappier surfing.
Important thing to note!
You should not run a UDP based DNS Server publicly accessible.
This can be used for DNS amplification attacks. Either move your DNS to a VPN (with headscale for example) or only allow HTTPS requests.
I think you meant DoS amplification attacks. NTP and Memcached have greater amplification but there is another problem which is it could be used for DNS cache poisoning and spoofing
The limit I see to privacy in this setup is it still depends on upstream DNS, and your private server may still be traced to you. To improve this you need your private DNS open for wider use, hence ambiguity of who is requesting a lookup.
I just break in to my neighbors house and use his computer. A few weeks ago, his wife left him due to his apparent affinity for ladyboys. I didn't know he was in to that as well. Him and I should hang out more.
his server is open and publicly available. but do you trust kenny?
Merry christmas Kenny, and hopefully a happy new year :^)
Thanks merry Christmas and happy new year to you too!
Mental Outlaw is a white guy from Boston.
My limited understanding with DNS is that when one does a recursive DNS query, the queried DNS server needs to check the root server first, which eventually tells the DNS server what IP it is searching for. If this is hosted locally, only the local connection to the queried DNS server would be protected by DoH, and the DNS server making the actual query would be in plaintext still. Wouldn't it be actually worse than using a VPS, if you consider the ISP as a bad actor in the proposed threat model, since they can just read the outgoing traffic of the DNS server?
yes, it's worse than a VPS.
I think it's pretty silly as well
Not sure if is possible with Bind9. But I am using AdguardHome as my local DNS and I set the upstream DNS server as Cloudflare's DOH.
I noticed a small hit in response times for uncached requests, but other than that. All good!
So, in theory, the whole DNS request is encrypted - At least till it reaches Cloudflare.
And of course, blocking trackers and other nasty stuff through DNS blocklists is a very pleasant added bonus.
Yeah hosting it locally would be stupid.
I’d only host this locally if you have a script to do dns requests for random domains constantly, similar to trackmenot
There are some things it makes sense to host yourself but recursive DNS isn't one of them, you're isolating your queries to a single VPS in the cloud with no upstream anonymity. You're much better off using an on-premise DNS cache/filter like Adguard/Pihole and configuring it to use a privacy aware upstream DNS service like Quad9, over DoH of course. Route your queries over Mullvad if you're extra paranoid but that's overkill and not necessary for 99% of threat models.
Pretty much. Adguard and Quad9 are exactly what i was going to mention
Really good comment! +1
I havent even watched the video yet... just logged in to give it an instant LIKE and thank you Kenny for always having our back. In a world where Governments and large Companies want to invade and completely STRIP us of everything when it comes to privacy... I truely hope for the new year 2024, a voice like your will continue be a light for us non-tech-savy to ensure that our privacy is protected and not SOLD or invaded. I wish you a happy New Year in advance🌹🤝 🌹 All the best. PS: I WISH there was a way to DM you regarding something... do hint me in the right direction if possible.
lol, hes given you more then you need. you really want to talk to him cough up the money. everyone of those situations has room for notes and messages. oooo, you just want more free? hes busy.
Another great deepfake👏
The deepfake tech just keeps getting better
@@MentalOutlawbased indeed 🙌
What?
@@maindepth8830he is AI
is his real face
putting your recursive nameserver locally will NOT solve the DNS-information leak, because at the moment still all DNS-requests done recursive nameservers are still NOT encrypted. Sadly.
thank you for taking time off playing for the boston celtics to bring us this video
Merry TLS 1.3 Christmas Mental Outlaw and have a happy DNSSEC New Year!! :D
number one thing you learn about DNS in networks is that its configuration has to be by IP, otherwise you have a "Chicken first or the egg" problem
not really, as the root servers are known ahead of time, and usually hardcoded into an app, so you can do your own recursion
How do you not have a handle?
So it’s the most private DNS setup, even though the DNS server can be identified as yours, it talks to other DNS servers in the clear (because that’s how top-level DNS works), and you’re the only person/family using it.
you can use his server if you want
Wow, not only a full time NBA player on the best team in the league, but you run a successful hacking RUclips channel as well? Inspirational man
When I set up an OPNsense router, I configured the firewall to capture all NTP and DNS requests, and I configured Unbound to serve DNS and to do DNS-over-TLS to Quad9, and I configured Chrony to serve NTP and to do NTPSec to System76.
Cool. I'm doing all of the above except for Chronly and NTPSec (which I didn't know about - and will start using soon). Thanks.
04:50 I was bloody jamming to that music. Why did it have to stop. I want to live my life with that soundtrack running.
Technitium DNS is another nice option, particularly if you want a GUI. It also has adblock capabilities, and can do DNS wildcard, which is helpful for self hosted applications.
i didn't know jayson tatum knew about DNS servers
Great video as always. If only DNS was real.
Also combine it with pihole to have the ultimate DNS server
I love how DNS-over-https is: Doh!
The fact that I was trying to do this on the router without any success
Doing this on a router would be interesting, might be possible with dnsmasq on OpenWRT
@@MentalOutlaw openwrt has unbound
@@MentalOutlawthis is possibile with Unbound package for OpenWRT.
Perfect, I was planning on doing this for a few apps I wanted to deploy across a few machines
kenny pls make more farm and lifting videos
also pls put the libre podcast somewhere where it's easy to stream
checkout my farming channel www.youtube.com/@TheBasedFarm
@@MentalOutlaw based joel salatin
Based tech drake
using a wildcard certificate would have been more private, especially given your DNS queries wouldn't be collected and sold, so ideally no one would know that domain even exists
Mental, your are one of my favourite ytbers to love and hate at the same time. One day i will start paying proper attention to your videos teachings.
One day when I finally will understand how computers work your videos will be very helpful to me. Too bad I know jackshit atm. Keep up the good work!
Bro what is that Indian character? Literally a mix of all the completely different stereotypes. 😂
I personnaly use Technitium DNS, and I like it very much. It's an authorative/recursive DNS, and it also can block ads.
The net provider can still see and log the raw IP on all the packets you send; at that point reverse DNS is a pretty trivial way to get those URL logs.
Just learned about DNS leaks today! On an unrelated note, u should drop a tutorial on removing rogue-deepfake AIs from my walls
ECH is really good if you're using TLS cipher suite based virtual host.
I actually wanted to do this for some time now. Perfect timing that you made that video
I've been thinking about this lately... good timing :)
4:31 feeling the groove on that music!
@@Kuznet609 Thanks 😊!
Happy Holidays, and upcoming new year, MentalOutlaw.
Hope you'll do an update when all the features you mentioned (secure hello etc) are available. Thanks
Holy shit that thumbnail what the fuck
Man, now I feel like I see him in a different (negative) light lol
He's a frustrated mental incel.
@@omkarnaik6305his whitecel ass tryna cope in every way possible it seems
@@hydr0xx_ cry harder scammer
@@ihate4chan he is a salty chicken man
Luke Smith is not uploading on his main channel due to focusing on creatimg great deepfakes for this channel, good job Luke
personally i don't use dns and i just memorize the ip, but this is cool!
20:29 Add domain to host file.
Let's say I'm a hacker running a DNS server from home or someone's garage. Could law enforcement or specialized cybercrime units detect and apprehend me if I engage in illegal activities online?
i never knew that Jayson Tatum also teach on how to host our own dns server
It was super annoying when Firefox ripped out ESNI support when literally nobody in the world was using ECH, hope ECH gets implemented soon
DNS Cacheing will not speed anything up since 1) Caching will occur locally on your machine anyway. No need to cache anything on another DNS server. If your computer looks up the A record for google it will not ask again until the TTL expires. or you reboot your machine. 2) Today, Most DNS records have a TTL of around 5 minutes, so you will have to ask the authoritative DNS server again anyway after the TTL expires.
is there a written guide?
*That thumbnail is racist and uncalled for.*
Your are best thanks for information and everything you do in the community.
Nice Tee shirt. ;*=[}
Man, this is so over my head these days....
One of the problems of being standalone solar power is that this time of year one has to run a generator to charge the batteries, and THAT presupposes having money for gas at $5.00/gallon (yes - up here in NoCal Ecotopia Earth First gas is the sale price as Anchorage or Honolulu...from what I've heard people back east pay as little as $2.50! )
[muffled sobbing in the BG] Don't even ask about food prices....OTOH, it was 50'F today....not sunny but not raining...a few days before New Year's.
But don't even ask about internet - no Starlink = no real web (miraculously there's a trace of mobile which allows me to occasionally see RUclipss like this one...it makes dialup look good in retrospect!)
Another message in a bottle launched into the heaving Sea of Packets....Happy Gnu Year!
I don't understand what this is for, or how it works. You eventually need to get the data from somewhere, and you usually want the current data, so you have to regularly ask the TLD providers or the domain owners (or someone else who asked them before, like Google or Cloudflare) for that. You can cache the data for a while, but I thought, that is already been done automatically by your software (maybe the OS?), since every DNS entry has a Time To Live information.
Or is this only for people who want to offer a DNS service for other people?
This video is very timely, thanks, sir
What software are you using for your email server?
Interesting thumbnail, especially the crying person in thr middle.
Does it refer to anyone specific?
His step-father, who is alleged to bang his mom in his full view.
Other than making your network faster does this really add anything. I mean DNS list are pubic and are used to associate URLs to IPs, using your own DNS server or someone else does not stop your ISP or anyone from seeing the IPs of the websites you are visiting and if they can see that they can do a reverse DNS search to fined what website URL you are going to. Am I right about this?
if this is supposed to be for script kiddies and noobs, one only need read the comments to go completely insane. every argument sounds right. its maddening.
I don’t have much knowledge of DNS, and how the internet works in general, so my question is whats the difference between this and pihole + unbound?
isn't the unencrypted server name in the ssl handshake?
Hey Kenny, how would I start my own ISP?
Real men don't need a DNS, we just go directly to the IP addy
good videos buddy - keep it up
Can I ask what server software you use for your Linode email server?....I was thinking of using Axigen, but am looking for advice. Thanks
If someone have no knowledge of online privacy/security,
password and sensetive information management.
Where should he start?
And Do you recommend to learn how to use Linux and get rid of Windows?
This came at the perfect time for my project
Mom says we already have DNS at home.
DNS at home: /etc/hosts
Uff there is some dust on your meme but I appreciate it 😂 just like my old pentium.
Props for the arcade music :D
Would Technitium DNS Server be a good option for a local DNS server? I've had it running for a few weeks, and doing the same DNS tests gives the same results as in your video, but it is 1 click setup with a web interface. It does appear to also be open source.
I've used Stubby and personalDNSfilter before as a Windows user and just found Technitium. Seems a lot more polished and feature rich.
Jason Tatum 🔥
OMG...this really work
Care to explain the thumbnail? dark-skinned Sikh guy crying with a bindi. What exactly is it supposed to mean?
Doesn't your own DNS server still need to look up addresses to nameservers? At least they wouldnt have records each time you visit a site, but they'll still have record of you looking it up occassionally as your DNS server refreshes its cache
Excellent video 👍 Thank you 💜
Who makes your thumbnails ?
I host adguard home on my raspberry pi with encrypted dns it's great
Good solution, if reverse-DNS lookups are not routinely done by ISPs on general population.
how much does it cost to run email and DNS off VPS ? Wouldnt want to do that with EC2 that is for sure. There is Vultr freebsd also. I moved to serverless as I dont have time to manage vps and security.,
😂 thumbnails are A1
Insane thumbnail well done
04:09 This looked like straight from the hacking time scene of Kung Fury (and I mean it as a positive thing). 😁
I plan on this big fan 🎉🎉🎉
btw. I have mail server on linode too and yes, it is not ok. Most of my e-mail are marked as spam.
Is it just Microsoft and Apple blocking your emails? I tried a few different configs with a few different cloud providers but always have trouble sending to outlook, hotmail, etc
@@MentalOutlaw
Microsoft blocking all my mails. Google, apple aol, yahoo are sending me to spam.
You can de-list your ip if you send a ticket to microsoft.
I am using glockapps to check who is marking me as spamer.
Have you guys set up SPF record?
@@user-dc9zo7ek5j Yes, spf dmarc dkim are in place, but they do not help against bad IP reputation.
21:45 "it's a trap!" lol
Is this similar to unbound?
With every one of these videos, I think I understand less and less. I probably should take a class.
hey just want to let you know - don't you ever even try to host public DNS server unless you know what you're doing.
I have abandoned my project of free public uncensored DNS over HTTPS server after just 3 months, because there is basically no way to block DNS amplified DDoS attacks when you are just a single guy with some servers. You have to use other antiddos solutions which are compromising users' privacy.
Hosting DNS servers is nightmare. Even bigger than hosting your own mail server.
Vultr Vait (Walter White)
Any issues using DNS over TLS? Should I switch?
Another reason this setup doesn't support ECH is the browsers that support it are very picky about which DoH servers they will allow for ECH. I tested even with a server with a real cert, with different SSL libs, and it simply will rarely if ever allow ECH on a personally owned server. They only trust certain parties for use with ECH, whether it be Chrome/Chromium or Firefox.
is there any reason for that? there may still be some advanced config change possible, or at worst case build from source with your server added. but who will do that?
@@apache937 Well, seeing as DoH is the big tech version of DoT, and no browser supports ECH with DoT either, I'm sure you can infer a pattern. A build from source with your own server trusted would do the job in theory, but like you said, aint nobody gonna do that.
You can't add a DNS name as a DNS server, how would it know how to resolve it?
おはようございます
Thanks drake
what was the song being played around the beginning?
Intresting! ...thanks
Always done something like this, DOT or DOH at least.
Is this different than the dns caching on a edgerouter? Forgive my ignorance
Huh, I haven't experienced any smtp port issues with vultr so far, they were open by default (Europe, though, not US).