Host Your Own Encrypted DNS Server

Use this link to get yourself a Vultr VPS
www.vultr.com/?ref=8791233
Use this link to get the little daemon T shirt (also available in long sleeve, pullover hoodie, and ladies shirts)
based.win/product/little-daemon-premium-short-sleeve-t-shirt/

Blink 2 times if you're ok. 3 times if the NSA is holding you hostage

Love the Windows XP style theme! Also, yet another high quality video from you, thanks for being awesome man!

Love your channel man! We need people like you who care about privacy and freedom in this crazy digital world!

Merry TLS 1.3 Christmas Mental Outlaw and have a happy DNSSEC New Year!! :D

Merry christmas Kenny, and hopefully a happy new year :^)

thank you for taking time off playing for the boston celtics to bring us this video

I havent even watched the video yet... just logged in to give it an instant LIKE and thank you Kenny for always having our back. In a world where Governments and large Companies want to invade and completely STRIP us of everything when it comes to privacy... I truely hope for the new year 2024, a voice like your will continue be a light for us non-tech-savy to ensure that our privacy is protected and not SOLD or invaded. I wish you a happy New Year in advance🌹🤝 🌹 All the best. PS: I WISH there was a way to DM you regarding something... do hint me in the right direction if possible.

Important thing to note!
You should not run a UDP based DNS Server publicly accessible.
This can be used for DNS amplification attacks. Either move your DNS to a VPN (with headscale for example) or only allow HTTPS requests.

I actually wanted to do this for some time now. Perfect timing that you made that video

I've been thinking about this lately... good timing :)

Just learned about DNS leaks today! On an unrelated note, u should drop a tutorial on removing rogue-deepfake AIs from my walls

Happy Holidays, and upcoming new year, MentalOutlaw.

Another great deepfake👏

My limited understanding with DNS is that when one does a recursive DNS query, the queried DNS server needs to check the root server first, which eventually tells the DNS server what IP it is searching for. If this is hosted locally, only the local connection to the queried DNS server would be protected by DoH, and the DNS server making the actual query would be in plaintext still. Wouldn't it be actually worse than using a VPS, if you consider the ISP as a bad actor in the proposed threat model, since they can just read the outgoing traffic of the DNS server?

The limit I see to privacy in this setup is it still depends on upstream DNS, and your private server may still be traced to you. To improve this you need your private DNS open for wider use, hence ambiguity of who is requesting a lookup.

Not just privacy but also speed when held locally.
Add you frequently visited sites to your local hosts file for snappier surfing.

Great video as always. If only DNS was real.

This video is very timely, thanks, sir

Perfect, I was planning on doing this for a few apps I wanted to deploy across a few machines

Mental Outlaw is a white guy from Boston.

Your are best thanks for information and everything you do in the community.

good videos buddy - keep it up

Excellent video 👍 Thank you 💜

This came at the perfect time for my project

Thanks for thr tutorial and its certainly a step that I plan to take with my network. My problem is that i want to keep tabs on all dns traffic and having DoH client-side is not ideal for that. Hopefully you or some forum guru will come out with an easy to follow guide for local recursive secure DNS when communicating with the outside world.

Awesome! Thank you!

Intresting! ...thanks

There are some things it makes sense to host yourself but recursive DNS isn't one of them, you're isolating your queries to a single VPS in the cloud with no upstream anonymity. You're much better off using an on-premise DNS cache/filter like Adguard/Pihole and configuring it to use a privacy aware upstream DNS service like Quad9, over DoH of course. Route your queries over Mullvad if you're extra paranoid but that's overkill and not necessary for 99% of threat models.

I personnaly use Technitium DNS, and I like it very much. It's an authorative/recursive DNS, and it also can block ads.

Insane thumbnail well done

putting your recursive nameserver locally will NOT solve the DNS-information leak, because at the moment still all DNS-requests done recursive nameservers are still NOT encrypted. Sadly.

When I set up an OPNsense router, I configured the firewall to capture all NTP and DNS requests, and I configured Unbound to serve DNS and to do DNS-over-TLS to Quad9, and I configured Chrony to serve NTP and to do NTPSec to System76.

Props for the arcade music :D

awesome vid

I love how DNS-over-https is: Doh!

Wow, not only a full time NBA player on the best team in the league, but you run a successful hacking RUclips channel as well? Inspirational man

I plan on this big fan 🎉🎉🎉

04:50 I was bloody jamming to that music. Why did it have to stop. I want to live my life with that soundtrack running.

Technitium DNS is another nice option, particularly if you want a GUI. It also has adblock capabilities, and can do DNS wildcard, which is helpful for self hosted applications.

One day when I finally will understand how computers work your videos will be very helpful to me. Too bad I know jackshit atm. Keep up the good work!

Thanks drake

number one thing you learn about DNS in networks is that its configuration has to be by IP, otherwise you have a "Chicken first or the egg" problem

4:31 feeling the groove on that music!

ECH is really good if you're using TLS cipher suite based virtual host.

Mental, your are one of my favourite ytbers to love and hate at the same time. One day i will start paying proper attention to your videos teachings.

OMG...this really work

Awesome

fire 🗿

The fact that I was trying to do this on the router without any success

finally!!!!!!!!!!!!!!!

😂 thumbnails are A1

very cool

Hope you'll do an update when all the features you mentioned (secure hello etc) are available. Thanks

The net provider can still see and log the raw IP on all the packets you send; at that point reverse DNS is a pretty trivial way to get those URL logs.

So it’s the most private DNS setup, even though the DNS server can be identified as yours, it talks to other DNS servers in the clear (because that’s how top-level DNS works), and you’re the only person/family using it.

i didn't know jayson tatum knew about DNS servers

Also combine it with pihole to have the ultimate DNS server

👍👍

personally i don't use dns and i just memorize the ip, but this is cool!

Holy shit that thumbnail what the fuck

I love u mental outlaw

thanks

Man I didn't even know this would be possible in a usability sense

using a wildcard certificate would have been more private, especially given your DNS queries wouldn't be collected and sold, so ideally no one would know that domain even exists

based

Jason Tatum 🔥

i never knew that Jayson Tatum also teach on how to host our own dns server

Hilarious FreeBSD t shirt

Can I ask what server software you use for your Linode email server?....I was thinking of using Axigen, but am looking for advice. Thanks

What software are you using for your email server?

Nice Tee shirt. ;*=[}
Man, this is so over my head these days....
One of the problems of being standalone solar power is that this time of year one has to run a generator to charge the batteries, and THAT presupposes having money for gas at $5.00/gallon (yes - up here in NoCal Ecotopia Earth First gas is the sale price as Anchorage or Honolulu...from what I've heard people back east pay as little as $2.50! )
[muffled sobbing in the BG] Don't even ask about food prices....OTOH, it was 50'F today....not sunny but not raining...a few days before New Year's.
But don't even ask about internet - no Starlink = no real web (miraculously there's a trace of mobile which allows me to occasionally see RUclipss like this one...it makes dialup look good in retrospect!)
Another message in a bottle launched into the heaving Sea of Packets....Happy Gnu Year!

20:29 Add domain to host file.

I don't understand what this is for, or how it works. You eventually need to get the data from somewhere, and you usually want the current data, so you have to regularly ask the TLD providers or the domain owners (or someone else who asked them before, like Google or Cloudflare) for that. You can cache the data for a while, but I thought, that is already been done automatically by your software (maybe the OS?), since every DNS entry has a Time To Live information.
Or is this only for people who want to offer a DNS service for other people?

vegain gains

Other than making your network faster does this really add anything. I mean DNS list are pubic and are used to associate URLs to IPs, using your own DNS server or someone else does not stop your ISP or anyone from seeing the IPs of the websites you are visiting and if they can see that they can do a reverse DNS search to fined what website URL you are going to. Am I right about this?

kenny pls make more farm and lifting videos
also pls put the libre podcast somewhere where it's easy to stream

goated tutorial

04:09 This looked like straight from the hacking time scene of Kung Fury (and I mean it as a positive thing). 😁

おはようございます

21:45 "it's a trap!" lol

is there a written guide?

I host adguard home on my raspberry pi with encrypted dns it's great

Interesting thumbnail, especially the crying person in thr middle.
Does it refer to anyone specific?

Hey Kenny, how would I start my own ISP?

Bro what is that Indian character? Literally a mix of all the completely different stereotypes. 😂

It was super annoying when Firefox ripped out ESNI support when literally nobody in the world was using ECH, hope ECH gets implemented soon

I don’t have much knowledge of DNS, and how the internet works in general, so my question is whats the difference between this and pihole + unbound?

Vultr Vait (Walter White)

Ayo it's Jayson Tatum

DNS Cacheing will not speed anything up since 1) Caching will occur locally on your machine anyway. No need to cache anything on another DNS server. If your computer looks up the A record for google it will not ask again until the TTL expires. or you reboot your machine. 2) Today, Most DNS records have a TTL of around 5 minutes, so you will have to ask the authoritative DNS server again anyway after the TTL expires.

Some questions:
Did Secure SNI got added?
If SSNI hasn't been added is it a big disadvantage, can the ISP or Big Tech your traffic without SSNI?

If someone have no knowledge of online privacy/security,
password and sensetive information management.
Where should he start?
And Do you recommend to learn how to use Linux and get rid of Windows?

Always done something like this, DOT or DOH at least.

The thumbnail lmaooo

Who makes your thumbnails ?

I'm using a raspi with pihole and unbound... Don't think it's encrypted tho but I definitely am more secure

Is the host free service and is there easy way to backup with out doing it from scratch?

Would Technitium DNS Server be a good option for a local DNS server? I've had it running for a few weeks, and doing the same DNS tests gives the same results as in your video, but it is 1 click setup with a web interface. It does appear to also be open source.

how much does it cost to run email and DNS off VPS ? Wouldnt want to do that with EC2 that is for sure. There is Vultr freebsd also. I moved to serverless as I dont have time to manage vps and security.,