by q1t 3744 days ago
So how do you protect from such things? I mean, is there a way to analyze all your outgoing traffic (from a specific machine, for example) and route every connection (like DNS and similar stuff) through a desired endpoint?
3 comments
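One concrete way to answer the question above from the defender's side: audit an outbound flow log for DNS traffic that bypasses the resolver you intended (e.g. the one reachable only through your VPN or ssh tunnel). This is an added example, not code from the thread; the flow-log format, the sample lines and the 10.8.0.0/24 "tunnel-side resolver" policy are all constructed assumptions, while 75.75.75.75 and 8.8.8.8 are the resolvers discussed later in the thread.

```python
"""Flag DNS flows that leak around the intended resolver (added example)."""
from ipaddress import ip_address, ip_network

# Constructed sample flow log, one flow per line: "<proto> <src> <dst>:<port>".
# Not real traffic; 10.8.0.1 plays the role of a resolver inside a VPN tunnel.
SAMPLE_FLOWS = """\
udp 192.168.1.10 10.8.0.1:53
udp 192.168.1.10 75.75.75.75:53
tcp 192.168.1.10 8.8.8.8:853
udp 192.168.1.10 8.8.8.8:53
tcp 192.168.1.10 203.0.113.5:443
"""

# Hypothetical policy: DNS may only be sent to resolvers reachable via the tunnel.
ALLOWED_RESOLVERS = (ip_network("10.8.0.0/24"),)

# 53 = plain DNS (visible to the ISP), 853 = DNS over TLS (content hidden, but
# the resolver endpoint is still visible, so it is still a policy deviation).
DNS_PORTS = {53, 853}


def parse_flow(line):
    """Split one constructed log line into (proto, src_ip, dst_ip, dst_port)."""
    proto, src, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return proto, ip_address(src), ip_address(host), int(port)


def find_dns_leaks(log_text, allowed=ALLOWED_RESOLVERS):
    """Return (proto, dst, port) for every DNS flow not going to an allowed resolver."""
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, _src, dst, port = parse_flow(line)
        if port not in DNS_PORTS:
            continue  # not DNS; out of scope for this check
        if not any(dst in net for net in allowed):
            leaks.append((proto, str(dst), port))
    return leaks


if __name__ == "__main__":
    for proto, dst, port in find_dns_leaks(SAMPLE_FLOWS):
        print(f"DNS leak: {proto} to {dst}:{port} bypasses the tunnel resolver")
```

Feed it the output of whatever records your host's outbound connections (conntrack, a firewall log, a packet capture reduced to flows) after mapping that format into the same three fields.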

You can use a VPN or ssh tunnel and send DNS queries through that tunnel or proxy - however, that just adds another layer for anyone who wants the information to go through.
Do VPN providers know any less than an ISP?
No, but they're (statistically) less interested, know less about you, and furthermore you're less beholden to them. Chaining VPNs multiplies the effect, with the end result looking a lot like Tor.

Centralization is bad precisely because it concentrates the information, adds context to it (what you're doing relative to others), and amortizes the cost of building surveillance infrastructure and developing the business relationships for exploiting it.

Indeed. You can pick VPN providers who aren't vulnerable to your adversaries. In China, you maybe pick US providers. In the US, maybe you pick Chinese providers. And when you're chaining VPNs, you cross jurisdictions, to reduce the risk of coerced collaboration.

VPN chaining does start to look somewhat like Tor. But the bandwidth can be a lot greater. However, it's far less anonymous, because there's just a static circuit. Tor switches circuits frequently, at ten minute intervals by default.

Also, one can combine VPN services and Tor. By hitting Tor through VPNs, you hide Tor use from your ISP and its friends. And you hide your ISP-assigned IP from potentially evil entry guards. By routing VPNs through Tor, you hide Tor use from sites that you visit, and also hide your traffic from potentially evil exit nodes. One can even run VPN servers as Tor onion services.

So I guess VPNs centralise the traffic of people who care about spoofing geography and/or keeping their traffic private from their ISP.
Yeah, VPNs are certainly not a panacea.

Although last mile wireline providers have surveillance in their genes, having descended from state surveillance organs (e.g. Ma Bell). They already make good money servicing warrant requests for IP address records, and preemptively keeping a record of customers' communications partners would be extremely cheap. And such "network intelligence" ties right in to fighting against the commodification otherwise driving profit margins on transporting bits to zero.

I'd bet on the infrastructure-less provider that starts off only knowing my rough geographical location and what type of gift card I paid with, and that I can drop any time.

US gift cards no longer work for non-US purchases. Bitcoins are currently the best option. At least for anything past the first VPN in a chain.
There are many VPN services. So it's somewhat misleading to say that they centralize traffic.
No.
I don't use my ISP for DNS. Nor for email. Not sure that really protects anything but at least it sidesteps any log mining they're doing on their own servers.
I use my ISP (Comcast) for DNS mainly for 2 reasons:

1. No other public DNS is faster. 75.75.75.75 is 6 "hops" away at 15ms rtt. Google's 8.8.8.8 is 10 hops away at 25ms rtt. DNS adds about 3 ms of latency for both services.

2. It's my understanding that many services can use DNS to do geographical load balancing when Anycast isn't an option. When using Google DNS I would routinely get pointed to Akamai nodes in Chicago. I live in Nashville. After switching back to Comcast I now reach Akamai in Atlanta, which provides much lower latency and higher throughput.

Just my two cents.

If you have the ability, you can run DNSmasq[0] locally (i.e. 1 hop or less) on your router. For the sites that you interact with frequently, it is quite helpful.

[0] https://en.wikipedia.org/wiki/Dnsmasq

N.B. I say or less because you can run it on your machine as well.

Sacrificing privacy for speed is a bad tradeoff in this instance, as DNS request speed is overemphasized in almost all cases (case in point: classifying 15ms vs 25ms as a "problem").

If a site is not already cached at the OS level, then a typical DNS lookup from the central / east coast US to the EU takes ~120-130ms. 8x slower may at first sound really bad until you pause to consider that the unit in question is milliseconds.

Your web browser and the webpage itself are generally doing far more damage to your page load times than the DNS lookup.

Sacrificing privacy? Sorry, but my ISP knows what DNS queries I make regardless of which service I use.
There is an important difference to recognize between your ISP inspecting network packets 24x7 to target and collect your DNS queries vs. you handing the information directly to them.
The other problem with using your ISP's DNS servers is they can hijack your request, or be slow/down all the time. 4/5 times when the "internet doesn't work" it's just the cable company DNS not working, and using Google or OpenDNS "restores service".
This is true, earlier this morning my ISP's secondary DNS server for my state was down. Good thing I roll with my ISP's main server first, and 8.8.8.8 as my secondary nameserver.
They're your ISP, so they can hijack any IP they want if they felt inclined to do so.
> So how do you protect from such things?

Tor?

Unless you believe Tor is a giant honeypot created by the NSA.
There are certainly honeypots inside the Tor network, as there are on the internet in general. Tor itself is an invaluable network when used properly for a variety of people and purposes. Perhaps not a major point, but I believe Tor originated out of the U.S. Navy and DARPA, not the NSA.
One (albeit small) thing you can do is to do as much as possible offline. For instance, you could download Wikipedia and use it offline only.

The same goes for maps. For example, Open Street Map data can be used offline.