by core-questions 2381 days ago
I assume every single DNS provider is logging and, if possible, selling my data. Why wouldn't I? This is actually why I use my own DNS server and resolve against the root, like anyone else who cares about privacy ought to be doing.

Still, if your goal is to block your kids' access to things, DNS is a good place to do it. Works across all your devices and doesn't require any install.


> This is actually why I use my own DNS server and resolve against the root, like anyone else who cares about privacy ought to be doing.

How do you prevent the ISP from logging those requests to the root?

I can't speak for them, but I do the same thing and use a VPN to resolvers on numerous VPS providers. Those talk upstream to the root servers. Between the min-ttl cache at each layer and the large number of resolvers, correlation of my DNS requests is non-trivial. I also ensure that client subnet EDNS is blocked.

Unless you're connected to a VPN 100% of the time, wouldn't your ISP already have access to see every domain you browse to?

They do via the SNI header, but Firefox already includes support for encrypted SNI. So if the server supports that, all the ISP gets is the IP of the server you're connecting to. If that IP only hosts a single domain, then they can still tell, but in other cases (think sites behind Cloudflare, or using shared load balancers), they can't.

Or actually, they might still, using side-channel attacks, but it's significantly harder to accomplish, especially at scale.

Hey, good point. I guess there's not much I can do about that yet, without DNSSEC or whatever.

DNSSEC does nothing whatsoever to prevent your ISP from logging your requests.

I’d be interested to get any links/descriptions on how you run your own DNS server and the monetary and time costs of it.

You should look into setting up a Pi-Hole.

https://pi-hole.net/

Good jumping off point for this.

Thanks. I have heard of pi-hole and know what it does (though I haven’t set up one myself). I’ll take a shot at it. I was wondering what stack the GP was using, where it was hosted and what the costs were.
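An added configuration, not the setup of any commenter above, for the kind of resolver the thread describes (the "resolve against the root" comment and the later question about how to run your own server): an Unbound instance that recurses from the root hints, answers only VPN clients, enforces a minimum cache TTL and never emits EDNS Client Subnet. The 10.8.0.0/24 tunnel subnet and the file paths are assumptions.

```conf
# Recursive Unbound resolver that answers only VPN clients and walks the
# delegation chain from the root servers itself (no upstream forwarder that
# could log the queries).
server:
    # Assumed VPN tunnel address and client subnet; adjust to your tunnel.
    interface: 10.8.0.1
    port: 53
    access-control: 10.8.0.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Iterate from the root hints. Fetch this file from
    # https://www.internic.net/domain/named.root and refresh it periodically.
    root-hints: "/var/lib/unbound/root.hints"
    # DNSSEC validation: authenticates answers, does not hide queries.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Only the validator and iterator modules are loaded. The subnetcache
    # module is deliberately absent, so no EDNS Client Subnet option is ever
    # added to upstream queries and client addresses stay inside the VPN.
    module-config: "validator iterator"

    # Keep answers for at least 5 minutes even if the zone's TTL is shorter,
    # so repeated lookups are served from cache and never reach the authority.
    # (This overrides the zone owner's TTL; keep the value modest.)
    cache-min-ttl: 300
    cache-max-ttl: 86400
    # Send each authority only the labels it needs (QNAME minimisation).
    qname-minimisation: yes

    # No local query log, and no identity/version disclosure to probes.
    log-queries: no
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
```

Run `unbound-checkconf` after editing, then point the VPN clients' resolver at 10.8.0.1; queries leaving the VPS toward the root and authoritative servers still carry the VPS address, which is the residual exposure the thread discusses.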