HiFi Privacy, Data, Groups ... and You May Be The Product



A few other things people can do in an attempt to achieve some level of additional privacy are below:

Configure/Enable DNS over TLS or HTTPS (i.e. Encrypted DNS). The Cloudflare DNS servers support it, as does Google (oof) and probably some others.

  • A few drawbacks to the above option

    • Reduced Internet connection download/streaming speeds. Upwards of a 50% hit while using Encrypted DNS would not be shocking to see. But if you're going to use it, it should be used 24/7/365 or it's not worth it.

    • For some, the download speed thing can be a real problem, especially if your download speeds aren't that great to begin with. But for others who have more than they will ever use in terms of connection speed, the download hit may be a non-issue (i.e. 1GB Fiber to the home, fairly light bandwidth User, etc.).

    • I suspect (I haven't taken the time to prove it yet) that using Encrypted DNS is problematic while attempting to stream music content above 24/96 from Qobuz.

But... if you can survive with the reduced Internet download speeds, I think this is a very worthwhile step to take.

Assuming you have no DNS leaks taking place, you can confirm the above is working by setting up a "Port mirror" on your Firewall's Outside Interface (I'll assume the person has such an option). From there you can watch all traffic leaving your network with Wireshark to confirm that you no longer see any clear-text Internet URLs being shown over unencrypted DNS Port 53.

You should also block all destination Internet URLs that are not using Port 443/HTTPS, but this can be problematic at times.

Another step to consider is that you should try to take full advantage of your Network switch/Router's capabilities. If you have one that supports VLANs, you should use them. All of them if possible.

Lastly, try and group your home network usage into a few categories. Something as simple as Trusted, UnTrusted isn't a bad way to start.

You could put all the "Shady stuff" like Roku players, Robot Vacuums, Alarm Panels, Gaming Consoles, Alexas (oof), etc. on the UnTrusted VLAN.

You could then put everything else on the Trusted VLAN.

From here you could configure some Firewall rules to do something like:

Allow all Ports Outbound on the UnTrusted VLAN

Then

Allow only Ports 80/443 Outbound on the Trusted VLAN.

  • This would block all the remaining 65,533 TCP/UDP Ports from being used by "Sneaky code".

In any case, none of the above is foolproof, but it sure reduces the attack/information leak surface by quite a bit.
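The two checks from the post above (no clear-text DNS on port 53 leaving the network, and the Trusted/UnTrusted egress policy) as an added example; this is not code from the thread, from pfSense or from any of the products mentioned. It is a small Python audit over a constructed, simplified tcpdump-style capture. It assumes a capture point inside the NAT boundary so that source VLAN addresses are still visible (the post mirrors the outside interface, where they would already be translated), a hypothetical VLAN layout of 10.10.10.0/24 (Trusted) and 10.10.20.0/24 (UnTrusted), and that clients send plain DNS to their gateway, which the firewall upgrades to DoT/DoH upstream; only port 53 towards an Internet address counts as a leak.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical VLAN layout (assumption, not from the thread): one subnet per VLAN.
VLANS = {
    "trusted": ipaddress.ip_network("10.10.10.0/24"),
    "untrusted": ipaddress.ip_network("10.10.20.0/24"),
}

# Egress policy as the post describes it: UnTrusted may use any port outbound,
# Trusted only 80/443. None means "all ports".
EGRESS_POLICY = {"trusted": {80, 443}, "untrusted": None}

# RFC 1918 space, matched explicitly: ipaddress.is_private would also match
# documentation ranges such as 203.0.113.0/24, which stands in for "Internet" here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Simplified tcpdump-style line: "IP src.sport > dst.dport: UDP ..." or "...: Flags ..."
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<kind>UDP|Flags)"
)

# Constructed sample capture (not real traffic); 203.0.113.10 plays an Internet host.
SAMPLE_CAPTURE = """\
12:00:01.100 IP 10.10.10.5.51234 > 10.10.10.1.53: UDP, length 44
12:00:01.200 IP 10.10.10.5.51235 > 1.1.1.1.53: UDP, length 44
12:00:01.300 IP 10.10.10.5.51236 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.400 IP 10.10.10.5.51237 > 203.0.113.10.8080: Flags [S], seq 1, win 64240, length 0
12:00:02.100 IP 10.10.20.7.40000 > 203.0.113.10.8080: Flags [S], seq 1, win 64240, length 0
12:00:02.200 IP 10.10.20.7.40001 > 8.8.8.8.53: UDP, length 44
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int

def parse_flow(line):
    """Return a Flow for a capture line, or None if it is not a TCP/UDP packet."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = "udp" if m["kind"] == "UDP" else "tcp"
    return Flow(m["src"], m["dst"], proto, int(m["dport"]))

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

def is_dns_leak(flow):
    """Plaintext DNS to an Internet address. Port 53 to the local gateway is
    expected: that is the query the firewall upgrades to DoT/DoH upstream."""
    return flow.dport == 53 and not is_local(flow.dst)

def egress_decision(flow):
    """'local' for intra-network traffic, else 'allow'/'deny' per the VLAN policy."""
    if is_local(flow.dst):
        return "local"
    vlan = vlan_of(flow.src)
    if vlan is None:
        return "deny"  # unknown source VLAN: default deny
    allowed = EGRESS_POLICY[vlan]
    return "allow" if allowed is None or flow.dport in allowed else "deny"

def audit(capture_text):
    """Run both checks over a capture; returns the leaking and the policy-denied flows."""
    leaks, denied = [], []
    for line in capture_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        if is_dns_leak(flow):
            leaks.append(flow)
        if egress_decision(flow) == "deny":
            denied.append(flow)
    return {"leaks": leaks, "denied": denied}

if __name__ == "__main__":
    result = audit(SAMPLE_CAPTURE)
    for f in result["leaks"]:
        print(f"DNS LEAK  {f.src} -> {f.dst}:{f.dport}/{f.proto} (VLAN {vlan_of(f.src)})")
    for f in result["denied"]:
        print(f"DENIED    {f.src} -> {f.dst}:{f.dport}/{f.proto} (VLAN {vlan_of(f.src)})")
```

Run against the sample, the Trusted host's query to 1.1.1.1:53 is both a leak and a policy violation, while the UnTrusted device's query to 8.8.8.8:53 is a leak that the "allow all ports" rule lets straight out. That second case is why the post's later description of the firewall intercepting regular port 53 queries and forcing them over Encrypted DNS matters for the UnTrusted VLAN, and the mirror-port check is how you confirm the interception actually took effect.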

2 minutes ago, The Computer Audiophile said:

If DNS only slows down your internet, something is wrong. 
 

DNS queries to CloudFlare do nothing to my speed. Given CloudFlare’s footprint, I could see them even speed up some queries. However, once the query is made and the response received, CloudFlare secure DNS is no longer involved in the connection. 

Can I assume you are already using Encrypted DNS and saw no speed hit after turning it on? If so, then I guess some people luck out and possibly have an ISP provider with more robust equipment in the chain.

 

I won't clutter up the thread listing out all of my equipment in use, but I wouldn't disagree that something might be wrong; I'm pretty confident it's not on my end, though (at least not from the street to my Internal Network).

 

4 hours ago, Currawong said:

Are you sure you're only doing DNS with them, and not using their full WARP product which sends even the data through their systems (like a VPN does)?

Yes, I am only pointing my Firewall to their two DNS servers. No product/services were purchased from Cloudflare on my part.

 

I've used Google in the past for the same thing and Google was slower.

21 hours ago, AudioDoctor said:

 

That's really odd, who is your service provider?

Hello,

 

ISP previously was Comcast (200mb) and now it's Stratus IQ (300mb). I thought it may just be a Comcast thing because they are terrible in general, but with Stratus IQ the same hit to download speeds remains. Both were coax cable-based hookups, with no Fiber options for me unfortunately.

 

I'm not too concerned with it really. I just figured I would mention the potential of seeing a hit to download speeds while using EDNS if someone wanted to give it a try. I think the increase in security is well worth any reduction in download speeds though. I still have plenty of bandwidth for all of my purposes while using EDNS.

 

I'll be switching to Starlink by EOY so it will be interesting to see how this works using a better than average Satellite technology. I suspect I may have to turn it off altogether at that point but will see. 

 

 

1 hour ago, AudioDoctor said:

 

I am curious about your set up and how it might be affecting your speeds. If you have a spare Pi4 around you can run AdGuard Home on it and get encrypted DNS with no speed penalty like I do.

 

I think if someone twisted my arm to point to one thing on my Internal network that "may" be a potential contributing factor to my reduced download speeds while using EDNS, then I would probably point to my Linux based Router/Firewall that sits behind my Primary PFSense Firewall. The Linux box is a key component in my setup though, so removing it would be a real headache. I do realize that at some point I will have to face this headache when it gets too old to continue using it. Would my speed issues go away then? Maybe, maybe not. We'll see, I guess, when the time comes.

The Linux box handles all of the Internal Routing between Internal network VLANs and is also the Primary "initial" Firewall that Internal network Clients hit first, before being allowed out to the Internet by way of the outermost PFSense Firewall (IOW, there is a DMZ involved here, but it shouldn't matter).

I use Linux IP Tables on that small Linux Router/Firewall for close lock down of Outbound traffic/ports. It's a very powerful technology in this regard, so I continue to use it. But with that said, it is a small Linux box with your typical small Linux appliance hardware specs (Cortex ARM Proc, 256MB RAM). Despite this, I have never seen it appear/show itself as being busy at any point. It's just the only box that I could potentially point to because it is the one with the least amount of actual compute resources compared to all the other devices in the chain.

Ultimately though, the PFSense FW is responsible for all of the EDNS configuration settings. The PFSense is just basically intercepting any regular DNS queries it might receive from Internal network Clients and forcing them to use EDNS instead. All the Internal Clients are just pointing to the Default Gateway for the VLAN they are located on as their Primary DNS Server. This ultimately just points to that small Linux Router previously mentioned. So from the Clients' standpoint, the small Linux box is their Primary DNS Server.

But with all that said, the Linux box does have 1Gb Interfaces across the board, and in theory once my DNS query is resolved to an Internet URL and a download is initiated, it shouldn't be a limiting factor. Web pages load quickly as you would expect. It's just during various Download Speed tests that I can see I'm not getting my full ISP advertised bandwidth. If I didn't check there I wouldn't know any better because I'm not really a heavy Internet bandwidth user.

On 2/14/2024 at 9:52 PM, AudioDoctor said:

@cjf This might sound silly, however occasionally I have to reboot my PFSense appliance because for some reason it will slow down my internet after a while. I have it set to do this automatically on Saturday night now. Have you tried this?

 

You can also run AdGuard directly on PFSense software/hardware too.

Hello Doc, sorry for the delay in response.

 

At the moment I do not have a weekly reboot setup on the PFSense but I agree this should be done when possible. The past week or so has been a bit special though in that the power company is screwing around with something on the block resulting in power loss at least once a day. So, as a side effect, the PFSense has been rebooted a few times.

 

No difference to report in regards to download speeds though.
