
HiFi Privacy, Data, Groups ... and You May Be The Product



2 minutes ago, The Computer Audiophile said:

If DNS only slows down your internet, something is wrong. 
 

DNS queries to CloudFlare do nothing to my speed. Given CloudFlare’s footprint, I could see them even speed up some queries. However, once the query is made and the response received, CloudFlare secure DNS is no longer involved in the connection. 

Can I assume you are already using Encrypted DNS and saw no speed hit after turning it on? If so, then I guess some people luck out and possibly have an ISP provider with more robust equipment in the chain.

 

I won't clutter up the thread listing out all of my equipment in use, but I wouldn't disagree that something might be wrong; I'm pretty confident it's not on my end (at least not from the street to my Internal Network).

 

19 hours ago, cjf said:

Tell that to Cloudflare. I've not seen or heard of an encryption method that is not also resource intensive for both ends of the pipe.

 

I guess you found one that isn't

Are you sure you're only doing DNS with them, and not using their full WARP product which sends even the data through their systems (like a VPN does)?

3 hours ago, AudioDoctor said:

With cloudflare encrypted DNS and this is the best that can be expected from Comcast on my network.

 

 

 


 

That is good for COMCRAP. If you rent their equipment, it is also 2 gens behind. Their wireless router will also be a public access point for other Comcast customers, that are traveling. Hence why I don't use their equipment (except the TV box).

Current:  Daphile on an AMD A10-9500 with 16 GB RAM

DAC - TEAC UD-501 DAC 

Pre-amp - Rotel RC-1590

Amplification - Benchmark AHB2 amplifier

Speakers - Revel M126Be with 2 REL 7/ti subwoofers

Cables - Tara Labs RSC Reference and Blue Jean Cable Balanced Interconnects

29 minutes ago, botrytis said:

 

That is good for COMCRAP. If you rent their equipment, it is also 2 gens behind. Their wireless router will also be a public access point for other Comcast customers, that are traveling. Hence why I don't use their equipment (except the TV box).

 

I have their modem/router in bridge mode at the moment, however I am considering going back to a UniFi dream machine as my router and if I do, I will get the UniFi Cable Modem as well.

No electron left behind.

33 minutes ago, AudioDoctor said:

 

I have their modem/router in bridge mode at the moment, however I am considering going back to a UniFi dream machine as my router and if I do, I will get the UniFi Cable Modem as well.

 

Well, they only allow specific hardware, what you can buy, and it is not many choices and getting smaller. Too monopolistic for my taste, but they are the only game in town around me.


55 minutes ago, botrytis said:

 

Well, they only allow specific hardware, what you can buy, and it is not many choices and getting smaller. Too monopolistic for my taste, but they are the only game in town around me.

 

I can't find it on their website at the moment, but Comcast business and home are two of the listed vendors that are compatible with it. Or were.

 

edit: Here it is, I must have been on a wrong site:  https://store.ui.com/us/en/pro/category/accessories-internet-solutions/products/uci


4 hours ago, Currawong said:

Are you sure you're only doing DNS with them, and not using their full WARP product which sends even the data through their systems (like a VPN does)?

Yes, I am only pointing my Firewall to their two DNS servers. No product/services were purchased from Cloudflare on my part.

 

I've used Google in the past for the same thing and Google was slower.

59 minutes ago, cjf said:

Yes, I am only pointing my Firewall to their two DNS servers. No product/services were purchased from Cloudflare on my part.

 

I've used Google in the past for the same thing and Google was slower.

 

That's really odd, who is your service provider?


21 hours ago, AudioDoctor said:

 

That's really odd, who is your service provider?

Hello,

 

ISP previously was Comcast (200mb) and now it's Stratus IQ (300mb). I thought it may just be a Comcast thing because they are terrible in general, but with Stratus IQ the same hit to download speeds remains. Both were a coax Cable based hookup and no Fiber options for me unfortunately.

 

I'm not too concerned with it really. I just figured I would mention the potential of seeing a hit to download speeds while using EDNS if someone wanted to give it a try. I think the increase in security is well worth any reduction in download speeds though. I still have plenty of bandwidth for all of my purposes while using EDNS.

 

I'll be switching to Starlink by EOY so it will be interesting to see how this works using a better than average Satellite technology. I suspect I may have to turn it off altogether at that point but will see. 

 

 

54 minutes ago, cjf said:

Hello,

 

ISP previously was Comcast (200mb) and now it's Stratus IQ (300mb). I thought it may just be a Comcast thing because they are terrible in general, but with Stratus IQ the same hit to download speeds remains. Both were a coax Cable based hookup and no Fiber options for me unfortunately.

 

I'm not too concerned with it really. I just figured I would mention the potential of seeing a hit to download speeds while using EDNS if someone wanted to give it a try. I think the increase in security is well worth any reduction in download speeds though. I still have plenty of bandwidth for all of my purposes while using EDNS.

 

I'll be switching to Starlink by EOY so it will be interesting to see how this works using a better than average Satellite technology. I suspect I may have to turn it off altogether at that point but will see. 

 

 

 

I am curious about your setup and how it might be affecting your speeds. If you have a spare Pi4 around you can run AdGuard Home on it and get encrypted DNS with no speed penalty like I do.


1 hour ago, AudioDoctor said:

 

I am curious about your setup and how it might be affecting your speeds. If you have a spare Pi4 around you can run AdGuard Home on it and get encrypted DNS with no speed penalty like I do.

 

I think if someone twisted my arm to point to one thing on my Internal network that "may" be a potential contributing factor to my reduced download speeds while using EDNS then I would probably point to my Linux based Router/Firewall that sits behind my Primary PFSense Firewall. The Linux box is a key component in my setup though so removing it would be a real headache. I do realize though that at some point I will have to face this headache when it gets too old to continue using it. Would my speed issues go away then? Maybe, maybe not. Will see I guess when the time comes.

 

The Linux box handles all of the Internal Routing between Internal network VLANS and is also the Primary "initial" Firewall that Internal network Clients hit first, before being allowed out to the Internet by way of the outer most PFSense Firewall (IOW, there is a DMZ involved here but it shouldn't matter).

 

I use Linux iptables on that small Linux Router/Firewall for close lock down of Outbound traffic/ports. It's a very powerful technology in this regard so I continue to use it. But with that said, it is a small Linux box with your typical small Linux appliance hardware specs (Cortex ARM Proc, 256MB RAM). Despite this though, I have never seen it appear/show itself as being busy at any point. It's just the only box that I could potentially point to because it is the one with the least amount of actual compute resources compared to all the other devices in the chain.

 

Ultimately though, the PFSense FW is responsible for all of the EDNS configuration settings. The PFSense is just basically intercepting any regular DNS queries it might receive from Internal network Clients and forces them to use EDNS instead. All the Internal Clients are just pointing to the Default Gateway for the VLAN they are located on as their Primary DNS Server. This ultimately just points to that small Linux Router previously mentioned. So from the Clients standpoint, the small Linux box is their Primary DNS Server.

 

But with all that said, the Linux box does have 1Gb Interfaces across the board and in theory once my DNS query is resolved to an Internet URL and a download is initiated, it shouldn't be a limiting factor. Web pages load quickly as you would expect. It's just during various Download Speed tests where I can see that I'm not getting my full ISP advertised bandwidth. If I didn't check there I wouldn't know any better because I'm not really a heavy Internet bandwidth user.


@cjf This might sound silly, however occasionally I have to reboot my PFSense appliance because for some reason it will slow down my internet after a while. I have it set to do this automatically on Saturday night now. Have you tried this?

 

You can also run AdGuard directly on PFSense software/hardware too.


10 minutes ago, DuckToller said:

Anyone facing problems with Ubiquiti Edge OS routers recently?

https://www.securityweek.com/fbi-dismantles-ubiquiti-router-botnet-controlled-by-russian-cyberspies/

 

 

Wow. People still leave the defaults in place 😳
 

“cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords.”

Founder of Audiophile Style | My Audio Systems

32 minutes ago, The Computer Audiophile said:

 

You're correct Tom. Kind of crazy, especially because the Ubiquiti Edge equipment isn't something for the un-savvy consumer market.

 

With many of the ISP-provided equipment it is hard to change the password. 

 

I always change them - first thing.


On 2/9/2024 at 7:10 AM, The Computer Audiophile said:

I will also add, my Samsung Frame TV phones home constantly. When I look at the Pi-Hole logs, every second it's communicating with the mothership. Now that Samsung owns Roon, I'm a bit more concerned than when Roon was owned by a few guys who loved music. 

 

Chris, I have seen something similar with Naim Audio and I am concerned enough to take some action to mitigate.

 

Have Naim Audio Uniti Atom Headphone Edition & MuSo 2 soundbar - they phone home, or more specifically to Google via URL "connectivitycheck.gstatic.com" every few seconds and an IP address that I found out by using "WhoIs" called "Internet Assigned Numbers Authority (IANA)". Not sure why a soundbar and all in one streamer/DAC/headphone amp connected to my Focal Utopia 2022 headphones need to constantly contact Google 🤷‍♂️.

 

Years ago got rid of my ISP modem/router and now use a FireWalla Gold connected straight to the FTTP connection from my Telco.

 

FireWalla was created by some ex-Cisco engineers; what I like is that they have created a rich interface which allows me to identify the flows in my home network by device, along with inbuilt links to WhoIS, Cisco Talos, and other tools to identify. This allows me to place anything into a block list [by device, group, or whole LAN] for outbound traffic.

 

Naim Audio is by far the largest source of outbound traffic: of the nearly 90% blocked outbound traffic, approximately half is Naim Audio related. As a result of all this unnecessary phoning home, I block the ability of both Naim Audio devices for all outbound/inbound internet traffic. This does not affect their ability to play music as I use Roon [and I also have concerns about the increased outbound traffic by Roon, especially in the last couple of years]. The only nuisance is that if I want to apply software updates to either Naim Audio product then I must temporarily allow internet access for them or use USB to apply software updates.

 

90% blocked outbound traffic leaves only 10% that is really needed for me to use the internet.

I find that ratio astounding.

 

For DNS across a range of devices I use a mix of:

1. Apple Private Relay

2. DNS over HTTPS

3. Unbound [validating, recursive, caching DNS resolver installed locally on my FireWalla Gold].

 

By utilising different DNS methods across a range of devices on my network I hope to minimise the amount that gets collected, and whatever does get collected will then at least be inaccurate.

 

IoT devices get allocated to a guest VLAN on my WiFi 6 mesh so do not see my main network.

I could do better regarding IoT devices by putting them on another VLAN created by the FireWalla Gold, then I would have more visibility to see what is happening for them, but I prefer more of a brick wall approach for these devices so they do not see my main LAN and accept information such as home air quality could be being delivered to more than just the manufacturer of my air purifiers. 

 

Another thing which astounds me is the rapid change in people's attitudes regarding privacy.

As an example, here in Australia in the late 1980's [?] the federal government proposed an Australia Card which met very strong opposition due to privacy concerns. Yet by the early 2000's we were knowingly giving our information to technology companies like Google et al, all in return for a search engine and maps. All in the space of 15 to 20 years, about half a generation, there was a complete turnaround in people's thoughts about privacy.

 

It is not like I have anything to hide [OK, my favourite female vocalists are Shelby Lynne and Melody Gardot], I am quite boring; what I find about all this encroachment on people's privacy is that it just feels creepy and unnecessary, along with increasing risk. I wonder what real benefit we the people - as opposed to we the product - actually receive.

 


Speaker : iPhone 6S Plus > UpTone Audio USB Regen (x2) > Benchmark DAC1 Pre > Pass Labs INT-30A > Focal Micro Utopia BE

Headphone : Auralic Aries > Auralic Gemini 2000 > Audeze LCD-X

Power & Tweaks : Heaps of Balanced & Isolation Power supplies, Dedicated Line, Vinnie Rossi MINI PURE-DC-4EVR, HD-Plex LPSU, iFi Audio DC iPurifiers, DIY Resonance/Vibration platforms using Townshend Audio Seismic Isolation Pods
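The "phones home every few seconds" pattern described in the two posts above (the Samsung TV in the Pi-hole logs, the Naim devices hitting connectivitycheck.gstatic.com) is easy to pull out of a resolver log automatically. The script below is an added example, not code from the thread or from Pi-hole; it parses dnsmasq-style query lines (the format Pi-hole logs in) and flags client/domain pairs that are queried at a steady short interval. The log lines, client addresses and thresholds are constructed for the example.

```python
"""Flag devices that query the same name at a constant short interval.

Added example (not from the thread). Input is dnsmasq/Pi-hole style
"query[...] <name> from <client>" lines; output is the client/domain
pairs whose median inter-query gap is short enough to look like a
phone-home loop rather than normal browsing.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in dnsmasq syntax (what Pi-hole writes to pihole.log).
SAMPLE_LOG = """\
Feb 14 21:00:00 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.20.31
Feb 14 21:00:04 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.20.31
Feb 14 21:00:08 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.20.31
Feb 14 21:00:12 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.20.31
Feb 14 21:00:15 dnsmasq[812]: query[AAAA] audiophilestyle.com from 192.168.10.5
Feb 14 21:00:16 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.20.31
Feb 14 21:00:20 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.20.31
Feb 14 21:00:40 dnsmasq[812]: query[A] roonlabs.com from 192.168.10.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ query\[(?P<qtype>\w+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)$")


def parse_queries(text, year=2024):
    """Return [(timestamp, client, name)] for query lines; other lines are skipped.
    syslog timestamps carry no year, so one is supplied (assumed 2024 here)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["client"], m["name"]))
    return out


def phone_home_report(queries, max_interval=10.0, min_queries=4):
    """Return {(client, name): median_gap_seconds} for pairs seen at least
    min_queries times whose median gap between queries is <= max_interval."""
    times = defaultdict(list)
    for ts, client, name in queries:
        times[(client, name)].append(ts)
    report = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_queries:
            continue
        ts_list.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:]))
        median = gaps[len(gaps) // 2]  # upper median; enough for a rate heuristic
        if median <= max_interval:
            report[key] = median
    return report
```

On the constructed sample only 192.168.20.31 is reported (six queries for connectivitycheck.gstatic.com, median gap 4 s); the two ordinary lookups from 192.168.10.5 are left alone.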

On 2/14/2024 at 9:52 PM, AudioDoctor said:

@cjf This might sound silly, however occasionally I have to reboot my PFSense appliance because for some reason it will slow down my internet after a while. I have it set to do this automatically on Saturday night now. Have you tried this?

 

You can also run AdGuard directly on PFSense software/hardware too.

Hello Doc, sorry for the delay in response.

 

At the moment I do not have a weekly reboot setup on the PFSense but I agree this should be done when possible. The past week or so has been a bit special though in that the power company is screwing around with something on the block resulting in power loss at least once a day. So, as a side effect, the PFSense has been rebooted a few times.

 

No difference to report in regards to download speeds though.

 

 

1 hour ago, Allan F said:

Add to that how Facebook and Google encourage you to use them as logins so those behemoths can track your every move.

 

Yes, that is very frustrating. Most still allow a traditional sort of log in, some make you hunt for it though.

