OPNsense Forum

English Forums => General Discussion => Topic started by: User821 on September 22, 2023, 01:25:29 PM

Title: DNS over TLS setup and test final
Post by: User821 on September 22, 2023, 01:25:29 PM
Hello, is this guide correct or is something missing?
https://www.youtube.com/watch?v=MVfcK9dAvSg
(regarding the ending of video I have no idea how to do that extra step)
any additional instruction to harden security or what have you is welcomed.

So I set everything up and got a connection through Google DNS, but that stopped working after a reboot, so I changed to Quad9 and it seems to be working now (at least I can use the internet with it). Here are the settings:
_______________
9.9.9.9
853
dns.quad9.net

and

149.112.112.112
853
dns.quad9.net
________________

I did enable the log queries option and then went into the log like the video says to check it, and it seems to indicate that it is being used (after the test I disabled the log option in case it draws power etc.).

However, are there no online tests one can use to make sure this DNS over TLS is actually in effect? I tried some web addresses for this online test but they did not show that it was working, so I really only have the log file to go on for whether or not it is working. Is that enough, or should I be able to test online somehow, and if so, what page do I go to to test that everything is working correctly?
As mentioned also please instruct of any missing steps to make it work or work better.

Thanks
Title: Re: DNS over TLS setup and test final
Post by: newsense on September 22, 2023, 04:41:33 PM
You can check here

https://on.quad9.net/
Title: Re: DNS over TLS setup and test final
Post by: User821 on September 22, 2023, 05:00:06 PM
Quote from: newsense on September 22, 2023, 04:41:33 PM
You can check here

https://on.quad9.net/
Think I already did that, it says no. However in the log it reports I'm using it. So what's wrong?

edit: Actually it showed yes in the Chrome browser; however, in Firefox using a free VPN addon it shows no.
Title: Re: DNS over TLS setup and test final
Post by: newsense on September 22, 2023, 05:18:00 PM
1) Stop using "free" VPNs - there's no such thing

2) Your browser of choice will make a decent attempt to secure your DNS and keep all your data in the process - by defaulting to an encrypted DNS setting. You'll have to make sure that setting is disabled in every browser you want to obey your network's DNS settings.
Title: Re: DNS over TLS setup and test final
Post by: User821 on September 23, 2023, 08:42:47 PM
Quote from: newsense on September 22, 2023, 05:18:00 PM
1) Stop using "free" VPNs - there's no such thing

2) Your browser of choice will make a decent attempt to secure your DNS and keep all your data in the process - by defaulting to an encrypted DNS setting. You'll have to make sure that setting is disabled in every browser you want to obey your network's DNS settings.
1. It's called SetupVPN - Lifetime Free VPN and I'm using it right now. How do you mean?

2. I think Chrome might use it but not Firefox, at least not when the VPN that you say doesn't exist is enabled.
Title: Re: DNS over TLS setup and test final
Post by: hushcoden on September 25, 2023, 05:18:24 PM
Don't ever trust free VPNs, how do you think they make money to provide the service? You are the 'product' !
Title: Re: DNS over TLS setup and test final
Post by: cookiemonster on September 25, 2023, 05:33:37 PM
Quote from: newsense on September 22, 2023, 05:18:00 PM
..
2) Your browser of choice will make a decent attempt to secure your DNS and keep all your data in the process - by defaulting to an encrypted DNS setting. You'll have to make sure that setting is disabled in every browser you want to obey your network's DNS settings.
I am sorry but this is not yet the case or otherwise there would be no more need for VPNs and other methods to keep browsers' data exchanges including DNS queries encrypted.

Free VPNs discussion notwithstanding, which seems to be distracting the OP, valid points but unlikely to clarify the situation.
Note: I haven't clicked on the video link, I'm going by the "However, are there no online tests one can use to make sure this DNS over TLS is actually in effect? I tried some web addresses for this online test but they did not show that it was working, so I really only have the log file to go on for whether or not it is working. Is that enough, or should I be able to test online somehow, and if so, what page do I go to to test that everything is working correctly?" question.

For brevity, to my knowledge there is no single "test" page/tool, etc. online that will be accurate in detecting if DNS queries are being encrypted.
The only way I know that you can trust is doing packet captures after you've done your setup.
Title: Re: DNS over TLS setup and test final
Post by: CJ on September 26, 2023, 04:17:11 PM
Firefox defaults to DoH, so it will not use OPNsense and therefore DoT for resolution unless you change the configuration or block the mozilla.cloudflare-dns.com domain. https://wiki.mozilla.org/Security/DOH-resolver-policy

As such, every test you perform in FF will show Cloudflare as your DNS until you make the changes.
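The two checks raised in the last few posts (a packet capture is the only trustworthy test, and a browser doing DoH will bypass the firewall's DoT entirely) can both be read off the same capture. The script below is an added example, not code from the thread or from OPNsense: a minimal Ethernet/IPv4/TCP-UDP header parser that classifies each frame as plaintext DNS (port 53), DNS over TLS (TCP 853), or a likely DoH bypass (TCP 443 to a resolver address you list). The sample frames are constructed inline with struct.pack; the WAN/LAN addresses and the DoH resolver list are placeholders, not real measurements.

```python
"""Classify captured frames as plaintext DNS, DNS over TLS, or likely DoH.

Added example (not from the forum thread or the OPNsense project). The
frames, addresses and DOH_RESOLVER_IPS below are constructed/assumed for
illustration; feed real frames from a capture to get real answers.
"""
import socket
import struct

# Assumption: addresses of DoH resolvers whose use by LAN clients you want to
# flag (for Firefox that would be whatever mozilla.cloudflare-dns.com resolves
# to for you). 192.0.2.10 is a documentation address used as a placeholder.
DOH_RESOLVER_IPS = {"192.0.2.10"}


def parse_frame(frame: bytes):
    """Return (proto, src_ip, dst_ip, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # not IPv4 over Ethernet
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return ("tcp" if proto == 6 else "udp", src, dst, sport, dport)


def classify(frame: bytes) -> str:
    """Label one frame by what it tells you about DNS privacy."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "other"
    proto, _src, dst, sport, dport = parsed
    if 53 in (sport, dport):
        return "plaintext-dns"           # a leak: visible to anyone on the path
    if proto == "tcp" and dport == 853:
        return "dot"                     # what the forwarders in the thread use
    if proto == "tcp" and dport == 443 and dst in DOH_RESOLVER_IPS:
        return "doh-bypass"              # browser talking to its own resolver
    return "other"


def summarize(frames):
    """Count frames per label; a clean DoT setup shows only 'dot' and 'other'."""
    counts = {}
    for frame in frames:
        label = classify(frame)
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_frame(proto, src, dst, sport, dport) -> bytes:
    """Construct a minimal Ethernet+IPv4+TCP/UDP header (no payload, zero checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    pnum, l4_len = (6, 20) if proto == "tcp" else (17, 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, pnum, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    if proto == "tcp":
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, l4_len, 0)
    return eth + ip + l4


# Constructed sample capture (assumed addresses): 203.0.113.5 stands in for
# the firewall's WAN address, 192.168.1.20 for a LAN client. The two 853
# flows go to the Quad9 forwarders from the original post.
SAMPLE_FRAMES = [
    build_frame("tcp", "203.0.113.5", "9.9.9.9", 51000, 853),
    build_frame("tcp", "203.0.113.5", "149.112.112.112", 51001, 853),
    build_frame("udp", "203.0.113.5", "8.8.8.8", 51002, 53),
    build_frame("tcp", "192.168.1.20", "192.0.2.10", 51003, 443),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

To apply this to real traffic, capture on the WAN interface with the GUI packet capture or `tcpdump -ni <wan> 'port 53 or port 853'` from the shell: after a working DoT setup, the firewall should show only TCP 853 to the forwarders you configured and no outbound port 53 at all. Capturing on the LAN side with `port 53 or port 443` is how you see which clients are still asking the firewall (good) versus a browser talking directly to a DoH resolver (the Firefox case above).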
Title: Re: DNS over TLS setup and test final
Post by: newsense on September 26, 2023, 06:32:39 PM
Quote from: cookiemonster on September 25, 2023, 05:33:37 PM
Quote from: newsense on September 22, 2023, 05:18:00 PM
..
2) Your browser of choice will make a decent attempt to secure your DNS and keep all your data in the process - by defaulting to an encrypted DNS setting. You'll have to make sure that setting is disabled in every browser you want to obey your network's DNS settings.

For brevity, to my knowledge there is no single "test" page/tool, etc. online that will be accurate in detecting if DNS queries are being encrypted.
The only way I know that you can trust is doing packet captures after you've done your setup.


These have been available for years:

https://www.cloudflare.com/ssl/encrypted-sni/

https://1.1.1.1/help
Title: Re: DNS over TLS setup and test final
Post by: cookiemonster on September 26, 2023, 11:05:00 PM
They have indeed, but for instance if you have two DoT servers (more than one), then if your testing browser session picks up their server it will say OK. Otherwise it will say Not OK for encrypted DNS. It should work with any but doesn't. 1.1.1.1 definitely does that. My packet capture tells me for sure it does. Using FF, however.