Cable TPIA's out in Ontario - Page 2 - Canadian TV, Computing and Home Theatre Forums


post #16 of 20 (permalink) Old 2019-08-16, 07:53 PM
Veteran
 
Join Date: Jun 2011
Location: 43° N, 81.2° W
Posts: 8,121
I am looking at it from the perspective of Google already slurping too much personal information into their galactic database and just trying to eliminate some of it by reducing the use of their services when possible. I'm well aware that I cannot eliminate Google's snooping entirely due to some of the Google devices and services I do use.

If I were really concerned about privacy then I would use the DNS servers available from a proxy service provider. None of them showed up in the DNSBench server list so I would have some concerns about their reliability and speed, as well as the higher profile using their servers might create.

If I were concerned about rogue sites and malware, I would use a server provided by a company that provides DNS servers specifically designed for that purpose. As it is, I'd rather avoid DNS services that block or redirect DNS requests. That function is already provided by my AV software.

I ran DNSBench to see what servers are currently performing well. A few things have changed. Google's servers no longer are anywhere near the top of the list. Previously they were. As in several previous tests, several OpenDNS servers performed well and it's a fairly well respected service, though it looks like it has new owners. Several Toronto based ISPs, including Rogers, showed up near the top of the list as well. I assume that's due to their proximity.
ExDilbert is offline  
post #17 of 20 (permalink) Old 2019-08-16, 09:24 PM
Veteran
 
Join Date: May 2009
Location: Mississauga
Posts: 7,941
Quote:
If I were really concerned about privacy then I would use the DNS servers available from a proxy service provider. None of them showed up in the DNSBench server list so I would have some concerns about their reliability and speed, as well as the higher profile using their servers might create.
I run pfSense for my firewall. It has a DNS resolver, which goes right to the root DNS servers, bypassing Google, etc.
Gentleman and rapideye95 like this.

I haven't lost my mind. It's around here...somewhere...
JamesK is online now  
post #18 of 20 (permalink) Old 2019-08-22, 06:55 PM
Rookie
 
Join Date: Jan 2014
Location: Mississauga
Posts: 4
DNSBench does not tell the whole story due to use of RRL or response-rate-limiting, which is a common feature in BIND DNS servers that most techs simply don't know anything about. Most DNS servers should be using this feature to varying degrees, which has a huge impact, negatively or positively, by its configuration. In fact, the configuration of the DNS server alone is the most important factor impacting the performance of a public recursive DNS resolver. You could use DNSBench, which is great software for determining a fast record response and latency of a server from the public side, but the real-world behaviour will vary once you give it a real load from a network, and this is due to the default and custom configured server in relation to total inbound recursive requests plus caching policy of that server. A lot of applications make many unneeded and identical hostname requests and distribute that load across multiple UDP ports, which I believe DNSBench does not account for, but the server would begin to block in many cases where the DNSBench application would only detect that as a latency spike or delayed response, but in reality the server could be dropping the request without a response.

In relation to preventing malware, DNS is the most resource-friendly way to eliminate known malware threats that I've ever come across other than at a security-enabled firewall. AV is only effective if each endpoint is up-to-date and if the AV provider uses blacklists that are up-to-date as well. This means each endpoint has to be managed against the blacklist independently or from the central AV management server. Using the AV method to redirect only mitigates threats at the endpoint which needs to be done x amount of times over and over, where x is the amount of computers that need to connect to the internet. Even if the DNS responds quickly, the endpoint would slow the perceived speed of the internet to the user.

You are correct about the proximity argument. That is true. You can use DNSBench to help isolate the close servers vs the farther ones.

Regarding your second paragraph where you prefaced with "If I were really concerned about privacy". I'm confused because I thought that privacy was your initial concern, which spawned my initial response. I was trying to debunk that notion of privacy that I used to believe myself until I started to run my own public server to see the logs myself.

Regarding Google being able to snoop your data across multiple devices and what not...I am not sure if I mentioned Google apart from their DNS services...not sure if this even comes into play. Regarding their market dominance, though, I'm with you...They are too big and/or I share similar sentiments.

Regarding OpenDNS...they are no different than Google. They collect data. Regarding OpenDNS's performance...I have mixed experiences deploying their DNS in years past depending on the ISP deployed on location. They are a great choice as well, especially if you pay for additional features.
rapideye95 is offline  
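
A simplified model of the response-rate-limiting behaviour described in post #18, added here as an illustration; it is not code from any poster and not BIND's implementation. The bucket key (client /24 plus query name), the limit of 5 responses per second and the constructed traffic timings are assumptions chosen for the demonstration.

```python
import ipaddress

class ResponseRateLimiter:
    """Token bucket per (client /24, query name); integer math, time in ms."""

    def __init__(self, responses_per_second=5, ipv4_prefix=24):
        self.rate = responses_per_second          # assumed limit, not a BIND default
        self.capacity = responses_per_second * 1000  # milli-tokens
        self.prefix = ipv4_prefix
        self.buckets = {}                         # key -> (milli_tokens, last_ms)

    def _key(self, client_ip, qname):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."))

    def allow(self, client_ip, qname, now_ms):
        """Return True if the response is sent, False if it is silently dropped."""
        key = self._key(client_ip, qname)
        tokens, last = self.buckets.get(key, (self.capacity, now_ms))
        # Refill: `rate` tokens per second equals `rate` milli-tokens per ms.
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        sent = tokens >= 1000
        self.buckets[key] = (tokens - 1000 if sent else tokens, now_ms)
        return sent

def replay(limiter, queries):
    """queries: iterable of (timestamp_ms, client_ip, qname) -> (answered, dropped)."""
    answered = dropped = 0
    for ts, ip, name in queries:
        if limiter.allow(ip, name, ts):
            answered += 1
        else:
            dropped += 1
    return answered, dropped

# Constructed traffic: a benchmark probing twice a second, and an
# application repeating one identical lookup every 20 ms.
def benchmark_probe():
    return [(i * 500, "192.0.2.10", "example.com") for i in range(20)]

def app_burst():
    return [(i * 20, "192.0.2.10", "example.com") for i in range(40)]

def run_demo():
    return {"benchmark": replay(ResponseRateLimiter(), benchmark_probe()),
            "burst": replay(ResponseRateLimiter(), app_burst())}

if __name__ == "__main__":
    for label, (answered, dropped) in run_demo().items():
        print(f"{label}: answered={answered} dropped={dropped}")
```

The spaced probes never touch the limit, while the burst loses most of its responses; a client that retries after a timeout would record those drops as slow answers rather than as refusals.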
 
post #19 of 20 (permalink) Old 2019-08-22, 07:09 PM
Rookie
 
Join Date: Jan 2014
Location: Mississauga
Posts: 4
Quote:
Originally Posted by JamesK View Post
I run pfSense for my firewall. It has a DNS resolver, which goes right to the root DNS servers, bypassing Google, etc.
pfSense is great. I took an old Nortel Contivity Firewall in 2012 one time and overwrote the firmware with pfSense...it was a fruitful and beneficial experience for the corporation, because it was able to work in a fanless appliance instead of having to load it up in a desktop or laptop. The server room was a tiny poorly ventilated closet...

It's a great way to manage DNS with a GUI on the cheap. I really like the versatility of pfSense also. I might use it again one day. Many features work very well, in many cases better than firewalls that cost anywhere between hundreds to tens of thousands of dollars.
rapideye95 is offline  
post #20 of 20 (permalink) Old 2019-08-22, 09:43 PM
Veteran
 
Join Date: Jun 2011
Location: 43° N, 81.2° W
Posts: 8,121
Quote:
Regarding your second paragraph where you prefaced with "If I were really concerned about privacy".
I said "really concerned" as opposed to just concerned. Maybe I should have said, "If I were really paranoid about privacy".

I ran pfSense for a few months then switched to OPNSense due to some issues with pfSense. OPNSense is a fork of pfSense and therefore very similar but seems to be a little more focused on stability rather than adding new features. I've never had an issue with OPNSense. I'm running it on a lightweight PC which has more than enough power and resources. I already had most of the parts so it was cheaper than buying a consumer router.

These days, it looks like a good platform for pfSense or OPNSense is one of the Intel J1900 based mini PCs made to run pfSense. They have 4 gigabit LAN ports built in and can be configured with various hard drive and RAM options as needed. They aren't really cheap but are much less expensive than most preconfigured business routers.

The AV solution I use is very comprehensive and is updated regularly. It blocks questionable sites and scans all content for embedded malware. I'm not saying that DNS blocking or redirection is any better or worse, just that it is redundant for the most part. Both ways add false positives and I don't want to compound that issue.
ExDilbert is offline  