Note that your ISP can see/log your internet history regardless of which DNS server you use (unless of course you use a VPN/Tor).
So be aware that using a DNS server other than your ISP-provided one will result in giving your DNS lookups to yet another third party (the public DNS provider) without gaining an advantage. It might actually decrease privacy.
Therefore, in my opinion, it only makes sense to do this if for whatever reason you distrust your ISP to mess with your DNS lookups (censoring etc.).
> Note that your ISP can see/log your internet history regardless of which DNS server you use (unless of course you use a VPN/Tor).
Not if you use DNSCrypt, which is mentioned in TFA and quite easy to install. It also can't be MITMed.
If you're using a VPN you can also fail to use DNS over VPN.
The article is furthermore rather specific about using a load of extensions (which is profilable); it suggests 1Password, which is expensive (open-source alternatives are available, also cheaper alternatives); it suggests WiFi Spoofing, which is 20 USD on the App Store (free tools are available in Homebrew and /sbin/ifconfig); it suggests some unknown VPN called Mullvad VPN which 'claims' it doesn't log (you never know that for sure). In short, it reads like an advertisement without going into specifics about the competition. I, for one, would recommend ProtonVPN because of Secure Core and a wide array of VPN endpoints throughout the world. But I would not say I am an expert on ProtonVPN's competition. Then it goes on: "By the way, should you be doing torrents, use qBittorrent." Why? Why not Transmission? Why not WebTorrent? Why not rtorrent? Etc. Why not use Usenet/NZBs? If you're cool shelling out 20 USD for a MAC spoofer and paying for 1Password, why not also consider paying for a Usenet provider?
That's not correct; DNSCrypt protects against man-in-the-middle attacks, meaning your DNS requests cannot be manipulated.
However, it does not provide end-to-end encryption.
"DNSCurve uses high-speed high-security elliptic-curve cryptography to drastically improve every dimension of DNS security:
Confidentiality: DNS requests and responses today are completely unencrypted and are broadcast to any attacker who cares to look. DNSCurve encrypts all DNS packets.
Integrity: DNS today uses "UDP source-port randomization" and "TXID randomization" to create some speed bumps for blind attackers, but patient attackers and sniffing attackers can easily forge DNS records. DNSCurve cryptographically authenticates all DNS responses, eliminating forged DNS packets.
Availability: DNS today has no protection against denial of service. A sniffing attacker can disable all of your DNS lookups by sending just a few forged packets per second. DNSCurve very quickly recognizes and discards forged packets, so attackers have much more trouble preventing DNS data from getting through. Protection is also needed for SMTP, HTTP, HTTPS, etc., but protecting DNS is the first step."
Your ISP will see encrypted traffic on say port 443 TCP or UDP, and that's it.
So my guess is that, for example, your DNS requests could be intercepted/re-routed to, say, another DNS server of an attacker, and DNSCrypt would not notice/protect you against this.
However, indeed your ISP would not be able to see your requests :)
I'm not sure whether it does certificate pinning or not. You don't know the security of the recursor either, and there is no E2EE between the nameserver of their domain and you. A hostile recursor could still cause DNS poisoning.
An easy way to remember is that DNSCurve protects you between client and recursor, whilst DNSSEC protects from the (cc)TLD to the name server (while also adding gigantic bloat to DNS requests).
Trust issues often occur at the first hop: LTE (SS7 for example, lol), (public) WiFi (example: hotel, train station), or plain hostile ISPs who hijack DNS requests (like Comcast has done), inject ads, or government interventions (such as during Arabic revolution). DNSCurve/DNSCrypt can protect against these attacks.
I know that the link isn't inviting at all, so here's a brief description:
In this Apple-user-oriented and Safari-and-Mail-centric guide to improving privacy, security, and speed for the Average Joe's online experience, I suggest some small tricks, extensions, applications and components for both macOS and iOS. Based on this preamble, I don't pretend to be writing the perfect guide. I just want to share what I find useful from this perspective and hope that it can be helpful to someone else. If you have better options and they are compatible with my premise I'd like to hear about them, so please share them.
Thanks, I skimmed through it all (took me 5mins) and nice work! Some of the links and guides you’re referring to are indeed very helpful.
The thing that surprised me the most, however, was your recommendation of the antivirus Bitdefender. I think that's not going to really help the average Joe but only give a false sense of security. Moreover, if I am concerned about privacy I wouldn't want to install all-seeing software that is closed source and provides no control over what is shared with the parent company (which is Russian?).
I can’t seem to find more links to the antivirus related argument (on mobile here) but in general folks on HN tend to strongly advise against using one.
In my experience, most anti-virus software is very poorly written. They don't practice safe coding methods themselves.
Moreover, even if it was well-written, because of the nature of what you’re asking the software to do, it will have full and complete access to everything on your system, and usually with significant privileges. So, that would make it a very juicy target for malware writers, if nothing else.
For non-savvy computer users, Bitdefender is the only anti-virus software I would trust, but for more savvy computer users, even Bitdefender might be more of a risk than it is worth.
So, are you computer savvy enough that you know the risks presented by even the best anti-virus software, and would be better off without it? If you are, then maybe you’re not part of the target audience for this page.
Cookie 5 and WifiSpoof look interesting, but USD 20 each is steep.
To spoof your MAC address from the terminal, this used to work (until next reboot), but haven't tried it in High Sierra (use the correct interface (en0, en1, en2)):
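Since several comments above point out that /sbin/ifconfig does the job of the paid MAC spoofer for free, here is an added example (not the commenter's omitted command, and not from the linked guide) that generates a random locally-administered unicast MAC address and applies it on macOS. It assumes the BSD-style `ifconfig <iface> ether <mac>` syntax, root privileges for the actual change, and the `airport -z` disassociate trick, which exists on macOS of the High Sierra era but may be absent on newer releases. Like the command the commenter refers to, the change does not survive a reboot.

```sh
#!/bin/sh
# Added example: random locally-administered MAC + apply it with ifconfig.
# Assumes macOS/BSD ifconfig ("ifconfig en0 ether xx:xx:...") and root.

# Generate six random bytes and turn them into a valid, non-colliding MAC:
# the first octet gets the locally-administered bit (0x02) set and the
# multicast bit (0x01) cleared, so it is a unicast address that cannot be
# mistaken for a vendor-assigned OUI.
random_mac() {
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%s' "$hex" | cut -c1-2)
    rest=$(printf '%s' "$hex" | cut -c3-12)
    first=$(( (0x$first | 0x02) & 0xFE ))
    printf '%02x%s' "$first" "$rest" | sed -e 's/../&:/g' -e 's/:$//'
}

# Sanity check used before touching the interface: six lower-case hex
# octets, unicast (bit 0 of first octet clear), locally administered
# (bit 1 set). Returns 0 when the address passes, 1 otherwise.
is_local_unicast_mac() {
    mac=$1
    h='[0-9a-f][0-9a-f]'
    case $mac in
        $h:$h:$h:$h:$h:$h) ;;
        *) return 1 ;;
    esac
    first=$(( 0x${mac%%:*} ))
    [ $(( first & 0x01 )) -eq 0 ] && [ $(( first & 0x02 )) -ne 0 ]
}

# Apply the address to an interface (en0, en1, ...). Wi-Fi interfaces on
# macOS usually reject the change while associated, hence the disassociate
# step (airport path is an assumption; ignore failure if it is missing).
spoof_mac() {
    iface=$1
    mac=$2
    if ! is_local_unicast_mac "$mac"; then
        echo "refusing to set $mac: not a locally-administered unicast MAC" >&2
        return 1
    fi
    sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -z 2>/dev/null || true
    sudo /sbin/ifconfig "$iface" ether "$mac" || return 1
    # Echo back what the kernel now reports so the change can be verified.
    /sbin/ifconfig "$iface" | awk '/ether/ { print $2 }'
}

# Usage: sh spoof-mac.sh en0
if [ $# -eq 1 ]; then
    spoof_mac "$1" "$(random_mac)"
fi
```

Only `spoof_mac` needs root; `random_mac` and `is_local_unicast_mac` can be run unprivileged to see what would be set. The locally-administered bit matters more than it looks: a random first octet with bit 0 set would be a multicast address, which the driver may refuse or which would silently break unicast delivery.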
This is a really good article. Thank you gacallea. I have read many guides of this sort, and most of them are trivial or full of general common sense stuff I already knew. This is the first guide of its type that had information that was both new and useful to me.