
> I agree that there is little gain in hiding DNS traffic from your ISP. And like you I'm wondering what the benefit of spreading around one's DNS profile should be. I think it's better to just pick the DNS provider one distrusts the least.

This assumes you trust your ISP. I know mine does metadata retention, therefore I do not trust them with my privacy. I also know mine blocks things based on a government "block list" which was implemented all in the name of stopping "serious criminals" such as pedophiles and terrorists.

However, in practice it's used for much more than that, which does not constitute any criminality (news websites such as torrentfreak.com); that's because of corruption. The Minister for Communications https://en.wikipedia.org/wiki/George_Brandis that oversaw the implementation of this system was also the Minister for Arts and had heavy ties to the movie industry. He had a lot of collusion with Village Roadshow and Sony (evident from the leaked Sony emails) on this matter.

In other parts of the world I have heard that certain ISPs collect that data for marketing purposes.

> When you set up a private VPN to tunnel your traffic through, doesn't your VPN server just become your client? Or am I missing something here?

This is why I pipe everything through a VPN, that I trust more to protect my privacy than my ISP.

My DNS requests then go through to the DNS server on my VPN's network (it's in private address space), that recurses to Cloudflare. As far as those DNS providers are concerned "someone from that provider did a lookup for something", assuming that it isn't already cached.

The reason I use a VPN provider and don't run a VPN on my own server is because that would just link back to a server that is controlled by me, this way my network traffic is mixed with unrelated customers. For times when I need strong anonymity of course I use Tor. (Just before anyone points that out).

I have found issues in the past, particularly with EDNS subnet information not being available when accessing archive.is https://news.ycombinator.com/item?id=19828317 so that's why I have mine set up like so:

https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

My network has dual-stack IPv6 so with this kind of routing https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

I believe this is the 'correct' way to ensure privacy. Essentially my network works like this:

    VLAN2 -> direct to ISP via ppp0
    VLAN3 -> through VPN via tun0

Local unbound server forwards everything into dnscrypt that first tries my VPN's DNS server, then tries to use DNSCrypt over the VPN.

Regardless of which VLAN I am on, my DNS traffic is always sent through my VPN, https://www.dnsleaktest.com/ is a great site for testing that.

I tend to use VLAN2 for things like financial, or stuff where I do not want to be anonymous or cases that require extremely low latency such as gaming. In either case DNS lookups still go through the VPN.
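The split-tunnel router described in this comment, as an added example that is not the commenter's own configuration: per-VLAN policy routing (VLAN2 via ppp0, VLAN3 via tun0), an unbound forward-zone whose upstream queries are pinned to the VPN interface, and firewall rules that redirect all client DNS to unbound and drop DNS on the ISP link so a VPN outage cannot leak lookups. Interface names, subnets, the routing table number and the resolver addresses are all assumptions.

```shell
# Added example, not the commenter's own config: per-VLAN policy routing, an
# unbound forward-zone whose upstream only leaves via the VPN, and firewall
# rules that force client DNS to unbound and block DNS on the ISP link.
# Interface names, subnets and addresses below are assumptions.
LAN2=eth0.2; LAN3=eth0.3; WAN=ppp0; VPN=tun0
NET2=192.168.2.0/24; NET3=192.168.3.0/24
VPN_TABLE=100
VPN_ADDR=10.8.0.2          # assumed: this router's address on tun0
VPN_DNS=10.8.0.1           # assumed: resolver inside the VPN's private space
DNSCRYPT=127.0.0.1@5353    # assumed: local dnscrypt-proxy listener

policy_routing_cmds() {
  # Main table defaults to ppp0 (VLAN2); table 100 defaults to tun0 (VLAN3).
  cat <<EOF
ip route replace default dev $WAN
ip route replace default dev $VPN table $VPN_TABLE
ip rule add from $NET3 lookup $VPN_TABLE
EOF
}

unbound_forward_conf() {
  # outgoing-interface pins unbound's upstream queries to the tun0 address, so
  # VLAN2 clients (routed via ppp0) still resolve through the VPN. unbound picks
  # among listed forwarders by RTT, not strictly in order; dnscrypt-proxy's own
  # upstream must also be routed via tun0 (not shown here).
  cat <<EOF
server:
    interface: 0.0.0.0
    access-control: $NET2 allow
    access-control: $NET3 allow
    outgoing-interface: $VPN_ADDR
forward-zone:
    name: "."
    forward-addr: $VPN_DNS
    forward-addr: $DNSCRYPT
EOF
}

dns_redirect_cmds() {
  # Send every client port-53 query to the local resolver, and drop any DNS
  # that would otherwise exit on the ISP link (from the router or a VLAN).
  for proto in udp tcp; do
    for lan in $LAN2 $LAN3; do
      echo "iptables -t nat -A PREROUTING -i $lan -p $proto --dport 53 -j REDIRECT --to-ports 53"
    done
    echo "iptables -A OUTPUT -o $WAN -p $proto --dport 53 -j DROP"
    echo "iptables -A FORWARD -o $WAN -p $proto --dport 53 -j DROP"
  done
}
# Apply as root: { policy_routing_cmds; dns_redirect_cmds; } | sh -e
```

Write the output of unbound_forward_conf to an unbound include file; https://www.dnsleaktest.com/ from a VLAN2 host should then show only the VPN's resolver.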

> This assumes you trust your ISP.

Yes I meant to say "there is little to gain hiding just DNS traffic from your ISP"
