39
this post was submitted on 24 Feb 2025
39 points (100.0% liked)
Privacy
34309 readers
1888 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
As others have mentioned, DNS is probably your worst enemy. It doesn't take much technical knowledge to just create a DNS server and start logging all domains you're accessing. Say, to tell mom how often you're browsing porn or something.
Manually configuring DNS servers in your OS would resolve this issue, but also using VPN like mullivad would just bypass such worries with 99% certainty.
Or just keep using mobile data, because why not
Correct me if I'm wrong but- manually configuring your DNS in the OS would still enable traffic monitoring, wouldn't it? I always thought DNS traffic is not encrypted by default.
Generally true. You would want to use DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) to be sure your DNS queries are encrypted in transit.
Technically if you have a NAT redirect rule that routes all outbound traffic on a specific port, you could redirect to port 53 on the pihole and it would be visible because the DoT/ DoH terminates at the Pi which his brother could control? VPN is still a safe bet.
You can redirect regular DNS like that, but DoH/DoT is encrypted using certificates with a chain of trust just like any other tls connection (that's kind of the whole point). It would throw security errors breaking dns resolution if you redirected the connection to your own server.
You would still be better off with a vpn wrapping the connection however as the SNI in each https connection is unencrypted and can be used to log your traffic.
That's true. Was going to setup a NAT rule to test it out but then realized that there's no way I can redirect outbound traffic on 443 to a Pi Hole on 53, lol.
I've configured my home wifi to capture all DNS regardless of its intended recipient. It's unencrypted so it's possible.
I also use encrypted DNS on my phone.
Oh, yeah you're absolutely correct. I was fixated too much on the DNS logging lol
DoH (DNS over HTTPS) or DoT (DNS over TLS) would fix that
Actually no. The SNI is still not encrypted. So every site you are visiting can still be sniffed.
This is resolved in TLS 1.3 with ECH. Adoption is still not wide though, so your concern is valid.
Was not aware ECH was actually in TLS 1.3 thanks for that. But yes it will take a long time for widespread adoption.
That merely moves it to the carrier knowing, though, right?
Nope, but OP mentioned in the post that they're sketched off from their brother who's in control of the home network