When I set up an AdGuard DNS to block ads I checked if it changes the servers with “ping google.com” and it did (IP addresses were different) so I guess it acts as a VPN? By using their servers to send my info…
DNS is the phone book that turns domain names into IP addresses. It’s like someone handed you a special yellow-pages that Google or others can’t spy on. But anyone watching the traffic on your local network can see what domains you are resolving no matter what (DNS is done in plaintext).
VPN tunnels and encrypts your entire network connection through a third-party server. Anyone on your local network cannot see your internet traffic at all, it is encrypted and looks like gobbledygook to them.
You can use both private DNS and VPN at the same time, but they are not the same thing.
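As an added illustration of the plaintext point in the comment above (this is not code from any participant in the thread): a minimal encoder for a DNS query in RFC 1035 wire format, and the query-name parser a passive observer on the LAN would run over captured UDP/53 payloads. It assumes classic unencrypted DNS on port 53, which is what the comment describes; the captured datagrams, the hostnames and the `lan_observer_view` helper are constructed for this example.

```python
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive DNS query (RFC 1035 section 4.1) for `qname`."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # Question name: length-prefixed labels, terminated by a zero octet.
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def extract_qname(payload: bytes) -> str:
    """Read the queried name straight out of a raw DNS payload, as a sniffer would."""
    if len(payload) < 12:
        raise ValueError("too short to be a DNS message")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query with a question section")
    pos, labels = 12, []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in the first question name.
            raise ValueError("compression pointer in question section")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def lan_observer_view(payloads):
    """What anyone on the local network sees: the domains, in the clear.

    Datagrams that are not DNS queries are reported rather than crashing the sniffer.
    """
    seen = []
    for p in payloads:
        try:
            seen.append(extract_qname(p))
        except (ValueError, IndexError, UnicodeDecodeError):
            seen.append("<not a DNS query>")
    return seen


# Constructed sample traffic: an A lookup, an AAAA lookup and one non-DNS datagram.
CAPTURED = [
    build_query("google.com"),
    build_query("www.reddit.com", qtype=28),
    b"\x16\x03\x01hello",
]

if __name__ == "__main__":
    for name in lan_observer_view(CAPTURED):
        print(name)
```

The names are readable directly in the bytes (`\x06google\x03com\x00`), which is the whole point: switching resolvers changes who answers, not who can watch. A resolver reached over DNS-over-TLS or DNS-over-HTTPS uses a different transport that this example does not model.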
This is basically correct, but not all VPNs use a 3rd party server.
> VPN tunnels and encrypts your entire network connection through a third-party server.
I’d bet hard cash there are more private VPNs out there run by individuals and corporations for their own privacy than there are subscribers to every commercial “privacy oriented” VPN you’ve ever seen advertised on youtube.
I run my own VPN server at home that I keep my phone connected to at all times, so I can use public wifi without concern. I run three other corporate VPNs as well, in order to allow access to different corporate networks remotely (which is what VPNs were invented to do).
> I run my own VPN server at home that I keep my phone connected to at all times, so I can use public wifi without concern.
Wild take perhaps, but you should be able to use public wifi without concern anyway. Connections to websites will use HTTPS these days, and that encryption is effectively unbreakable. Meaning your data is completely safe and not inspectable/modifiable.
At most, the router of the local free wifi place might be able to see that your phone is connecting to the webserver from Reddit, for example. But that’s (in my humble opinion) not more sensitive information, than that router seeing at exactly which IP the home connection of you as a user is located.
> I run three other corporate VPNs as well, in order to allow access to different corporate networks remotely (which is what VPNs were invented to do).
Exactly. Personally, I find this a much more interesting use case than the scare mongering “public wifi is not safe” nonsense. Such a VPN on a phone would allow me to access e.g. a personal NAS at all times, without exposing that NAS itself to the public internet.
> Wild take perhaps, but you should be able to use public wifi without concern anyway. Connections to websites will use HTTPS these days, and that encryption is effectively unbreakable. Meaning your data is completely safe and not inspectable/modifiable.
Ever heard of an SSL stripping attack? Understand the potential threat vectors if the hotspot itself is compromised or just run by a bad actor? There are good reasons to use a VPN when on an untrusted network. You certainly cannot, or rather should not, use them “without concern.”
> At most, the router of the local free wifi place might be able to see that your phone is connecting to the webserver from Reddit, for example.
No, “at most”, the hotspot you connect to is compromised and serving you compromised DNS records while performing SSL stripping and/or HTTP downgrade attacks, or even worse, installing a new root CA which will allow them to proxy every HTTPS connection you make, decrypting all traffic.
> But that’s (in my humble opinion) not more sensitive information, than that router seeing at exactly which IP the home connection of you as a user is located.
My home IP is not secret or sensitive information and is almost constantly under automated attack anyway, as are most public IPs out there, especially those belonging to consumer ISPs. I run my own firewall/router, not ISP provided garbage, and short of zero-day exploits to the FreeBSD-based firewall, there’s no way in.
So, SSL stripping, as well as HTTP downgrade attacks are only possible if:
The website in question doesn’t have HSTS (very rare, these days) or
The website in question does have HSTS, but it’s not on the preloaded list from the browser (also rare, just look at the list), AND the user hasn’t been to this particular website ever, or not in the previous months/year (however long HSTS is set).
Those exceptional conditions would need to be combined with the provider of the wifi (not a random guest, the one managing the internet access) having all the measures in place to capture the traffic in realtime, deny the https reaction, hoping the client retries via http, and then reroutes all traffic via this MitM attack.
And all of this is completely preventable by simply enabling the optional “https-only” browser setting, which forces everything via https regardless of HSTS. And if it does need to explicitly use HTTP, there will be a huge warning on screen, asking if you want to circumvent the thing you have configured to not be allowed.
> No, “at most”, the hotspot you connect to is compromised and serving you compromised DNS records while performing SSL stripping and/or HTTP downgrade attacks, or even worse,
All of this is extremely unlikely to be an actual risk, only in weird, exotic hypothetical circumstances, and even then, one browser setting gets rid of that possibility. No need for VPN.
> installing a new root CA which will allow them to proxy every HTTPS connection you make, decrypting all traffic.
Why would you even suggest this? This is not possible without admin/root access to the machine itself. This is literally a non-risk. If someone would have root/admin access to your machine, then enabling public wifi to be captured is not interesting, you can do much more effective things.
> My home IP is not secret or sensitive information and is almost constantly under automated attack anyway
I’m not saying it’s interesting, but it’s more interesting for someone who sees you at Starbucks and wants to access your data than the knowledge that you have access to the webservers of reddit and gmail.
> run my own firewall/router, not ISP provided
Good. But at the same time, your distrust of public wifi suggests that your ISP or a VPN provider (assuming most people don’t have home VPN servers) are more trustworthy than a random public wifi. They are, but not much. We have good measures like HSTS exactly because no middle network should be trusted, regardless whether it’s your ISP or public wifi.
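As an added model of the conditions the comment above lists (this is not any participant's code, nor a browser's real implementation), here is a small simulation of a browser's HSTS store per RFC 6797 and of an https-only setting, run against http:// navigations of the kind an sslstrip-style hotspot needs the client to make. The preload list, the hostnames, the `strip_succeeds` helper and the injected clock are all hypothetical and constructed for this example; the preload entries are assumed to cover subdomains, as real preload entries do.

```python
import re
import time
from typing import Callable, Dict, FrozenSet, Tuple

MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.I)
INCLUDE_SUBS = re.compile(r"includeSubDomains", re.I)


class HstsCache:
    """Simplified model of a browser's HSTS store (RFC 6797)."""

    def __init__(self, preload: FrozenSet[str] = frozenset(),
                 clock: Callable[[], float] = time.time) -> None:
        self.preload = set(preload)          # hypothetical preload list, not a browser's real one
        self.entries: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)
        self.clock = clock

    def observe_header(self, host: str, header: str, over_tls: bool) -> None:
        """Process a Strict-Transport-Security header from a response for `host`."""
        # RFC 6797 section 8.1: the header is ignored unless it arrived over a valid TLS
        # connection, so a plain-HTTP attacker can neither poison nor clear the store.
        if not over_tls:
            return
        m = MAX_AGE.search(header)
        if not m:
            return
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host, None)     # max-age=0 removes the entry
            return
        self.entries[host] = (self.clock() + max_age, bool(INCLUDE_SUBS.search(header)))

    def is_hsts_host(self, host: str) -> bool:
        """True if `host` or a covering parent is a current HSTS host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preload:
                return True                   # assumption: preload entries include subdomains
            entry = self.entries.get(candidate)
            if entry is None or entry[0] <= self.clock():
                continue                      # unknown or expired
            if i == 0 or entry[1]:
                return True
        return False

    def navigate(self, url: str, https_only: bool = False) -> str:
        """Return the URL the browser actually requests for a typed/followed `url`."""
        scheme, rest = url.split("://", 1)
        if scheme == "https":
            return url
        host = rest.split("/", 1)[0].split(":")[0]
        if https_only or self.is_hsts_host(host):
            return "https://" + rest         # internal upgrade, no plaintext request is sent
        return url


def strip_succeeds(cache: HstsCache, url: str, https_only: bool = False) -> bool:
    """A hotspot running sslstrip only gets a foothold if the client sends plain HTTP."""
    return cache.navigate(url, https_only).startswith("http://")


def demo() -> Dict[str, bool]:
    """Walk through the cases: first visit, https-only, preload, learned HSTS, expiry."""
    now = [0.0]
    cache = HstsCache(preload=frozenset({"example-bank.test"}), clock=lambda: now[0])
    r = {}
    r["first_visit_unknown"] = strip_succeeds(cache, "http://shop.test/login")
    r["first_visit_https_only"] = strip_succeeds(cache, "http://shop.test/login", https_only=True)
    r["preloaded_subdomain"] = strip_succeeds(cache, "http://login.example-bank.test/")
    # Attacker on plain HTTP tries to clear the entry: ignored by observe_header.
    cache.observe_header("shop.test", "max-age=0", over_tls=False)
    # A legitimate HTTPS visit pins the site for a year.
    cache.observe_header("shop.test", "max-age=31536000; includeSubDomains", over_tls=True)
    r["after_hsts"] = strip_succeeds(cache, "http://shop.test/login")
    r["after_hsts_subdomain"] = strip_succeeds(cache, "http://api.shop.test/")
    now[0] = 31536001.0                       # a year and a second later, nothing refreshed it
    r["after_expiry"] = strip_succeeds(cache, "http://shop.test/login")
    return r


if __name__ == "__main__":
    for case, stripped in demo().items():
        print(f"{case:24s} strip possible: {stripped}")
```

The two cases where the strip is possible are exactly the ones named above: a host the browser has never seen over HTTPS (and that is not preloaded), and one whose stored max-age has lapsed. The https-only flag short-circuits both without consulting the store.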
It may surprise you to learn that you aren’t the arbiter of what a “normal user” is.
You may also need to brush up on your reading comprehension skills as you seem to have made the assumption that I was making some sort of recommendation. So how about before you add your two cents to a conversation, you read and understand it first, in context. Just common courtesy.
> To use the obvious best browser as an example,
It may surprise you to learn that you aren’t the arbiter of what the “best browser” is.
> All of this is extremely unlikely
It may surprise you to learn that you aren’t the arbiter of acceptable levels of risk for other people.
> Why would you even suggest this? This is not possible without admin/root access to the machine itself.
Holy shit you’re not serious are you? For a little bit there I thought you might actually, kind of, a little bit, know what you’re talking about. Any captive portal system can prompt a user to install a CA and deny them internet access if they refuse. This is actually common for public wifi hotspots, ostensibly so they can scan HTTPS content for malware.
> My home IP is not secret or sensitive information and is almost constantly under automated attack anyway
> I’m not saying it’s interesting, but it’s more interesting
Well, says you, and you clearly don’t know what you’re talking about, because it’s not about “knowing” you have access to (which is pretty stupid wording, you probably meant “an account at”) reddit or gmail, but rather about hijacking that access. Something you bend over backwards to try to convince me and other readers that it is just… unlikely… but clearly not impossible.
It may also surprise you to learn that you aren’t the arbiter of what is interesting to other people.
> Good. But at the same time, your distrust of public wifi suggests that your ISP or a VPN provider (assuming most people don’t have home VPN servers) are more trustworthy than a random public wifi.
Ok so your illiteracy is showing again. My “VPN provider” is myself. And my ISP is not a public wifi ISP. They are certainly, without question, more trustworthy than a random wifi hotspot run by who knows who. For fuck’s sake dude you know you can just start a wifi hotspot of your own with your phone, right? Never mind carrying one in a laptop in a backpack or something? You have no idea what you’re connecting to when you connect to “Starbucks 5G”.
Yeah. The VPN I’ve provided and my home ISP are more trustworthy than that. Period.
> Stop spreading FUD please.
Learn what you’re talking about please, as well as how to read. There was no FUD here. After that, make an effort to understand that your personal priorities may not and often will not be the same as those of others.