Use this link to get yourself a Vultr VPS www.vultr.com/?ref=8791233 Use this link to get the little daemon T shirt (also available in long sleeve, pullover hoodie, and ladies shirts) based.win/product/little-daemon-premium-short-sleeve-t-shirt/
My limited understanding with DNS is that when one does a recursive DNS query, the queried DNS server needs to check the root server first, which eventually tells the DNS server what IP it is searching for. If this is hosted locally, only the local connection to the queried DNS server would be protected by DoH, and the DNS server making the actual query would be in plaintext still. Wouldn't it be actually worse than using a VPS, if you consider the ISP as a bad actor in the proposed threat model, since they can just read the outgoing traffic of the DNS server?
Not sure if is possible with Bind9. But I am using AdguardHome as my local DNS and I set the upstream DNS server as Cloudflare's DOH. I noticed a small hit in response times for uncached requests, but other than that. All good! So, in theory, the whole DNS request is encrypted - At least till it reaches Cloudflare. And of course, blocking trackers and other nasty stuff through DNS blocklists is a very pleasant added bonus.
The limit I see to privacy in this setup is it still depends on upstream DNS, and your private server may still be traced to you. To improve this you need your private DNS open for wider use, hence ambiguity of who is requesting a lookup.
I just break in to my neighbors house and use his computer. A few weeks ago, his wife left him due to his apparent affinity for ladyboys. I didn't know he was in to that as well. Him and I should hang out more.
I havent even watched the video yet... just logged in to give it an instant LIKE and thank you Kenny for always having our back. In a world where Governments and large Companies want to invade and completely STRIP us of everything when it comes to privacy... I truely hope for the new year 2024, a voice like your will continue be a light for us non-tech-savy to ensure that our privacy is protected and not SOLD or invaded. I wish you a happy New Year in advance🌹🤝 🌹 All the best. PS: I WISH there was a way to DM you regarding something... do hint me in the right direction if possible.
lol, hes given you more then you need. you really want to talk to him cough up the money. everyone of those situations has room for notes and messages. oooo, you just want more free? hes busy.
Important thing to note! You should not run a UDP based DNS Server publicly accessible. This can be used for DNS amplification attacks. Either move your DNS to a VPN (with headscale for example) or only allow HTTPS requests.
I think you meant DoS amplification attacks. NTP and Memcached have greater amplification but there is another problem which is it could be used for DNS cache poisoning and spoofing
There are some things it makes sense to host yourself but recursive DNS isn't one of them, you're isolating your queries to a single VPS in the cloud with no upstream anonymity. You're much better off using an on-premise DNS cache/filter like Adguard/Pihole and configuring it to use a privacy aware upstream DNS service like Quad9, over DoH of course. Route your queries over Mullvad if you're extra paranoid but that's overkill and not necessary for 99% of threat models.
putting your recursive nameserver locally will NOT solve the DNS-information leak, because at the moment still all DNS-requests done recursive nameservers are still NOT encrypted. Sadly.
So it’s the most private DNS setup, even though the DNS server can be identified as yours, it talks to other DNS servers in the clear (because that’s how top-level DNS works), and you’re the only person/family using it.
When I set up an OPNsense router, I configured the firewall to capture all NTP and DNS requests, and I configured Unbound to serve DNS and to do DNS-over-TLS to Quad9, and I configured Chrony to serve NTP and to do NTPSec to System76.
using a wildcard certificate would have been more private, especially given your DNS queries wouldn't be collected and sold, so ideally no one would know that domain even exists
The net provider can still see and log the raw IP on all the packets you send; at that point reverse DNS is a pretty trivial way to get those URL logs.
Technitium DNS is another nice option, particularly if you want a GUI. It also has adblock capabilities, and can do DNS wildcard, which is helpful for self hosted applications.
DNS Cacheing will not speed anything up since 1) Caching will occur locally on your machine anyway. No need to cache anything on another DNS server. If your computer looks up the A record for google it will not ask again until the TTL expires. or you reboot your machine. 2) Today, Most DNS records have a TTL of around 5 minutes, so you will have to ask the authoritative DNS server again anyway after the TTL expires.
Other than making your network faster does this really add anything. I mean DNS list are pubic and are used to associate URLs to IPs, using your own DNS server or someone else does not stop your ISP or anyone from seeing the IPs of the websites you are visiting and if they can see that they can do a reverse DNS search to fined what website URL you are going to. Am I right about this?
Nice Tee shirt. ;*=[} Man, this is so over my head these days.... One of the problems of being standalone solar power is that this time of year one has to run a generator to charge the batteries, and THAT presupposes having money for gas at $5.00/gallon (yes - up here in NoCal Ecotopia Earth First gas is the sale price as Anchorage or Honolulu...from what I've heard people back east pay as little as $2.50! ) [muffled sobbing in the BG] Don't even ask about food prices....OTOH, it was 50'F today....not sunny but not raining...a few days before New Year's. But don't even ask about internet - no Starlink = no real web (miraculously there's a trace of mobile which allows me to occasionally see CZcamss like this one...it makes dialup look good in retrospect!) Another message in a bottle launched into the heaving Sea of Packets....Happy Gnu Year!
Is it just Microsoft and Apple blocking your emails? I tried a few different configs with a few different cloud providers but always have trouble sending to outlook, hotmail, etc
@@MentalOutlaw Microsoft blocking all my mails. Google, apple aol, yahoo are sending me to spam. You can de-list your ip if you send a ticket to microsoft. I am using glockapps to check who is marking me as spamer.
If someone have no knowledge of online privacy/security, password and sensetive information management. Where should he start? And Do you recommend to learn how to use Linux and get rid of Windows?
Another reason this setup doesn't support ECH is the browsers that support it are very picky about which DoH servers they will allow for ECH. I tested even with a server with a real cert, with different SSL libs, and it simply will rarely if ever allow ECH on a personally owned server. They only trust certain parties for use with ECH, whether it be Chrome/Chromium or Firefox.
is there any reason for that? there may still be some advanced config change possible, or at worst case build from source with your server added. but who will do that?
@@apache937 Well, seeing as DoH is the big tech version of DoT, and no browser supports ECH with DoT either, I'm sure you can infer a pattern. A build from source with your own server trusted would do the job in theory, but like you said, aint nobody gonna do that.
if this is supposed to be for script kiddies and noobs, one only need read the comments to go completely insane. every argument sounds right. its maddening.
Před 8 měsíci
I don't understand what this is for, or how it works. You eventually need to get the data from somewhere, and you usually want the current data, so you have to regularly ask the TLD providers or the domain owners (or someone else who asked them before, like Google or Cloudflare) for that. You can cache the data for a while, but I thought, that is already been done automatically by your software (maybe the OS?), since every DNS entry has a Time To Live information. Or is this only for people who want to offer a DNS service for other people?
how much does it cost to run email and DNS off VPS ? Wouldnt want to do that with EC2 that is for sure. There is Vultr freebsd also. I moved to serverless as I dont have time to manage vps and security.,
Hi, what version of bind9 you had, I have an issue here: BIND 9.16.44-Debian (Extended Support Version) root@dns:/etc/bind# nano /etc/bind/named.conf.options /etc/bind/named.conf.options:1: unknown option 'tls' /etc/bind/named.conf.options:5: unknown option 'http' /etc/bind/named.conf.options:13: unknown option 'http-port' /etc/bind/named.conf.options:14: unknown option 'https-port' /etc/bind/named.conf.options:19: '{' expected near 'tls' Any suggestions? Thanks
Use this link to get yourself a Vultr VPS
www.vultr.com/?ref=8791233
Use this link to get the little daemon T shirt (also available in long sleeve, pullover hoodie, and ladies shirts)
based.win/product/little-daemon-premium-short-sleeve-t-shirt/
Why you say private then sellout
Do you recommend a specific VPS from vultr or elsewhere?
Got any tips for mitigating BGP attacks?
Why are you being racist towards indians?
You are so freaking racist dude, you should delete the thumbnail goofball🤡🤡
Blink 2 times if you're ok. 3 times if the NSA is holding you hostage
Don't worry he is hiding near police station
Bro is off-grid...
njp, keep posting this comment on future videos. Also ask in livestreams
It's blinking like a Christmas tree
@@Abhinav_Nayana_Sailenbro is a deep fake
Love the Windows XP style theme! Also, yet another high quality video from you, thanks for being awesome man!
Love your channel man! We need people like you who care about privacy and freedom in this crazy digital world!
naomi brockwell, louis rossmann
Merry christmas Kenny, and hopefully a happy new year :^)
Thanks merry Christmas and happy new year to you too!
Another great deepfake👏
The deepfake tech just keeps getting better
@@MentalOutlawbased indeed 🙌
What?
@@maindepth8830he is AI
is his real face
My limited understanding with DNS is that when one does a recursive DNS query, the queried DNS server needs to check the root server first, which eventually tells the DNS server what IP it is searching for. If this is hosted locally, only the local connection to the queried DNS server would be protected by DoH, and the DNS server making the actual query would be in plaintext still. Wouldn't it be actually worse than using a VPS, if you consider the ISP as a bad actor in the proposed threat model, since they can just read the outgoing traffic of the DNS server?
yes, it's worse than a VPS.
I think it's pretty silly as well
Not sure if is possible with Bind9. But I am using AdguardHome as my local DNS and I set the upstream DNS server as Cloudflare's DOH.
I noticed a small hit in response times for uncached requests, but other than that. All good!
So, in theory, the whole DNS request is encrypted - At least till it reaches Cloudflare.
And of course, blocking trackers and other nasty stuff through DNS blocklists is a very pleasant added bonus.
Yeah hosting it locally would be stupid.
I’d only host this locally if you have a script to do dns requests for random domains constantly, similar to trackmenot
The limit I see to privacy in this setup is it still depends on upstream DNS, and your private server may still be traced to you. To improve this you need your private DNS open for wider use, hence ambiguity of who is requesting a lookup.
I just break in to my neighbors house and use his computer. A few weeks ago, his wife left him due to his apparent affinity for ladyboys. I didn't know he was in to that as well. Him and I should hang out more.
his server is open and publicly available. but do you trust kenny?
I havent even watched the video yet... just logged in to give it an instant LIKE and thank you Kenny for always having our back. In a world where Governments and large Companies want to invade and completely STRIP us of everything when it comes to privacy... I truely hope for the new year 2024, a voice like your will continue be a light for us non-tech-savy to ensure that our privacy is protected and not SOLD or invaded. I wish you a happy New Year in advance🌹🤝 🌹 All the best. PS: I WISH there was a way to DM you regarding something... do hint me in the right direction if possible.
lol, hes given you more then you need. you really want to talk to him cough up the money. everyone of those situations has room for notes and messages. oooo, you just want more free? hes busy.
Not just privacy but also speed when held locally.
Add you frequently visited sites to your local hosts file for snappier surfing.
Merry TLS 1.3 Christmas Mental Outlaw and have a happy DNSSEC New Year!! :D
Important thing to note!
You should not run a UDP based DNS Server publicly accessible.
This can be used for DNS amplification attacks. Either move your DNS to a VPN (with headscale for example) or only allow HTTPS requests.
I think you meant DoS amplification attacks. NTP and Memcached have greater amplification but there is another problem which is it could be used for DNS cache poisoning and spoofing
Just learned about DNS leaks today! On an unrelated note, u should drop a tutorial on removing rogue-deepfake AIs from my walls
thank you for taking time off playing for the boston celtics to bring us this video
There are some things it makes sense to host yourself but recursive DNS isn't one of them, you're isolating your queries to a single VPS in the cloud with no upstream anonymity. You're much better off using an on-premise DNS cache/filter like Adguard/Pihole and configuring it to use a privacy aware upstream DNS service like Quad9, over DoH of course. Route your queries over Mullvad if you're extra paranoid but that's overkill and not necessary for 99% of threat models.
Pretty much. Adguard and Quad9 are exactly what i was going to mention
Really good comment! +1
putting your recursive nameserver locally will NOT solve the DNS-information leak, because at the moment still all DNS-requests done recursive nameservers are still NOT encrypted. Sadly.
So it’s the most private DNS setup, even though the DNS server can be identified as yours, it talks to other DNS servers in the clear (because that’s how top-level DNS works), and you’re the only person/family using it.
you can use his server if you want
Mental Outlaw is a white guy from Boston.
number one thing you learn about DNS in networks is that its configuration has to be by IP, otherwise you have a "Chicken first or the egg" problem
not really, as the root servers are known ahead of time, and usually hardcoded into an app, so you can do your own recursion
How do you not have a handle?
04:50 I was bloody jamming to that music. Why did it have to stop. I want to live my life with that soundtrack running.
Holy shit that thumbnail what the fuck
Man, now I feel like I see him in a different (negative) light lol
He's a frustrated mental incel.
@@omkarnaik6305his whitecel ass tryna cope in every way possible it seems
@@hydr0xx_ cry harder scammer
@@ihate4chan he is a salty chicken man
The fact that I was trying to do this on the router without any success
Doing this on a router would be interesting, might be possible with dnsmasq on OpenWRT
@@MentalOutlaw openwrt has unbound
@@MentalOutlawthis is possibile with Unbound package for OpenWRT.
When I set up an OPNsense router, I configured the firewall to capture all NTP and DNS requests, and I configured Unbound to serve DNS and to do DNS-over-TLS to Quad9, and I configured Chrony to serve NTP and to do NTPSec to System76.
Great video as always. If only DNS was real.
i didn't know jayson tatum knew about DNS servers
Care to explain the thumbnail? dark-skinned Sikh guy crying with a bindi. What exactly is it supposed to mean?
Wow, not only a full time NBA player on the best team in the league, but you run a successful hacking CZcams channel as well? Inspirational man
I love how DNS-over-https is: Doh!
using a wildcard certificate would have been more private, especially given your DNS queries wouldn't be collected and sold, so ideally no one would know that domain even exists
kenny pls make more farm and lifting videos
also pls put the libre podcast somewhere where it's easy to stream
checkout my farming channel www.youtube.com/@TheBasedFarm
@@MentalOutlaw based joel salatin
Based tech drake
I've been thinking about this lately... good timing :)
Perfect, I was planning on doing this for a few apps I wanted to deploy across a few machines
I actually wanted to do this for some time now. Perfect timing that you made that video
The net provider can still see and log the raw IP on all the packets you send; at that point reverse DNS is a pretty trivial way to get those URL logs.
Also combine it with pihole to have the ultimate DNS server
4:31 feeling the groove on that music!
@@Kuznet609 Thanks 😊!
Happy Holidays, and upcoming new year, MentalOutlaw.
Technitium DNS is another nice option, particularly if you want a GUI. It also has adblock capabilities, and can do DNS wildcard, which is helpful for self hosted applications.
One day when I finally will understand how computers work your videos will be very helpful to me. Too bad I know jackshit atm. Keep up the good work!
Hope you'll do an update when all the features you mentioned (secure hello etc) are available. Thanks
ECH is really good if you're using TLS cipher suite based virtual host.
Interesting thumbnail, especially the crying person in thr middle.
Does it refer to anyone specific?
His step-father, who is alleged to bang his mom in his full view.
This video is very timely, thanks, sir
is there a written guide?
*That thumbnail is racist and uncalled for.*
Bro what is that Indian character? Literally a mix of all the completely different stereotypes. 😂
DNS Cacheing will not speed anything up since 1) Caching will occur locally on your machine anyway. No need to cache anything on another DNS server. If your computer looks up the A record for google it will not ask again until the TTL expires. or you reboot your machine. 2) Today, Most DNS records have a TTL of around 5 minutes, so you will have to ask the authoritative DNS server again anyway after the TTL expires.
Your are best thanks for information and everything you do in the community.
Hey Kenny, how would I start my own ISP?
Other than making your network faster does this really add anything. I mean DNS list are pubic and are used to associate URLs to IPs, using your own DNS server or someone else does not stop your ISP or anyone from seeing the IPs of the websites you are visiting and if they can see that they can do a reverse DNS search to fined what website URL you are going to. Am I right about this?
😂 thumbnails are A1
Mom says we already have DNS at home.
DNS at home: /etc/hosts
Uff there is some dust on your meme but I appreciate it 😂 just like my old pentium.
20:29 Add domain to host file.
Nice Tee shirt. ;*=[}
Man, this is so over my head these days....
One of the problems of being standalone solar power is that this time of year one has to run a generator to charge the batteries, and THAT presupposes having money for gas at $5.00/gallon (yes - up here in NoCal Ecotopia Earth First gas is the sale price as Anchorage or Honolulu...from what I've heard people back east pay as little as $2.50! )
[muffled sobbing in the BG] Don't even ask about food prices....OTOH, it was 50'F today....not sunny but not raining...a few days before New Year's.
But don't even ask about internet - no Starlink = no real web (miraculously there's a trace of mobile which allows me to occasionally see CZcamss like this one...it makes dialup look good in retrospect!)
Another message in a bottle launched into the heaving Sea of Packets....Happy Gnu Year!
Mental, your are one of my favourite ytbers to love and hate at the same time. One day i will start paying proper attention to your videos teachings.
I personnaly use Technitium DNS, and I like it very much. It's an authorative/recursive DNS, and it also can block ads.
It was super annoying when Firefox ripped out ESNI support when literally nobody in the world was using ECH, hope ECH gets implemented soon
This came at the perfect time for my project
personally i don't use dns and i just memorize the ip, but this is cool!
Jason Tatum 🔥
Excellent video 👍 Thank you 💜
What software are you using for your email server?
i never knew that Jayson Tatum also teach on how to host our own dns server
btw. I have mail server on linode too and yes, it is not ok. Most of my e-mail are marked as spam.
Is it just Microsoft and Apple blocking your emails? I tried a few different configs with a few different cloud providers but always have trouble sending to outlook, hotmail, etc
@@MentalOutlaw
Microsoft blocking all my mails. Google, apple aol, yahoo are sending me to spam.
You can de-list your ip if you send a ticket to microsoft.
I am using glockapps to check who is marking me as spamer.
Have you guys set up SPF record?
@@user-dc9zo7ek5j Yes, spf dmarc dkim are in place, but they do not help against bad IP reputation.
Props for the arcade music :D
Insane thumbnail well done
good videos buddy - keep it up
Awesome! Thank you!
04:09 This looked like straight from the hacking time scene of Kung Fury (and I mean it as a positive thing). 😁
I want everything hosted locally.
Thanks drake
Voltr has offices in Israhell so it's not an option
If someone have no knowledge of online privacy/security,
password and sensetive information management.
Where should he start?
And Do you recommend to learn how to use Linux and get rid of Windows?
Real men don't need a DNS, we just go directly to the IP addy
21:45 "it's a trap!" lol
You can't add a DNS name as a DNS server, how would it know how to resolve it?
OMG...this really work
Luke Smith is not uploading on his main channel due to focusing on creatimg great deepfakes for this channel, good job Luke
The thumbnail lmaooo
Intresting! ...thanks
I host adguard home on my raspberry pi with encrypted dns it's great
おはようございます
Can I ask what server software you use for your Linode email server?....I was thinking of using Axigen, but am looking for advice. Thanks
Some questions:
Did Secure SNI got added?
If SSNI hasn't been added is it a big disadvantage, can the ISP or Big Tech your traffic without SSNI?
vps is not safe
my VPS has armed guards
thats why u buy a server >:)
Another reason this setup doesn't support ECH is the browsers that support it are very picky about which DoH servers they will allow for ECH. I tested even with a server with a real cert, with different SSL libs, and it simply will rarely if ever allow ECH on a personally owned server. They only trust certain parties for use with ECH, whether it be Chrome/Chromium or Firefox.
is there any reason for that? there may still be some advanced config change possible, or at worst case build from source with your server added. but who will do that?
@@apache937 Well, seeing as DoH is the big tech version of DoT, and no browser supports ECH with DoT either, I'm sure you can infer a pattern. A build from source with your own server trusted would do the job in theory, but like you said, aint nobody gonna do that.
Good solution, if reverse-DNS lookups are not routinely done by ISPs on general population.
I plan on this big fan 🎉🎉🎉
if this is supposed to be for script kiddies and noobs, one only need read the comments to go completely insane. every argument sounds right. its maddening.
I don't understand what this is for, or how it works. You eventually need to get the data from somewhere, and you usually want the current data, so you have to regularly ask the TLD providers or the domain owners (or someone else who asked them before, like Google or Cloudflare) for that. You can cache the data for a while, but I thought, that is already been done automatically by your software (maybe the OS?), since every DNS entry has a Time To Live information.
Or is this only for people who want to offer a DNS service for other people?
Is the host free service and is there easy way to backup with out doing it from scratch?
I don’t have much knowledge of DNS, and how the internet works in general, so my question is whats the difference between this and pihole + unbound?
Vultr Vait (Walter White)
I'm using a raspi with pihole and unbound... Don't think it's encrypted tho but I definitely am more secure
how much does it cost to run email and DNS off VPS ? Wouldnt want to do that with EC2 that is for sure. There is Vultr freebsd also. I moved to serverless as I dont have time to manage vps and security.,
awesome vid
Hi, what version of bind9 you had, I have an issue here:
BIND 9.16.44-Debian (Extended Support Version)
root@dns:/etc/bind# nano /etc/bind/named.conf.options
/etc/bind/named.conf.options:1: unknown option 'tls'
/etc/bind/named.conf.options:5: unknown option 'http'
/etc/bind/named.conf.options:13: unknown option 'http-port'
/etc/bind/named.conf.options:14: unknown option 'https-port'
/etc/bind/named.conf.options:19: '{' expected near 'tls'
Any suggestions?
Thanks
Huh? But root hints and forwarders.... The DNS all originates from authoritative (corporate/government) sources.
fire 🗿
Always done something like this, DOT or DOH at least.