Question about DNS, VPN and routers...

dogfonos

Well-known Member
I'm looking at adding a DNS or VPN to my home PC setup purely for privacy/security reasons. Having read a few articles on DNS's and VPN's, there's one aspect (at least!) that I still don't understand: isn't it the router that determines what DNS server my PC connects to? How come there's any point adding a VPN to a PC or changing the DNS server address on a PC Ethernet card?

As a test, I just changed my PC's server address settings to use Quad9 but my router DNS server settings can't be changed. Obviously, I'm missing something. Would someone kindly explain, thanks.
 

EndlessWaves

Distinguished Member
DNS is the service that translates textual domain names (avforums.com) to actual internet address (IP addresses, 104.25.232.4).

So you send a request to the server of the DNS service asking what IP an address corresponds to so you can then connect to that IP address and communicate with the server to do what you want (e.g. request a web page).

The normal home setup is to have the router request the DNS server details from the ISP and then distribute them to computers via DHCP. The lookup is then done by the computer contacting the DNS server directly, rather than the computer requesting the router does it.

VPN is a way of encrypting traffic between your home network and another network across the internet, it's not really related to the DNS service.
 
Last edited:

jimscreechy

Active Member
You really need to know what you need since DNS and VPN serve different purposes. I often experience what I call "I think what I need is" syndrome where someone wants to achieve something technical, but not really knowing exactly how to do it, 'Latch' on to a technology or solution they heard or read about. (I'm not saying the acquisition of knowledge is a bad thing, I'm just saying sometimes its better to ask what you need, rather than assume you know what you do)

If your looking for privacy and security you really need a VPN. Forget about DNS it is a different Network mechanism.

DNS - a rough analogy - you want to send a letter to someone in Spain but you don't speak Spanish. A DNS server converts the English address to Spanish for you so you can send the letter and it will successfully reach the destination

VPN - a similarly rough analogy - you want to send a number of letters secretly to a source every day, so you can secretly conspire with them to take over the world. Obviously you don't want anyone who opens the letters to be able to read them and decipher your carefully laid evil plan. So you write them in a language only you and our recipient understand so even if they are intercepted no one can decode them! World Domination achieved!

Hope this helps.
 

dogfonos

Well-known Member
VPN - a similarly rough analogy - you want to send a number of letters secretly to a source every day, so you can secretly conspire with them to take over the world. Obviously you don't want anyone who opens the letters to be able to read them and decipher your carefully laid evil plan. So you write them in a language only you and our recipient understand so even if they are intercepted no one can decode them! World Domination achieved!
How did you find out about my devious plan! OK, who grassed on me?

I have an understanding of DNS server and VPN functions and I appreciate their different roles. I want a VPN but, having checked out the freebies, I realise I will have to pay for one that gives me the security and privacy I want. I'm currently assessing the available paid-for VPNs.

Meanwhile, it was real easy to change DNS server. Changing DNS server won't do everything I need but it's a (temporary) step in the right direction in terms of my PC's security and it was quick and easy to do. I chose Quad9 DNS, following a little research, as it majored on security and privacy.

The normal home setup is to have the router request the DNS server details from the ISP
Yes, I get that. I'd prefer not to use the ISP DNS server as I'm unconvinced it's truly private.

The lookup is then done by the computer contacting the DNS server directly, rather than the computer requesting the router does it.
This is the bit I can't get my head around. The PC is connected to the router and the router is connected to the Internet so how can the settings in the PC determine the DNS server (currently Quad9) when the settings in the router still 'point' to the ISPs DNS server? Does the PC's server address settings on the PC's Ethernet card override that of the router? Am I actually using the Quad9 DNS server or am I still using the ISP DNS server? Can I run a test to check?
 

EndlessWaves

Distinguished Member
Does the PC's server address settings on the PC's Ethernet card override that of the router?
You don't say which OS you're using, but IP settings would generally be per-connection rather than per-network device - although connections are often named after the network device they use.

So for example you could have different settings for different wi-fi networks you connect to using the same wi-fi card.

Does the PC's server address settings on the PC's Ethernet card override that of the router?
Yes. Device-specific settings will take precedence over DHCP ones.
 

psychopomp1

Member
I'm looking at adding a DNS or VPN to my home PC setup purely for privacy/security reasons.
What exactly do you mean by "privacy/security" reasons? Because even by using a VPN, your details (eg browsing habits) can still be passed over to the police by the VPN provider in a worst case scenario. Contrary to popular opinion, using a VPN doesn't magically give you 100% anonymity, even if that's what the commercial VPN providers (eg NordVPN) tell you. People mainly use commercial VPN providers to get around geo-blocking of websites and/or streaming services and there's nothing wrong with that. But using a VPN purely for privacy or security reasons is a total waste of money. But of course if it makes you feel better, then go ahead. Oh and your internet speeds will decrease as well as VPN servers are shared by lots of users.
 

dogfonos

Well-known Member
You don't say which OS you're using
Windows 10.

What exactly do you mean by "privacy/security" reasons? Because even by using a VPN, your details (eg browsing habits) can still be passed over to the police by the VPN provider in a worst case scenario.
For me, privacy means anonymity when browsing thus less tracking/ snooping. Security means an additional layer of protection against malware and phishing plus encryption of my data.

I appreciate that VPN providers have legal responsibilities. I have zero interest in accessing illegal websites. Whilst VPN providers would have visibility of their users' browsing habits, I have read that the default position for some (most? all?) VPN providers is that they don't, by default, log their users' browsing habits in a way that identifies individual users - although, if illegal activity is suspected, they often state they would start logging a user's browsing habits.

People mainly use commercial VPN providers to get around geo-blocking of websites and/or streaming services and there's nothing wrong with that.
Yes, I understand that's the main purpose for many who use a VPN - not me though.

But using a VPN purely for privacy or security reasons is a total waste of money.
I have no inherent knowledge of this subject so it's good to hear opinions from forum users. I have read there are several ways to implement a VPN - each has advantages and disadvantages. From my 'research' (i.e. Googling several VPN articles) I get the impression that VPN does offer additional privacy and security if the VPN is installed (if that's the correct term) in the router because it prevents the ISP knowing my browsing habits. Granted, the VPN provider has the opportunity to snoop on my browsing habits if they so choose, but I believe that's far less likely than my current ISP, Sky, doing so.

I also appreciate I will probably need to purchase a new router to have router based VPN because the NOW TV Hub2 (equivalent to Sky Q hub, evidently) probably cannot be 're-programmed for a VPN' (or whatever the correct phrase is).

I'd be grateful if you could point me towards any articles or tests that substantiate your assertion, thanks.
 

EndlessWaves

Distinguished Member
It sounds like you're in the UK so why not change ISP to one you do trust? There's a couple of hundred to choose from.

Also, bear in mind that most web connections these days are encrypted (HTTPS) so while the ISP could see which server you're transmitting data to, they can't see what that data is. So they can tell what your search engine of choice is, but not what you've searched for.

For smaller websites where multiple are hosted on one server they may not even be able to tell the site.
 

psychopomp1

Member
OP, if you're that concerned about privacy then change your ISP. This is probably the one for you:

 

dogfonos

Well-known Member
Why would I trust an ISP? I only trust organisations and individuals that have given me good reason to trust them. So no, I don't trust any ISP.

I appreciate many folks work on the opposite principle, i.e. they trust an organisation or individual until that organisation or individual is proven untrustworthy. Rouge traders, Rip off Britain, Fake Britain, Cowboy builders and numerous other TV consumer protection programs regularly feature such trusting folk.

You may be aware of this report already. It's four years old and USA biased so some of the figures will likely be outdated but it makes good points, especially that encrypted data isn't 100% safe from snooping:

 

Bill Woodcock

Novice Member
Am I actually using the Quad9 DNS server or am I still using the ISP DNS server? Can I run a test to check?
Yes, you can. Run the following query:

dig +short @9.9.9.9 id.server TXT chaos

and the result will tell you which Quad9 server you're reaching, assuming you're reaching one. For instance:

WoodyNet-2:~ woody$ dig +short @9.9.9.9 id.server TXT chaos
"res110.ams.rrdns.pch.net"
WoodyNet-2:~ woody$


That's saying that I'm receiving answers from one of the servers in Amsterdam (airport code AMS), which is not ideal (I'm in Paris, and there are Quad9 servers in Paris) but not unreasonable under the circumstances. I'm getting about 19ms to the Amsterdam servers, and about 4ms to the Paris ones. Which means that my ISP, Free, isn't peering with Quad9 in Paris, which is annoying but fixable if enough people were to complain to Free.

WoodyNet-2:~ woody$ ping res110.ams.rrdns.pch.net
PING res110.ams.rrdns.pch.net (74.63.25.248): 56 data bytes
64 bytes from 74.63.25.248: icmp_seq=0 ttl=60 time=19.050 ms
64 bytes from 74.63.25.248: icmp_seq=1 ttl=60 time=26.148 ms
64 bytes from 74.63.25.248: icmp_seq=2 ttl=60 time=20.466 ms
64 bytes from 74.63.25.248: icmp_seq=3 ttl=60 time=26.263 ms
64 bytes from 74.63.25.248: icmp_seq=4 ttl=60 time=25.510 ms
^C
--- res110.ams.rrdns.pch.net ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 19.050/23.487/26.263/3.088 ms
WoodyNet-2:~ woody$ ping res110.cdg.rrdns.pch.net
PING res110.cdg.rrdns.pch.net (66.185.123.246): 56 data bytes
64 bytes from 66.185.123.246: icmp_seq=0 ttl=55 time=10.973 ms
64 bytes from 66.185.123.246: icmp_seq=1 ttl=55 time=10.983 ms
64 bytes from 66.185.123.246: icmp_seq=2 ttl=55 time=8.766 ms
64 bytes from 66.185.123.246: icmp_seq=3 ttl=55 time=10.613 ms
64 bytes from 66.185.123.246: icmp_seq=4 ttl=55 time=3.941 ms
^C
--- res110.cdg.rrdns.pch.net ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.941/9.055/10.983/2.686 ms

WoodyNet-2:~ woody$

But these differences are meaninglessly small relative to the scale of human perception. If one were 4ms and the other were 150ms, that would be problematic. 19ms is still really good.
 

jimscreechy

Active Member
Personally I think this is a 'cart before the horse' type scenario. Judging from your posts I'm not entirely certain you have the expertise to determine what it is you need. A condition I often encounter in IT were people here about a technology or application and latch onto it as a solution to cure all their woes.

I'm not trying to undermine your knowledge or intentions, I'm simply saying perhaps stating what your trying to achieve first, and asking what solutions would be best, or at least may be more prudent than deciding on what your going to use then asking for information on how it works and how to configure it.

Also you say..

"Changing DNS server won't do everything I need but it's a (temporary) step in the right direction in terms of my PC's security and it was quick and easy to do."

DNS does not provide privacy and definitely not security. Even if you use a DNS server on the moon, your internet traffic requests and connections are still then sent via your provider to the same addresses provided by said DNS servers. That is a bit like intending to rob a bank, and instead of asking your SATNAV for the address you stop and ask directions from some random passer by, secure in the supposed knowledge that you have foiled any attempt to track your intent. Well, your still going to the bank to hold it up, no? the risk isn't reduced because the record of SATNAV request isn't logged.

@pyschopom1 gives a fairly accurate account of the situation with VPN providers, privacy and security. Heed those word well. There are some severely overstated benefits of many VPN services. and you should be careful with your expectations as some benefits are downplayed or some drawbacks not even listed. As an example some individuals attempt to get IP streaming services from regions outside their domestic locale and are surprised when this doesn't work. However, many streaming service provides will detect a VPN and block the traffic, rendering the VPN useless. But, this is not a widely advertised shortcoming.

My two cents.
 
Last edited:

psychopomp1

Member
Judging from your posts I'm not entirely certain you have the expertise to determine what it is you need. A condition I often encounter in IT were people here about a technology or application and latch onto it as a solution to cure all their woes.
I think you've hit the nail on the head Jim. But I think what sways a large part of people's thinking is the marketing many commercial VPN providers use, scaring the hell out of people into thinking a VPN is an absolute must wrt privacy & security.
 

MarkyPancake

Distinguished Member
Depending on your router, you can set the DNS servers in the admin pages. For example, I can set my own WAN DNS servers, so the router sends requests to those instead of my ISP's, and I can send a separate pair of DNS servers to DHCP devices. It also has a DNS Filter option where I can specify another set of custom DNS servers and target devices by MAC to use one of three custom DNS servers or choose from a preset list, such as OpenDNS Family, Yandex Safe, and more.
 

dogfonos

Well-known Member
Yes, you can. Run the following query:

dig +short @9.9.9.9 id.server TXT chaos
Your name seemed familiar so I checked. I realised I saw your name when investigating alternative DNS servers because you (PCH) were/are part of the Quad9 project - along with IBM and GCA. Thanks for taking the time out to assist - much appreciated.

As has been mentioned, I'm not well versed in these matters! I've tried to run the query from command prompt in Windows 10 (my current OS - though hopefully, not for much longer) but the command is not recognised - maybe this is a Linux command? I have Ubuntu on trial so I'll try running the query on that OS when I have a moment.

DNS does not provide privacy and definitely not security.

Depending on your router, you can set the DNS servers in the admin pages.
I've read about this but unfortunately my router (supplied by the ISP) doesn't have user-configurable DNS server settings - I've tried.
 

psychopomp1

Member
There's an easier way to check which DNS server you're using, instead of faffing about with command lines:

Nearly every third party router allows you to setup a custom DNS - I'm using Cloudflare DNS and it works a treat. But others like OpenDNS and QuadDNS is also rated very highly. That's as far as I would go - I certainly wouldn't be spending money on VPNs for for privacy//security purposes. Its a akin to spending loadsa money on a gold plated HDMI cable :rotfl:
 

jimscreechy

Active Member
Voila! and as if by magic here is clear evidence of someone not understanding the what technology is doing but quoting evidence of what they believe it can offer them.

Ok I've tried. I'll leave you too it and sincerely hope you achieve what your looking for.
 

The latest video from AVForums

LG SN11RG Dolby Atmos Soundbar, plus, XBOOM Go PN7 & PL7 Wireless Speaker Reviews
Top Bottom