Advanced Plus Security blackice's 2021 Security Configuration

TairikuOkami · May 11, 2021

blackice said:
I’ll wait until Windows update to natively support encrypted DNS in stable release.

Windows currently supports only 3 encrypted DNS (Google, Quad9, Cloudflare), I do not expect it to be updated very fast, so no adguard or nextdns anytime soon.

SecurityNightmares said:
While that's true in theory, remember that malware can just use direct IP connections without using any DNS.

But they prefer DNS, especially botnets, because IPs get blocked very fast, so they need to renew IPs.

SeriousHoax · May 11, 2021

TairikuOkami said:
Windows currently supports only 3 encrypted DNS (Google, Quad9, Cloudflare), I do not expect it to be updated very fast, so no adguard or nextdns anytime soon.

It's possible to use other DNS providers like NextDNS as encrypted by following this method in insider editions. I tested it and it works.

Windows Insiders can now test DNS over HTTPS | Microsoft Community Hub

This post will explain how to use DoH as a Windows Insider

techcommunity.microsoft.com

But as @blackice said, those of us who are on stable build needs to wait for it to be released (or use YogaDNS).

TairikuOkami · May 11, 2021

SeriousHoax said:
It's possible to use other DNS providers like NextDNS as encrypted by following this method in insider editions. I tested it and it works.

Thanks, that definitely something to watch out for, malware could easily add its own DNS server making it look as an official one.

ForgottenSeer 85179 · May 11, 2021

TairikuOkami said:
Thanks, that definitely something to watch out for, malware could easily add its own DNS server making it look as an official one.

As your screen confirm, this change needs admin rights. If malware get these, bigger problems exists.

blackice · May 11, 2021

SecurityNightmares said:
As your screen confirm, this change needs admin rights. If malware get these, bigger problems exists.

I was just thinking if malware hits your system and is trying to phone home with DOH you already have problems. Yes some mitigations can save you, but I don't need to worry about every single threat and vector. I mean how many enthusiasts on this forum even ever run into malware? It happens, but I'm too tired to be paranoid.

blackice · May 26, 2021

Went back to AdGuard for my desktop browsers and use NextDNS filtering for my phone. I like their service, but DNS filtering for ads takes a bit more tweaking than I'd like. May go back to it eventually.

Mostly using Firefox these days. Seems just as fast as Chromium with my Desktop, plus it forces Picture in Picture on videos that are blocking it in Chrome.

blackice · Jul 9, 2021

Got my hands on an RT-AX86U and put the most recent Merlin firmware on it with NextDNS DoT.

blackice · Sep 14, 2021

blackice said:
Got my hands on an RT-AX86U and put the most recent Merlin firmware on it with NextDNS DoT.

It turns out NextDNS is tremendously broken with DoT on this router. From what I hear their (NextDNS) DoT implementation has issues with a lot of devices/code. I have gone back and forth between Quad9 DoT (for filtering) and using the ISP (for functionality and getting the closest edge CDN resolved on the ISP's services). The ISP already has all my connections logged anyway if they want to, so I don't really care. Probably will land with using the ISP for the router and Quad9 on specific browsers as preferred.

SeriousHoax · Sep 14, 2021

blackice said:
It turns out NextDNS is tremendously broken with DoT on this router. From what I hear their (NextDNS) DoT implementation has issues with a lot of devices/code.

What is the problem actually? Connection drop?

blackice · Sep 14, 2021

SeriousHoax said:
What is the problem actually? Connection drop?

Certain devices would suddenly not resolve some addresses, but my phone and pc would resolve the same address. My wife’s phone was one of them, so a deal breaker around here. Also, and there’s a super long thread about this on their forum, the dns leaks to Cloudflare, google, and who knows what others when using DoT on ASUS routers. No other DoT implementation does that with this firmware, so I have no clue.

blackice · Sep 29, 2021

Giving NextDNS DoT on the router another shot. So far it seems to be working correctly now. May be a keeper. I like their solution for EDNS Subclient Privacy. Helps with getting close CDNs. If this fails then back to the ISP, because it's the only one that consistently provides the best CDNs.

blackice · Sep 29, 2021

blackice said:
Giving NextDNS DoT on the router another shot. So far it seems to be working correctly now. May be a keeper. I like their solution for EDNS Subclient Privacy. Helps with getting close CDNs. If this fails then back to the ISP, because it's the only one that consistently provides the best CDNs.

Ugh, just kidding. Internet completely disconnected, change DNS and instantly reconnected. These two just don’t play well. Oh well. $2 more a month for me.

blackice · Oct 14, 2021

Installed Windows 11 this morning on a whim since it's been working fine on my laptop for months. Everything went smooth and just works. Guess I gotta find something else to play with.

blackice · Oct 14, 2021

Also, moved to Edge for my daily driver again for a bit. I like Firefox, but streaming quality is better over here and found a javascript to run that re-enables PiP on sites that disable it.

Search

Advanced Plus Security blackice's 2021 Security Configuration

Looking for medium feedback.

TairikuOkami

Level 37

SeriousHoax

Level 49

Windows Insiders can now test DNS over HTTPS | Microsoft Community Hub

TairikuOkami

Level 37

Attachments

ForgottenSeer 85179

blackice

Level 39

blackice

Level 39

blackice

Level 39

blackice

Level 39

SeriousHoax

Level 49

blackice

Level 39

blackice

Level 39

blackice

Level 39

blackice

Level 39

blackice

Level 39

Similar threads