SECURITY: Complete blackice's 2021 Security Configuration

Last updated
Feb 17, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 11
OS edition
Home
Login security
Password-less (PIN, Biometric, Face)
Primary sign-in
Microsoft account
Primary user
Admin user - Full permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
Third-party router
Real-time protection
Microsoft Defender
NoVirusThanks OSArmor
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Configure Defender - High
OS Armor - a few additional items ticked in the settings
Malware testing
No malware samples
Periodic security scanners
Malwarebytes, EEK, ESET online scanner, HitmanPro
Secure DNS
ISP / Quad9
VPN
IVPN
Password manager
1Password
Browsers, Search and Addons
Chrome -
AdGuard
1Password
Malwarebytes Browser Guard

Edge Chromium -
AdGuard
1Password

Firefox -
AdGuard
1Password
Malwarebytes Browser Guard
Maintenance and Cleaning
HWiNFO
Process Explorer
Everything
Bandizip
Personal Files & Photos backup
File History
Personal backup routine
Automatic (scheduled)
Device recovery & backup
Macrium Reflect
Device backup routine
Automatic (scheduled)
PC activity
1. Browsing the web.
2. Shopping.
3. Banking.
4. PC and cloud gaming.
5. Streaming.
Computer specs
Ryzen 7 5800X
ASUS TUF Gaming X570-Pro Wifi
32GB G.Skill Trident Neo 3600 cl16
RTX 3070 DUAL OC
500GB WD SN550 NVME
1TB WD SN550 NVME
500GB WD Blue SSD
1TB WD Blue HDD
Personal changelog
DNS: Cloudflare->Quad9
2/17/21 - AVG Internet Security
2/20/21 - Removed Brave, updated PC Maintenance section
3/3/21 - Removed AVG
Added Microsoft Defender
3/22/21 - Keeping NextDNS so added it
Added Bitdefender Internet Security
4/15/21 - Removed Bitdefender IS
Added Microsoft Defender
4/19/21 - Added Malwarebytes Premium; just kidding, it's broken. Defender still.
4/29/21 - Changed DNS to ControlD (by Windscribe)
Removed adblockers in browsers, Added HitmanPro
5/10/21 - Back to NextDNS
6/14/21 - Currently using ISP DNS
7/9/21 - NextDNS DoT, RT-AX86U (Merlin Firmware)
10/14/21 - Windows 11
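
Added example, not part of blackice's post: a read-only PowerShell check that a Windows 11 machine actually matches the posture listed above (UAC at "always notify", Defender real-time protection and cloud protection, Defender Firewall on every profile, updates left on automatic). The expected values are this script's reading of the list, not numbers the post spells out; the ConfigureDefender "High" preset is approximated by the cloud block level and PUA settings only.

```powershell
#Requires -Version 5.1
# Added example (not from the original post): verify the listed Windows 11 posture.
# Expected values below are assumptions derived from the configuration list.

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [bool]$Pass, $Actual)
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Actual = $Actual })
}

# --- Windows UAC: "Maximum - always notify" ---
# ConsentPromptBehaviorAdmin 2 = prompt for consent on the secure desktop (top slider position);
# PromptOnSecureDesktop 1 = dimmed, isolated prompt that cannot be clicked through by another app.
$uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Check 'UAC enabled (EnableLUA)'                        ($uac.EnableLUA -eq 1)                  $uac.EnableLUA
Add-Check 'UAC always notify (ConsentPromptBehaviorAdmin)' ($uac.ConsentPromptBehaviorAdmin -eq 2) $uac.ConsentPromptBehaviorAdmin
Add-Check 'UAC prompt on secure desktop'                   ($uac.PromptOnSecureDesktop -eq 1)      $uac.PromptOnSecureDesktop

# --- Real-time protection: Microsoft Defender ---
$mp   = Get-MpComputerStatus
$pref = Get-MpPreference
Add-Check 'Defender real-time protection'              $mp.RealTimeProtectionEnabled $mp.RealTimeProtectionEnabled
Add-Check 'Defender tamper protection'                 $mp.IsTamperProtected         $mp.IsTamperProtected
Add-Check 'Defender cloud-delivered protection (MAPS)' ($pref.MAPSReporting -ne 0)   $pref.MAPSReporting
# CloudBlockLevel: 0 Default, 2 High, 4 High+, 6 Zero tolerance. A "High" preset raises it to >= 2.
Add-Check 'Defender cloud block level >= High'         ($pref.CloudBlockLevel -ge 2) $pref.CloudBlockLevel
Add-Check 'Defender PUA protection on'                 ($pref.PUAProtection -eq 1)   $pref.PUAProtection

# --- Software firewall: Microsoft Defender Firewall on Domain, Private and Public ---
foreach ($p in Get-NetFirewallProfile) {
    Add-Check "Firewall profile '$($p.Name)' enabled"          ($p.Enabled -eq 'True')              $p.Enabled
    Add-Check "Firewall profile '$($p.Name)' inbound default"  ($p.DefaultInboundAction -ne 'Allow') $p.DefaultInboundAction
}

# --- Security updates: Automatic ---
# The AU policy key is normally absent on a Home edition; absent, or AUOptions 4, means automatic.
$au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$auAuto = (-not $au) -or ($null -eq $au.AUOptions) -or ($au.AUOptions -eq 4)
Add-Check 'Windows Update not forced to a manual mode' $auAuto $au.AUOptions

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) check(s) deviate from the listed configuration."
}
```

Run it from an ordinary (non-elevated) shell; everything here is a read. A third-party AV that puts Defender into passive mode will fail the real-time protection check, which is the intended signal when the changelog above flips between Defender and another product.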
Feedback Response

General feedback

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,046
I'll wait until Windows Update natively supports encrypted DNS in a stable release.
Windows currently supports only 3 encrypted DNS providers (Google, Quad9, Cloudflare); I do not expect it to be updated very fast, so no AdGuard or NextDNS anytime soon.
While that's true in theory, remember that malware can just use direct IP connections without using any DNS.
But they prefer DNS, especially botnets, because IPs get blocked very fast, so they need to renew IPs.
 

SeriousHoax

Level 38
Verified
Mar 16, 2019
2,718
Windows currently supports only 3 encrypted DNS providers (Google, Quad9, Cloudflare); I do not expect it to be updated very fast, so no AdGuard or NextDNS anytime soon.
It's possible to use other DNS providers like NextDNS as encrypted by following this method in Insider editions. I tested it and it works.
But as @blackice said, those of us who are on a stable build need to wait for it to be released (or use YogaDNS).
 

TairikuOkami
It's possible to use other DNS providers like NextDNS as encrypted by following this method in Insider editions. I tested it and it works.
Thanks, that's definitely something to watch out for; malware could easily add its own DNS server, making it look like an official one.
 

Attachments: capture_05112021_190029.jpg
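
The exchange above is about the table of DoH servers Windows uses to decide whether a configured resolver gets upgraded to DNS-over-HTTPS, and the worry that an entry can be added to make a rogue resolver look "official". As an added example, not code from the thread, this PowerShell audit lists that table, flags templates that are not one of the three built-in providers, flags entries that permit a silent fallback to plaintext UDP, and cross-checks that every resolver actually set on an interface has a template at all. It assumes a Windows 11 build with the DnsClient DoH cmdlets (`Get-`/`Add-`/`Remove-DnsClientDohServerAddress`); the allowlist is this script's own, and the `<resolver-ip>`/`<config-id>` placeholders in the trailing comment are illustrative.

```powershell
#Requires -Version 5.1
# Added example (not from the thread): audit the Windows DoH server table.
# Assumes the Windows 11 DnsClient cmdlets; the allowlist below is this script's own,
# keyed on the templates Windows ships for its built-in providers.

$knownTemplates = @{
    'https://dns.google/dns-query'         = 'Google'
    'https://cloudflare-dns.com/dns-query' = 'Cloudflare'
    'https://dns.quad9.net/dns-query'      = 'Quad9'
}

$dohTable = @(Get-DnsClientDohServerAddress)

$report = foreach ($entry in $dohTable) {
    $tpl = $entry.DohTemplate
    $provider = if ($tpl -and $knownTemplates.ContainsKey($tpl)) { $knownTemplates[$tpl] } else { 'UNKNOWN' }
    [pscustomobject]@{
        Server      = $entry.ServerAddress
        Template    = $tpl
        Provider    = $provider
        # $true: Windows may quietly fall back to plaintext UDP/53 if the DoH endpoint fails
        UdpFallback = [bool]$entry.AllowFallbackToUdp
        AutoUpgrade = [bool]$entry.AutoUpgrade
    }
}
$report | Format-Table -AutoSize

# Anything outside the allowlist was added by hand, or by something that already had admin
# rights; either way it deserves a second look before the OS treats it as "encrypted".
foreach ($u in @($report | Where-Object { $_.Provider -eq 'UNKNOWN' })) {
    Write-Warning "Unrecognised DoH template for $($u.Server): $($u.Template)"
}
foreach ($f in @($report | Where-Object { $_.UdpFallback })) {
    Write-Warning "$($f.Server) allows UDP fallback: DoH can be downgraded to plaintext"
}

# Cross-check: a resolver set on an interface but absent from the table is queried over
# plain UDP/53 no matter what the Settings app says about encrypted DNS.
$inUse = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
foreach ($ip in $inUse) {
    if ($dohTable.ServerAddress -notcontains $ip) {
        Write-Warning "$ip is used by an interface but has no DoH template: queries go out in the clear"
    }
}

# Changing the table needs an elevated shell (placeholders, shown for illustration only):
#   Add-DnsClientDohServerAddress -ServerAddress <resolver-ip> -DohTemplate 'https://<provider>/<config-id>' -AllowFallbackToUdp $false -AutoUpgrade $true
#   Remove-DnsClientDohServerAddress -ServerAddress <resolver-ip>
```

The reads need no elevation, which is the point: a non-admin user can still see whether someone with admin rights has slipped a template in, and can see whether "encrypted DNS" is actually covering the resolvers in use.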

blackice

Level 33
Verified
Apr 1, 2019
2,204
As your screen confirms, this change needs admin rights. If malware gets these, bigger problems exist.
I was just thinking: if malware hits your system and is trying to phone home with DoH, you already have problems. Yes, some mitigations can save you, but I don't need to worry about every single threat and vector. I mean, how many enthusiasts on this forum even ever run into malware? It happens, but I'm too tired to be paranoid.
 

blackice
Went back to AdGuard for my desktop browsers and use NextDNS filtering for my phone. I like their service, but DNS filtering for ads takes a bit more tweaking than I'd like. May go back to it eventually.

Mostly using Firefox these days. Seems just as fast as Chromium with my Desktop, plus it forces Picture in Picture on videos that are blocking it in Chrome.
 

blackice
Got my hands on an RT-AX86U and put the most recent Merlin firmware on it with NextDNS DoT.
It turns out NextDNS is tremendously broken with DoT on this router. From what I hear their (NextDNS) DoT implementation has issues with a lot of devices/code. I have gone back and forth between Quad9 DoT (for filtering) and using the ISP (for functionality and getting the closest edge CDN resolved on the ISP's services). The ISP already has all my connections logged anyway if they want to, so I don't really care. Probably will land with using the ISP for the router and Quad9 on specific browsers as preferred.
 

blackice
What is the problem actually? Connection drop?
Certain devices would suddenly not resolve some addresses, but my phone and PC would resolve the same address. My wife's phone was one of them, so a deal breaker around here. Also, and there's a super long thread about this on their forum, the DNS leaks to Cloudflare, Google, and who knows what others when using DoT on ASUS routers. No other DoT implementation does that with this firmware, so I have no clue.
 

blackice
Giving NextDNS DoT on the router another shot. So far it seems to be working correctly now. May be a keeper. I like their solution for EDNS Client Subnet privacy. Helps with getting close CDNs. If this fails then back to the ISP, because it's the only one that consistently provides the best CDNs.
 

blackice
Giving NextDNS DoT on the router another shot. So far it seems to be working correctly now. May be a keeper. I like their solution for EDNS Client Subnet privacy. Helps with getting close CDNs. If this fails then back to the ISP, because it's the only one that consistently provides the best CDNs.
Ugh, just kidding. Internet completely disconnected; change DNS and it instantly reconnected. These two just don't play well. Oh well. $2 more a month for me.
 