- Mar 19, 2022
- 246
Which is better for security in insecure public wifi? DNS firewall or VPN?
DNS firewall vs VPN
- Thread starter SohanRay
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Mar 19, 2022
- 246
Just to be sure, you did consider the DNS firewall to be an encrypted dns filtering system right?
- Feb 26, 2021
- 972
A VPN will always be more secure. That being said, there's no reason why yo cannot have both. For example, Mullvad, IVPN, and AirVPN (just to name a few) are using well-known blocklists on their private DNS servers. You don't even have to have an account to use Mullvad's DoH.
- Mar 19, 2022
- 246
Ohh... Thanks. Actually I have already subscribed to surfshark, and they also have cleanweb feature that uses blocklists to block ads and malicious domains. They say they use reputed good sources but I don't exactly know which ones. So, the VPN although has a dns firewall, but I still asked because the Dns firewall I was talking about seems to be better at blocking malicious domains and ads and also is cheaper. So this was just to make sure if I am spending money smartly. Like I would be a fool if I am paying more for the VPN when the Dns firewall alone is enough.
- Aug 22, 2013
- 892
Most of the website we use today use https, ie encrypted traffic, hence the information you transmit is encrypted and in theory pretty much impossible to intercept. Yet there are chances of dns cache poisoning if you are not using encrypted dns ( like NextDns doh, cloudflare etc). So if you are using doh/dot/doq on your device and browse only "https" websites on public wifi you are mostly safe even without a vpn. But if you are browsing non https websites and if that's sensitive you must use a vpn to encrypt your traffic..
- Aug 21, 2020
- 609
VPN all the way.
I recommend a VPN like Windscribe Pro that turns on automatically on unsecured networks.
Deep packet inspection allows people monitoring your public WiFi to make inferences about what you are downloading or uploading though. I also wouldn't trust apps outside your browser to send and receive encrypted data, especially email clients. Apple addressed this with iCloud Private Relay sending all unencrypted traffic through their VPN.
I recommend a VPN like Windscribe Pro that turns on automatically on unsecured networks.
- Feb 26, 2021
- 972
Ok. So, let's get a couple things straight. A VPN, a firewall, and DNS blocking are all different things. What many VPNs call a "VPN firewall" is not the same thing you might think it is. It can be one of two things, depending on context. Either their VPN firewall is actually DNS blocking, which their rebrand to sound cool, or it could be a "killswitch", which prevents your location from leaking in the event of a drop. How long if your surfshark contract? If you are going month-to-month, I suggest getting NordVPN instead. That is if you wanted to be around the same cost. Otherwise, you can't be better than Mullvad. Computing is one of those situations where it's better to err on the side of caution/safety.
I was not able to find anything on the specific lists CleanWeb uses, and that's concerning. Without proof, they could just be saying buzzwords to make their product sound better.
I was not able to find anything on the specific lists CleanWeb uses, and that's concerning. Without proof, they could just be saying buzzwords to make their product sound better.
- Mar 19, 2022
- 246
Actually I chose Surfshark for a reason that was cost effective for me. It's one account subscription covers unlimited devices. Its definitely cheaper than Nordvpn. It has proper servers here in India. And the cost is reasonable. At first when I started using it,there were number of issues regarding speed, uptime, apps not working etc. But now it works seemlessly. Also over the time the suggestions that I gave were implemented, although it did take time. Eventhough its this stable now, its still adding technologies to make it even more stable and have more features. So that's why I have stuck with Surfshark. Even in most reliable website reviews Surfshark consistently ranks in the top 3 choices in most cases. About the blocklists it uses, I had tried to ask which ones they use exactly. But they said they use private lists which they won't be able to disclose about. I had seen the same case even in CleanBrowsing dns which also uses private lists and lists from their partners. So I think private lists cannot be disclosed about. And cleanweb and kill switch are 2 different features here. Cleanweb is the Dns firewall.
The blocking always happens at dns level,if I am not wrong. Whether its dns firewall or VPN.
- Mar 19, 2022
- 246
Exactly. Actually I am aware that my ISP uses Deep Packet inspection. And yes although its visible if the connection isn't secure in a browser, but it isn't visible at all in case of other apps. Eventhough, I have read that in Android 9 or 10, Google has implemented https by default, but that surely doesn't mean it actually enforces it. And devs are required to make just few changes for HTTP connections to work.
Windscribe VPN has lower speeds here in India. Plus they don't have a 24/7 chat service. I did use their ControlD dns service,which is not so great and lags behind others like NextDns. Actually, its CEO messaged me in forums that he considered NextDns's AI threat detection useless and just a bluff. Whereas, in tests NextDns's AI has performed even better than DNSFilter many times.
And when I had interacted with their customer help service through email and forums, I realized that the 24/7 chat support in Surfshark is way better experience.
Also, I feel if I am paying the whole year for the VPN service then I should leave it on at all times if it doesn't create any issues that way. In my case, it doesn't create any issues.
- Mar 19, 2022
- 246
What if someone poses as the ISP itself by say opening a rogue hotspot and tampers the dns requests? Will dns firewall be able to detect it?
Also, you only spoke about HTTP and Https connections. What about other types of network traffic?
- Aug 22, 2013
- 892
That's exactly why I suggested you to use an encrypted dns service like nextdns, it will prevent man in the middle dns spoofing and yes dns firewall like nextdns ( if doh is enabled) can detect and prevent such attacks.
To your second question, all the traffic except the ones that are encrypted ( for example port 443 is generally used for encrypted https traffic, but this is purely a convention, and any port could be used for HTTPS traffic.) can be intercepted pretty easily when you are on a public wifi hotspot. So you must understand that encryption is the key, any sensitive information about you or your system must be in an encrypted form if it leaves your system while on a public hotspot. In short if your network traffic on other ports is sensitive enough you must be on a vpn while using public hotspot.
Deep packet inspection is a type of packet analysis and filtering that looks at the data component of packets, as opposed to only its outermost headers, as standard packet analysis and filtering would do. This requires knowledge of the transport and application protocols and is thereof more complicated and costly, particularly to execute at line rate. It requires huge investment from the part of isp to do dpi on each and every customer, practically making it impossible. So I don't think your isp is doing dpi on you, unless you are worthy of 24/7 surveillance.
Last edited:
- Mar 19, 2022
- 246
Actually what I was talking about isn't dns spoofing. I know encrypted dns will prevent dns spoofing. But what if the ISP, the rogue wifi is providing the malicious IP instead of the right one. Dnssec validates responses so it will validate that the response is from the ISP and hasn't been tampered. But the ISP itself is a rogue malicious actor here. What then?
Ok, so the ISP may not be implementing deep packet inspection on me exactly. But say if they spot a remotely questionable traffic from my end using some algorithms like the police do then they might. Even when its actually just a false alarm if seen properly. Also, in case of insecure wifi the attacker might just lookout for when someone tries to access any banking sites and then try to steal info by maybe say degrading the https connections to HTTP ones in the background. Which is by the way possible as I read somewhere.
- Aug 22, 2013
- 892
Everything thing is possible with network traffic, there is no 100% security, nothing is impenetrable. Absolute security is anti State and anti social as it will cover or benefit anti social elements more. what one can can do to prevent such encroachment is to make it more difficult or near impossible to the actor so that he is forced to go after an easier victim. Even the vpn is not secure enough when it comes to appropriately tooled government authorities, so you are not supposed to act against authorities or do illegal activities to warrent attention from the State.
- Mar 19, 2022
- 246
Yeah nothing is 100% enough. But yeah which one would be better, the dns firewall or VPN was my question. Obviously no one is trying anything illegal here. Just using a VPN for greater security shouldn't be something to warrent attention in terms of illegal activities or such.
- Aug 22, 2013
- 892
Dns firewall doesn't encrypt entire traffic, it just filters dns queries, so vpn is always one step ahead when it comes to security.
- Mar 19, 2022
- 246
VPN does encrypt entire traffic, but then it encrypts the traffic from the user end to VPN server only. From there on its just normal like in any other cases when a VPN is not being used. This does increase the privacy as it hides IP address and all but I don't how much it does about security exactly....
- Aug 22, 2013
- 892
Using a vpn is like giving all your hard earned money to your neighbour for safe keeping. It's a relationship based on trust, you have no other option except to trust your neighbour. If the neighbour is a good man then every thing is well and good, otherwise .... So choose wisely, invest in a good, reputed and trustworthy vpn or make your own vpn, there are ways you can do it at the same cost of vpn subscription.
- Mar 19, 2022
- 246
About VPN being safe for the unencrypted traffic...... The VPN only encrypts them from the user/client end upto the VPN servers. Rest goes like it would normally, without the VPN. So say I visit a HTTP website, then I'll be in danger if I enter any personal details here,with or without the VPN. And if I don't enter any sensitive info here, I think I'll be safe with or without the VPN. Isn't that so?
- Mar 19, 2022
- 246
That comes later actually, currently I am questioning if VPN is actually providing better security than an encrypted dns firewall. It does provide better privacy but does it provide better security exactly?
