
DNS leak? What is the best way to fix this?


vailixi


If I don't want my ISP or anyone else for that matter to know what websites I'm looking at, can I store all of the IPs on my machine so I don't have to make DNS requests whenever I'm looking up a site? I'm not sure where is the best place to start.

How do I set up a local DNS server? What is the recommended software for this?

How do I set up DNS proxies? Where's the configuration file typically located on a Linux machine? And what are the steps I need to take to set this up?

Also how do I test my anonymity?


What I think you're looking for is OpenDNS and specifically the DNSCrypt capability.

The best way to test your anonymity is to sniff the line going in and out of your network. Identify what's travelling there. What you can see on there, the ISP can see on there. If you can't make heads or tails of it, neither can your ISP. They do have a log that says traffic originating from IP A.B.C.D at time HH:MM is attributed to paying customer *YOU*. It's going to be difficult to prevent that bit.

So, to enhance your anonymity, you need to ensure that when someone says "Hey, who's that person using 1.2.3.4 as IP address on my machine at 12:34 today?" that 1.2.3.4 ISN'T you. In other words, you need a proxy - a machine that you can route your traffic through that you trust to not divulge your real IP when some feds walk by waving warrants and one-way tickets to Guantanamo Bay. Good luck with that.

Point is, people are very likely to not give a flying fuck about who the hell you are so long as you don't rub them seriously the wrong way. There's a lot of anonymity in a crowd, so long as you try to not stand out, and the crowd you're in is itself not, as a whole, engaged in suspect behaviour (like a torrent swarm or a botnet).

When you're online, you're going to have to be someone - you log on to forums, your browser has session cookies showing that you previously visited, etc. and all of that can be combined and produce what they consider to be 'you'. I'm quite certain that with the right databases combined, your current 'you' will be reasonably easily traced back to the real you. In order to become anonymous, you're going to have to create a new and completely separate you. To do so, create a virtual machine on your machine. When you're just you doing your everyday web browsing, shopping and what not, you use your regular machine. When you're investigating pipe bomb explosives, 'subversive' literature like the constitution, the detailed workings of prohibited chemicals or the latest viruses and hacking techniques employed against some commercial giant, you use the virtual machine.

Should any prying eyes come by and take a long, hard look at just who that serial killer/terr'ist is at IP 5.6.7.8 at 14:35, they'll find two very distinct individuals. At that point, all you need is an open wifi access point to get plausible deniability. It does help to erase the virtual machine before a tech goes to work on your machine. Storing it on a thumb drive somewhere tends to be a good start.

In summary:

1. Don't get noticed.

2. If you think you will get noticed, use a virtual machine for the stuff that might get you noticed.

3. Never, *EVER* use the virtual for the casual stuff and never, *EVER* use the real machine for the noticable stuff. Once you do that - game over.


Never, never, NEVER run an open access point in your home. The whole "plausible deniability" thing won't work. When the SWAT team breaks down the door, they can, and will, confiscate everything that's capable of obtaining an IP address and storing data. They then will comb through everything they can to find out if it was you looking at kiddy porn, or the creepy dude next door. This could take months depending on how backlogged the PD's IT department is.

Also, there's no such thing as anonymity on the internet.

Edited by barry99705

The main point I think is that if you make it interesting enough for them to find you, they can and they will. So either make it VERY hard for them to find you, or don't do the things that make you interesting to them.


Cooper, is there a way to automatically cache IPs of most major sites and store them in a local DNS cache, or to import a large DNS cache into my local machine so as to query DNS from remote computers as little as possible?

Also thank you for your input on plausible deniability. Not that I'm doing anything wrong. But Marxists everywhere.



I don't see the point. The IP addresses are still going to be transmitted from your house. It doesn't matter if you're making a DNS request or not.


I don't know of a way to automatically keep a hosts file around in updated form or even to download such a file from somewhere. It'd be a BITCH to keep up to date...

I don't see the point. The IP addresses are still going to be transmitted from your house. It doesn't matter if you're making a DNS request or not.

This is a very valid point. You see, there are 2 options, at least when it comes to standard browsing:

1. It's an HTTPS site. People can't monitor your traffic, but due to the way the protocol works there can only be 1 site certificate per IP address, so if they have your target IP (which they naturally do - they send your traffic that way) and they know it's encrypted traffic there can only be 1 domain that you're trying to access.

2. It's an HTTP site. People can monitor your request and simply see which site you're browsing to.

In the case of services other than web serving the 1-cert-per-ip rule might not apply which might help, but overall you're not really preventing something from happening. You could argue that your exposure was somewhat limited, but at what cost? I strongly feel your best bet is still to just run a local DNS server and accept the fact that every so often a few of those DNS requests need to be looked up externally. If you configure your DNS service to use a number of different DNS servers rather than act as a cache to the one at your ISP you make it slightly less convenient for interested parties to spy on you, but you won't be able to make it truly impossible.

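As an added example (written for this page, not code from any poster in the thread), here is a small Python script that does what Cooper suggested at the top of the thread and again in the HTTP/HTTPS post above: look at your own uplink the way the ISP would, and pull out the piece of metadata that names the site. It parses three constructed payloads, a DNS query (the QNAME), a plaintext HTTP request (the Host header) and a TLS ClientHello (the server_name extension, which TLS sends in the clear before encryption starts). The packets are built inline so it runs offline; the hostname example.org and the builder functions are illustrative only, and the destination IP in each packet's IP header is visible on the wire regardless, which is barry99705's point.

```python
"""What a passive observer on the uplink can read from three common payloads.
Sample packets are constructed inline; they are not captures from a real line."""
import struct
from typing import List, Optional, Tuple


def dns_query_name(payload: bytes) -> str:
    """Return the name asked about in a DNS query (the UDP payload)."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]  # header: id, flags, qd, an, ns, ar
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a question name
            raise ValueError("compressed label in question")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed A-record query for `name` (standard recursive query flags)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def http_host(payload: bytes) -> Optional[str]:
    """Plaintext HTTP: the Host header names the site directly."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"host":
            return value.strip().decode("ascii")
    return None


def tls_sni(record: bytes) -> Optional[str]:
    """TLS ClientHello: the server_name extension is sent before any encryption."""
    if len(record) < 5 or record[0] != 0x16:
        return None  # not a handshake record
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:
        return None  # not a ClientHello
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                      # client_version + random
    pos += 1 + hello[pos]                             # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hello[pos]                             # compression methods
    if pos + 2 > len(hello):
        return None  # no extensions at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        edata, pos = hello[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype != 0:
            continue
        lpos = 2  # skip server_name_list length
        while lpos + 3 <= len(edata):
            ntype, nlen = edata[lpos], struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            if ntype == 0:  # host_name
                return edata[lpos + 3:lpos + 3 + nlen].decode("ascii")
            lpos += 3 + nlen
    return None


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying only an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!HH", 0, 2 + len(entry)) + struct.pack("!H", len(entry)) + entry
    hello = (b"\x03\x03" + bytes(32)              # version + (zeroed) random
             + b"\x00"                            # empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f" # one cipher suite
             + b"\x01\x00"                        # null compression
             + struct.pack("!H", len(sni)) + sni)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe(packets: List[Tuple[str, bytes]]) -> List[Tuple[str, Optional[str]]]:
    """Summarise what each (protocol, payload) pair reveals about the site visited."""
    parsers = {"dns": dns_query_name, "http": http_host, "tls": tls_sni}
    return [(proto, parsers[proto](payload)) for proto, payload in packets]


SAMPLE = [  # constructed, not captured
    ("dns", build_dns_query("example.org")),
    ("http", b"GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: x\r\n\r\n"),
    ("tls", build_client_hello("example.org")),
]

if __name__ == "__main__":
    for proto, name in observe(SAMPLE):
        print(f"{proto:5s} reveals {name}")
```

Run against your own traffic by feeding it UDP/53 and TCP/80/443 payloads from a capture. A hosts file or local cache removes only the first item, and only on cache hits; the Host header and the SNI name travel inside the connection to the site itself, so they are on the line whether or not a DNS lookup preceded them (SNI stays readable unless the client uses Encrypted Client Hello).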
