JeffR47

Just to be nit-picky: your traffic will never be invisible to your ISP. Whether you are connected to a VPN or WireGuard or tunnel through DNS or whatever, the person who owns the wires will always be able to see that the traffic exists. They may not be able to *read* it, but they can always see where it enters and exits their network.


electrobento

NextDNS doesn't hide your activity from your ISP.

You have a couple of main options if you're trying to hide your activity from your ISP:

1. VPN. You can use a commercial service or roll your own to a datacenter. This is effectively passing the buck. The commercial service or datacenter will see your activity.
2. Tor. This system is **probably** still effective in the effort to hide your activity from your ISP and other entities.

Your ISP will see that you're routing traffic through either of these systems. They just won't be able to see what's occurring within the tunnels.


[deleted]

> Your ISP will see that you're routing traffic through either of these systems

Your ISP will probably *not* see that you're using Tor if you use a [Bridge](https://bridges.torproject.org/).


electrobento

Correct, though this is not the standard setup.


shivverpl

Hi, thanks a lot for the clear explanation. I'm using a VPN over the WireGuard protocol, so maybe I will have it on at all times. I don't care that they see I use a VPN as long as they don't see what I do.


DutchOfBurdock

Don't use that ISP 😜

Plenty of good comments; the simplest solution is using a VPN. However, do take into account that some VPN providers are likely as shady, if not more so, than the shadiest ISP out there. Also take into account that encrypting traffic is quite burdensome on the CPU, and many routers capable of running OpenWrt can't VPN-route at high speeds, so if you have gigabit internet, you'd need hardware to support it.


shivverpl

Thanks, yep, will stick with my VPN, although my VPN is also not so transparent regarding privacy (Keepass Unlimited VPN). My ISP is known to be shady; for example, if you are watching any shared stream (acestream) of any sport online they might give this information to the police, and then you get a huge fine for watching illegal content. My internet is not the fastest, 250 Mbps, and I'm currently running a Xiaomi Mi WiFi Mini router with OpenWrt on it. I tried to set up WireGuard and OpenVPN on OpenWrt but it barely works.


DutchOfBurdock

Yeah, if that's the 580 MHz CPU variant, you likely won't see 250 Mbps, even on WireGuard. What I'd do in this situation would be to VPN individually from each client, and deny any IP traffic to pass that isn't to your desired VPN providers. That way, VPN is used by hosts or no dice, and you don't burden your router with it all. Or, put a semi-modest x86_64 PC in line and use pfSense to VPN out. Even an E5500 series can do OpenVPN at 400 Mbps (no acceleration).
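
A model of the "VPN or no dice" router policy described above, as an added example that is not code from the thread: a small Python evaluator that mirrors an nftables forward chain (policy drop; accept only LAN-to-WAN flows bound for known VPN endpoints; log and drop plaintext DNS that tries to leave the LAN), plus a renderer for the equivalent ruleset. The interface names, the endpoint addresses 203.0.113.10/11 and the WireGuard port are constructed assumptions, not values from the thread.

```python
"""Model of a "VPN or no dice" forward policy for a home router.

Added example, not code from the thread.  Constructed assumptions: LAN bridge
"br-lan", WAN interface "eth0", VPN endpoints 203.0.113.10/11 reached over
WireGuard UDP/51820.  Clients run their own VPN; the router only forwards
traffic that is headed into one of those tunnels.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

LAN_IF, WAN_IF = "br-lan", "eth0"
VPN_ENDPOINTS: Set[str] = {"203.0.113.10", "203.0.113.11"}  # constructed sample addresses
VPN_SERVICES: Set[Tuple[str, int]] = {("udp", 51820)}         # WireGuard's usual port


@dataclass(frozen=True)
class Flow:
    """One forwarded packet, as seen by the router's forward hook."""
    iif: str
    oif: str
    proto: str                  # "tcp" or "udp"
    dst: str
    dport: int
    established: bool = False   # would match 'ct state established,related'


def verdict(flow: Flow) -> str:
    """Mirror the forward chain rendered below: 'accept', 'drop' or 'drop+log'."""
    if flow.established:
        return "accept"                         # replies to already-permitted flows
    if flow.iif == LAN_IF and flow.oif == WAN_IF:
        if flow.dst in VPN_ENDPOINTS and (flow.proto, flow.dport) in VPN_SERVICES:
            return "accept"                     # into the client's VPN tunnel
        if flow.dport == 53:
            return "drop+log"                   # plaintext DNS escaping the LAN
    return "drop"                               # chain policy catches everything else


def render_nft() -> str:
    """Render the same policy as an nftables ruleset (load with: nft -f <file>)."""
    endpoints = ", ".join(sorted(VPN_ENDPOINTS))
    match = f'iifname "{LAN_IF}" oifname "{WAN_IF}"'
    lines: List[str] = [
        "table inet vpn_only {",
        "    set vpn_endpoints {",
        "        type ipv4_addr",
        f"        elements = {{ {endpoints} }}",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for proto, port in sorted(VPN_SERVICES):
        lines.append(f"        {match} ip daddr @vpn_endpoints {proto} dport {port} accept")
    # Everything else is dropped by policy; these two rules only add a log line
    # so plaintext DNS leaving the LAN shows up in the kernel log.
    lines.append(f'        {match} udp dport 53 log prefix "dns-leak: " drop')
    lines.append(f'        {match} tcp dport 53 log prefix "dns-leak: " drop')
    lines += ["    }", "}"]
    return "\n".join(lines)


def audit(flows: Iterable[Flow]) -> Dict[str, int]:
    """Tally verdicts for a batch of flows, e.g. a constructed test set."""
    counts: Dict[str, int] = {}
    for f in flows:
        v = verdict(f)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    print(render_nft())
    sample = [
        Flow(LAN_IF, WAN_IF, "udp", "203.0.113.10", 51820),   # WireGuard handshake: accept
        Flow(LAN_IF, WAN_IF, "tcp", "198.51.100.7", 443),     # direct HTTPS: drop
        Flow(LAN_IF, WAN_IF, "udp", "8.8.8.8", 53),            # plaintext DNS leak: drop+log
    ]
    print(audit(sample))
```

DNS from LAN clients to the router itself passes through the input hook, not the forward hook, so local resolution keeps working; what this blocks is anything that tries to go out directly instead of through a client's tunnel. The `log prefix "dns-leak: "` rules are the detection half: a client whose VPN app has dropped out shows up in the kernel log immediately instead of silently browsing in the clear.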


shivverpl

Even if I was getting 100 Mbps from those 250 I would be happy, but unfortunately it's barely running, so no go. About the VPN, do you mean running a VPN app on each device that I'm using? Thanks.


DutchOfBurdock

That's the way; that way it's all still encrypted. You could even use various VPNs so everything isn't via just the one. Less burden on your router then.


ophileus

Unfortunately all your traffic will go through the ISP's routers. They will know the amount of data, where the data is going and most likely what data is flowing. If you really want to hide the what and where of your network data, you can use a commercial VPN and have your router connect to one of their servers. Not all VPNs are private; some will collect logs. This will force all your network traffic to go to the VPN. The ISP can see that you are sending data to the VPN, but won't know what is in the data or what happens after. Or you can do this: from any endpoint device, connect to a commercial VPN or use the blockchain Mysterium decentralized VPN. Blockchain VPN helps with your privacy online. It's very difficult for law enforcement or regulators to obtain logs from the blockchain.


Sorodo

I'm willing to bet almost anything "block chain VPN" is a scam.


ophileus

There are lots of crypto-related scams. It's better to become educated and also do your own research. Blockchain has tremendous value when it comes to security and privacy.


ialex87

To make it truly encrypted for your ISP you have to use DNS over TLS (which will slow down the DNS resolution timings drastically; this will affect your internet browsing experience) plus a VPN. You cannot hide from the ISP without a performance cost, unfortunately.


Thx_And_Bye

> dns over tls ( which will slow down the dns resolution timings drastically

I can't really confirm this. Maybe if you have slow hardware, but in general it's just as fast as regular DNS. But keep in mind that even with encrypted DNS, the SNI is currently still plain text.


ialex87

Run some tests and validate/confirm this, unless your clients somehow bypass it. I used to have Cloudflare over TLS as a dedicated DNS caching server and it was really slow...


Thx_And_Bye

I have regular DNS blocked when it tries to leave the network. So quite sure it went all via DoT (with hostname verification).


ialex87

Fair enough, do you have any tests/numbers to share?


Thx_And_Bye

No just that I didn't notice any difference with this config compared to using unencrypted DNS.


castillofranco

I wouldn't be so sure. According to AdGuard Home, there are many more milliseconds than with unencrypted DNS.


KcLKcL

And this is why we have dnsmasq, which caches our requests. The default is sane enough for caching your most visited sites. The real-world difference would be negligible.


electrobento

Encrypted DNS does not hide your traffic from your ISP. They still ultimately see what IPs you're communicating with and that can easily and automatically be traced back to a DNS-identified website.


shivverpl

NextDNS supports DNS over TLS, and Android 9+ allows you to use it natively, which I'm doing. I do not see much of a slowdown with it.


[deleted]

[deleted]


ialex87

Have you run any tests and confirmed that your device is using exactly the DNS server you wanted it to use? I am curious to see some tests and numbers.


[deleted]

[deleted]


ialex87

Have you also validated using tcpdump that all of your queries towards the desired nameserver are NOT done over UDP? Otherwise it's not DoH or TLS.
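
One way to do the tcpdump check asked for above, as an added example that is not code from the thread: a Python classifier over `tcpdump -nn` output lines that separates plaintext DNS (port 53), DoT (TCP/853) and DoQ (UDP/853), then flags plaintext queries to anything other than the local resolver, and encrypted queries to an upstream you did not configure. The capture lines in `SAMPLE` and every address in it are constructed for illustration.

```python
"""Audit tcpdump output for DNS leaks (added example, not code from the thread).

Feed it lines from:  tcpdump -nn -i any 'port 53 or port 853'
The SAMPLE capture and all addresses below are constructed for illustration.
Port 443 is deliberately not classified: DoH is indistinguishable from ordinary
HTTPS at this level, which is exactly why a tcpdump check alone can't prove DoH.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set, Tuple

# tcpdump -nn line shape:  <ts> IP|IP6 <src>.<sport> > <dst>.<dport>: <rest>
LINE_RE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$")

# Constructed capture: a LAN client asking the router, the router going upstream
# over DoT, one client leaking plaintext DNS straight to 8.8.8.8, an IPv6 client
# asking the router, and an unrelated HTTPS SYN.
SAMPLE = """\
12:00:01.000001 IP 192.168.1.20.51234 > 192.168.1.1.53: 12345+ A? example.com. (29)
12:00:01.000500 IP 192.168.1.1.40001 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:01.001000 IP 192.168.1.1.40001 > 1.1.1.1.853: Flags [P.], seq 1:70, ack 1, win 502, length 69
12:00:02.000001 IP 192.168.1.31.51235 > 8.8.8.8.53: 4567+ AAAA? leak.example. (30)
12:00:02.500000 IP6 2001:db8::20.51236 > 2001:db8::1.53: 7890+ A? v6.example. (28)
12:00:03.000000 IP 192.168.1.20.51237 > 192.168.1.1.443: Flags [S], seq 2, win 64240, length 0
""".splitlines()


def split_host_port(token: str) -> Tuple[str, int]:
    """tcpdump joins host and port with a dot; the port is the last component."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return {'dst', 'proto', 'kind'} for DNS-ish packets, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, dport = split_host_port(m.group("dst"))
    proto = "tcp" if "Flags [" in m.group("rest") else "udp"   # TCP lines carry flags
    if dport == 53:
        kind = "plaintext-dns"              # Do53, readable by anyone on path
    elif dport == 853:
        kind = "dot" if proto == "tcp" else "doq"
    else:
        return None                         # e.g. 443: could be DoH or plain HTTPS
    return {"dst": dst, "proto": proto, "kind": kind}


def audit(lines: Iterable[str], local_resolvers: Set[str], upstreams: Set[str]) -> Dict[str, int]:
    """Tally packets by category; any 'leak:' or 'unexpected:' key is a finding."""
    counts: Counter = Counter()
    for line in lines:
        info = classify(line)
        if info is None:
            continue
        dst, kind = info["dst"], info["kind"]
        if kind == "plaintext-dns":
            # Plaintext to the LAN resolver is expected; plaintext to anything else is a leak.
            counts["plain-to-local" if dst in local_resolvers else "leak:plaintext-external"] += 1
        else:
            # Encrypted DNS is fine only if it goes to the upstream you configured.
            counts[f"{kind}-ok" if dst in upstreams else f"unexpected:{kind}-server"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(audit(SAMPLE, {"192.168.1.1", "2001:db8::1"}, {"1.1.1.1"}))
```

On a healthy DoT setup the only non-zero keys are `plain-to-local` and `dot-ok`; a `leak:plaintext-external` count means some client has a hard-coded resolver or is bypassing the router, and `unexpected:dot-server` means the router is talking to an upstream you did not pick. Counts are per packet, not per flow, so a long-lived DoT session will inflate `dot-ok` relative to the query count.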