Host Your Own Encrypted DNS Server
ฝัง
- เผยแพร่เมื่อ 27 ธ.ค. 2023
- In this video I teach you how to Host your own Encrypted DNS (DoH) server on a Vultr VPS
Use my affiliate link to get yourself a Vultr VPS, please and thank you
www.vultr.com/?ref=8791233
My merch is available at
based.win/
Subscribe to me on Odysee.com
odysee.com/@AlphaNerd:8
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF - วิทยาศาสตร์และเทคโนโลยี
Use this link to get yourself a Vultr VPS
www.vultr.com/?ref=8791233
Use this link to get the little daemon T shirt (also available in long sleeve, pullover hoodie, and ladies shirts)
based.win/product/little-daemon-premium-short-sleeve-t-shirt/
Why you say private then sellout
Do you recommend a specific VPS from vultr or elsewhere?
Got any tips for mitigating BGP attacks?
Why are you being racist towards indians?
You are so freaking racist dude, you should delete the thumbnail goofball🤡🤡
Blink 2 times if you're ok. 3 times if the NSA is holding you hostage
Don't worry he is hiding near police station
Bro is off-grid...
njp, keep posting this comment on future videos. Also ask in livestreams
It's blinking like a Christmas tree
@@Abhinav_Nayana_Sailenbro is a deep fake
Love the Windows XP style theme! Also, yet another high quality video from you, thanks for being awesome man!
Love your channel man! We need people like you who care about privacy and freedom in this crazy digital world!
naomi brockwell, louis rossmann
Hes a grown man wearing a child like cartoon t shirt trying to stay anonymous on the Internet because he's probably half a sex offender. Half the people on this channel are either software pirates (myself) or an even worse kind of criminal. Wrap your mind around it
Another great deepfake👏
The deepfake tech just keeps getting better
@@MentalOutlawbased indeed 🙌
What?
@@maindepth8830he is AI
is his real face
Merry christmas Kenny, and hopefully a happy new year :^)
Thanks merry Christmas and happy new year to you too!
My limited understanding with DNS is that when one does a recursive DNS query, the queried DNS server needs to check the root server first, which eventually tells the DNS server what IP it is searching for. If this is hosted locally, only the local connection to the queried DNS server would be protected by DoH, and the DNS server making the actual query would be in plaintext still. Wouldn't it be actually worse than using a VPS, if you consider the ISP as a bad actor in the proposed threat model, since they can just read the outgoing traffic of the DNS server?
yes, it's worse than a VPS.
I think it's pretty silly as well
Not sure if is possible with Bind9. But I am using AdguardHome as my local DNS and I set the upstream DNS server as Cloudflare's DOH.
I noticed a small hit in response times for uncached requests, but other than that. All good!
So, in theory, the whole DNS request is encrypted - At least till it reaches Cloudflare.
And of course, blocking trackers and other nasty stuff through DNS blocklists is a very pleasant added bonus.
Yeah hosting it locally would be stupid.
I’d only host this locally if you have a script to do dns requests for random domains constantly, similar to trackmenot
Merry TLS 1.3 Christmas Mental Outlaw and have a happy DNSSEC New Year!! :D
The limit I see to privacy in this setup is it still depends on upstream DNS, and your private server may still be traced to you. To improve this you need your private DNS open for wider use, hence ambiguity of who is requesting a lookup.
I just break in to my neighbors house and use his computer. A few weeks ago, his wife left him due to his apparent affinity for ladyboys. I didn't know he was in to that as well. Him and I should hang out more.
his server is open and publicly available. but do you trust kenny?
thank you for taking time off playing for the boston celtics to bring us this video
I havent even watched the video yet... just logged in to give it an instant LIKE and thank you Kenny for always having our back. In a world where Governments and large Companies want to invade and completely STRIP us of everything when it comes to privacy... I truely hope for the new year 2024, a voice like your will continue be a light for us non-tech-savy to ensure that our privacy is protected and not SOLD or invaded. I wish you a happy New Year in advance🌹🤝 🌹 All the best. PS: I WISH there was a way to DM you regarding something... do hint me in the right direction if possible.
lol, hes given you more then you need. you really want to talk to him cough up the money. everyone of those situations has room for notes and messages. oooo, you just want more free? hes busy.
I actually wanted to do this for some time now. Perfect timing that you made that video
I've been thinking about this lately... good timing :)
Not just privacy but also speed when held locally.
Add you frequently visited sites to your local hosts file for snappier surfing.
Thanks for thr tutorial and its certainly a step that I plan to take with my network. My problem is that i want to keep tabs on all dns traffic and having DoH client-side is not ideal for that. Hopefully you or some forum guru will come out with an easy to follow guide for local recursive secure DNS when communicating with the outside world.
Important thing to note!
You should not run a UDP based DNS Server publicly accessible.
This can be used for DNS amplification attacks. Either move your DNS to a VPN (with headscale for example) or only allow HTTPS requests.
Happy Holidays, and upcoming new year, MentalOutlaw.
Just learned about DNS leaks today! On an unrelated note, u should drop a tutorial on removing rogue-deepfake AIs from my walls
putting your recursive nameserver locally will NOT solve the DNS-information leak, because at the moment still all DNS-requests done recursive nameservers are still NOT encrypted. Sadly.
Perfect, I was planning on doing this for a few apps I wanted to deploy across a few machines
Great video as always. If only DNS was real.
This video is very timely, thanks, sir
There are some things it makes sense to host yourself but recursive DNS isn't one of them, you're isolating your queries to a single VPS in the cloud with no upstream anonymity. You're much better off using an on-premise DNS cache/filter like Adguard/Pihole and configuring it to use a privacy aware upstream DNS service like Quad9, over DoH of course. Route your queries over Mullvad if you're extra paranoid but that's overkill and not necessary for 99% of threat models.
Pretty much. Adguard and Quad9 are exactly what i was going to mention
Really good comment! +1
Your are best thanks for information and everything you do in the community.
I personnaly use Technitium DNS, and I like it very much. It's an authorative/recursive DNS, and it also can block ads.
When I set up an OPNsense router, I configured the firewall to capture all NTP and DNS requests, and I configured Unbound to serve DNS and to do DNS-over-TLS to Quad9, and I configured Chrony to serve NTP and to do NTPSec to System76.
This came at the perfect time for my project
Excellent video 👍 Thank you 💜
Technitium DNS is another nice option, particularly if you want a GUI. It also has adblock capabilities, and can do DNS wildcard, which is helpful for self hosted applications.
So it’s the most private DNS setup, even though the DNS server can be identified as yours, it talks to other DNS servers in the clear (because that’s how top-level DNS works), and you’re the only person/family using it.
you can use his server if you want
One day when I finally will understand how computers work your videos will be very helpful to me. Too bad I know jackshit atm. Keep up the good work!
good videos buddy - keep it up
Awesome! Thank you!
I love how DNS-over-https is: Doh!
Wow, not only a full time NBA player on the best team in the league, but you run a successful hacking TH-cam channel as well? Inspirational man
04:50 I was bloody jamming to that music. Why did it have to stop. I want to live my life with that soundtrack running.
ECH is really good if you're using TLS cipher suite based virtual host.
Hope you'll do an update when all the features you mentioned (secure hello etc) are available. Thanks
Mental, your are one of my favourite ytbers to love and hate at the same time. One day i will start paying proper attention to your videos teachings.
Props for the arcade music :D
Intresting! ...thanks
Mental Outlaw is a white guy from Boston.
Insane thumbnail well done
4:31 feeling the groove on that music!
@@Kuznet609 Thanks 😊!
The net provider can still see and log the raw IP on all the packets you send; at that point reverse DNS is a pretty trivial way to get those URL logs.
i didn't know jayson tatum knew about DNS servers
Also combine it with pihole to have the ultimate DNS server
number one thing you learn about DNS in networks is that its configuration has to be by IP, otherwise you have a "Chicken first or the egg" problem
not really, as the root servers are known ahead of time, and usually hardcoded into an app, so you can do your own recursion
How do you not have a handle?
Can I ask what server software you use for your Linode email server?....I was thinking of using Axigen, but am looking for advice. Thanks
I plan on this big fan 🎉🎉🎉
The fact that I was trying to do this on the router without any success
Doing this on a router would be interesting, might be possible with dnsmasq on OpenWRT
@@MentalOutlaw openwrt has unbound
@@MentalOutlawthis is possibile with Unbound package for OpenWRT.
Literally just got finished setting a DNS server up 🙃
personally i don't use dns and i just memorize the ip, but this is cool!
Other than making your network faster does this really add anything. I mean DNS list are pubic and are used to associate URLs to IPs, using your own DNS server or someone else does not stop your ISP or anyone from seeing the IPs of the websites you are visiting and if they can see that they can do a reverse DNS search to fined what website URL you are going to. Am I right about this?
Thanks drake
I don't understand what this is for, or how it works. You eventually need to get the data from somewhere, and you usually want the current data, so you have to regularly ask the TLD providers or the domain owners (or someone else who asked them before, like Google or Cloudflare) for that. You can cache the data for a while, but I thought, that is already been done automatically by your software (maybe the OS?), since every DNS entry has a Time To Live information.
Or is this only for people who want to offer a DNS service for other people?
Holy shit that thumbnail what the fuck
Man, now I feel like I see him in a different (negative) light lol
He's a frustrated mental incel.
@@omkarnaik6305his whitecel ass tryna cope in every way possible it seems
@@hydr0xx_ cry harder scammer
@@ihate4chan he is a salty chicken man
OMG...this really work
Man I didn't even know this would be possible in a usability sense
20:29 Add domain to host file.
using a wildcard certificate would have been more private, especially given your DNS queries wouldn't be collected and sold, so ideally no one would know that domain even exists
😂 thumbnails are A1
What software are you using for your email server?
I don’t have much knowledge of DNS, and how the internet works in general, so my question is whats the difference between this and pihole + unbound?
kenny pls make more farm and lifting videos
also pls put the libre podcast somewhere where it's easy to stream
checkout my farming channel www.youtube.com/@TheBasedFarm
@@MentalOutlaw based joel salatin
Based tech drake
how much does it cost to run email and DNS off VPS ? Wouldnt want to do that with EC2 that is for sure. There is Vultr freebsd also. I moved to serverless as I dont have time to manage vps and security.,
Some questions:
Did Secure SNI got added?
If SSNI hasn't been added is it a big disadvantage, can the ISP or Big Tech your traffic without SSNI?
i never knew that Jayson Tatum also teach on how to host our own dns server
thanks
Huh, I haven't experienced any smtp port issues with vultr so far, they were open by default (Europe, though, not US).
awesome vid
is there a written guide?
Would Technitium DNS Server be a good option for a local DNS server? I've had it running for a few weeks, and doing the same DNS tests gives the same results as in your video, but it is 1 click setup with a web interface. It does appear to also be open source.
I've used Stubby and personalDNSfilter before as a Windows user and just found Technitium. Seems a lot more polished and feature rich.
If someone have no knowledge of online privacy/security,
password and sensetive information management.
Where should he start?
And Do you recommend to learn how to use Linux and get rid of Windows?
Nice Tee shirt. ;*=[}
Man, this is so over my head these days....
One of the problems of being standalone solar power is that this time of year one has to run a generator to charge the batteries, and THAT presupposes having money for gas at $5.00/gallon (yes - up here in NoCal Ecotopia Earth First gas is the sale price as Anchorage or Honolulu...from what I've heard people back east pay as little as $2.50! )
[muffled sobbing in the BG] Don't even ask about food prices....OTOH, it was 50'F today....not sunny but not raining...a few days before New Year's.
But don't even ask about internet - no Starlink = no real web (miraculously there's a trace of mobile which allows me to occasionally see TH-cams like this one...it makes dialup look good in retrospect!)
Another message in a bottle launched into the heaving Sea of Packets....Happy Gnu Year!
I love u mental outlaw
Hey Kenny, how would I start my own ISP?
Is the host free service and is there easy way to backup with out doing it from scratch?
what was the song being played around the beginning?
04:09 This looked like straight from the hacking time scene of Kung Fury (and I mean it as a positive thing). 😁
I host adguard home on my raspberry pi with encrypted dns it's great
You can't add a DNS name as a DNS server, how would it know how to resolve it?
Hi, what version of bind9 you had, I have an issue here:
BIND 9.16.44-Debian (Extended Support Version)
root@dns:/etc/bind# nano /etc/bind/named.conf.options
/etc/bind/named.conf.options:1: unknown option 'tls'
/etc/bind/named.conf.options:5: unknown option 'http'
/etc/bind/named.conf.options:13: unknown option 'http-port'
/etc/bind/named.conf.options:14: unknown option 'https-port'
/etc/bind/named.conf.options:19: '{' expected near 'tls'
Any suggestions?
Thanks
おはようございます
Is this different than the dns caching on a edgerouter? Forgive my ignorance
Any issues using DNS over TLS? Should I switch?
Always done something like this, DOT or DOH at least.
Hilarious FreeBSD t shirt
Who makes your thumbnails ?
21:45 "it's a trap!" lol
Doesn't your own DNS server still need to look up addresses to nameservers? At least they wouldnt have records each time you visit a site, but they'll still have record of you looking it up occassionally as your DNS server refreshes its cache
finally!!!!!!!!!!!!!!!
Dont forward dns servers keep records of responses?
Bro what is that Indian character? Literally a mix of all the completely different stereotypes. 😂
Awesome
vegain gains
should make a Nix Flake for this...
I'm using a raspi with pihole and unbound... Don't think it's encrypted tho but I definitely am more secure
DNS Cacheing will not speed anything up since 1) Caching will occur locally on your machine anyway. No need to cache anything on another DNS server. If your computer looks up the A record for google it will not ask again until the TTL expires. or you reboot your machine. 2) Today, Most DNS records have a TTL of around 5 minutes, so you will have to ask the authoritative DNS server again anyway after the TTL expires.
It was super annoying when Firefox ripped out ESNI support when literally nobody in the world was using ECH, hope ECH gets implemented soon