Why not use IP numbers instead of DNS?

For discussions about security.
purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

Why not use IP numbers instead of DNS?

#1 Post by purple379 »

What is wrong with keeping a text file of the IP numbers of websites I frequently go to, instead of using a name and a DNS?

Perhaps add a little program to inquire of several DNS servers simultaneously - what the IP number is for a website?

While I am asking questions. Does CloudFlare offer an encrypted DNS? Any reason not to trust CloudFlare?

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: Using IP numbers instead of DNS?

#2 Post by belham2 »

purple379 wrote:What is wrong with keeping a text file of the IP numbers of websites I frequently go to, instead of using a name and a DNS?

Perhaps add a little program to inquire of several DNS servers simultaneously - what the IP number is for a website?

While I am asking questions. Does CloudFlare offer an encrypted DNS? Any reason not to trust CloudFlare?

I like this idea, purple.

But what has always confused me is this: let's use a simple example:

if you open a puppy, or ddog, or fatdog (or heck, any linux OS), and you open a browser to a blank page, if you type in a known website IP number (that you know to be good and valid), does your browser still communicate with your ISP's DNS server that is entered into your ISP-facing modem/router---despite the fact you typed in an IP number into your browser??? I've heard that no matter if we enter IP numbers, DNS Servers still get involved in sending our browsers to that IP address we specified/entered into our browsers.

Or does simply entering a website IP number in your browser bypass whatever is entered in your ISP modem and/or router-DNS list and/or your network setup inside your OS, & thus allows you to know in confidence that you are heading to your specified-intended IP address and bypassing the back-and-forth handoff of DNS Servers??


I wish someone could answer this clearly for me, because I have heard all sorts of arguments on both sides of the tracks from so-called experts. I would really like to know with 100% assurance that there is a way to bypass all DNS Servers when one is operating a browser inside their chosen OS.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#3 Post by 8Geee »

I can't directly answer the question, but there are domains that require a direct connection. In the browser address-bar this requirement has a green header to the left.

As a test enter this domain random.org

My FF27 indicates a green header to the left side.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

upnorth
Posts: 287
Joined: Mon 11 Jan 2010, 19:32
Location: Wisconsin UTC-6 (-5 DST)

#4 Post by upnorth »

@purple379
Cloudflare supports both dns over tls and dns over https.

Firefox 60 or above is easy to set up using about:config for dns over https (doH)
https://www.ghacks.net/2018/04/02/confi ... n-firefox/

For those with dnscrypt-proxy see toward bottom of this page:
https://developers.cloudflare.com/1.1.1 ... red-proxy/

ADDED 20181110: alternative publicly available servers for doH, including quad9 and google:
https://github.com/curl/curl/wiki/DNS-o ... le-servers

20190101: SNI encryption now available on ff64 via
network.security.esni.enabled;true
(when doH is enabled)

test page: https://www.cloudflare.com/ssl/encrypted-sni/
Last edited by upnorth on Wed 02 Jan 2019, 02:05, edited 2 times in total.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#5 Post by s243a »

I wouldn't trust Cloudflare. If you want good DNS security then use DNSCrypt with a DNS caching program.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#6 Post by belham2 »

s243a wrote:I wouldn't trust Cloudflare. If you want good DNS security then use DNSCrypt with a DNS caching program.
DNSCrypt lost itself, for good reasons (it was found to have known problems that cannot be fixed given how the code is currently written & implemented). No upkeep, no longer working, it's not viable, period.

For many years I used DNSCrypt (with a DNS Caching) until they just up and left things go like they did. That gave me no confidence in them at all, despite the fact they've tried to get it going again.

DNS-over-TLS is better. Heck, it is even what DNSCrypt founders have said people should migrate to. If I recall correctly, even DNSCrypt-proxy's founder said to go this route. More and more, DNS services are now compatible with DNS-over-TLS.


But still none of this answers the basic question I asked in the 2nd post of this thread, and it is the question that hangs over all of this and everything. Can DNS Servers (whosever they are, even if you've set up your own) be bypassed by sticking to the simple formula of:

1) choose your OS
2) have your browser open itself to a blank page
3) enter an IP number and not a www address

....and thus the canary: does the browser completely bypass any & all DNS Servers when you click to head to that IP address? Many online gurus say yes, many online gurus say no (that even IP numbers will pass through whosever DNS Servers/Caches you are using, including your own if you set your own DNS Server up).


Until this question can be answered with 100% verification, we are just twisting in the wind about anything we do and/or set up with DNS.
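The three-step test described above can be checked without a browser, in an added example that is not from the thread: the OS resolver library only performs a lookup when the host is a name; an IP literal is parsed locally, so no resolver (the ISP's, Google's, or your own) receives a query for it, and browsers treat IP literals in the address bar the same way. What every hop, the ISP included, still sees is the destination IP in each packet it forwards. The address 45.33.15.200 is the forum address quoted later in this thread; port 80 is an arbitrary placeholder for `getaddrinfo`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def address_bar_host(entry):
    """Pull the host out of what was typed in the address bar.  A bare entry
    like '45.33.15.200/puppy/' gets a scheme prepended, as browsers do,
    so that urlsplit can find the host part."""
    if "://" not in entry:
        entry = "http://" + entry
    host = urlsplit(entry).hostname
    if host is None:
        raise ValueError("no host in %r" % entry)
    return host

def needs_dns(entry):
    """True if the host is a name that must go through the resolver
    (hosts file first, then DNS); False if it is an IP literal parsed locally."""
    try:
        ipaddress.ip_address(address_bar_host(entry))
        return False
    except ValueError:
        return True

def resolve_without_dns(host):
    """Resolve `host` with AI_NUMERICHOST, which forbids any name lookup:
    an IP literal comes straight back; a hostname raises socket.gaierror
    without a single packet being sent to any DNS server."""
    info = socket.getaddrinfo(host, 80, socket.AF_UNSPEC, socket.SOCK_STREAM,
                              0, socket.AI_NUMERICHOST)
    return sorted({entry[4][0] for entry in info})

if __name__ == "__main__":
    for typed in ("45.33.15.200/puppy/", "www.murga-linux.com/puppy/"):
        print(typed, "-> needs a name lookup:", needs_dns(typed))
    print("parsed locally:", resolve_without_dns("45.33.15.200"))
```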

upnorth
Posts: 287
Joined: Mon 11 Jan 2010, 19:32
Location: Wisconsin UTC-6 (-5 DST)

Firefox TRR caveats

#7 Post by upnorth »

"Caveats

TRR doesn't read or care about /etc/hosts
In TRR-only mode, you might end up "held hostage" if you start up Firefox while behind a captive portal
There's no way to exclude or white list specific domains"


The bypassing of /etc/hosts is a very important
consideration for those that rely on it to block sites, and its other uses.
ublock origin can easily overcome the blocking part, though.

from the main author of trr mode on firefox:
https://www.tuicool.com/articles/V77j2yN

20190101: SNI encryption now available on ff64 via
network.security.esni.enabled;true
(when doH is enabled)

test page: https://www.cloudflare.com/ssl/encrypted-sni/
Last edited by upnorth on Wed 02 Jan 2019, 02:09, edited 1 time in total.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

Re: Using IP numbers instead of DNS?

#8 Post by Flash »

belham2 wrote:But what has always confused me is this: let's use a simple example:

if you open a puppy, or ddog, or fatdog (or heck, any linux OS), and you open a browser to a blank page, if you type in a known website IP number (that you know to be good and valid), does your browser still communicate with your ISP's DNS server that is entered into your ISP-facing modem/router---despite the fact you typed in an IP number into your browser??? I've heard that no matter if we enter IP numbers, DNS Servers still get involved in sending our browsers to that IP address we specified/entered into our browsers.

Or does simply entering a website IP number in your browser bypass whatever is entered in your ISP modem and/or router-DNS list and/or your network setup inside your OS, & thus allows you to know in confidence that you are heading to your specified-intended IP address and bypassing the back-and-forth handoff of DNS Servers??
Good question. I know nothing about the subject, so I'll just shoot from the hip here. Would traceroute or something like it work to tell if entering the IP address bypasses the DNS server? In other words, is the route different when you enter the URL instead of the actual IP address?

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

Old experience.

#9 Post by purple379 »

When OpenDNS was getting started, before it was bought by Cisco, I used that setting on my home computer connection. IP numbers were returned noticeably faster than using Google DNS 8.8.8.8 or letting the default of the ISP DNS give the IP address back. So obviously then it was not going through another DNS check.

I can guess that it is possible, for an ISP or a motel to capture the entire connection. For using a VPN, from say a hotel connection, we are guessing the encryption of the VPN is sufficient to warn of a "man in the middle attack." If I was in China or Iran, maybe the encryption would not be sufficient.

I say this with the belief that a VPN or Tor use their own DNS addresses. Else they would not be so very useful.

I have a Firefox addon IP from DNSlytics, which shows interesting information, but I really do not know if it is accurate.

Might be interesting to have a webpage of my own, somewhere, that I always used as my first hop, and then that webpage give me traceback information.

I am guessing someone could tell me how that could easily not give me accurate info back.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

Re: Old experience.

#10 Post by s243a »

purple379 wrote:When OpenDNS was getting started, before it was bought by Cisco, I used that setting on my home computer connection. IP numbers were returned noticeably faster than using Google DNS 8.8.8.8 or letting the default of the ISP DNS give the IP address back. So obviously then it was not going through another DNS check.

I can guess that it is possible, for an ISP or a motel to capture the entire connection. For using a VPN, from say a hotel connection, we are guessing the encryption of the VPN is sufficient to warn of a "man in the middle attack." If I was in China or Iran, maybe the encryption would not be sufficient.

I say this with the belief that a VPN or Tor use their own DNS addresses. Else they would not be so very useful.

I have a Firefox addon IP from DNSlytics, which shows interesting information, but I really do not know if it is accurate.

Might be interesting to have a webpage of my own, somewhere, that I always used as my first hop, and then that webpage give me traceback information.

I am guessing someone could tell me how that could easily not give me accurate info back.
Many VPNs use their own DNS server, but with tor it depends on whether or not the exit node runs a DNS server, and keep in mind that many tor exit nodes are owned by government agencies. There are VPNs that you can connect to with a tor onion service. This way the VPN doesn't know who you are and you are not dependent on the tor exit node for DNS information.

https://www.reddit.com/r/TOR/comments/9 ... s_tor_use/

As for connecting to a VPN there are VPNs that you can connect to via SSH. This means that a government agency couldn't pressure a certificate authority to sign a fake certificate for them so that they could man-in-the-middle you.

Edit: Some VPNs that you can connect to as a tor Onion service are:

1. Anonymous VPN - murga-linux.com, onion site, onion site


Or as an alternative to connecting to a VPN over tor one can connect over i2p. However, i2p addresses, while more secure than tor, aren't as fast. Here are some VPNs that one can connect to over i2p.

1. Fossmint - murga-linux.com, fossmint.com, opensource.com (note: I think this is only a tool to set up your own VPN over i2p, but there should be commercial services based on it.)

Other VPNs can be used in conjunction with tor but maybe not as a VPN. For example:

1. PIA VPN - suggested by Anastasis on the Facebook Termux Community.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#11 Post by belham2 »

So, officially, is it best to say that there is---currently---no way to know, as what Flash wrote above:

"is the route different when you enter the URL instead of the actual IP address?"

I cannot figure out if my ISP is directing my browser to murga here (using the IP number in the browser instead of www) using their DNS Servers. Even when I change/remove their DNS Servers out of my router & computer, and stick in Google's DNS Servers, I cannot tell if the browser is FIRST passing through Google's servers after I've entered murga's IP number and not its www.

Dang....it sure seems in today's age we could know this little fact. I get the feeling even if we use IP numbers, our browser's destination is STILL getting logged by DNS Servers no matter if you arrive at that DNS Server with an IP address already in your browser.

Hope I am wrong....or just not understanding things clearly here :?

Doesn't peer-to-peer go straight from one computer to another while bypassing any and all DNS Servers? Hard to remember from the days (years ago) of when I experimented with torrents and everything related to them.

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

VPN Secure?

#12 Post by purple379 »

As some of the posters on this forum suggest, a VPN does not offer security. Many of the VPNs require one to register, or pay.

TAILS says they do not recommend the use of a VPN as no one can be sure of how it works in practice, even if the VPN owner says no data on users kept. Suggesting only using Tor, but "end to end encryption" to keep one safe. I have my suspicions about how much the NSA may have a lot of Tor nodes in its pocket, whether by owning them, or owning the first hop out of many Tor Node. (which is not a lot by itself, but.) Then again, I would have to guess no one can beat the NSA anyway.

Being one of millions does not give anonymity, given the accuracy of the NSA Computers/Servers keeping information, and being able to relate one thing to another.


A VPN could be in the control of an actor I would not agree with.

I don't have answers. Like a lot of privacy/security computer topics, it just leads to more perplexities, and puzzles.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#13 Post by Flash »

Belham2, I see that Puppy has traceroute. I've never used it. It seems like it might tell us what we want to know. Here's a YouTube video describing traceroute and how to use it. How do I find the forum's IP address?

Right here, the guy seems to say that R1 (his name for the first server the packet hits) is the DNS server. I can't really tell because he talks too fast.

This guy definitely implies here that the DNS server is not called into play unless you use a host name instead of an IP address.
Last edited by Flash on Mon 12 Nov 2018, 18:35, edited 1 time in total.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

Re: VPN Secure?

#14 Post by s243a »

purple379 wrote:As some of the posters on this forum suggest, a VPN does not offer security. Many of the VPNs require one to register, or pay.

TAILS says they do not recommend the use of a VPN as no one can be sure of how it works in practice, even if the VPN owner says no data on users kept. Suggesting only using Tor, but "end to end encryption" to keep one safe. I have my suspicions about how much the NSA may have a lot of Tor nodes in its pocket, whether by owning them, or owning the first hop out of many Tor Node. (which is not a lot by itself, but.) Then again, I would have to guess no one can beat the NSA anyway.

Being one of millions does not give anonymity, given the accuracy of the NSA Computers/Servers keeping information, and being able to relate one thing to another.


A VPN could be in the control of an actor I would not agree with.

I don't have answers. Like a lot of privacy/security computer topics, it just leads to more perplexities, and puzzles.
If you only connect to the VPN via tor and pay for the VPN via bitcoin then the VPN does not know who you are. Using a VPN after tor helps keep sites that you visit from identifying you as a tor user. This will prevent any special treatment of your traffic: ex. annoying captchas, security measures or possibly special logging/tracking measures.

Also, since the traffic between you and the VPN through tor is encrypted, it will be very difficult for an exit node to eavesdrop on your communications even if you use an unencrypted protocol such as HTTP.

Also, yes. If you want a good VPN then you will probably have to pay, because otherwise they will have little incentive to resist efforts by government to get information about your traffic. The only exception might be a VPN run by activists like riseup.net, but governments are always trying to infiltrate/compromise such activist groups. Besides, I couldn't figure out how to get an account at riseup.net. I think I need an invite, which I don't have.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#15 Post by Flash »

I found the forum's IP address is 45.33.15.200 by using ping:

ping murga-linux.com
Apparently ping continued to send pinging packets about one per second until I closed the console window. Does that sound right? How else can I stop it?

Edit: I found out I needed to tell ping how many times to do its thing by adding -c plus the number of times to ping:

ping murga-linux.com -c 1
Last edited by Flash on Mon 12 Nov 2018, 19:28, edited 1 time in total.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#16 Post by belham2 »

Flash wrote:Belham2, I see that Puppy has traceroute. I've never used it. It seems like it might tell us what we want to know. Here's a YouTube video describing traceroute and how to use it. How do I find the forum's IP address?

Right here, the guy seems to say that R1 (his name for the first server the packet hits) is the DNS server. I can't really tell because he talks too fast.

This guy definitely implies here that the DNS server is not called into play unless you use a host name instead of an IP address.
Hi Flash,

Nice Youtube find!

This is what I used for "www.murga-linux.com": '45.33.15.200/puppy/'

(have to add the "/puppy" part as if you just do 45.33.15.200 it takes you to a single page with John saying 'puppy linux home is under construction..." haha :lol:

I used the WHOIS gang (Ultratools) to convert the www to an IP, they've always hit the nail on the head when I test the responses they give:

https://www.ultratools.com/tools/ipWhoisLookupResult


Since I am over here across the pond, I think the dang GDPR stuff gives all ISP providers here the right to snoop & save (for two years) every darn site I go to. I am not entirely convinced we can bypass a DNS Server even if we use IPs only in our browsers.

It'd be nice if that was the case, though. Gonna watch the YouTube several times and see if I can decipher what he is truly saying.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#17 Post by Flash »

Belham2, I think this video is more informative. If I understand all this correctly, even if you don't use a DNS server, you still must go through your ISP which has to be able to see the IP address in order to forward the packets onward to the forum's server. Your ISP and every other server along the line that traceroute finds. I don't see how you gain much security-wise by not using DNS.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#18 Post by s243a »

Flash wrote:Belham2, I think this video is more informative. If I understand all this correctly, even if you don't use a DNS server, you still must go through your ISP which has to be able to see the IP address in order to forward the packets onward to the forum's server. Your ISP and every other server along the line that traceroute finds. I don't see how you gain much security-wise by not using DNS.
Some websites are blocked by DNS servers. Also, a DNS server can help man-in-the-middle someone, especially if the site isn't using TLS (aka HTTPS). Finally, a DNS server is just one more actor that could log someone's network activity. One wants to be especially careful about DNS leaks if they are using something like tor.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#19 Post by belham2 »

Flash wrote:Belham2, I think this video is more informative. If I understand all this correctly, even if you don't use a DNS server, you still must go through your ISP which has to be able to see the IP address in order to forward the packets onward to the forum's server. Your ISP and every other server along the line that traceroute finds. I don't see how you gain much security-wise by not using DNS.
Flash & s243a,

What do you guys think or make of this?:

https://www.securityweek.com/new-cloudf ... le-devices

The sentence that caught my eye was "....The 1.1.1.1 service is meant to provide users with increased privacy by preventing Internet Service Providers from seeing which websites a user accesses."

If our ISPs (outside of a VPN, of course) have to be able to see where we want to go---by reading either the www or the IP number---how can Cloudflare make this claim? What's true for mobile is true for us, right?

This (the example with Cloudflare) is why I get so dam# confused with this DNS stuff and how routing actually takes place from our computers to the final destination. And it is entirely possible I am just susceptible to marketing hyperbole from all these Net-related companies :?

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#20 Post by s243a »

belham2 wrote:
Flash wrote:Belham2, I think this video is more informative. If I understand all this correctly, even if you don't use a DNS server, you still must go through your ISP which has to be able to see the IP address in order to forward the packets onward to the forum's server. Your ISP and every other server along the line that traceroute finds. I don't see how you gain much security-wise by not using DNS.
Flash & s243a,

What do you guys think or make of this?:

https://www.securityweek.com/new-cloudf ... le-devices

The sentence that caught my eye was "....The 1.1.1.1 service is meant to provide users with increased privacy by preventing Internet Service Providers from seeing which websites a user accesses."

If our ISPs (outside of a VPN, of course) have to be able to see where we want to go---by reading either the www or the IP number---how can Cloudflare make this claim? What's true for mobile is true for us, right?

This (the example with Cloudflare) is why I get so dam# confused with this DNS stuff and how routing actually takes place from our computers to the final destination. And it is entirely possible I am just susceptible to marketing hyperbole from all these Net-related companies :?
Cloudflare, MITMs (Man-In-The-Middles), TLS (i.e. HTTPS communication). Even if their intent is noble, the prize is too big for governments, and so governments will try hard to compromise them or pressure them for information.

This is why I liked DNSCrypt, there were many independent DNS providers that one could choose from. Centralizing key internet services like this into a few cloud providers makes the free exchange of information too easy to subvert.

That said, Cloudflare does provide cool services which might be helpful to a given individual, but for the internet as a whole such extreme centralization is very destructive!
