Why not use IP numbers instead of DNS?

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#16 Post by belham2 »

Flash wrote:Belham2, I see that Puppy has traceroute. I've never used it. It seems like it might tell us what we want to know. Here's a YouTube video describing traceroute and how to use it. How do I find the forum's IP address?

Right here, the guy seems to say that R1 (his name for the first server the packet hits) is the DNS server. I can't really tell because he talks too fast.

This guy definitely implies here that the DNS server is not called into play unless you use a host name instead of an IP address.
Hi Flash,

Nice Youtube find!

This is what I used for "www.murga-linux.com": '45.33.15.200/puppy/'

(have to add the "/puppy" part, as if you just do 45.33.15.200 it takes you to a single page with John saying 'puppy linux home is under construction...' haha :lol: )

I used the WHOIS gang (Ultratools) to convert the www to an IP, they've always hit the nail on the head when I test the responses they give:

https://www.ultratools.com/tools/ipWhoisLookupResult


Since I am over here across the pond, I think the dang GDPR stuff gives all ISP providers here the right to snoop & save (for two years) every darn site I go to. I am not entirely convinced we can bypass a DNS Server even if we use IPs only in our browsers.

It'd be nice if that was the case, though. Gonna watch the Youtube several times and see if I can decipher what he is truly saying.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#17 Post by Flash »

Belham2, I think this video is more informative. If I understand all this correctly, even if you don't use a DNS server, you still must go through your ISP which has to be able to see the IP address in order to forward the packets onward to the forum's server. Your ISP and every other server along the line that traceroute finds. I don't see how you gain much security-wise by not using DNS.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#18 Post by s243a »

Flash wrote:Belham2, I think this video is more informative. If I understand all this correctly, even if you don't use a DNS server, you still must go through your ISP which has to be able to see the IP address in order to forward the packets onward to the forum's server. Your ISP and every other server along the line that traceroute finds. I don't see how you gain much security-wise by not using DNS.
Some websites are blocked by DNS servers. Also a DNS server can help man-in-the-middle someone, especially if the site isn't using TLS (aka HTTPS). Finally a DNS server is just one more actor that could log someone's network activity. One wants to be especially careful about DNS leaks if they are using something like Tor.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#19 Post by belham2 »

Flash wrote:Belham2, I think this video is more informative. If I understand all this correctly, even if you don't use a DNS server, you still must go through your ISP which has to be able to see the IP address in order to forward the packets onward to the forum's server. Your ISP and every other server along the line that traceroute finds. I don't see how you gain much security-wise by not using DNS.
Flash & s243a,

What do you guys think or make of this?:

https://www.securityweek.com/new-cloudf ... le-devices

The sentence that caught my eye was "....The 1.1.1.1 service is meant to provide users with increased privacy by preventing Internet Service Providers from seeing which websites a user accesses."

If our ISPs (outside of a VPN, of course) have to be able to see where we want to go---by reading either the www or the IP number---how can Cloudflare make this claim? What's true for mobile is true for us, right?

This (the example with Cloudflare) is why I get so dam# confused with this DNS stuff and how routing actually takes place from our computers to the final destination. And it is entirely possible I am just susceptible to marketing hyperbole from all these Net-related companies :?

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#20 Post by s243a »

belham2 wrote:
Flash wrote:Belham2, I think this video is more informative. If I understand all this correctly, even if you don't use a DNS server, you still must go through your ISP which has to be able to see the IP address in order to forward the packets onward to the forum's server. Your ISP and every other server along the line that traceroute finds. I don't see how you gain much security-wise by not using DNS.
Flash & s243a,

What do you guys think or make of this?:

https://www.securityweek.com/new-cloudf ... le-devices

The sentence that caught my eye was "....The 1.1.1.1 service is meant to provide users with increased privacy by preventing Internet Service Providers from seeing which websites a user accesses."

If our ISPs (outside of a VPN, of course) have to be able to see where we want to go---by reading either the www or the IP number---how can Cloudflare make this claim? What's true for mobile is true for us, right?

This (the example with Cloudflare) is why I get so dam# confused with this DNS stuff and how routing actually takes place from our computers to the final destination. And it is entirely possible I am just susceptible to marketing hyperbole from all these Net-related companies :?
Cloudflare, MITMs (Man-In-The-Middles), TLS (i.e. HTTPS communication). Even if their intent is noble the prize is too big for governments, and so governments will try hard to compromise them or pressure them for information.

This is why I liked DNSCrypt, there were many independent DNS providers that one could choose from. Centralizing key internet services like this into a few cloud providers makes the free exchange of information too easy to subvert.

That said, Cloudflare does provide cool services which might be helpful to a given individual, but for the internet as a whole such extreme centralization is very destructive!

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

Firefox, any of you peruse the Firefox forums for info?

#21 Post by purple379 »

I would also be interested if one of those involved with Brave Browser have anything to say.

I will look at this a few days from now, but I lack the knowledge set some of you folks have to interpret what one is reading/ to look at the replies.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#22 Post by Flash »

S243a, it's hard to conclude anything from what I read about Cloudflare in the article belham2 linked to. I gather from it that what Cloudflare does is essentially provide an encrypted connection between its DNS server and your computer. Why that would help, I don't know. Your ISP and every other server along the traceroute path have got to be able to read the IP address of the packet's destination. Otherwise the packet never makes it.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#23 Post by rufwoof »

s243a wrote:
Flash wrote:Belham2, I think this video is more informative. If I understand all this correctly, even if you don't use a DNS server, you still must go through your ISP which has to be able to see the IP address in order to forward the packets onward to the forum's server. Your ISP and every other server along the line that traceroute finds. I don't see how you gain much security-wise by not using DNS.
Some websites are blocked by DNS servers. Also a DNS server can help man-in-the-middle someone, especially if the site isn't using TLS (aka HTTPS).
HTTP with redirects to HTTPS are considered the easier targets. But even pure HTTPS alone is more vulnerable than HTTPS with HSTS.

For larger ISPs, their top level routing table will map the entire internet, a collection of its own 'local' routings along with routings provided by other networks. Most likely reliable. As will be root DNS resolvers. The ISP however could be considered as a passive man-in-middle (mim), that gets to see/record your activities. When I ssh into a remote box and browse from there, my ISP only sees encrypted traffic to/from that remote ssh server and me, but I'm more exposed to harmful man in middle exploits. VPNs fall into that category (potentially greater risk of sharing your activities or even mis-routing your traffic).

It's a case of whether you're more concerned about local jurisdiction - your ISP knowing more about your activities, less inclined to induce harm, but potentially releasing private stuff to the state ... OR potential harmful man-in-middle due to using VPN/ssh, possibly via multiple hops across multiple jurisdictions that don't cooperate (which is slower also) - but where your ISP sees less detail (encrypted traffic between you and the first ssh server/VPN).

DNS resolution is a potential risk, reducing/eliminating a risk is obviously safer. Redirecting dns is one of the primary targets for any dark hat gaining access to a local network as that avoids having to penetrate into each individual PC/system and pwns the whole net (breach one, pwn many).
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#24 Post by rufwoof »

Flash wrote:S243a, it's hard to conclude anything from what I read about Cloudflare in the article belham2 linked to. I gather from it that what Cloudflare does is essentially provide an encrypted connection between its DNS server and your computer. Why that would help, I don't know. Your ISP and every other server along the traceroute path have got to be able to read the IP address of the packet's destination. Otherwise the packet never makes it.
An encrypted tunnel between you and a server will keep any communications within that private. Others, including your ISP, won't see what names you were asking to be converted to IPs, so won't be able to monitor your traffic/requests other than a secret link occurred between you and that DNS server. When you follow that up with traffic then yes the ISP sees that (so conceptually could deduce what was actually contained within the secret dns communication) ... unless you also tunnel that traffic. In which case the ISP only gets to see that you had secret links between a dns server and a ssh/vpn server (no sight of anything the other side of that). If instead you used an open DNS that the ISP could see what IP you were looking up, combined with subsequent 'secret' traffic, then the ISP could just access the same site and often deduce what was contained within the secret packets. You need both the DNS and the transport to be secret, otherwise the content of both can be deduced and given both plain text and encrypted text you can deduce the cipher easily/quickly.
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]
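
The difference discussed in posts #22 and #24, shown as an added example that is not part of the thread: a passive on-path party reads the queried name straight out of a plain DNS packet, learns nothing but the resolver's address from an encrypted lookup, and still sees the destination IP of the visit that follows. The traffic is constructed, not captured; DNS over TLS on port 853 is assumed as the encrypted transport, and the function names are made up for the example.

```python
import hashlib
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Plain DNS query in RFC 1035 wire format (RD flag set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_query_name(payload):
    """Return the queried name if payload is a well-formed plain DNS query, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (qd, an, ns) != (1, 0, 0):   # a response, or not a simple query
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:                                    # end of name; QTYPE/QCLASS must follow
            return ".".join(labels) if pos + 4 <= len(payload) else None
        if n > 63 or pos + n > len(payload):          # pointer byte or truncated label
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None

def observer_view(dst_ip, dst_port, payload):
    """What a passive on-path party (for example the ISP) learns from one packet."""
    return {"dst": (dst_ip, dst_port), "name": parse_query_name(payload)}

# Constructed sample traffic; the name and addresses are the ones quoted in the thread.
NAME = "www.murga-linux.com"
PLAIN = build_query(NAME)
# Stand-in for one TLS application-data record: a 5-byte record header followed by
# 64 hash bytes used as fake ciphertext (not real TLS output).
OPAQUE = b"\x17\x03\x03\x00\x40" + hashlib.sha512(b"constructed").digest()

def demo():
    return [
        observer_view("1.1.1.1", 53, PLAIN),          # plaintext lookup: name readable
        observer_view("1.1.1.1", 853, OPAQUE),        # encrypted lookup: only the resolver IP
        observer_view("45.33.15.200", 443, OPAQUE),   # the visit itself: destination IP visible
    ]

if __name__ == "__main__":
    for row in demo():
        print(row)
```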

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#25 Post by s243a »

rufwoof wrote:
Flash wrote:S243a, it's hard to conclude anything from what I read about Cloudflare in the article belham2 linked to. I gather from it that what Cloudflare does is essentially provide an encrypted connection between its DNS server and your computer. Why that would help, I don't know. Your ISP and every other server along the traceroute path have got to be able to read the IP address of the packet's destination. Otherwise the packet never makes it.
An encrypted tunnel between you and a server will keep any communications within that private. Others, including your ISP, won't see what names you were asking to be converted to IPs, so won't be able to monitor your traffic/requests other than a secret link occurred between you and that DNS server. When you follow that up with traffic then yes the ISP sees that (so conceptually could deduce what was actually contained within the secret dns communication) ... unless you also tunnel that traffic. In which case the ISP only gets to see that you had secret links between a dns server and a ssh/vpn server (no sight of anything the other side of that). If instead you used an open DNS that the ISP could see what IP you were looking up, combined with subsequent 'secret' traffic, then the ISP could just access the same site and often deduce what was contained within the secret packets. You need both the DNS and the transport to be secret, otherwise the content of both can be deduced and given both plain text and encrypted text you can deduce the cipher easily/quickly.
And if one uses a good VPN it will have its own DNS services as part of the VPN. This will negate the need for Cloudflare's service. This is good because it reduces the number of parties that could potentially spy on you by 1/2.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#26 Post by 8Geee »

Flash, I think you've got it... Mr. ISP knows all and tells all. In the USA this essentially means Mr. ISP can insert ads, flag your news topics, and know your business. In a word, monetize. Of course there's an even darker 3rd-party aspect to all that knowledge.

As I have already opined before elsewhere here... The Government hates people that keep a secret, but the government keeps secrets from people every day.

FWIW
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#27 Post by rufwoof »

The Government hates people that keep a secret, but the government keeps secrets from people every day.
... but likes people to feel they are secure.

Internet encryption is predominately based on a mathematical calculation that is easy in one direction, difficult in the other. With a private key the calculation is simple, with a public key the calculation is difficult. And where that calculation process is extended as processing power increases, ideally to where even state-owned supercomputer clusters take too long to reasonably calculate. Snowden however revealed how Intel preferred their users to use the internal, un-auditable random number generator. Where a pseudo random is even partially predictable so the processing time to make the difficult calculation can fall right down. And where the NSA had influence in that to the extent that the US and British are able to crack those difficult calculations relatively quickly/easily. Hack the random number generator and for instance assign a fixed seed and in effect the same apparently random sequence might be repeatedly produced ... as good as using a random key comprised of all zeros ... useless.

Fundamentally it could mean that weak/insecure systems could be compromised in a manner such that apparently secure/encrypted communications are as good as being open text. More likely from the Intel/Windows perspective (nix's have been more careful about pseudo random number generation). Running as root! Not so good as even just a brief single browser flaw could much more easily result in all private keys being exposed (and hence access to all past encrypted traffic, and/or the likes of rand being 'tweaked' to as good as invalidate any future encryption). Let alone potentially opening up the entire local LAN due to dns redirection.
[size=75]( ͡° ͜ʖ ͡°) :wq[/size]
[url=http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256][size=75]Fatdog multi-session usb[/url][/size]
[size=75][url=https://hashbang.sh]echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh[/url][/size]

catsezmoo
Posts: 26
Joined: Sun 09 Feb 2014, 04:59

#28 Post by catsezmoo »

OP question was: Why not keep a list of IP addresses and use those instead of DNS?
A public IP does not necessarily have to resolve to only one domain name. It is possible to have multiple domain names sharing one public IP address. This is a convenient best practice for hosting companies and organisations that allows them to lower the cost of placing domains on the internet. The reverse IP to Domain lookup tool can list all domains hosted that resolve to the same server. By entering the DNS name or IP address of the intended domain, the reverse IP to Domain lookup tool will query a search engine server for all domains presently hosted on the same server as the lookup domain. The DNS records of the results and that of the lookup domain are compared to determine whether both domains reside on the same server.

If a shared hosting server is used to host a domain, a reverse IP to domain lookup tool can help in search engine optimisation practices. Search engines may point to different domains as possible results to a query because the domains are hosted on the same server. Because of this, a domain’s page rank in a search engine can be affected by other domains that are hosted on the same server. Being aware of this can help in search engine placement to ensure that a domain is hosted on a server that does not have questionable content.
Majority of websites are served from shared webhosting servers. When your request for a domain arrives at the destination webserver, it performs a lookup and, transparent to you, applies "host header redirection" (http 302). You receive content served from subdirectory XYZ, and in the server's response the content is attributed to (what you see in your urlbar) the site, aka domain, reflected in your http request.

Also, and this is not covered in text I copypasted, many of the large websites employ multiple (hundreds) of geopositioned webservers, using transparent round-robin redirection to provide failover protection (among other benefits). Similarly, they frequently use an infrastructure which employs a gang of "front door" IP addresses, on-the-fly switching over to use of a different IP address (and updating their domain's DNS record) so they can pull a server offline for maintenance, or in response to a DDOS attempt.

There are online tools you can use to explore which site(s) reside on the same IP address as XYZ. A websearch query would be something like "reverse IP to domains lookup".
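
The shared-hosting point in the post above, where one address serves several sites and the server picks one from the Host header of the request, shown as an added example that is not part of the thread. It runs a throwaway server on 127.0.0.1; the site names and page bodies are made up, and a request that carries only the bare IP in its Host header falls through to the default page.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical sites sharing one address; the names are made up for the example.
SITES = {
    "forum.example": b"forum index",
    "shop.example": b"shop front page",
}
DEFAULT = b"under construction"   # served when Host names no known site

class VhostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Host may carry ":port"; strip it and compare case-insensitively.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = SITES.get(host, DEFAULT)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass

def fetch(ip, port, host_header):
    """Connect to ip:port and send GET / with exactly the given Host header."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        return conn.getresponse().read()
    finally:
        conn.close()

def demo():
    """Same IP and port every time; only the Host header changes."""
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)   # port 0: any free port
    ip, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {h: fetch(ip, port, h) for h in ("forum.example", "shop.example", ip)}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```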

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#29 Post by Burn_IT »

It is simply that people remember names easier than they do numbers and names often give a clue as to what the site does???
"Just think of it as leaving early to avoid the rush" - T Pratchett
