So Cloudflare has their new encrypted DNS 1.1.1.1 and 1.0.0.1
Using this, wouldn’t I no longer need a VPN? My traffic is encrypted. ISP can’t see my data. No logs. Etc
First, do you trust Cloudflare? Various reasons as to why not (and their auditors) here.
When you navigate to reddit.com, you query the DNS server (by default this is your ISP’s) for where that domain points to. The DNS server (after asking around a bit) replies with an IP address that points to that server. Then this is cached on your PC, so when you next navigate to reddit.com, for a period of time it won’t query the DNS server. The DNS server knows your IP address was trying to navigate to that domain.
Then your browser starts navigating to reddit.com, and your ISP will know you’re navigating to reddit.com, and all websites will know you visited them.
A VPN will pass all of your internet through a third party. So you’d go, “Hey VPN, show me reddit.com”, your VPN will go “Hey DNS, where is reddit.com” and then when it gets a reply it will go “hey ISP, take me to this address” and then forward the information to you. In this case, your ISP knows you connected to a VPN, and all websites you visit will think you’re the VPN, not you.
So if you switch your DNS from your ISP’s to a trusted third party DNS, you’re hiding your lookups, but your ISP can still see your actual connection. You need both to fully hide your traffic from your ISP.
A VPN will pass all of your internet through a third party.
Hopefully this line caught your attention. Both your DNS and VPN are hosted on other people’s servers, something you cannot audit or view. Something you cannot prove is not logging. Your encryption covers you from your home to the service*, stopping any interference en route, but it is decrypted on their side and easily viewed by your DNS or VPN. We saw recently IPVanish lying about “no logging”; HideMyAss and PureVPN did the same. Due diligence must be taken when routing (for a VPN) your entire internet connection through a third party which you can’t audit. Are you just paying money to be logged by a different company than your ISP? Are they also just as likely to give up your information? We saw with Lavabit they may just ask for a way to access every user’s information, not just their target. Ultimately - if your threat model is government surveillance, don’t use a US based service at least, but any of the 14 eyes is something to take note of. Sorry Cloudflare, PIA…
* Edit: Assuming you’re using it. Your DNS requests aren’t encrypted by default, you’d have to look into DNSCrypt, DNS over TLS or DNS over HTTPS (and check https://dnsprivacy.org/). Using HTTPS encrypts your traffic, though your ISP (or VPN) would still see the base URL (reddit.com but not reddit.com/r/privacytoolsIO).
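As an added illustration of the point above (example code, not from the thread): build a plaintext DNS query and a minimal TLS ClientHello for a constructed hostname, then parse out what a passive on-path observer such as an ISP can read from each. Unencrypted DNS exposes the queried name; with encrypted DNS that disappears, but the HTTPS ClientHello still carries the hostname in the server_name (SNI) extension. Packets are constructed inline, so it runs offline.

```python
import struct

def build_dns_query(qname, txid=0x1234):
    """Constructed plaintext DNS query (RFC 1035) for an A record, as sent over UDP/53."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def dns_qname(pkt):
    """What an on-path observer reads from unencrypted DNS: the question name."""
    pos, labels = 12, []
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

def build_client_hello(host):
    """Constructed minimal TLS ClientHello; SNI extension included unless host is None."""
    sni_ext = b""
    if host is not None:
        name = host.encode()
        entry = b"\x00" + struct.pack(">H", len(name)) + name           # name_type=host_name
        sni_ext = struct.pack(">HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, fixed random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def tls_sni(pkt):
    """Server name from a ClientHello, or None: the part of HTTPS the ISP still sees."""
    pos = 5 + 4 + 2 + 32                                   # record + handshake hdr, version, random
    pos += 1 + pkt[pos]                                    # session id
    pos += 2 + struct.unpack(">H", pkt[pos:pos + 2])[0]    # cipher suites
    pos += 1 + pkt[pos]                                    # compression methods
    ext_end = pos + 2 + struct.unpack(">H", pkt[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", pkt[pos:pos + 4])
        if etype == 0:                                     # server_name extension (RFC 6066)
            nlen = struct.unpack(">H", pkt[pos + 7:pos + 9])[0]
            return pkt[pos + 9:pos + 9 + nlen].decode()
        pos += 4 + elen
    return None

if __name__ == "__main__":
    host = "reddit.com"                                    # constructed example hostname
    print("plain DNS leaks:", dns_qname(build_dns_query(host)))
    print("encrypted DNS leaks nothing, but TLS SNI leaks:", tls_sni(build_client_hello(host)))
```

Only the hostname is visible this way; the URL path stays inside the encrypted HTTPS payload, which is exactly the split described above.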
Do you honestly think one of the largest CDNs in the world isn’t going to keep logs?
You need VPN ESPECIALLY if you are using cloudflare lol. They are scumbags.
No, a DNS server is not enough. Even if 100% of your traffic is encrypted, you still blab all sorts of info about who you’re talking to just from the IPs you communicate with. They can still see who, when, how much, and can possibly make inferences about even more.
At one point I read an article about China’s Great Firewall slapping down certain kinds of traffic by recognizing patterns in timings and sizes of communications, even when run through an SSH tunnel. There’s plenty you can find out about a person without needing to crack open encryption. VPNs help reduce the amount of stuff that can be mined from watching your connection.
Thank you for this response! I actually do use PIA and have been using it for years (recommended by TorrentFreak.com) and have never had issues.
This is the second time in two days I’ve heard this “14 eyes” term - looking this up now.
It’s independently audited and verified.
Thank you for the thoughtful explanation.
PIA are brilliant for what they are. I doubt that they have turned over customer information to the government as of today. The only hint towards otherwise would be their adamant stance against warrant canaries. My only worry is that ultimately, they may be forced to do so in the future due to them being based in the USA. They could of course “pull a Lavabit”, delete all records and cease operations (and risk being arrested), but they may comply (and be forced to keep quiet about it). If your threat model is just corporations and not the government, I’d also go with PIA as they’re the fastest (for me, that I have tested). If your threat model includes your government (especially if you’re in one of the 14 eyes), I’d start looking around