Scenario 1: I'm using my ISP's internet connection with the default DNS configuration (probably being the ISP in most cases).
Scenario 2: I'm using my ISP's internet connection with a custom DNS provider (let's use Quad9 here).
Scenario 3: I'm using a VPN connection (let's make it Mullvad); the VPN doesn't only act as my new ISP but also as my new DNS provider (also Mullvad).
So the first scenario makes me naked: my ISP can see my search requests, websites visited, etc.
Actually I'm not sure about the nr. 1 scenario: what if I configure my browser to use HTTPS all the time ("hypertext transport protocol secure")? Will that lock out my ISP from spying on me even when I'm using their IP and their DNS? I don't think it will, but then again I don't understand the details here.
With scenario nr. 2 things become different: I still get my IP from my ISP, but my DNS comes from another privacy-oriented provider. How does scenario 2 compare against 1 and 3? What are the differences between each of those?
Scenario 2:
The easy way is to set the dnsmasq config in /etc/config/dhcp:
config dnsmasq
	....
	# ignore the upstream resolvers handed out by the ISP (/etc/resolv.conf)
	option noresolv '1'
	option max_cache_ttl '3600000'
	# answer these canary names locally only (NXDOMAIN), which switches off
	# Firefox's automatic DoH and iCloud Private Relay so clients keep using the router
	list server '/use-application-dns.net/'
	list server '/mask-h2.icloud.com/'
	list server '/mask.icloud.com/'
	# upstream resolvers to forward everything else to
	list server '1.1.1.2#53'
	list server '1.0.0.2#53'
	option min_cache_ttl '300'
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
In scenario 2, unless you're using encrypted DNS requests (like with https-dns-proxy or similar) or your country has very strong personal anonymity laws, your ISP can and most likely does any or all of the below:
- Monitor/log your DNS requests
- Sell the logs collected to third parties
- Modify/hijack the responses you receive from third-party servers (unless you're using DNSSEC)
You don't have to use a VPN to secure your DNS requests; you can use DoH/DoT providers by adding a package (small and auto-configuring in the case of https-dns-proxy) to your router.
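To make the difference between scenario 2 and an encrypted-DNS setup concrete, here is an added example (not code from the thread or from any OpenWrt package) showing what an on-path observer such as the ISP can read from a plaintext DNS query on port 53 versus a DoT/DoH query carried in TLS. The packets are constructed inline; the port numbers and the `what_isp_sees` summary are this example's own assumptions.

```python
"""What a passive on-path observer can recover from DNS traffic.

Constructed sample packets only; no network access is used."""
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal plaintext DNS A query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def observed_qname(packet: bytes) -> str:
    """Recover the queried name from a plaintext query, as anyone on the path could.

    Query names are never compressed, so only plain labels are handled."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in a query name")
        labels.append(packet[pos + 1:pos + 1 + length].decode())
        pos += 1 + length
    return ".".join(labels)


def what_isp_sees(dst_port: int, payload: bytes) -> str:
    """Summarise the exposure: full name on 53, only the resolver endpoint on 853/443."""
    if dst_port == 53:
        return f"plaintext DNS: queried name = {observed_qname(payload)}"
    if dst_port in (853, 443):  # DoT / DoH: payload is TLS, the name is inside the tunnel
        return "encrypted DNS: name hidden, only resolver IP/port (and TLS SNI) visible"
    return "unknown"


if __name__ == "__main__":
    print(what_isp_sees(53, build_query("example.com")))
    print(what_isp_sees(853, b"\x16\x03\x01"))  # constructed TLS record header
```

The first call shows exactly the data point the reply above says the ISP can log or rewrite; the second shows why https-dns-proxy (DoH) or a DoT stub takes it out of the ISP's view, leaving only which resolver you talk to.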
Sadly, I don't think there's any country with strong privacy laws today.
Can I change the OpenWrt router's DNS server without connecting over SSH, instead using the GUI by connecting to the router via web browser?
luci-app-XXX - https-dns-proxy, dnscrypt etc.
Yes, like @brada4 said, install luci-app-https-dns-proxy from the WebUI, and once installed it doesn't require any additional tinkering (you can change the resolvers if you want) to encrypt your DNS requests.