1
00:00:00,960 --> 00:00:06,940
There are security and privacy concerns when you use the domain name system, or DNS, that you need to be aware
2
00:00:06,940 --> 00:00:12,540
of, and this is when you use a VPN, and even if you don't use a VPN; but generally if you're not using a
3
00:00:12,540 --> 00:00:17,250
VPN you won't necessarily be concerned too much about the DNS issues.
4
00:00:17,250 --> 00:00:22,320
But let's go through them more so that you can understand DNS and the security and privacy problems that
5
00:00:22,320 --> 00:00:23,610
you can have from it.
6
00:00:23,760 --> 00:00:30,160
Just in case you're not fully up to speed, DNS is responsible for resolving domain names, such as here,
7
00:00:30,160 --> 00:00:30,460
Wikipedia,
8
00:00:30,540 --> 00:00:38,540
into an actual IP address to connect to. Now, to resolve a domain name to an IP address, your
9
00:00:38,920 --> 00:00:44,760
computer generally first looks to see whether it's already aware of the IP address by looking in the
10
00:00:44,760 --> 00:00:51,480
local cache on your operating system, and then, if it already knows the IP, it uses that; if it can't resolve the URL, it
11
00:00:51,480 --> 00:00:55,330
sends a DNS request to an external DNS server.
12
00:00:55,480 --> 00:01:01,500
Now within the operating system whichever one you use you can specify which DNS server to use.
13
00:01:01,620 --> 00:01:08,790
And if you're using DHCP to assign your IP address, the DNS servers are usually assigned by your router,
14
00:01:09,090 --> 00:01:15,530
and your router is given its primary and secondary DNS server by the ISP. Here in Windows
15
00:01:15,630 --> 00:01:21,810
you can see here we've got "Obtain an IP address automatically", so that means it's set to DHCP.
16
00:01:22,140 --> 00:01:29,040
And then if this was set here it would obtain the DNS servers automatically, and that would come from the
17
00:01:29,040 --> 00:01:34,710
router, whatever was set in the router, and usually, when the router connects and gets given
18
00:01:34,710 --> 00:01:42,000
its IP address, at the same time the ISP gives it its DNS as well, and ISPs generally run their own DNS
19
00:01:42,000 --> 00:01:42,980
servers.
20
00:01:43,350 --> 00:01:51,090
And if the answer to the DNS request is not in the ISP's DNS server, the request is forwarded on to the hierarchy
21
00:01:51,450 --> 00:01:55,870
of DNS servers until it is found, or resolved, and you get an IP address.
22
00:01:56,010 --> 00:01:59,890
And then you know where you're going, and this all happens in milliseconds.
23
00:01:59,910 --> 00:02:05,730
And then within your operating system and also within your router you can change which is your primary
24
00:02:05,730 --> 00:02:09,360
and what is your secondary IP address, which we've seen here.
25
00:02:09,360 --> 00:02:18,720
This is an example, and you can choose alternatives such as Google, Comodo, OpenDNS or the DNS servers
26
00:02:18,720 --> 00:02:20,540
of your VPN provider.
27
00:02:20,580 --> 00:02:26,610
There's a Web site here for alternative DNS servers which is pretty good.
28
00:02:26,610 --> 00:02:29,770
Gives you a whole bunch of different DNS servers.
29
00:02:29,830 --> 00:02:32,270
You can see whether they do any filtering or not.
30
00:02:32,400 --> 00:02:37,770
You get some that do filtering, so that filters out malicious traffic, and these do no filtering
31
00:02:37,770 --> 00:02:38,400
at all.
32
00:02:38,460 --> 00:02:44,610
When it says it filters out malicious traffic it means if it knows that a site is known to have something
33
00:02:44,610 --> 00:02:50,010
bad on it they'll send you back a page saying, you know, this is a bad site
34
00:02:50,010 --> 00:02:50,930
or something such as that.
35
00:02:51,180 --> 00:03:00,330
Now DNS queries happen over UDP port 53 and also TCP port 53, depending on how it's configured, and those
36
00:03:00,330 --> 00:03:04,690
queries happen in plain text and unauthenticated.
37
00:03:04,950 --> 00:03:11,620
So this means that anyone observing the traffic, and particularly your Internet service provider, or your
38
00:03:11,670 --> 00:03:17,990
university, or a government, can monitor and log the DNS queries you make. The solution to prevent
39
00:03:18,000 --> 00:03:26,340
this is a VPN, to bypass the ISP or the government or whoever's monitoring you and send those DNS queries
40
00:03:26,850 --> 00:03:32,170
unreadable through the VPN tunnel to an alternative DNS server.
41
00:03:32,190 --> 00:03:34,120
So then they can't be seen.
42
00:03:34,140 --> 00:03:35,530
So that's the first issue.
43
00:03:35,640 --> 00:03:41,160
DNS queries are sent in plain text and anyone observing can see those DNS queries.
44
00:03:41,160 --> 00:03:48,250
Now the next problem or potential problem is DNS being redirected through transparent proxies.
45
00:03:48,300 --> 00:03:54,840
Now the diagram here is to help understand this. So a particularly nefarious trick, as it's also hard to
46
00:03:54,840 --> 00:04:04,740
spot, can be that some ISPs intercept all of your DNS queries over both TCP and UDP port 53
47
00:04:05,130 --> 00:04:10,470
and force them through their own proxy and to a DNS server of their choice.
48
00:04:10,470 --> 00:04:16,350
This effectively means that no matter what DNS server you choose in the operating system or the router
49
00:04:16,650 --> 00:04:19,740
the queries will get sent to their DNS server.
50
00:04:19,950 --> 00:04:22,520
This is done for the purposes of censorship.
51
00:04:22,680 --> 00:04:29,110
Also to show you ads instead of a blank page when a site is down. To test if your ISP is forcing you
52
00:04:29,130 --> 00:04:35,910
to use a transparent DNS proxy, change your DNS server and then go to a site like this that shows your
53
00:04:35,910 --> 00:04:42,200
DNS server and see whether it's changed to the DNS server that you changed it to.
54
00:04:42,210 --> 00:04:52,910
So in Windows, for example, I'll just close this. If I go here by typing that, Network and Sharing Center,
55
00:04:53,810 --> 00:04:57,370
Change adapter settings, find the network adapter,
56
00:04:57,410 --> 00:05:07,610
Wi-Fi or your local Ethernet, whichever one it is that you're using, Properties, you need to find IPv4.
57
00:05:07,620 --> 00:05:12,310
Here I actually disable IPv6.
58
00:05:12,420 --> 00:05:14,260
I'll talk more about that later.
59
00:05:14,570 --> 00:05:20,750
Go into IPv4 properties and then here you can see I've got the IP addresses that I've changed it
60
00:05:20,750 --> 00:05:21,240
to.
61
00:05:21,380 --> 00:05:30,640
And when I look on the site I can see it is using the DNS server the primary one that I selected.
62
00:05:31,400 --> 00:05:36,870
So I know that it's going straight to the DNS server that it is supposed to go to and it's not going via
63
00:05:36,880 --> 00:05:39,160
a transparent DNS proxy.
64
00:05:39,170 --> 00:05:45,770
Now if you do see that it's not using the DNS that you selected you need to make sure there's no error
65
00:05:45,770 --> 00:05:46,610
somewhere.
66
00:05:46,720 --> 00:05:52,280
But if it turns out to be no error then it may be that your ISP is using a transparent proxy.
67
00:05:52,340 --> 00:05:59,990
You can obviously change your ISP but the solution again is to use a VPN to send the DNS queries
68
00:06:00,000 --> 00:06:05,020
unreadable through a VPN tunnel into a DNS server of your choice.
69
00:06:05,030 --> 00:06:10,190
Another related issue is DNS poisoning also known as spoofing.
70
00:06:10,190 --> 00:06:13,020
Now this happened in 2014.
71
00:06:13,010 --> 00:06:18,760
The Turkish government banned YouTube and Twitter through DNS poisoning.
72
00:06:18,770 --> 00:06:26,330
Most countries do use DNS spoofing to deny access to forbidden Web sites. The URL will instead resolve
73
00:06:26,330 --> 00:06:31,980
to an incorrect IP address, usually showing a page saying that the site is banned
74
00:06:31,970 --> 00:06:32,140
or something like that.
75
00:06:32,250 --> 00:06:40,250
A country could in fact block access to all but its approved DNS servers, and hackers can also potentially
76
00:06:40,260 --> 00:06:42,110
poison DNS too.
77
00:06:42,200 --> 00:06:49,730
And there have been many known attacks, both over the Internet and locally over a local network, and there are
78
00:06:49,740 --> 00:06:51,410
various ways of doing that.
79
00:06:51,470 --> 00:06:56,990
Now if it interests you and you want to understand more about DNS poisoning and spoofing, it is actually
80
00:06:57,000 --> 00:07:04,950
something you can play around with yourself, and there's a good Web site here to look at to do that, which
81
00:07:04,940 --> 00:07:07,790
is here; it's quite a long URL.
82
00:07:07,880 --> 00:07:15,560
If you google this, "Hack Like a Pro: How to Spoof DNS on a LAN to Redirect Traffic to Your Fake Website",
83
00:07:15,650 --> 00:07:18,350
you'll be able to do that with Kali.
84
00:07:18,490 --> 00:07:20,830
But that's really if you want to dig into the details.
85
00:07:21,170 --> 00:07:28,400
So there's not much that an individual can do to stop poisoning and spoofing because the solution is
86
00:07:28,400 --> 00:07:31,370
within the DNS infrastructure itself.
87
00:07:31,460 --> 00:07:38,060
DNSSEC and other services, but the infrastructure of the Internet has not adopted those things
88
00:07:38,080 --> 00:07:38,260
yet.
89
00:07:38,420 --> 00:07:47,510
So again the solution is a VPN to send DNS queries unreadable through a VPN tunnel and to a DNS of
90
00:07:47,510 --> 00:07:48,270
your choice.
91
00:07:48,270 --> 00:07:55,370
And outside of the control of your adversary. So in Turkey they sent their traffic via VPNs to the
92
00:07:55,380 --> 00:07:57,490
United States and other countries.
93
00:07:57,500 --> 00:08:01,040
And then they were able to access the sites that they wanted to access.
94
00:08:01,040 --> 00:08:07,430
If you want to prevent spoofing by hackers, as opposed to countries and nation states, there are a couple
95
00:08:07,430 --> 00:08:15,630
of things that you can look at using, and one is this, DNSCrypt.
96
00:08:15,690 --> 00:08:21,890
And as it says here, DNSCrypt is a protocol that authenticates communication between a DNS client and
97
00:08:21,890 --> 00:08:23,300
a DNS resolver.
98
00:08:23,370 --> 00:08:31,730
It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen
99
00:08:31,740 --> 00:08:34,730
DNS resolver and haven't been tampered with.
100
00:08:34,740 --> 00:08:40,160
So this will authenticate you with the OpenDNS servers, so you'll know that they are the genuine
101
00:08:40,170 --> 00:08:40,830
servers.
102
00:08:41,900 --> 00:08:49,710
And there's also this here, which is Simple DNSCrypt, which is a management tool to configure DNSCrypt proxy
103
00:08:49,700 --> 00:08:58,310
on Windows-based systems using DNSCrypt. It won't stop your ISP seeing your traffic; it will only stop DNS spoofing
104
00:08:58,310 --> 00:08:59,670
by hackers.
105
00:08:59,850 --> 00:09:06,530
So still a VPN is needed if you want to stop your Internet service provider or local observers or
106
00:09:06,530 --> 00:09:09,720
general observers from seeing your DNS queries.
107
00:09:09,720 --> 00:09:15,060
And if you're interested in this topic and looking a little bit further into it, there's a good report
108
00:09:15,090 --> 00:09:19,730
here called "Pretty Bad Privacy: Pitfalls of DNS Encryption".
109
00:09:19,730 --> 00:09:23,760
So we just talked about DNSCrypt; there's also DNSSEC.
110
00:09:23,930 --> 00:09:30,670
And this goes through, even if we do have those things and introduce them into the Internet infrastructure,
111
00:09:30,680 --> 00:09:34,250
still there are pitfalls to DNS encryption.
112
00:09:34,250 --> 00:09:36,020
And this is a very good report on the