All language subtitles for 027 VPNs and Domain Name System (DNS) Leaks-en

Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:

1
00:00:00,960 --> 00:00:06,940
There are security and privacy concerns when you use domain name system or DNS that you need to be aware

2
00:00:06,940 --> 00:00:12,540
of and this is when you use a VPN and even if you don't use VPN but generally if you're not using the

3
00:00:12,540 --> 00:00:17,250
VPN you won't be concerned necessarily too much about the DNS issues.

4
00:00:17,250 --> 00:00:22,320
But let's go through the more so that you can understand DNS and the security and privacy problems that

5
00:00:22,320 --> 00:00:23,610
you can have from it.

6
00:00:23,760 --> 00:00:30,160
Just in case you're not fully up to speed, DNS is responsible for resolving domain names such as here

7
00:00:30,160 --> 00:00:30,460
.

8
00:00:30,540 --> 00:00:38,540
wikipedia.org into an actual IP address to connect to. Now to resolve a domain name to an IP address

9
00:00:38,920 --> 00:00:44,760
computer generally first looks to see whether it's already aware of the IP address by looking in the

10
00:00:44,760 --> 00:00:51,480
local cache on your operating system and seeing if it already knows the IP. If it can't resolve the URL it

11
00:00:51,480 --> 00:00:55,330
sends a DNS request to an external DNS server.

12
00:00:55,480 --> 00:01:01,500
Now within the operating system whichever one you use you can specify which DNS server to use.

13
00:01:01,620 --> 00:01:08,790
And if you're using DHCP to assign your IP address the DNS servers are usually assigned by your router

14
00:01:09,090 --> 00:01:15,530
and your router is given its primary and secondary DNS server by the ISP. Here in Windows

15
00:01:15,630 --> 00:01:21,810
you can see here we've got obtain an IP address automatically so that means it's set to DHCP.

16
00:01:22,140 --> 00:01:29,040
And then if this was set here it would obtain the DNS servers automatically that would come from the

17
00:01:29,040 --> 00:01:34,710
router what was set in the router and usually in the router when the router connects and gets given

18
00:01:34,710 --> 00:01:42,000
its IP address at the same time the ISP gives its DNS as well and ISPs generally run their own DNS

19
00:01:42,000 --> 00:01:42,980
servers.

20
00:01:43,350 --> 00:01:51,090
And if the answer to the DNS request is not in the ISP DNS server the request is forwarded on to the hierarchy

21
00:01:51,450 --> 00:01:55,870
of DNS servers until it is found or resolved and you get an IP address.

22
00:01:56,010 --> 00:01:59,890
And you know where are you going in and this all happens in milliseconds.

23
00:01:59,910 --> 00:02:05,730
And when then your operating system and also within your router you can change which is your primary

24
00:02:05,730 --> 00:02:09,360
and what is your secondary IP address which we've seen here.

25
00:02:09,360 --> 00:02:18,720
This is an example and you can choose alternatives such as Google, Comodo, OpenDNS or the DNS servers

26
00:02:18,720 --> 00:02:20,540
of your VPN provider.

27
00:02:20,580 --> 00:02:26,610
There's a website here for alternative DNS servers which is pretty good.

28
00:02:26,610 --> 00:02:29,770
Gives you a whole bunch of different DNS servers.

29
00:02:29,830 --> 00:02:32,270
You can see whether they do any filtering or not.

30
00:02:32,400 --> 00:02:37,770
You get some ones that do filtering so that filters out malicious traffic and these do no filtering

31
00:02:37,770 --> 00:02:38,400
at all.

32
00:02:38,460 --> 00:02:44,610
When it says it filters out malicious traffic it means if it knows that a site is known to have something

33
00:02:44,610 --> 00:02:50,010
bad on it they'll send you back a page saying you know this is a bad site or something such as that

34
00:02:50,010 --> 00:02:50,930
.

35
00:02:51,180 --> 00:03:00,330
Now DNS queries happen over UDP port 53 and also TCP port 53 depending on how it's configured and those

36
00:03:00,330 --> 00:03:04,690
queries happen in plain text and unauthenticated.

37
00:03:04,950 --> 00:03:11,620
So this means that anyone observing the traffic and particularly your Internet service provider or call

38
00:03:11,670 --> 00:03:17,990
university or a government can monitor and log the DNS queries you make. The solution to prevent

39
00:03:18,000 --> 00:03:26,340
this is a VPN to bypass the ISP or the government or whoever's monitoring you and send those DNS queries

40
00:03:26,850 --> 00:03:32,170
unreadable through the VPN tunnel to an alternative DNS server.

41
00:03:32,190 --> 00:03:34,120
So then they can't be seen.

42
00:03:34,140 --> 00:03:35,530
So that's the first issue.

43
00:03:35,640 --> 00:03:41,160
DNS queries are sent in plain text and anyone observing can see those DNS queries.

44
00:03:41,160 --> 00:03:48,250
Now the next problem or potential problem is DNS being redirected through transparent proxies.

45
00:03:48,300 --> 00:03:54,840
Now the diagram here to help understand this so a particularly nefarious trick as it's also hard to

46
00:03:54,840 --> 00:04:04,740
spot can be that some ISPs, they intercept all of your DNS queries over both TCP and UDP port 53

47
00:04:05,130 --> 00:04:10,470
and force them through their own proxy and to a DNS server of their choice.

48
00:04:10,470 --> 00:04:16,350
This effectively means that no matter what DNS server you choose in the operating system or the router

49
00:04:16,650 --> 00:04:19,740
the queries will get sent to their DNS server.

50
00:04:19,950 --> 00:04:22,520
This is done for the purposes of censorship.

51
00:04:22,680 --> 00:04:29,110
Also to show you and this is instead of a blank page when a site is down. To test if your ISP is forcing

52
00:04:29,130 --> 00:04:35,910
to use a transparent DNS proxy change your DNS server and then go to a site like this that shows your

53
00:04:35,910 --> 00:04:42,200
DNS server and see whether it's changed it to the DNS server that you changed it to.

54
00:04:42,210 --> 00:04:52,910
So in Windows for example I just close this if I go here by typing Network and Sharing Center

55
00:04:53,810 --> 00:04:57,370
change adapter settings, find the network adapter.

56
00:04:57,410 --> 00:05:07,610
I mean why will your local Ethernet whichever one is that you're using properties you need to find IPv4

57
00:05:07,620 --> 00:05:12,310
why here actually disable IPv6.

58
00:05:12,420 --> 00:05:14,260
Talk more about that later.

59
00:05:14,570 --> 00:05:20,750
Go into IPv4 properties and then here you can see I've got the IP addresses that I've changed it

60
00:05:20,750 --> 00:05:21,240
to.

61
00:05:21,380 --> 00:05:30,640
And when I look on the site I can see it is using the DNS server the primary one that I selected.

62
00:05:31,400 --> 00:05:36,870
So I know that it's going straight to the DNS server that is supposed to go to and it's not going by

63
00:05:36,880 --> 00:05:39,160
a transparent DNS proxy.

64
00:05:39,170 --> 00:05:45,770
Now if you do see that it's not using the DNS that you selected you need to make sure there's no error

65
00:05:45,770 --> 00:05:46,610
somewhere.

66
00:05:46,720 --> 00:05:52,280
But if it turns out to be no error then it may be that your ISP is using a transparent proxy.

67
00:05:52,340 --> 00:05:59,990
You can obviously change your ISP but the solution again is to use a VPN to send the DNS queries

68
00:06:00,000 --> 00:06:05,020
unreadable through a VPN tunnel into a DNS server of your choice.

69
00:06:05,030 --> 00:06:10,190
Another related issue is DNS poisoning also known as spoofing.

70
00:06:10,190 --> 00:06:13,020
Now this happened in 2014.

71
00:06:13,010 --> 00:06:18,760
The Turkish government banned YouTube and Twitter through DNS poisoning.

72
00:06:18,770 --> 00:06:26,330
Most countries do use DNS spoofing to deny access to forbidden websites. The URL will instead resolve

73
00:06:26,330 --> 00:06:31,980
to an incorrect IP address usually showing a page saying that the site is banned or something like that

74
00:06:31,970 --> 00:06:32,140
.

75
00:06:32,250 --> 00:06:40,250
A country could in fact block access to all but its approved DNS servers and hackers can also potentially

76
00:06:40,260 --> 00:06:42,110
poison DNS too.

77
00:06:42,200 --> 00:06:49,730
And there's been many known attacks both over the Internet and locally over local network and there's

78
00:06:49,740 --> 00:06:51,410
various ways of doing that.

79
00:06:51,470 --> 00:06:56,990
Now if it interests you and you want to understand more about DNS poisoning and spoofing it is actually

80
00:06:57,000 --> 00:07:04,950
something you can play around with yourself and there's a good website here to look to do that which

81
00:07:04,940 --> 00:07:07,790
is here it's quite a long URL.

82
00:07:07,880 --> 00:07:15,560
If you google this like a pro how to spoof DNS on a LAN to redirect traffic to your fake website.

83
00:07:15,650 --> 00:07:18,350
You'll be able to do that with coule.

84
00:07:18,490 --> 00:07:20,830
But that's really if you want to dig into the details.

85
00:07:21,170 --> 00:07:28,400
So there's not much that an individual can do to stop poisoning and spoofing because the solution is

86
00:07:28,400 --> 00:07:31,370
within the DNS infrastructure itself.

87
00:07:31,460 --> 00:07:38,060
DNSSEC and other services that the infrastructure of the Internet has not adopted those things yet

88
00:07:38,080 --> 00:07:38,260
.

89
00:07:38,420 --> 00:07:47,510
So again the solution is a VPN to send DNS queries unreadable through a VPN tunnel and to a DNS of

90
00:07:47,510 --> 00:07:48,270
your choice.

91
00:07:48,270 --> 00:07:55,370
And outside of the control of your adversary so in Turkey they send their traffic through VPNs to the

92
00:07:55,380 --> 00:07:57,490
United States and other countries.

93
00:07:57,500 --> 00:08:01,040
And then they were able to access the sites that they wanted to access.

94
00:08:01,040 --> 00:08:07,430
If you want to prevent spoofing by hackers as opposed to countries and nation states there are a couple

95
00:08:07,430 --> 00:08:15,630
of things that you can look at using and one is this DNSCrypt.

96
00:08:15,690 --> 00:08:21,890
And as it says here DNSCrypt is a protocol that authenticates communication between DNS client and

97
00:08:21,890 --> 00:08:23,300
a DNS resolver.

98
00:08:23,370 --> 00:08:31,730
It prevents DNS spoofing, uses cryptographic signatures to verify that responses originate from the chosen

99
00:08:31,740 --> 00:08:34,730
DNS resolver and haven't been tampered.

100
00:08:34,740 --> 00:08:40,160
So this will authenticate you with the OpenDNS servers so you'll know that they are the genuine servers

101
00:08:40,170 --> 00:08:40,830
.

102
00:08:41,900 --> 00:08:49,710
And there's also this here which is Simple DNS which is a management tool to configure DNSCrypt proxy

103
00:08:49,700 --> 00:08:58,310
on Windows-based systems using DNSCrypt when you stop your ISP seeing a traffic only stop DNS spoofing

104
00:08:58,310 --> 00:08:59,670
via hackers.

105
00:08:59,850 --> 00:09:06,530
So still a VPN is needed if you're not wanting your Internet service provider or local observers or

106
00:09:06,530 --> 00:09:09,720
general observers from seeing your DNS queries.

107
00:09:09,720 --> 00:09:15,060
And if you're interested in this topic and looking a little bit further into it there's a good report

108
00:09:15,090 --> 00:09:19,730
here called Pretty Bad Privacy: Pitfalls of DNS Encryption.

109
00:09:19,730 --> 00:09:23,760
So we just talked about DNSCrypt, there's also DNSSEC.

110
00:09:23,930 --> 00:09:30,670
And this goes through even if we do have those things and introduce them into the Internet infrastructure

111
00:09:30,680 --> 00:09:34,250
still there are pitfalls to DNS encryption.

112
00:09:34,250 --> 00:09:36,020
And this is a very good report on the
