this post was submitted on 02 Jul 2024
8 points (75.0% liked)

Privacy


I know this is an outrageously bad idea, I don't need convincing. I am just looking for some more information and discussion on what exactly the exposure and surveillance risk is.

I'm asking both for my own education (I am still very green to networking), and to better explain to people in my life if and why they should care.

  1. Is it true that traffic can be tracked and logged by the ISP through DNS lookups, as these routers are preconfigured to use their internal DNS service?

  2. If this is changed (like base.dns.mullvad.net), how much does this actually mitigate the risk here?

  3. What about when a VPN (mullvad) is also being used at all times? Would it then be "overly paranoid" to fear this untrusted box all the traffic goes through?

I personally take a conservative approach to things like this and assume it's an unacceptable risk, but I don't really understand what the truth is.

Thank you in advance for your time and thoughts.

EDIT: I'm asking about US and US adjacent areas

top 15 comments
[–] [email protected] 7 points 4 months ago (1 children)

Even if you set your own preferred DNS server, the router can simply spoof it and route the DNS request to their own servers. But for that, you can use SSL for DNS.

In general, the ISP could basically read everything you route through them that has not been encrypted. And even then, they know how much you talked with which web site.

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago) (1 children)

I see.

Just to make sure I understand, how does the situation change if the DNS resolver is set at the browser or OS level (DNS over HTTPS)

Thank you for your response.

[–] [email protected] 4 points 4 months ago

Then the ISP can only see that you are contacting certain machines (and from there guess you want to avoid their DNS server). But apart from blocking that service, they can't really do anything.

[–] [email protected] 5 points 4 months ago* (last edited 4 months ago)
  1. Yes, kinda. So if you use the default DNS servers on your ISP-provided modem, then the DNS requests are likely forwarded to a server controlled by the ISP. Now, something to keep in mind: they can see you do a lookup of DuckDuckGo.com, but they can not see what you are searching. HTTPS protects you there.

  2. A little. By default a DNS request is performed in clear text, so some ISPs may intercept those requests and redirect them to servers they control. Yes, there have been reports of this with Verizon. Good news: there are 2 technologies that you can use to protect yourself. They are DNS over TLS (DoT) or DNS over HTTPS (DoH). Many applications support one of those technologies to secure your DNS traffic.

  3. Using a host based VPN may protect you from ISP DNS snooping. Depends on how you configured it.

[–] [email protected] 4 points 4 months ago (1 children)

If you're always using a VPN, that's not necessarily a privacy threat on your VPN'd device, but any other device on the network that doesn't have a VPN could be exposing itself to the ISP.

Also, you're at the mercy of whatever firmware updates your ISP issues for the router. Hopefully they remember to support your box when the next CVE is discovered...

We are forced to keep an ISP router/gateway combo in our home because it has certificates necessary to authenticate our subscription. However, behind that router we have the "real" router with settings and firmware updates that we control. The ISP router is just a hop between our router and the outside world. Everything on our network only connects to the router we control.

[–] [email protected] 2 points 4 months ago

Makes a lot of sense, thank you for explaining your setup

[–] [email protected] 2 points 4 months ago (1 children)

I always put a firewall that I own inside the ISP router. Right now I'm using an old ASA 5505, but I'm considering upgrading to a Firewalla Gold. I also segment my network so that phones and notebooks are on one network, and the TV, Xbox and other things that I have no control over are on another.

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago) (1 children)

Seems like a fair solution, thank you for the reply.

Is the ISP router a bottleneck concern for you or do you have a recent/decent model?

[–] [email protected] 1 points 4 months ago (1 children)

I'm on SpaceX. I have their latest terminal.

I used to be in Bell Canada and before that a local ISP. I've always had a firewall inside the ISP router because I work in information security and don't want anyone inside my network. My high network can reach my low network but my low network can't reach my high network.

[–] [email protected] 2 points 4 months ago (1 children)

You've given me a lot to think about and look into, thank you.

[–] [email protected] 2 points 4 months ago* (last edited 4 months ago)

You're welcome. Check out Firewalla. They make nice devices and they are relatively affordable.

[–] [email protected] 2 points 4 months ago (1 children)

The DNS risk is not mitigated by a VPN, just shifted. Your VPN has full ability to log your connection if they wish. You have to decide who you trust more. Bear in mind that depending on your location, your ISP may be more legally restricted from snooping on you than a VPN hosted in another country (I know nothing about the US laws, further research would be required).

Also, unless you are using one of the encrypted DNS variants, just changing your DNS provider does nothing, as the ISP or VPN can snoop the unencrypted traffic regardless of its destination.
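An added example, not posted by anyone in this thread, tying together three points made above: the first reply's note that a router on the path can read or redirect anything sent in clear text, the numbered answer on DoT/DoH, and this comment's point that swapping the resolver address alone changes nothing. The script builds a plaintext DNS query in memory, shows how trivially an on-path observer recovers the queried name from it, contrasts that with what remains visible when the same query rides DoT or DoH (only the resolver's address, port and TLS SNI), and finishes with a small defender-side check that flags any LAN device still sending plaintext DNS, which is the "other device without the VPN" case raised later. The resolver hostname base.dns.mullvad.net is taken from the original post; the /dns-query path is the RFC 8484 default and is an assumption here, and all addresses and flows are constructed TEST-NET samples, not captures.

```python
import base64
import struct
from typing import Optional


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Serialize a minimal RFC 1035 query: one question, RD flag set. qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(payload: bytes) -> str:
    """Recover the queried name from a plaintext DNS message: this is the ISP's view."""
    pos, labels = 12, []                 # 12-byte fixed header, then the question
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:                # compression pointers do not occur in a query's QNAME
            raise ValueError("unexpected compression pointer")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length


def doh_get_url(resolver_host: str, query: bytes) -> str:
    """RFC 8484 GET form: the same bytes, base64url without padding, carried inside TLS on 443.
    The /dns-query path is the RFC's default; that it matches this resolver is an assumption."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}/dns-query?dns={encoded}"


def observer_view(transport: str, query: bytes, resolver_ip: str,
                  resolver_host: Optional[str] = None) -> dict:
    """Model what an on-path observer (ISP router, ISP, or VPN exit) can extract.
    Plain UDP/53 exposes the name; DoT/DoH expose only the resolver endpoint and,
    absent Encrypted Client Hello, the resolver's hostname in the TLS SNI."""
    if transport == "udp53":
        return {"resolver_ip": resolver_ip, "port": 53, "sni": None,
                "qname": parse_qname(query)}
    if transport in ("dot", "doh"):
        return {"resolver_ip": resolver_ip, "port": 853 if transport == "dot" else 443,
                "sni": resolver_host, "qname": None}
    raise ValueError(f"unknown transport {transport!r}")


def find_plaintext_dns(flows: list) -> list:
    """Defender check: (src, qname) for every plaintext DNS query leaving the LAN.
    A hit means some device is bypassing the VPN or encrypted resolver the owner set up."""
    hits = []
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 53:
            hits.append((f["src"], parse_qname(f["payload"])))
    return hits


# Constructed sample flows (TEST-NET addresses; not captured from any real network).
SAMPLE_FLOWS = [
    {"src": "192.168.1.20", "dst": "203.0.113.53", "proto": "udp", "dport": 53,
     "payload": build_dns_query("duckduckgo.com")},      # smart TV, ISP resolver, in the clear
    {"src": "192.168.1.10", "dst": "198.51.100.7", "proto": "tcp", "dport": 443,
     "payload": b"\x16\x03\x01..."},                      # laptop, DoH: observer sees TLS bytes only
]

if __name__ == "__main__":
    q = build_dns_query("duckduckgo.com")
    for transport in ("udp53", "dot", "doh"):
        print(transport, observer_view(transport, q, "198.51.100.7", "base.dns.mullvad.net"))
    print("DoH GET:", doh_get_url("base.dns.mullvad.net", q))
    print("plaintext DNS still leaving the LAN:", find_plaintext_dns(SAMPLE_FLOWS))
```

The `observer_view` rows make the thread's conclusion concrete: with plain DNS the observer gets the name whether the resolver is the ISP's or Mullvad's, and with DoT/DoH it gets only which resolver was contacted, which is exactly the "they can see you talk to certain machines" residue described above. `find_plaintext_dns` is the kind of check worth running on a mirror port or router capture: one device that never got the encrypted-resolver setting undoes the privacy gained on the others.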

[–] [email protected] 2 points 4 months ago (1 children)

I'm assuming you're unfamiliar with US ISPs... Yeah they're less trustworthy than mullvad haha

Thank you for your response

[–] [email protected] 1 points 4 months ago

Yeah, probably. Although if a US ISP does something illegal to you, you can take them to court, whereas you have no recourse against mullvad. But of course you may have 0% chance of winning anyway, so :shrug:.

[–] [email protected] 1 points 4 months ago

I’ve noticed most responses are talking about DNS. The other issue with more modern ISP-supplied routers is that they can typically look into your LAN — this is a nonstarter for me.

I recently helped install such a router for a friend and they thought it was cool that from the ISP’s app they could approve/deny new devices joining their network. Sure the feature itself is cool, but there are routers on the market that do this without involving your ISP.