Archived view for republic.circumlunar.space › users › jdn06 › gemlog › 2019.07.14-Privacy_Paradox, captured on 2023-07-10 at 14:25:47.
One of the big paradoxes of today's internet seems to be that if you try to protect your privacy from GAFAM and Internet providers, you expose yourself more to everyone else.
A decade ago, under the influence of people like
I decided to host the services I used at home, on my own server. I began with a web server and a file synchronization service over SSH with Unison. A mail server, an XMPP server and an ownCloud server followed quite quickly, and I was happy with them.
But running a mail server is not really a piece of cake, and it needed a lot of additional work before it was really usable for mailing people hosted at GAFAM: reverse DNS, SPF and DKIM, for example.
As I wanted an email address with my last name as the domain, I had to point the reverse DNS of my home IP address to that domain, which means that anyone running a web server I connect to from home can guess my name with a simple reverse lookup. No anonymity anymore.
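The records involved, as an added illustration rather than the author's actual zone: a constructed forward zone for a placeholder domain "lastname.example" and the matching reverse record for the placeholder home address 203.0.113.10. The PTR record at the bottom is the one that ties the home IP address to the family name; SPF and DKIM only describe which host may send mail and which key signs it.

```zone
; Constructed example. Domain, IP address and selector are placeholders,
; not the author's real values.

; --- Forward zone: lastname.example ---------------------------------
$ORIGIN lastname.example.
$TTL 3600
@                 IN  MX   10 mail.lastname.example.
mail              IN  A    203.0.113.10

; SPF: only the hosts listed as MX (i.e. the home server) may send mail
; for this domain; everything else is a hard fail.
@                 IN  TXT  "v=spf1 mx -all"

; DKIM: public key for selector "mail"; the private key signs outgoing
; mail on the home server. <base64 public key> stands for the real key.
mail._domainkey   IN  TXT  "v=DKIM1; k=rsa; p=<base64 public key>"

; --- Reverse zone: 113.0.203.in-addr.arpa ---------------------------
; Usually delegated to the ISP, which sets it on request. The forward
; name (mail.lastname.example -> 203.0.113.10) and this PTR must agree
; ("forward-confirmed reverse DNS") or big providers will reject the
; mail. It is also what lets any server you connect to from 203.0.113.10
; learn "lastname" with a single `dig -x 203.0.113.10`.
$ORIGIN 113.0.203.in-addr.arpa.
10                IN  PTR  mail.lastname.example.
```

Check the pair with `dig +short mail.lastname.example` and `dig +short -x 203.0.113.10`: the two answers must point at each other, and the second one is exactly the lookup the rest of the post worries about.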
For browsing, I did not like the idea of using my Internet provider's DNS resolver. In France, those resolvers are used to block sites by administrative order, without any warning, which I consider a very bad policy. And your provider can learn almost everything about your browsing without any deep packet inspection: your DNS queries are enough. That is why I set up an Unbound recursive resolver with DNSSEC validation and used it from home.
But here the problem is perhaps worse: now anyone who listens to the DNS traffic between my resolver and the root and authoritative servers can see my queries in plaintext, and they come from an IP address tied to my name.
In a way, your anonymity is better protected when you use a Windows computer with the standard tools: you are lost in the crowd of big data. Companies can still record a lot about you, but not your name if you do not give it.
For this DNS issue, I recently discovered
You give up resolving DNS yourself, but your queries are encrypted with TLS all the way to a resolver that keeps no logs. You have to trust them, but if they act as they say, your DNS queries no longer leak. You can still enable DNSSEC validation, and the answers are not under the control of the French government.
As these queries are slower than those answered by a local self-hosted resolver, you can speed up resolution by caching the results in the local Unbound server.
The DNS-over-HTTPS integration in Firefox shows that DNS encryption will soon be the default, as HTTPS has become.
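What that setup looks like in Unbound, as an added example (not the author's configuration): a local caching resolver that forwards every query over DNS over TLS to one no-log resolver and validates DNSSEC itself. The upstream address 192.0.2.53 and the TLS name dot.resolver.example are placeholders; substitute the provider you have decided to trust.

```conf
# /etc/unbound/unbound.conf -- constructed example, not the author's file.
# Assumes a resolver offering DNS over TLS on port 853 at the placeholder
# address 192.0.2.53 with the certificate name "dot.resolver.example".

server:
    # Listen only for the machines at home
    interface: 127.0.0.1
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # Validate DNSSEC locally, so the forwarder cannot feed forged answers
    # without being caught (root trust anchor maintained by unbound-anchor)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # CA bundle used to verify the forwarder's TLS certificate; without it
    # the TLS name in forward-addr is not checked
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Caching: repeated lookups are answered locally and never pay the
    # TLS round trip; prefetch renews popular names before they expire
    cache-min-ttl: 300
    prefetch: yes

    # Send only the labels needed at each step if Unbound ever recurses
    qname-minimisation: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # ip@port#tls_auth_name
    forward-addr: 192.0.2.53@853#dot.resolver.example
    # Keep the default: if the TLS forwarder is unreachable, fail with
    # SERVFAIL rather than silently recursing in plaintext to the roots,
    # which would reintroduce the leak the post describes
    forward-first: no
```

Two checks worth running after `unbound-checkconf` and a restart: `dig @127.0.0.1 example.com +dnssec` should come back with the AD flag set, and a deliberately broken domain such as `dnssec-failed.org` should return SERVFAIL, which proves validation happens locally rather than being taken on faith from the forwarder.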