
Alternative to firefox - DNS leaks!

ianm_ozzy

Hi all

I am looking for a decent browser to use on Ubuntu Linux.
Firstly, no DNS leaks.
No bloat.
No spying.
Can use add-ons like uBlock Origin & NoScript.
The ability to use a proxy independent of what the OS uses (not possible in Chrome apparently).

Oh, and able to use a SOCKS proxy.

So I'm dumping Firefox sharpish.

Thanks

Main Machine: CPU: 5800X3D  RAM: 32GB  GPU: RTX 3080  M/B: ASUS B550-E Storage: 2 x 256GB NVME boot, 1/2 TB NVME OS: Windows 10, Ubuntu 22.04

Server1:  M92p micro  CPU: i5-3470T  RAM: 8GB OS: Proxmox  Virtual Machines: Opnsense router, LXC containers: netboot server, download manager

Server2: CPU: 3600X  RAM: 64GB M/B MSI B450 Tomahawk  OS: Proxmox  Virtual machines: Windows 10, 3 x Ubuntu Linux, Truenas scale (16TB logical storage)


9 minutes ago, ianm_ozzy said:

no DNS leaks.

Have you considered just encrypting your DNS inquiry so a "leak" is useless in the first place? Also, DNS over HTTPS is a thing now.

https://github.com/ungoogled-software/ungoogled-chromium Pretty much your only game in town. It's a two-horse race; everyone is ditching their proprietary browser engine for Chromium, so if you want a privacy-centric one it's either completely de-Googled Chromium, or another Firefox reskin with more attachments like Tor Browser.

Press quote to get a response from someone! | Check people's edited posts! | Be specific! | Trans Rights

I am human. I'm scared of the dark, and I get toothaches. My name is Frill. Don't pretend not to see me. I was born from the two of you.


1 minute ago, SorryBella said:

Have you considered just encrypting your DNS inquiry so a "leak" is useless in the first place? Also, DNS over HTTPS is a thing now.

https://github.com/ungoogled-software/ungoogled-chromium Pretty much your only game in town. It's a two-horse race; everyone is ditching their proprietary browser engine for Chromium, so if you want a privacy-centric one it's either completely de-Googled Chromium, or another Firefox reskin with more attachments like Tor Browser.

This, and for example you can use NextDNS for free: turn off logs, set up protections and blocking.

1 minute ago, SorryBella said:

Have you considered just encrypting your DNS inquiry so a "leak" is useless in the first place? Also, DNS over HTTPS is a thing now.

https://github.com/ungoogled-software/ungoogled-chromium Pretty much your only game in town. It's a two-horse race; everyone is ditching their proprietary browser engine for Chromium, so if you want a privacy-centric one it's either completely de-Googled Chromium, or another Firefox reskin with more attachments like Tor Browser.

I should have been more descriptive.

I am aware of HTTPS and encrypted DNS.

It is for connecting Firefox on my Linux PC through the ZeroTier network.

Sadly, tunneling traffic and DNS options are an issue on Linux for ZeroTier.

Firefox connects through ZeroTier to my router (OPNsense). The proxy server plugin is installed & working on OPNsense.

It uses AdGuard for DNS blocking and DNSCrypt using encrypted DNS.

If using a public wifi, then DNS queries are leaked & unencrypted for all to see. That is an abysmal security situation.

Sounds like you want something that doesn't exist, although I highly question why you'd want these particular things anyway. Sounds like you've built a very complicated list of requirements for seemingly no purpose, or at the very least not a purpose you have made clear to us.

You have already said no to Firefox and Chromium-based browsers. So what is there left?

I would just like to add, however, that you can set a specific DNS in modern browsers. So if you are out and about you could just turn on a specific DNS that encrypts DNS queries. Personally though, I don't see my DNS queries being leaked as an "abysmal security situation".

6 minutes ago, LAwLz said:

Sounds like you want something that doesn't exist, although I highly question why you'd want these particular things anyway. Sounds like you've built a very complicated list of requirements for seemingly no purpose, or at the very least not a purpose you have made clear to us.

You have already said no to Firefox and Chromium-based browsers. So what is there left?

I would just like to add, however, that you can set a specific DNS in modern browsers. So if you are out and about you could just turn on a specific DNS that encrypts DNS queries. Personally though, I don't see my DNS queries being leaked as an "abysmal security situation".

The purpose is to simply browse the web as though from home, with privacy. Also to access resources at home - streaming and NAS.

Using public wifi is interesting.

They are usually severely firewalled. Standard VPN access, like OpenVPN or WireGuard, is a problem.

I have a VPS presently with both, and it's hit & miss if I can connect.

ZeroTier is specifically designed to crash through them, and typically does.

So DNS leaks on an unencrypted public wifi are not a big security concern?

Interesting.

So apparently there are no DNS leaks using ungoogled Chrome.

The extensions seem a little bit of a challenge though, but I will work it out.

Thanks for the info.

Well, I need either Firefox to be fixed, or ZeroTier to be fixed in Linux.

Thanks

2 hours ago, ianm_ozzy said:

If using a public wifi, then DNS queries are leaked & unencrypted for all to see

MITM on public Wifi is practically dead in the water with WPA and HTTPS being standard on almost every network, and really at that point you need to lock down your network permissions instead of blaming it on edge cases like your browser. Or better yet, don't even use one in the first place; get a travel router/modem for your own use like I used to until I used my own hotspot, but that complicates things considering most mobile networks run on CG-NAT. But yeah, I'm kinda with @LAwLz on this one: DNS query leak is the least of your worries if this is your use case scenario, and you have straight up accidentally eliminated everyone from contention.

Eh? Firefox uses DoH and only if it's blocked does it revert back to DNS.

If you are this paranoid, why are you using ZeroTier to begin with?

1 hour ago, ianm_ozzy said:

Standard vpn access, like openvpn or wireguard are a problem

Never was for me. Running OpenVPN on port 443 shared with an actual web server for the last 12 years.

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

5 hours ago, Levent said:

Eh? Firefox uses DoH and only if it's blocked does it revert back to DNS.

If you are this paranoid, why are you using ZeroTier to begin with?

Never was for me. Running OpenVPN on port 443 shared with an actual web server for the last 12 years.

ZeroTier can get through firewalls better than the OpenVPN setup I found.

Also, now there is no need to hire a local VPS for the job.

Its server's static IP was also an issue.

I was using port 443 (UDP).

So if anyone cares, the DNS leaks were due to the uBlock Origin add-on.

How extremely annoying.

I was under the impression it was a quality add-on.

Those ratings are meaningless.

AdGuard (in the router) is doing a similar job anyway.

Either I don't know as much as I think I know about networking, or you are a bit too paranoid and a bit less sure of how technology works than you think you are.

If you are running WireGuard on OPNsense, once you connect to that from your machine, all traffic should be piped through the VPN tunnel (unless you have it set up as a split tunnel). That includes DNS...

Whenever I am off my local LAN, I have at a minimum a split tunnel running in WireGuard, and my DNS is redirected over the tunnel so I have ad blocking via pfBlockerNG within pfSense (my router at home). Then I can also hit all my home subnets, but with the split tunnel setup I don't get all traffic routed over the VPN, so I retain the physical internet speed of wherever I am. If wherever I am is not trusted, I switch to the full VPN and then all traffic is encrypted and sent over the WireGuard tunnel.

If you own your own router and can open ports (sounds like you can...), you don't need the "fancy" features of ZeroTier. Just use WireGuard, expose it to the WAN on whatever port you want, and that's that.

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TreuNAS + many other VM’s

 

iPhone 14 Pro - 2018 MacBook Air

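The split-tunnel versus full-tunnel arrangement described in the post above, written out as a WireGuard client profile in wg-quick format. This is an added example, not the poster's configuration and not anything from the OPNsense or pfSense projects; every key, address, subnet and the endpoint hostname is a placeholder to be replaced with your own values. The point it makes concrete is the check that decides whether DNS leaks in split-tunnel mode: the resolver named in `DNS =` must fall inside one of the `AllowedIPs` prefixes, otherwise queries to it take the default route out over the local network.

```ini
# Added example: WireGuard client (wg-quick) profile for a laptop connecting
# back to a home router. All values are placeholders, not a real deployment.
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.200.0.2/32
# Resolver on the home router. Name lookups only stay inside the tunnel
# if this address is covered by the peer's AllowedIPs below.
DNS = 10.0.0.1

[Peer]
PublicKey = <HOME_ROUTER_PUBLIC_KEY_PLACEHOLDER>
Endpoint = home.example.invalid:51820
# Split tunnel: route only the WireGuard subnet and the home LAN through the
# tunnel. 10.0.0.1 (the DNS server) is inside 10.0.0.0/24, so DNS goes home;
# everything else uses the local uplink directly.
AllowedIPs = 10.200.0.0/24, 10.0.0.0/24
# Full tunnel for untrusted networks: replace the line above with
# AllowedIPs = 0.0.0.0/0, ::/0
# so that all IPv4 and IPv6 traffic, DNS included, is routed through the tunnel.
PersistentKeepalive = 25
```

Note that the `DNS =` line is honoured by wg-quick (it installs the resolver for the lifetime of the tunnel); other WireGuard front-ends may need the same resolver configured separately.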

9 hours ago, LIGISTX said:

Either I don't know as much as I think I know about networking, or you are a bit too paranoid and a bit less sure of how technology works than you think you are.

If you are running WireGuard on OPNsense, once you connect to that from your machine, all traffic should be piped through the VPN tunnel (unless you have it set up as a split tunnel). That includes DNS...

Whenever I am off my local LAN, I have at a minimum a split tunnel running in WireGuard, and my DNS is redirected over the tunnel so I have ad blocking via pfBlockerNG within pfSense (my router at home). Then I can also hit all my home subnets, but with the split tunnel setup I don't get all traffic routed over the VPN, so I retain the physical internet speed of wherever I am. If wherever I am is not trusted, I switch to the full VPN and then all traffic is encrypted and sent over the WireGuard tunnel.

If you own your own router and can open ports (sounds like you can...), you don't need the "fancy" features of ZeroTier. Just use WireGuard, expose it to the WAN on whatever port you want, and that's that.

Why do so many assume that I want to open up a port on my home router?

Firstly - not happening, for security reasons.

Secondly - I will be 'upgrading' my home internet soon.

I am pretty sure I will be behind a NAT.

Whatever works for you, then great.

Also, WireGuard & OpenVPN, as I have stated quite a bit, are typically blockable on public wifi.

It is the case where I am, anyway.

ZeroTier is specifically designed to get around them - and it typically does.

Also free, so no longer paying for a VPS for VPN use.

They are quite expensive if I want a local one.

Its only issue I am aware of is setting up proper routing for ZeroTier in Linux.

I used a proxy server instead, but in some 'quick' testing on the laptop, the DNS requests were not going through ZeroTier, hence the DNS leak.

I am very annoyed that the trusted uBlock Origin was the culprit. A dubious situation if using public wifi.
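The leak described in the post above (browser traffic carried by a SOCKS proxy over the ZeroTier link, while the name lookups themselves go out over the hotspot) comes down to which form of destination the client puts in the SOCKS5 CONNECT request. Per RFC 1928 the request can carry a domain name (address type 0x03), in which case the proxy resolves it at the far end, or an IP address (0x01/0x04), which means the client already resolved the name itself through the local resolver. The following is an added example, not code from the thread or from Firefox, ZeroTier or OPNsense: a small encoder and decoder for that request framing plus a simulated client run in both modes against a constructed resolver table. The hostname, addresses, `CONSTRUCTED_LOCAL_RESOLVER` and the `client_request` helper are all made up for the illustration.

```python
"""SOCKS5 CONNECT requests with remote vs local name resolution (RFC 1928 framing).

Added illustration, not code from the thread or from Firefox, ZeroTier or OPNsense.
The resolver table and every name/address below are constructed for the demo.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04
ATYP_NAMES = {ATYP_IPV4: "ipv4", ATYP_DOMAIN: "domain", ATYP_IPV6: "ipv6"}

# Stand-in for the OS resolver on a public hotspot (constructed data). A real
# hotspot resolver would see any query sent to it in the clear.
CONSTRUCTED_LOCAL_RESOLVER = {"nas.example.home": "10.0.0.20"}


def build_connect(target: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT.

    An IP literal is sent as an address (ATYP 0x01 or 0x04). Anything else is
    sent as a domain name (ATYP 0x03) so the proxy resolves it at the far end.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(req: bytes) -> tuple:
    """Decode a CONNECT request into (address_type, target, port)."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        target, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        target, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        target, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("malformed request length")
    return ATYP_NAMES[atyp], target, struct.unpack("!H", rest)[0]


def client_request(target: str, port: int, remote_dns: bool, lookup_log: list) -> bytes:
    """Simulate a proxy client. `lookup_log` records names resolved locally.

    remote_dns=True : hand the hostname to the proxy; the lookup stays in the tunnel.
    remote_dns=False: resolve through the local resolver first, then send the IP.
                      Every entry that lands in lookup_log is a query the hotspot saw.
    """
    try:
        ipaddress.ip_address(target)
        return build_connect(target, port)  # already an IP, nothing to resolve
    except ValueError:
        pass
    if remote_dns:
        return build_connect(target, port)
    lookup_log.append(target)
    return build_connect(CONSTRUCTED_LOCAL_RESOLVER[target], port)


if __name__ == "__main__":
    for mode in (False, True):
        log: list = []
        req = client_request("nas.example.home", 443, remote_dns=mode, lookup_log=log)
        print(f"remote_dns={mode}: proxy receives {parse_connect(req)}, local lookups {log}")
```

Running the block shows the two outcomes side by side: with `remote_dns=False` the proxy receives `("ipv4", "10.0.0.20", 443)` and the hostname appears in the local lookup log, which is the leak; with `remote_dns=True` the proxy receives the name itself and the log stays empty. In Firefox the equivalent switch is the "Proxy DNS when using SOCKS v5" option (preference `network.proxy.socks_remote_dns`); it governs only lookups the browser's own networking stack performs on behalf of page loads, so any component that resolves names by another path still uses the local resolver.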

21 minutes ago, ianm_ozzy said:

Why do so many assume that I want to open up a port on my home router?

Firstly - not happening, for security reasons.

Because that's how services work... services need to make it through firewalls somehow, and the way in which they do that is via opening a port. I'd trust a port on my network, which I control, going to a service I own, on a VM or within my firewall that I set up, over routing my traffic through unknown jump points or proxy servers. No one should ever open ports to unknown services, but opening a port to WireGuard... probably going to be ok. Of all the ways to get pwned on the internet, that is not going to be it.

23 minutes ago, ianm_ozzy said:

I am pretty sure I will be behind a NAT

You are already behind NAT... OPNsense is doing NAT for your network. Do you mean CGNAT?

24 minutes ago, ianm_ozzy said:

Also, WireGuard & OpenVPN, as I have stated quite a bit, are typically blockable on public wifi.

How would they be blocked by public WiFi? You're connecting to an IP address and a random port. I have never once had my WireGuard connection blocked. The only way they would be blocking it is if they just don't allow you to connect to any IP that is part of an ISP's block of IPs (basically not allowing you to connect to any home IP address), or only allowing you to connect to whitelisted IPs, which, if true, that's a pretty unfortunate place to live. Is it possible to get something like Starlink and just not deal with that?

27 minutes ago, ianm_ozzy said:

I am very annoyed that the trusted uBlock Origin was the culprit. A dubious situation if using public wifi.

I don't really understand this. If you have encrypted DNS, why does it matter if you're on public WiFi?

I am not sure if this is just obsessive fear mongering, being in a very suppressive country where you basically need to entirely hide, or just not fully understanding? Maybe it would make more sense to just build a travel router and use that?

At the end of the day, you have to trust something, and I'd trust WireGuard and a port I open on my own device I control over relying on proxy servers I do not control.

To each their own, I suppose.

34 minutes ago, LIGISTX said:

Because that's how services work... services need to make it through firewalls somehow, and the way in which they do that is via opening a port. I'd trust a port on my network, which I control, going to a service I own, on a VM or within my firewall that I set up, over routing my traffic through unknown jump points or proxy servers. No one should ever open ports to unknown services, but opening a port to WireGuard... probably going to be ok. Of all the ways to get pwned on the internet, that is not going to be it.

You are already behind NAT... OPNsense is doing NAT for your network. Do you mean CGNAT?

How would they be blocked by public WiFi? You're connecting to an IP address and a random port. I have never once had my WireGuard connection blocked. The only way they would be blocking it is if they just don't allow you to connect to any IP that is part of an ISP's block of IPs (basically not allowing you to connect to any home IP address), or only allowing you to connect to whitelisted IPs, which, if true, that's a pretty unfortunate place to live. Is it possible to get something like Starlink and just not deal with that?

I don't really understand this. If you have encrypted DNS, why does it matter if you're on public WiFi?

I am not sure if this is just obsessive fear mongering, being in a very suppressive country where you basically need to entirely hide, or just not fully understanding? Maybe it would make more sense to just build a travel router and use that?

At the end of the day, you have to trust something, and I'd trust WireGuard and a port I open on my own device I control over relying on proxy servers I do not control.

To each their own, I suppose.

So my new internet - probably behind a NAT - and the other being my router - CGNAT or whatever.

How exactly do I access a WireGuard server (at home) in that situation?

I do not know exactly how some VPNs are blocked in some public wifi.

All I know is ZeroTier can mostly get through them.

Encrypted DNS from my router to outside - yep. My traffic is tunneled through it.

On a public wifi, where typical VPNs are an issue, ZeroTier is the option.

It can only apparently operate as a split tunnel in Linux.

If you know how to tunnel all traffic on it, please let me know.

So I just use a proxy server (on my router) accessed through the ZeroTier virtual LAN.

It means any DNS leaks on unencrypted wifi are for all to see.

My motivation is mainly convenience, with no VPNs to set up/manage.

Also saving a little cash - amounting to a lot in the long term.

Now working exactly as I wanted.

Yay

I just hate uBlock Origin now.