Considering my threat model is just preventing my ISP from knowing which websites I am visiting and preventing my government (India) from tracking me, do I need to use a VPN?
Currently, I am using a trusted VPN provider with a permanent kill switch and am never off of the VPN. Today, I was reading IVPN’s homepage and it says, “A VPN can be effective at encrypting your DNS requests so your ISP or mobile network provider cannot monitor or log the domains you visit.” But as far as I know, DNS over HTTPS does encrypt the DNS requests. Right?
I regularly clean my cookies, use hardened browsers, etc. So is a VPN really necessary for me? Or shall I just shift to using Quad9’s DoH or something?
Edit - I am using the router provided by the ISP and I cannot change it because I am behind CGNAT. I can use a separate device and install pfSense or OpenWrt or something on it and use that as a firewall. Any suggestions there?
They will see the IP of the site you are visiting if you do not have the VPN. Depending on the site it could be obvious which site it is, if it has dedicated hosting for example.
Most sites still send the domain name in clear text. You can see it in Wireshark or PCAPdroid. You need a VPN if you don’t want your ISP to see the sites you visit.
This is pretty easy to do with a network tap, but it’s a bit of data to capture and search. The SNI header tells a frontend at the IP what site you want. Something like Security Onion sitting on your net is a way to see it yourself.
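To make the SNI point concrete: the hostname sits unencrypted in the TLS ClientHello, so even with DoH an on-path observer can read it without touching DNS. This is an added illustration, not code from anyone in the thread; it builds a constructed ClientHello (not a real capture) and parses the server_name extension back out.

```python
import struct
from typing import Optional

def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed sample, not a capture).
    The server_name extension is included only when a hostname is given."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    body = (
        b"\x03\x03" + bytes(32)                # legacy version + 32-byte client random
        + b"\x00"                              # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                          # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the plaintext SNI hostname from a ClientHello record, or None if
    the record is not a ClientHello or carries no server_name extension."""
    if len(record) < 50 or record[0] != 0x16 or record[5] != 0x01:
        return None                            # shorter than any ClientHello, or not one
    pos = 9 + 2 + 32                           # record hdr(5) + hs hdr(4) + version + random
    pos += 1 + record[pos]                     # skip session id
    (cs_len,) = struct.unpack("!H", record[pos:pos + 2])
    pos += 2 + cs_len                          # skip cipher suites
    pos += 1 + record[pos]                     # skip compression methods
    if pos + 2 > len(record):
        return None                            # no extensions block at all
    (ext_len,) = struct.unpack("!H", record[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                 # server_name: list_len(2) type(1) name_len(2) name
            (name_len,) = struct.unpack("!H", record[pos + 3:pos + 5])
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += length
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.org")))   # www.example.org
    print(extract_sni(build_client_hello(None)))                # None
```

The same field is what Wireshark shows under the ClientHello's server_name extension; Encrypted Client Hello (ECH) is the mechanism meant to close this gap, but most sites do not offer it yet.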
Email is likely just as much a risk since the host would not only know who you communicate with but the content.
In your case a VPN makes more sense when you can’t really control the router. I like Cloudflare’s 1.1.1.1 Warp VPN; it masks my IP and speeds up my connection. If you want to torrent or do other questionable things, something like Mullvad, Proton or IVPN is a better choice.
Whaaaaa?
No, a VPN is NOT just about DNS.
DNS is the starting point, but the main idea is to route your traffic through a central point without logs.
This means that from a network sniffing perspective, I know you’re sending data to the VPN endpoint, but the data is encrypted (also an important point about VPNs) and I don’t know where it’s going at all after that.
Even if I’m sniffing the traffic going out of the VPN endpoint, because there are many people using the same point, while I can see that someone on the VPN was looking up pages on the Pirate Bay looking for the latest movie, I’m unable to match that to a person connected. It could be one of thousands of people browsing with this VPN. So I don’t know that it was you looking for the latest Minions movie.
Without the VPN, your ISP knows you are making a DNS request, but they can’t see what domain you are resolving. A moment later, they see the IP that request resolved to, when you request that site. They can see how much encrypted traffic is going back and forth. When they see that the IP address hosts a porn site, and traffic analysis shows you’re starting and stopping video streams, they know you’re jerking off, but can’t figure out your specific fetish.
With a VPN, your ISP only ever sees the VPN’s IP address. They know when you are sending and receiving traffic to/from that IP, but they don’t know the original source. With traffic analysis, they can probably figure out that you’re watching videos, but they probably can’t distinguish between YouTube and YouPorn.