TorGuard

All Activity


  1. Today
  2. I have something like this:

    2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> [init] ===
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> "netsh>"
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> "netsh interface ipv6>Ok."
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> ""
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> "netsh interface ipv6>"
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> "netsh>netsh>"
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> "netsh interface ipv6>Ok."
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> ""
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> "netsh interface ipv6>"
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> "netsh>netsh>netsh>"
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stdout" ==>> [end] ===
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === "stderr" ==>> [empty] ===
    [2020-02-20 23:27:09.427 Pacific Standard Time D] netsh === exit code: 0 , exit status: QProcess::ExitStatus(NormalExit) ===
    [2020-02-20 23:27:09.843 Pacific Standard Time D] WhatIsMyLocation/doQueryMyLocation: HTTP download progress
    [2020-02-20 23:27:09.843 Pacific Standard Time D] WhatIsMyLocation/doQueryMyLocation: HTTP download progress
    [2020-02-20 23:27:09.843 Pacific Standard Time D] WhatIsMyLocation/doQueryMyLocation: HTTP request was successful
    [2020-02-20 23:27:09.843 Pacific Standard Time D] WhatIsMyLocation/OnSuccess: location= 36.976 -137.956***** edit
    [2020-02-20 23:27:09.845 Pacific Standard Time D] WhatIsMyLocation/doQueryMyLocation: HTTP request aborted
    [2020-02-20 23:27:09.845 Pacific Standard Time D] WhatIsMyLocation/doQueryMyLocation: ReplyHandler destroyed
    [2020-02-20 23:27:11.786 Pacific Standard Time D] ComInitialize constructor failed, hresult= 80010106

Pretty much wondering what's up with the geolocation? Why is my client performing it? Why does it do it in clear text?
  3. chumleyex

    Super slow pfsense

    Ok, thank you for your reply.
  4. Yesterday
  5. Amir

    TG Android Client v1.56.2

    Any ETA for the next update for Windows?
  6. Support

    TG Android Client v1.56.2

    == Release v1.56.2, 2020-02-19
    - Fix issue where VPN would not resume after pausing by screen off event on Android TV

    Downloads

    P.S. We are staging the rollout so you may not see it until we increase the exposure over the coming days - however you can download it directly from our downloads page here https://torguard.net/downloads.php

    Regards
  7. Support

    Super slow pfsense

    Hi, from experience, you will not get much more through this CPU, it's not powerful enough to run anywhere near what you are looking to achieve - remember OpenVPN is single threaded - it only has the ability to use one core. Regards
  8. Support

    PayPal

    I guess it's just a standard message they have to let you know that we will see your email/address you use on file - just like they warn you when installing extensions or apps that the app will potentially have the permission to see your traffic/personal details and other related info. Regards
  9. wotmate

    PayPal

    Yeah, it's standard info that Amazon would have... just want to know why it says " allowTorGuard VPN to access"
  10. Support

    PayPal

    This is a requirement by Amazon it would seem, not TG. I will pass it over to billing to take a look - paying by credit card requires an address to validate the card and to prevent fraud - it's no different via PayPal, they hold all your details as well? Regards
  11. Support

    no paypal, CC wanting address

    This is a requirement by Amazon and paying by credit card requires an address to validate the card - it's no different via PayPal, they hold all your details as well? Regards
  12. wotmate

    PayPal

    Sorry, you must have missed the edit. Another thread started about it here:
  13. Support

    PayPal

    On the TorGuard website, we do not ask you to enter address details - you click to pay the invoice via Amazon Pay, it directs you to Amazon to choose a payment source, once it is complete, it takes you back to your invoice - please explain where you are asked for address details? Regards
  14. wotmate

    PayPal

    Yes, it is. And according to Amazon Pay, it is as per TorGuard's requirements. Someone else started a thread about it here:
  15. Support

    Blog Issue. looks unprofessional IMHO

    Thanks for pointing that out - maybe the author fell asleep? TorGuard users notice everything! Thanks
  16. Support

    PayPal

    This info is not required for Amazon Pay? Regards
  17. wotmate

    PayPal

    The question has to be asked in regards to Amazon Pay, why does TorGuard, a company that does anonymous VPN, need to know my full name and where I live????
  18. Greetings, I am sure this has been asked and answered multiple times, but I wasn't able to quickly find my answers (not spending 10 hours sifting through pages and pages of pseudo related content). I am new to the VPN scene. I bought a small i5 6 core machine to use as a dedicated torrent box. I was initially going to set it up and use it as a VPN server dishing out DHCP to the rest of my network and also to 'turn on' VPN protection for the network with a few clicks of a button, but I don't think I have a real need for that. I downloaded 'torguard' app and I am running that. I did a speed test and I am getting about 25% of my regular ISP speeds through a speed test and it failed during the upload process. My regular ISP speeds are 100Mbps and a lightning fast 5Mbps (end sarcasm) upload. Do I need to purchase a dedicated IP to achieve close to my regular ISP speeds? I did see a few threads about persons not getting the speeds with their dedicated IP and a few users suggested that they make some checks and use google in the network settings..... but I think those users were using their router as a VPN device. I was looking in the TorGuard app but I don't see where to change any of those settings. Then I thought about changing them in the virtual network adapter properties but then wasn't sure if that would hinder me even more. Could someone be so kind as to give me a little guidance or at least link to a thread that answers my questions? Thanks
  19. Last week
  20. https://torguard.net/blog/attacks-against-citrix-vpn-servers-are-underway/ Last sentence ends in middle of thought. Particularly bad 'cause it's a sales pitch... Love you
  21. chumleyex

    Super slow pfsense

    I run pfsense on an ASRock J3355B-ITX Intel Dual-Core Processor J3355 and it's connected to at&t fiber. Without going over vpn I get around 800mb down and 900mb up. I have openvpn tunneling out to torguard and the max I can get is well under 200mb down and most of the time a speed test shows 0 for upload. My example today has an upload speed though. I would love to see 400+ up/down and a stable connection. This is far from stable. There are many times I go to pull something up from the internet and the page isn't displayed for a very long time. Any ideas on how to help? While running the speed tests I check the cpu of the pfsense box and it's chilling at 25%, so it's not stressed out. The VM I run the speed test on has plenty of horse power too. Here are my configs.

    persist-key
    persist-tun
    remote-cert-tls server
    reneg-sec 0
    auth-retry interact
    verb 1
    fast-io
    sndbuf 524288
    rcvbuf 524288
  22. Moss

    Streaming IP stopped working no help

    I actually emailed support instead of opening another ticket and the new guy helped me out and solved the problem. First guy didn’t understand the problem and was making me download other software. Glad I contacted a different person.
  23. NullTotality

    Port Forwarding not working

    Open your console and run this netsh command as admin:

    netsh interface portproxy add v4tov4 listenport=external_port listenaddress=0.0.0.0 connectport=internal_port connectaddress=127.0.0.1

    You have to replace "external_port" and "internal_port" with the correct port numbers you're using.
  24. Gladonel

    Streaming IP stopped working no help

    I got my Netflix UK streaming IP stopped working but TorGuard's support was excellent and got my issue fixed in under 30 minutes.
  25. CitizenSmith

    Torguard Speed Test Best Settings Speed vs Security

    Not that up on VPN configs, could you please direct me! You say this is best security, I'm assuming that includes for downloading torrents!

    AES-256-GCM Block Outside DNS = Off Name Server = VPN DNS 164 18%

    1. To block outside DNS I go to "network tab"/ "DNS"/ and untick "block outside dns" which equals off, is that correct?
    2. And to do the Name Server I go to "Network tab"/ "DNS"/ "-when VPN is connected" and select "VPN DNS" there!

    Thanks for any help you can provide
  26. LAN Interface For GETDNS and STUBBY Plus UNBOUND

WHY YOU ASK ? ANSWER : IN LIFE ONE SHOULD HAVE OPTIONS

IMPORTANT UPDATED INFORMATION !!! - READ FULL GUIDE BEFORE GETTING STARTED !!!

Stop pfSense Router from occasionally allowing UNBOUND Root Hints to resolve queries on its own. This configuration ensures that localhost ( 127.0.0.1 ) will not be used as a resolver on pfSense Box. You will only use GETDNS and STUBBY DNS SERVERS if you follow this tutorial. You will use your One Main LAN Interface as the listening interface for STUBBY and the listening and outgoing interface for your UNBOUND DNS RESOLVER on pfSense. So, let's get started.

See Below For Definition and Function Of Unbound Root Hints :

Unbound is a caching DNS resolver. It uses a built in list of authoritative nameservers for the root zone (.), the so called root hints. On receiving a DNS query it will ask the root nameservers for an answer and will in almost all cases receive a delegation to a top level domain (TLD) authoritative nameserver. Source Document : https://man.openbsd.org/unbound

First you all know the drill by now - " The Intro " we would all have a better world if we remember to practice the concept that - NOW ! is the time for all of US ( A ) to GET UP & GET INVOLVED and act with SOUL POWER ! - lyrics to sing along : https://genius.com/James-brown-get-up-get-into-it-get-involved-lyrics plus https://genius.com/James-brown-soul-power-lyrics and video : https://www.youtube.com/watch?v=1pvIarW3xHg Bonus JB : https://www.youtube.com/watch?v=v8TvBPshngE

I noticed on https://www.freshports.org/dns/getdns/ that ever since getdns 1.5.2_1 - stubby is included in the package by default. PLEASE TAKE SPECIAL NOTE UNDER Commit History :

- Update to 1.5.2
- Build with STUBBY by default due to popular demand

This got me to thinking about how to install DNS Privacy DNS OVER TLS on pfSense ( Special Thanks and Kudos to Ryan Steinmetz aka zi - the port maintainer and developer of getdns on FreeBSD ).

This is an updated guide / tutorial which explains how to set up DNS-Over-TLS support for pfSense - Please disregard and do not use any guides and / or tutorials which pre-date this one which covers installation and configuration of DNS Privacy on pfSense FireWall. I run GetDns and Stubby forwarded to and integrated with Unbound. For those who wish to explore Stubby and GetDns - this method is the one recommended by DNSPRIVACY - see here :

https://getdnsapi.net/
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound

- please read this carefully - you will note that it indicates :

Unbound As A DNS TLS Client Features: Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).

I was asked by a still skeptical devotee of DOH " What makes this way better than just running the DNS-over-https-proxy ? " My answer was : Read this and make your decisions and conclusions concerning DOH vs DOT . Here is the article below : https://www.netmeister.org/blog/doh-dot-dnssec.html

Short Synopsis of DOH: In other words , ( with DOH ) we gain the same protections as with DoT for our web applications, but leaves all other DNS traffic vulnerable. Subsequently, as a matter of fact and in practice with DNS OVER TLS ALL DNS traffic is invulnerable and protected. This is why I run DOT and eschew DOH on my pfSense Router.

Further, Personally, I run GETDNS STUBBY and UNBOUND as described here along with ( wait for it ) FireFox DOH along with Encrypted SNI - plus TLS v 1.3 in Stubby and naturally a properly configured and encrypted VPN -

Your pfSense /etc/resolv.conf file before and after configuring LAN Interface For GETDNS and STUBBY Plus UNBOUND as described in this tutorial.

Your pfSense Firewall
# domain secureone.duckdns.org # Domain Used In My
# OpenWRT DuckDNS LET’S ENCRYPT CERTIFICATES MADE SIMPLE Tutorial

Before Below :

    cat /etc/resolv.conf
    nameserver 127.0.0.1
    search secureone.duckdns.org

After Below :

    cat /etc/resolv.conf
    nameserver 192.168.7.11
    search secureone.duckdns.org

These are the reasons I choose to use GetDns and Stubby with Unbound. Those reasons being so that I can take full advantage of all of the most secure privacy features available when running DNS OVER TLS. What I give you here is the absolute best method of implementation and deployment of DNS OVER TLS. For any and all who may be wondering why DNS OVER TLS is all the rage - read this: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt

I always set up DNS OVER TLS first before configuring OpenVPN and / or WireGuard on pfSense - this DNS solution works flawlessly with either VPN protocol. So here we go.

1 - There are four dependency packages required before actually installing the getdns package. Two are available in the pfSense package repositories and two from the FreeBSD repository. Lastly the getdns package itself is also in the FreeBSD repository.

So to begin enter these commands below in the order :

    A  # pkg install libuv
    B  # pkg install libyaml

- Go to https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ as pfSense is based on FreeBSD 11 -

    C  # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libev-4.24,1.txz
    D  # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libidn-1.35.txz

Lastly, install getdns along with stubby

    E  # pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/getdns-1.5.2_4.txz

GetDNS and Stubby are now installed on pfSense FireWall. In order to configure UNBOUND along with stubby ( and getdns ) follow the steps below.

For pfSense 2.5.0 Development Snapshots which is based on FreeBSD 12 which includes openssl 1.1 with tls 1.3 support for Stubby get packages from pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/ links for the same packages listed above - always check for latest packages first or you might encounter download issues.

2 - Now Ryan Steinmetz aka zi - the port maintainer and developer of this port was kind enough to include a start up script ( stubby.in ) for this package. See the stubby.in here in the raw : https://svnweb.freebsd.org/ports/head/dns/getdns/files/stubby.in?view=markup. All I had to do was ask him and he did for any and all who elect to use this great piece of FreeBSD software.

3 - Now to put all of this together, The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default.

First though Stubby needs Unbound root.key - run this command before getting started:

    # su -m unbound -c /usr/local/sbin/unbound-anchor

Then -

A - Issue this command :

    # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh

Make it executable - I run two commands - it works for me:

    # chmod 744 /usr/local/etc/rc.d/stubby.sh
    # chmod a+x /usr/local/etc/rc.d/stubby.sh

B - Yes must enable Stubby Daemon in the file - open file by :

    nano /usr/local/etc/rc.d/stubby.sh

go to line 27 -

    : ${stubby_enable="NO"}

change the setting to

    : ${stubby_enable="YES"}

- that is all you have to do to this file. It comes pre-configured. Save and exit.

4 - You can and should also check real time status of DNS Privacy Servers as they are experimental and are not always stable - you can monitor DNS TLS Servers Real Time Status here below: https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

I have read here: https://www.monperrus.net/martin/randomization-encryption-dns-requests that Also, it is good to set up some servers that listens on port 443 and others on port 853, so as to be resilient if you are on a network with blocked ports. You can also blend IPv4 and IPv6 addresses.

Now you must configure Stubby to resolve DNS OVER TLS -

    nano /usr/local/etc/stubby/stubby.yml

VERY IMPORTANT UPDATE: After checking, rechecking and then triple checking on this website mentioned above : https://www.immuniweb.com/ssl/?id=Su8SeUQ4 I have made some very serious discoveries regarding which DNS Privacy Test Servers to use. The bottom line is that I strongly suggest you only choose to deploy servers which support the TLSv1.3 protocol. See here for information and importance of TLSv1.3 : https://kinsta.com/blog/tls-1-3/ I will save you some considerable leg work and post below the best configuration for your stubby.yml file.

Here it is:

## All DNS Privacy Servers Below Tested and Updated On February 20 2020 With A+ Rating - 100% Perfecto Configuration on website: https://www.immuniweb.com/ssl/?id=Su8SeUQ4n
** These servers support the most recent and secure TLS protocol version of TLS 1.3 ** Good configuration - These server configurations support only TLSv1.2 and TLSv1.3 protocols - current most secure encryption.
# Also I have added the Country Locations of These DNS PRIVACY Servers using the Alpha 3 Code Format
# see country code lists here :
# https://www.nationsonline.org/oneworld/country_code_list.htm or https://www.iban.com/country-codes
# Use as many or as few depending on your specific needs

## Go Into SSH shell and enter :

    # nano /usr/local/etc/stubby/stubby.yml

    resolution_type: GETDNS_RESOLUTION_STUB
    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
    dnssec_return_status: GETDNS_EXTENSION_TRUE
    tls_query_padding_blocksize: 128
    edns_client_subnet_private : 1
    idle_timeout: 9000
    listen_addresses:
      - [email protected]   ## Enter Your One Main LAN Address Here
    tls_connection_retries: 5
    tls_backoff_time: 900
    timeout: 2000
    round_robin_upstreams: 1
    tls_ca_path: "/etc/ssl/"
    upstream_recursive_servers:
    ### IPV4 Servers ###
    ### DNS Privacy Test Servers ###
    ## 1 - The Surfnet/Sinodun DNS TLS Server #3 A+ ( NLD )
      - address_data: 145.100.185.18
        tls_port: 853
        tls_auth_name: "dnsovertls3.sinodun.com"
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
    ### Test servers ###
    ## 2 - The DNS Warden DNS TLS Server #1 A+ ( IND hosted in DEU )
      - address_data: 116.203.70.156
        tls_auth_name: "dot1.dnswarden.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0=
    ## 3 - The DNS Warden DNS TLS Server #2 A+ ( IND hosted in DEU )
      - address_data: 116.203.35.255
        tls_auth_name: "dot2.dnswarden.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: aPns02lcGrDxnJQcRSHN8Cfx0XG+IXwqy5ishTQtzR0=
    ## 4 - The ContainerPI.com - CPI DNS TLS Server A+ ( JPN )
      - address_data: 45.77.180.10
        tls_auth_name: "dns.containerpi.com"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: xz8kGlumwEGkPwJ3QV/XlHRKCVNo2Fae8bM5YqlyvFs=
    ## 5 - The FEROZ SALAM DNS TLS Server A+ ( GBR )
      - address_data: 46.101.66.244
        tls_auth_name: "doh.li"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 0xvfP+YW1Ueh+CRKPxHRyPTK7HSMfgd1KvYAVwSZqbI=
    ## 6 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR )
      - address_data: 217.169.20.23
        tls_auth_name: "dns.aa.net.uk"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: QU5xobzrRJeiNVUXh0bpUO42Xwj1HQgZo/uA3Uztfhc=
    ## 7 - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR )
      - address_data: 217.169.20.22
        tls_auth_name: "dns.aa.net.uk"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: SbMmQBuIp1HNX9FCCXuzHT0Nq4qnfwdwwH9i1/FYwT8=
    ## 8 - The dns.cmrg.net DNS TLS Server A+ ( CAN )
      - address_data: 199.58.81.218
        tls_auth_name: "dns.cmrg.net"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
    ## 9 - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU )
      - address_data: 159.69.198.101
        tls_auth_name: "dot-de.blahdns.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: YZeyeJf/suAR2fMHLc9RDPkcQi/e8EEnzk5Y1N90QQE=
    ## 10 - The BlahDNS Japan DNS TLS Server A+ ( JPN )
      - address_data: 45.32.55.94
        tls_auth_name: "dot-jp.blahdns.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: oo7UO3PO7GhSEuOahGQRPpAcvdFUC7ZRDH3YpoGio4I=
    ## 11 - The BlahDNS Finland DNS TLS Server A+ ( FIN )
      - address_data: 95.216.212.177
        tls_auth_name: "dot-fi.blahdns.com"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: PID8ufrN/lfloA6y/C+mpR8MT53GG6GkAd8k+RmgTwc=
    ## 12 - The dns.neutopia.org DNS TLS Server A+ ( FRA )
      - address_data: 89.234.186.112
        tls_auth_name: "dns.neutopia.org"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
    ## 13 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS )
      - address_data: 45.76.113.31
        tls_auth_name: "dot.seby.io"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM=
    ## 14 - The dns.seby.io - OVH DNS TLS Server A+ ( AUS )
      - address_data: 139.99.222.72
        tls_auth_name: "dot.seby.io"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 8A/1KQQiN+aFWenQon076nAINhlZjGkB15C4E/qogGw=
    ## 15 - The Foundation for Applied Privacy DNS TLS Server A+ ( AUT )
      - address_data: 37.252.185.232
        tls_auth_name: "dot1.appliedprivacy.net"
        tls_port: 443
        tls_pubkey_pinset:
          - digest: "sha256"
            value: w/3fNr64CFe2DQpbN3cRsGy2CgSRi51GsDwvcL4z8rg=
    ## 16 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR )
      - address_data: 51.38.83.141
        tls_auth_name: "dns.oszx.co"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: TSy1ZYYNACIkGRWFAH0IoPJI4HHksmpST4ckZCb7MRY=
    ## 17 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE )
      - address_data: 185.95.218.43
        tls_auth_name: "dns.digitale-gesellschaft.ch"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: ZXYkM5saqxlSg6hM31XDJ62QlY89bSiPYFXaU3CmGoc=
    ## 18 - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE )
      - address_data: 185.95.218.42
        tls_auth_name: "dns.digitale-gesellschaft.ch"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: YR0JbM0oGw6C/4iGjEuDONzBCc0qfLoWU3vGl/SzEUU=
    ## 19 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA )
      - address_data: 168.235.81.167
        tls_auth_name: "dns-nyc.aaflalo.me"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 39DtR8cTs4rBfMnUxuAngI6XUc1HTeZVziSbSC56MIM=
    ## 20 - The Antoine Aflalo DNS TLS Server #2 A+ ( NLD )
      - address_data: 176.56.236.175
        tls_auth_name: "dns.aaflalo.me"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: cgtNzBzfLuhQ2DrFMoi55U1W+44KLJ2pU/UkqxS06Z8=
    ## 21 - The Privacy-First DNS TLS Server #1 A+ ( JPN )
      - address_data: 172.104.93.80
        tls_auth_name: "jp.tiar.app"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 5mweIYRkQwvITwGFbt+/zhcHFBdKjSwX4Vahut8nYgE=
    ## 22 - The Privacy-First DNS TLS Server #2 A+ ( SGP Hosted In USA )
      - address_data: 174.138.29.175
        tls_auth_name: "dot.tiar.app"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 5qmICfbLIMJkCngfDoIKd0QMXIPiyRuWamVPZUl9/vA=
    ## 23 - The ibuki.cgnat.net DNS TLS Server A+ ( USA )
      - address_data: 35.198.2.76
        tls_auth_name: "ibuki.cgnat.net"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: Xgixyg7vSOO0jJQ/kWZE5/K6Z1HhrzPE2omwdpWD7cA=
    ## 24 - The PI-DNS.COM West USA DNS TLS Server A+ ( USA )
      - address_data: 45.67.219.208
        tls_auth_name: "dot.westus.pi-dns.com"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: s2BoWwWBcEAy8iU2FXqNHUoPlQdp0fUtxaXf5irRHM4=
    ## 25 - The PI-DNS.COM DNS TLS East USA Server A+ ( USA )
      - address_data: 185.213.26.187
        tls_auth_name: "dot.eastus.pi-dns.com"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: SEdkdZ3k+dmLWoD7HIWZ8b9CwXrctzHb94GpN405Gms=
    ## 26 - The PI-DNS.COM West Europe DNS TLS Server A+ ( NLD )
      - address_data: 31.220.42.65
        tls_auth_name: "dot.westeu.pi-dns.com"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: bv7pN2V/E2ds5jhNiU9Qm/vgEkrhf7to2bTeX1R3m1g=
    ## 27 - The PI-DNS.COM North Europe DNS TLS Server A+ ( FIN )
      - address_data: 95.216.181.228
        tls_auth_name: "dot.northeu.pi-dns.com"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: n3TS/j9J67vVc2aV0ADzT8E/Tup4P1+SghLtvDCZCJc=
    ## 28 - The Snopyta DNS TLS Server A+ ( FIN )
      - address_data: 95.216.24.230
        tls_auth_name: "fi.dot.dns.snopyta.org"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: 4N75mKYSJ0hU7b2Ptmp2splcB4LAQHQqvWXPdJN7YtQ=
    ## 29 - The SecureDNS DNS TLS Server A+ ( NLD )
      - address_data: 146.185.167.43
        tls_auth_name: "ads-dot.securedns.eu"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
    ## 30 - The NixNet Uncensored Las Vegas DNS TLS Server A+ ( USA )
    ## - or use ( tls_auth_name: "adblock.lv1.dns.nixnet.xyz" )
      - address_data: 209.141.34.95
        tls_auth_name: "uncensored.lv1.dns.nixnet.xyz"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: c+PSHI9qtGTOdmOJ+Npe6pEr/9Cr5SV9gj1bUOSeqfc=
    ## 31 - The NixNet Uncensored New York DNS TLS Server A+ ( USA )
    ## - or use ( tls_auth_name: "adblock.ny1.dns.nixnet.xyz" )
      - address_data: 199.195.251.84
        tls_auth_name: "uncensored.ny1.dns.nixnet.xyz"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: tot6FUW7X/eSbZ/1JtX7jLB57zc9oWz+6YhreoFEwWI=
    ## 32 - The NixNet Uncensored Luxembourg DNS TLS Server A+ ( LUX )
    ## - or use ( tls_auth_name: "adblock.lux1.dns.nixnet.xyz" )
      - address_data: 104.244.78.231
        tls_auth_name: "uncensored.lux1.dns.nixnet.xyz"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: bY/t7KxNzX0t+b8ve4m4UFWXvGsya7FGi86VfSSfOTo=
    ## 33 - The Lelux.fi DNS TLS Server A+ ( FRA Hosted In GBR )
      - address_data: 51.158.147.50
        tls_auth_name: "resolver-eu.lelux.fi"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: /Gv53+cvMW9zvbIbw4bg0WSvKAnsUxCYsvUp1TaOSb0=
    ### Anycast DNS Privacy Public Resolvers ###
    ## 34 - The DNS.SB DNS TLS Server #1 A+ ( Anycast )
      - address_data: 185.222.222.222
        tls_auth_name: "dns.sb"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=
    ## 35 - The DNS.SB DNS TLS Server #2 A+ ( Anycast )
      - address_data: 185.184.222.222
        tls_auth_name: "dns.sb"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: /qCm+kZoAyouNBtgd1MPMS/cwpN4KLr60bAtajPLt0k=
    ## 36 - The NixNet Uncensored Anycast DNS TLS Server A+ ( Anycast )
      - address_data: 198.251.90.114
        tls_auth_name: "uncensored.any.dns.nixnet.xyz"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: QEO37CPr6IgWZR+YE2XtzhTwP/7YW7/L8G9Ehc30wo8=
    ## 37 - The NixNet Adblock Anycast DNS TLS Server A+ ( Anycast )
      - address_data: 198.251.90.89
        tls_auth_name: "adblock.any.dns.nixnet.xyz"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: QEO37CPr6IgWZR+YE2XtzhTwP/7YW7/L8G9Ehc30wo8=
    ## 38 - The DNSlify DNS TLS Servers A+ ( Anycast )
      - address_data: 185.235.81.1
        tls_auth_name: "doh.dnslify.com"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM=
      - address_data: 185.235.81.2
        tls_auth_name: "doh.dnslify.com"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: w5AEEaNvoBOl4+QeDIuRaaL6ku+nZfrhZdB2f0lSITM=
    ## 39 Quad9 'secure' service - Filters, does DNSSEC,
    ## doesn't send ECS A+ ( Anycast )
    ## ( NOTE: recommend reducing idle_timeout to 9000 if using Quad9 )
      - address_data: 149.112.112.112
        tls_auth_name: "dns.quad9.net"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
      - address_data: 9.9.9.9
        tls_auth_name: "dns.quad9.net"
        tls_port: 853
        tls_pubkey_pinset:
          - digest: "sha256"
            value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=

Save and Exit

5 - Configure Stubby To Implement TLSv1.3 For pfSense 2.5.0 Development Snapshots

Add this entry ( found directly below ) to the bottom of your stubby.yml configuration file ( aka /usr/local/etc/stubby/stubby.yml ) - make sure to skip a line after last entry before appending these settings:

    # Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is
    # for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
    # tls_ciphersuites option. This option can also be given per upstream.
    # tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
    # Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
    # for this option. This option can also be given per upstream.
    tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
    # Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
    # This option can also be given per upstream.
    tls_min_version: GETDNS_TLS1_3
    # Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
    # This option can also be given per upstream.
    # tls_max_version: GETDNS_TLS1_3

Starting with pfSense 2.5.0 Snapshots in order for TLSv1.3 protocol to work properly ( read at all ) in your Stubby instance, OpenSSL 1.1.1 must be active and configured in the kernel. pfSense 2.5.0 and above does provide OpenSSL 1.1.1 support. When you have OpenSSL 1.1.1 with TLSv1.3 support simply add the section above in order to set Stubby to implement TLS1.3. The operative lines necessary are these two specifically found at the bottom of the stubby.yml file above:

    tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
    tls_min_version: GETDNS_TLS1_3

See below for TLS1.3 Support Check SSH Commands -

    openssl s_client -connect 46.101.66.244:853

OR :

    openssl s_client -connect 45.32.55.94:443

Read Out Will Be Verified By These Lines Below:

    Post-Handshake New Session Ticket arrived:
    SSL-Session:
    Protocol : TLSv1.3
    Cipher : TLS_CHACHA20_POLY1305_SHA256

OR :

    Post-Handshake New Session Ticket arrived:
    SSL-Session:
    Protocol : TLSv1.3
    Cipher : TLS_AES_256_GCM_SHA384

Depending on Configuration on Tested DOT Server

Lastly, you can and should take advantage of this new DNS OVER TLS provider. You need to sign up and use configured settings in order to use it. NextDNS is a free service - ANYCAST and pretty much cutting edge. ANYCAST speeds up your DNS - Here it is: NextDNS https://my.nextdns.io/signup or feel free to use and test NextDNS " Try it now for free " Feature go to : https://nextdns.io/

6 - Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS.

Go To Services > DNS Resolver > GENERAL SETTINGS

UNDER DNS Resolver > GENERAL SETTINGS

Network Interfaces = Select LAN ONLY ! # IF You Have Multiple Lan Interfaces - Select ALL LAN INTERFACES

Under Custom options enter the following :

    server:
    forward-zone:
    name: "." # Allow all DNS queries
    forward-addr: [email protected] ## ( Your One Main LAN Address )
    ## END OF ENTRY

## Note : do-not-query-localhost: no
## this entry is necessarily removed
## from this UNBOUND configuration
## Disabling DNS Queries From Localhost ( 127.0.0.1 )

Outgoing Network Interfaces = Select LAN ONLY ! # IF You Have Multiple Lan Interfaces - Select ALL LAN INTERFACES

Make Sure to NOT CHECK - DO NOT CHECK - the box for DNS Query Forwarding. Save and Apply Settings

Next - Under System > General Setup > DNS Server Settings

Set the first DNS Server to Your One Main LAN Address ( 192.168.7.11 ) with no gateway selected / Make sure that DNS server option A - Allow DNS server list to be overridden by DHCP/PPP on WAN - Is Not I repeat - Is Not Checked ! and DNS server option B - Disable DNS Forwarder Is Checked - I repeat - Is Checked ! - Save and Apply Settings

All of these name servers listed above DO NOT log ! repeat DO NOT log ! your DNS queries. In full disclosure some name servers claim to log traffic volume only. See here for details : https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers and look under " Logging " column.

C'est Fini C'est Ci Bon C'est Magnifique

Reboot your router just to be sure. Lastly, you can check your DNS at GRC DNS Nameserver Spoofability Test - DNSLeak.com - or any such service. Your results will render the DNS PRIVACY Name Servers which you selected in your stubby.yml configuration file. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server.

Note: Starting with Unbound 1.7.2 qname minimisation is enabled by default. However, I still add these settings manually.

These settings are entered under Unbound " Custom Options":

qname-minimisation: yes
qname-minimisation-strict: yes
harden-below-nxdomain: yes

Use either or both of these two methods to verify QNAME Minimisation

A - Run command :
drill txt qnamemintest.internet.nl

and / or

B - Run command:
dig txt qnamemintest.internet.nl +short
and / or
dig -t txt qnamemintest.internet.nl
( for more complete readout including DNSSEC results ).

AD = Authenticated Data (for DNSSEC only; indicates that the data was authenticated)

The results in any of these scenarios will show either:
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
or
"NO - QNAME minimisation is NOT enabled on your resolver :(."

Reference https://discourse.pi-hole.net/t/unbound-and-qname-minimisation/10038/4

You will and should get HOORAY ! - if you used the name servers listed in this guide for your Stubby configuration.

VERY IMPORTANT TIP: Please note that right at the top of the main DNS Privacy Test Servers Homepage ( https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ) It Ominously Declares:

DoT servers
The following servers are experimental DNS-over-TLS servers. Note that they are experimental offerings (mainly by individuals/small organisations) with no guarantees on the lifetime of the service, service level provided. The level of logging may also vary (see the individual websites where available) - the information here about logging has not been verified. Also note that the single SPKI pins published here for many of these servers are subject to change (e.g on Certificate renewal) and should be used with care!!

For these reasons it is most important to check and verify your SPKI pin(s) for TLS authentication manually yourself from time to time.
There are sure fire methods to make sure that you are using the correct value for any upstream nameserver ( aka tls_pubkey_pinset value ) - Go to https://blahdns.com/ and scroll down to the yellow section entitled What is DNS OVER TLS, click on it and it will open up. When you do it will state some general information, but what you want to pay attention to is this section:

How to get SPKI

Most Simple and Direct Method:

gnutls-cli --print-cert -p 853 159.69.198.101 | grep "pin-sha256" | head -1

And / Or With Adjustment For SSL Port and Address Being Tested

gnutls-cli --print-cert -p 443 159.69.198.101 | grep "pin-sha256" | head -1

- where you must pkg install gnutls

OR

echo | openssl s_client -connect '185.49.141.37:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

Remember to change port to 443 or port for IPV6 if different than standard 853 where applicable.

https://www.dnsleaktest.com/
https://www.perfect-privacy.com/dns-leaktest
https://cryptoip.info/dns-leak-test
https://www.grc.com/dns/dns.htm
https://www.vpninsights.com/dns-leak-test
and last but not least https://cmdns.dev.dns-oarc.net/ for a thorough in depth DNS Test
https://bash.ws/dnsleak/test/

Now all you need to do is run a properly configured VPN Service. By doing so, running DNS over TLS with Stubby and GetDns will keep your VPN provider from spying on your encrypted DNS look ups - and also your DNS providers both the ISP ( replaced by encrypted Stubby ) and your Encrypted TLS DNS Service Provider will see your IP as the one from your encrypted tunneled VPN provider. I am convinced this setup is the right strategy for both security and privacy. I think it to be the best practice for all those most serious about multi-layered cyber security.
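The periodic SPKI pin check recommended in the post above, wrapped as a repeatable audit of a tls_pubkey_pinset value. This is an added example, not code from the original post: the function names and the throwaway `dot.example` certificate are constructed, and the openssl steps are the ones quoted in the post, with a guard so that a failed fetch is reported as an error instead of being hashed into a plausible-looking pin.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are assumptions.

# base64(SHA-256("")): what the one-line pipeline prints when the connection
# or certificate parsing fails, so it must never be accepted as a pin.
EMPTY_PIN='47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='

# fetch_cert HOST PORT OUT_PEM: save the served leaf certificate (needs network).
fetch_cert() {
  echo | openssl s_client -connect "$1:$2" 2>/dev/null |
    openssl x509 -out "$3" 2>/dev/null
}

# spki_pin CERT_PEM: print base64(SHA-256(DER SubjectPublicKeyInfo)).
# Returns 1 instead of hashing nothing when no public key can be extracted.
spki_pin() {
  _der=$(mktemp) || return 1
  _rc=1
  if openssl x509 -in "$1" -pubkey -noout 2>/dev/null |
       openssl pkey -pubin -outform der -out "$_der" 2>/dev/null &&
     [ -s "$_der" ]; then
    openssl dgst -sha256 -binary "$_der" | openssl enc -base64
    _rc=0
  fi
  rm -f "$_der"
  return "$_rc"
}

# check_pin CERT_PEM CONFIGURED_PIN: returns 0 match, 1 mismatch, 2 no certificate.
check_pin() {
  _actual=$(spki_pin "$1") || { echo "ERROR: no certificate in $1"; return 2; }
  if [ "$_actual" = "$2" ]; then echo "MATCH $_actual"; return 0; fi
  echo "MISMATCH configured=$2 served=$_actual"
  return 1
}

# Offline demo on a throwaway self-signed certificate (constructed sample).
demo() {
  _d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dot.example" \
    -keyout "$_d/k.pem" -out "$_d/c.pem" 2>/dev/null || return 1
  _good=$(spki_pin "$_d/c.pem")
  check_pin "$_d/c.pem" "$_good" || true          # pin still valid
  check_pin "$_d/c.pem" "$EMPTY_PIN" || true      # stale or wrong pin
  : > "$_d/empty.pem"                             # simulates a failed fetch
  check_pin "$_d/empty.pem" "$EMPTY_PIN" || true  # reported as ERROR, not MATCH
  rm -rf "$_d"
}
demo
```

Against a live upstream, run `fetch_cert` with the address and port from stubby.yml, then `check_pin` with the saved file and the configured pin value.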
  27. My streaming IP was working fine till today. It completely cuts out my connection to the internet when I connect to it now. All other IP addresses on the service work fine including my Dedicated IP address. I have tried it in my iPad, iPhone and laptop computer (all the same). I have requested a new Streaming IP since I have paid for this service and it has stopped working. TorGuard support has been unable to help me, and has been ignoring my request. I have done all the steps they asked me to do and still the same. I will also contact my credit card company to request a refund for unmet services. If anybody else has similar issues with TorGuard, please let me know the outcome.