safing / portmaster

🏔 Love Freedom - ❌ Block Mass Surveillance
https://safing.io
GNU General Public License v3.0
9.25k stars, 298 forks

Portmaster VS Simplewall #726

Closed FrostBlade5 closed 2 years ago

FrostBlade5 commented 2 years ago

I tested both Portmaster and simplewall, extremely useful programs! In the end I thought that simplewall might be more advanced but also needs a lot more system resources.

What do the Portmaster devs think about simplewall? How is it different in what it can do compared to Portmaster? https://www.henrypp.org/product/simplewall

davegson commented 2 years ago

Hey there, thanks for testing Portmaster!

@p2anav did a great write-up comparing the Portmaster with Simplewall. It covers your questions and I think you will enjoy the read: https://safing.io/blog/2022/04/11/portmaster-vs-simplewall/

If you have any feedback about the article and your experiences just let us know 😄

FrostBlade5 commented 2 years ago

> Hey there, thanks for testing Portmaster!
>
> @p2anav did a great write-up comparing the Portmaster with Simplewall. It covers your questions and I think you will enjoy the read: https://safing.io/blog/2022/04/11/portmaster-vs-simplewall/
>
> If you have any feedback about the article and your experiences just let us know 😄

Thank you for the link! I have one question now: simplewall doesn't support secure DNS but Portmaster does, what does this mean? What is secure DNS? Edit: With encrypted DNS, only your DNS provider can keep track of your DNS requests, while Internet Service Providers (ISPs) and eavesdroppers cannot easily determine the websites you visit or the apps you use. You also benefit from increased security by preventing threats such as DNS-based man-in-the-middle (MITM) attacks.

So with Portmaster my ISP will be unable to know which websites I visit, is that correct? But my default DNS server is provided by my ISP, so that doesn't make sense in this case. I guess I will have to change the DNS server then, for example to 1.1.1.1 or 9.9.9.9, is that correct?

FrostBlade5 commented 2 years ago

The site also claims that simplewall is blocking Windows telemetry while Portmaster is blocking mass surveillance. But what do you mean by mass surveillance, how am I under surveillance? I think I configured my OS so that I am in control of what is allowed to connect to the internet and what is not; simplewall always asks me if I want to allow or deny network access for every program, so without my consent the program can't have any surveillance, or?

Also, does Portmaster protect me from the built-in computer backdoor called IME, Intel Management Engine?

davegson commented 2 years ago

> So with portmaster my ISP will be unable to know which websites i visit is that correct? But my default DNS server is provided from my ISP so that doesn't make sense in this case, i guess i will have to change the DNS server then for example to 1.1.1.1 or 9.9.9.9 is that correct?

By default the ISP does see your DNS records. When installing Portmaster it takes over your DNS and configures a Secure DNS server for you - meaning a service which supports encrypted DNS. You can easily change this to your preferred provider in the settings or during the setup tour.

> But what do you mean by mass surveillance, how am i under surveillance? I think i configured my OS so that i am in control what is allowed to connect to the internet and what is not, simplewall always asks me if i want to allow or deny network access for every program, so without my consent they program cant have any surveillance, or?

Because of your setup this is true for you. You have a good setup which prompts for every connection. For many people, this is too much work.

That is why we include tracker lists within the Portmaster - which are also used for tracker blockers in your browser and by Pi-hole - to block lots of the surveillance system-wide by default, even without having prompts. This is what we mean by "block mass surveillance".

> so without my consent they program cant have any surveillance, or?

Again, as an average person, by clicking "I agree" during Windows installation, sadly you agreed to a lot of things - as Snowden recently put it this is crazy!

Giving the average person more privacy by default is what Safing is all about.

> Also, does portmaster protect me from the built in computer backdor called IME, intel management engine?

Portmaster is on the software level - between OSI layer 2 and 3 - it is technically impossible to protect from any potential hardware backdoors with software. Not even the Operating System itself could do that.
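To make the difference between plain and encrypted DNS concrete, here is an added example (editor's code, not Portmaster's or Safing's). It builds the same query bytes a stub resolver sends: on plain UDP/53 anyone on the path can read the queried name straight out of the packet, while a DNS-over-HTTPS client puts those same bytes into the `dns=` parameter of an HTTPS GET (RFC 8484), so the observer only sees a TLS connection to the resolver's address. The resolver URL is an assumed public DoH endpoint; substitute whichever Secure DNS provider is configured.

```python
import base64
import struct

# Added example, not Portmaster code. Builds a minimal DNS query in wire
# format (RFC 1035), shows what a plaintext observer reads out of it, and
# encodes it the way an RFC 8484 DoH client sends it inside HTTPS.

QTYPE_A = 1
QCLASS_IN = 1


def build_dns_query(qname: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Return a standard recursive query for qname.
    RFC 8484 recommends txid 0 for DoH GET so identical queries give
    identical, cacheable URLs."""
    # header: id, flags (only RD set -> 0x0100), qdcount=1, an/ns/ar counts=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def qname_from_query(packet: bytes) -> str:
    """What an on-path observer (ISP, hotspot router) reads from a plaintext
    UDP/53 query: the queried name sits right after the 12-byte header."""
    labels = []
    pos = 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(query: bytes, resolver_url: str) -> str:
    """RFC 8484 GET form: base64url without padding in the 'dns' parameter.
    Everything after scheme and host travels inside TLS, so the observer
    sees a connection to the resolver, not the queried name."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print("plaintext query bytes:", q.hex())
    print("visible to ISP on UDP/53:", qname_from_query(q))
    # Assumed public DoH endpoint; use the resolver configured in Portmaster.
    print("DoH request:", doh_get_url(q, "https://cloudflare-dns.com/dns-query"))
```

For `www.example.com` with transaction ID 0 the encoded parameter is `AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, the same value RFC 8484 uses in its own GET example. Note that encrypting the query only hides it from the path; the resolver at the other end still sees every name, which is why the choice of provider matters.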

ghost commented 2 years ago

I see that David has already answered your questions. I just want to reply to one of your questions with a little more info.

> So with portmaster my ISP will be unable to know which websites i visit is that correct? But my default DNS server is provided from my ISP so that doesn't make sense in this case, i guess i will have to change the DNS server then for example to 1.1.1.1 or 9.9.9.9 is that correct?

When you attempt to connect to a domain (for example, while browsing websites), your device is unsure which server to connect to. As a result, it queries a DNS resolver to get an IP address to connect to. So your DNS resolver now knows which domains you connect to, and your ISP knows which IP addresses you connect to.

Yes, if you change your ISP's default DNS servers, they can't spy on most of your traffic, but not all.

Assume you visited two sites.

  1. www.liberapay.com (currently resolves to 172.67.150.182 on Cloudflare)
  2. www.kde.org (currently resolves to 136.243.103.182 on Hetzner Online GmbH)

Cloudflare and Hetzner both host hundreds, if not thousands, of websites. So, while you may believe that your ISP will not be able to see which specific website you visited, this is not the case.

There is something known as rDNS (Reverse DNS). The name is self-explanatory. Some websites, such as kde.org, use rDNS, and it also allows the ISP to run an rDNS lookup on an IP address and retrieve some of the domains that you visited. It is not always the case, and it is not perfect, but it is possible.

See for yourself

  1. www.liberapay.com - https://dnschecker.org/reverse-dns.php?query=136.243.103.182
  2. www.kde.org - https://dnschecker.org/reverse-dns.php?query=172.67.150.182

It gets even more complicated with BGP routing and other things, but that's for another time. I believe I have now overburdened you with information, but I hope it will help you and probably others understand what is possible.
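The reverse-DNS point above, worked through as an added example (editor's code, not Portmaster's): an ISP that no longer sees DNS queries still sees destination IPs, and can build the PTR name for each one and look it up. The PTR table here is constructed so the example runs offline; the hostnames in it are assumptions standing in for live `in-addr.arpa` answers, not real zone data, and the Cloudflare address is deliberately left without a PTR to show the shared-hosting case.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not Portmaster code. Simulates what an ISP that only sees
# destination IPs can recover with reverse DNS (PTR) lookups, using a
# constructed PTR table instead of live queries so it runs offline.

# Constructed PTR data (assumption, not real zone contents): the kde.org
# address gets a PTR naming the site; the Cloudflare address gets none, as
# shared CDN addresses usually lack a PTR or return a generic provider name.
PTR_TABLE: Dict[str, str] = {
    "182.103.243.136.in-addr.arpa": "www.kde.org",
}


def reverse_pointer_name(ip: str) -> str:
    """Build the PTR query name for an address: IPv4 octets reversed under
    in-addr.arpa, IPv6 nibbles reversed under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_lookup(ip: str, ptr_table: Dict[str, str]) -> Optional[str]:
    """Stand-in for a real PTR query against the constructed table."""
    return ptr_table.get(reverse_pointer_name(ip))


def what_isp_can_infer(
    flows: Iterable[Tuple[str, int]], ptr_table: Dict[str, str] = PTR_TABLE
) -> List[Tuple[str, int, str]]:
    """flows: (dst_ip, dst_port) pairs as an ISP sees them after the client
    moved DNS to an encrypted resolver. Returns (ip, port, inference)."""
    report = []
    for dst_ip, dst_port in flows:
        ptr = reverse_lookup(dst_ip, ptr_table)
        if ptr:
            inference = f"PTR names {ptr}: site identified from the IP alone"
        else:
            inference = "no PTR: some site on a shared address, not identifiable this way"
        report.append((dst_ip, dst_port, inference))
    return report


# Constructed flow log using the two addresses from the comment above.
SAMPLE_FLOWS = [
    ("136.243.103.182", 443),  # www.kde.org on Hetzner, per the comment
    ("172.67.150.182", 443),   # www.liberapay.com on Cloudflare, per the comment
]

if __name__ == "__main__":
    for ip, port, inference in what_isp_can_infer(SAMPLE_FLOWS):
        print(f"{ip}:{port} -> {inference}")
```

The takeaway matches the comment: switching to an encrypted resolver removes the query from the ISP's view, but a dedicated server with a descriptive PTR record still gives the destination away, while a shared CDN address does not.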

FrostBlade5 commented 2 years ago

> When you attempt to connect to a domain (for example, while browsing websites), your device is unsure which server to connect to. As a result, it queries a DNS resolver to get an IP address to connect to. So your DNS resolver now knows which domains you connect to, and your ISP knows which IP addresses you connect to.

What you said above about "secure DNS", might that cause issues when using a VPN? I use ProtonVPN, which claims to also encrypt DNS, so if I use Portmaster and ProtonVPN at the same time I have two services both using encrypted DNS; sounds like a potential conflict? ProtonVPN also told me that I should use my ISP's DNS server and not Cloudflare or Quad9, because in that case they can't guarantee my activities aren't leaking (DNS leak) or that a record might not be kept.

That link you sent, https://nitter.net/, what is it? Never saw that, but I'm a fan of Snowden, he is like a hero no shit, just like Julian Assange who for some reason faces 175 years in prison just for saying the truth. Ahh, this world is so broken and f*cked really, that's why I'm super thankful for people who create programs like Portmaster.

FrostBlade5 commented 2 years ago

> When you attempt to connect to a domain (for example, while browsing websites), your device is unsure which server to connect to. As a result, it queries a DNS resolver to get an IP address to connect to. So your DNS resolver now knows which domains you connect to, and your ISP knows which IP addresses you connect to.

Does this mean my DNS resolver can keep track of my entire browsing history, since they know which websites I visited? Can they also see how long I visited them, or what content has been viewed, or what comments have been shared? When I use my ISP's DNS server, does that mean my ISP is my DNS resolver? I mean, is my resolver always what I enter as DNS server, like 1.1.1.1 or 9.9.9.9?

That would also mean that whoever is my DNS server / DNS resolver can keep track of my online activities, meaning I should choose a trustworthy DNS provider, otherwise I'm at risk of leaking my private data. Would you consider Quad9 (9.9.9.9) trustworthy? And what about Cloudflare? I mean, Cloudflare is pretty huge, so I'm a bit concerned there. Other alternatives?

> Cloudflare and Hetzner both host hundreds, if not thousands, of websites. So, while you may believe that your ISP will not be able to see which specific website you visited, this is not the case.

I think I don't understand what you mean. If I use Cloudflare as my DNS server and at the same time visit a website which is hosted by Cloudflare, my DNS provider/resolver can see which websites I visited? But they already can, even without hosting the site?

> There is something known as rDNS (Reverse DNS). Some websites, such as kde.org, use rDNS and it also allows the ISP to run rDNS on an IP address and retrieve some of the domains that you visited.

So github.com is a domain, correct? But it is also a website, correct? So a domain is basically a website and a website is basically a domain, correct? I know that .com or .net or .eu is a so-called top-level domain. So example.eu/privacy is a website hosted under the .eu domain? So if I visit multiple .eu domains and one of those domains supports rDNS, can it keep track of all the other .eu domains I visited? Can it keep track of non-.eu domains I visited? Sorry, I'm a bit confused, I never heard about rDNS; maybe I should just do some research instead of asking all these weird questions.

FrostBlade5 commented 2 years ago

I got one more question. simplewall as well as TCPView show active outbound and inbound connections on the PC. When I start my PC and monitor the connections for 10 minutes, there is not a single service that has any other address than 0.0.0.0 or 127.0.0.1. As far as I know both these addresses are local addresses, meaning my computer does not have any network activity, but does it? It has been a while since I tested Portmaster, but if I remember correctly, even when TCPView and simplewall did not show any inbound or outbound connections, Portmaster still did show some connections. Can that be?

Another thing I noticed is that Windows regularly sends me a notification saying "update antivirus"; this happens even when no connections are shown. The question is: is this an automatic notification because Windows knows that the antivirus is outdated, or does it have a connection comparing the installed version with the latest one? In that case Windows/Microsoft does have a connection even when simplewall and TCPView don't show any connection. Can that be?

davegson commented 2 years ago

Hey there, sorry, I (and we) cannot go in depth with all of your specific questions. It is great to see you being so eager to learn; it is just that we have limited resources. However, what I can do is give you some pointers:

Learn more about DNS: https://www.cloudflare.com/learning/dns/what-is-dns/

Our thoughts on our default DNS providers, including Quad9 and Cloudflare: https://safing.io/blog/2020/07/07/how-safing-selects-its-default-dns-providers/#our-selection

Two services trying to do Secure DNS often ends up in a conflict, yes, and Portmaster gives you notice about this. Portmaster handles it on your full device, so there is no need to do it there too; it just takes away visibility from PM.

There are some more FAQs for DNS which might interest you if you want to dive deeper into Portmaster:

* [FAQ: How do I make my VPN or other software compatible with Portmaster? #708](https://github.com/safing/portmaster/issues/708)

* [FAQ: Why does the DNS Leak test say that I have a leak? #720](https://github.com/safing/portmaster/issues/720)

* [FAQ: Why does Portmaster send plain/unencrypted DNS queries? #700](https://github.com/safing/portmaster/issues/700)

FrostBlade5 commented 2 years ago

> Hey there, sorry, I (and we) cannot go in depth with all of your specific questions. It is great to see you being so eager to learn; it is just that we have limited resources. However, what I can do is give you some pointers:
>
> Learn more about DNS: https://www.cloudflare.com/learning/dns/what-is-dns/
>
> Our thoughts on our default DNS providers, including Quad9 and Cloudflare: https://safing.io/blog/2020/07/07/how-safing-selects-its-default-dns-providers/#our-selection
>
> Two services trying to do Secure DNS often ends up in a conflict, yes, and Portmaster gives you notice about this. Portmaster handles it on your full device, so there is no need to do it there too; it just takes away visibility from PM.
>
> There are some more FAQs for DNS which might interest you if you want to dive deeper into Portmaster:
>
> * [FAQ: How do I make my VPN or other software compatible with Portmaster? #708](https://github.com/safing/portmaster/issues/708)
>
> * [FAQ: Why does the DNS Leak test say that I have a leak? #720](https://github.com/safing/portmaster/issues/720)
>
> * [FAQ: Why does Portmaster send plain/unencrypted DNS queries? #700](https://github.com/safing/portmaster/issues/700)

Thanks for the info. So when using two services which both use Secure DNS often ends up in a conflict, what exactly can I do to avoid that other than dropping one of those services? I don't think there is an option in ProtonVPN that allows users to disable secure DNS, pretty sure it's built in. I'll also send an email to ProtonVPN, but I would like to hear your suggestions. Should I turn off secure DNS in ProtonVPN or in Portmaster, and why? And how?

If I don't disable secure DNS in either of those two services, what exact issue might happen? Can I even notice it?

Flashwalker commented 1 year ago

What about Opensnitch https://github.com/evilsocket/opensnitch ? And what about Douane https://douaneapp.com/ ?