Sunday, July 16, 2023

To VPN or Not

UPDATED 9/14/23

Over Prime Day(s), there were sales everywhere for VPNs. They tempted me but then I thought through it.

I'm always interested in a good price, but I'm not sure I really need a VPN. Nearly all of the web uses HTTPS now.

The biggest risk (and it's not so big) is using public Wi-Fi. For example, I automatically connect to xfinitywifi. But if someone were to put up a fake xfinitywifi, my laptop/phone would connect to it. The web data would still be encrypted with HTTPS (and certificate validation means the fake hotspot can't quietly impersonate the sites you visit), but your DNS lookups are still in the clear, so whoever runs the hotspot sees every hostname you look up and can answer those lookups however they like, unless you're running DNS over HTTPS (DoH). One caveat: DoH hides the lookup, but the hostname still appears in the clear in the TLS handshake (SNI) unless the site and browser support Encrypted Client Hello, so DoH narrows what a hotspot sees rather than eliminating it. An archived blog post (archive.org) explains what DoH is and how to enable it in Windows; the steps are reproduced below.

Windows 10 first shipped DoH in Insider Build 19628 (run winver to find your build). Between Build 19628 and Build 20185 there is no Settings UI for it, so you have to enable it with a registry entry:
  1. Type regedit into the search box and click Registry Editor.
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
  3. Right-click on the Parameters key and click New > DWORD (32-bit) Value, then name it EnableAutoDOH.
  4. Double-click on the new value and set its value data to 2. Reboot so the DNS Client service picks it up.
Then point Windows at one of the following resolvers, which it knows how to upgrade to DoH automatically:
  • Cloudflare - Primary: 1.1.1.1, Alternate: 1.0.0.1
  • Google - Primary: 8.8.8.8, Alternate: 8.8.4.4
  • Quad9 - Primary: 9.9.9.9, Alternate: 149.112.112.112
To enable DNS over HTTPS in the Settings > Network & Internet menu:
  1. Select Settings in the Start menu.
  2. Open Network settings.
  3. Under Network status, open the Properties menu for the desired internet connection.
  4. Click Edit under DNS settings.
  5. Select the Manual option, and then specify the Preferred DNS and Alternate DNS IP addresses. The providers Windows 10 currently knows how to upgrade to DoH are:
    ● Cloudflare – Primary: 1.1.1.1, Alternate: 1.0.0.1
    ● Google – Primary: 8.8.8.8, Alternate: 8.8.4.4
    ● Quad9 – Primary: 9.9.9.9, Alternate: 149.112.112.112
  6. (Build 20185 and later) Select Encrypted only (DNS over HTTPS) for encryption under Preferred DNS and Alternate DNS. "Encrypted only" means Windows will not fall back to plain UDP DNS if the DoH connection fails, which is what you want on a hostile network.
  7. If desired, you can configure the same for IPv6 (the previous steps were for IPv4).
Don't miss the "for the desired internet connection." You'll need to do this for EVERY network you connect to.
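The same procedure from an elevated PowerShell prompt, as an added example that is not part of the original post or the archived post it quotes. It branches on the build number the way the steps above do: a registry value on Builds 19628 to 20184, the DnsClient DoH cmdlets on 20185 and later, then the resolver is set on every connected physical adapter. Assumptions: Cloudflare as the resolver with its public DoH template URL, and that Add-DnsClientDohServerAddress is available, which is the case on Windows 11 and Windows Server 2022 but not on all Windows 10 builds.

```powershell
# Added example (not from the original post): enable DNS over HTTPS on Windows
# from elevated PowerShell, following the three cases described in the steps above.
# Assumptions: Cloudflare's public resolver and DoH template; the *-DnsClientDohServerAddress
# cmdlets exist (Windows 11 / Server 2022). Run as Administrator.
#Requires -RunAsAdministrator

$Primary   = '1.1.1.1'
$Alternate = '1.0.0.1'
$Template  = 'https://cloudflare-dns.com/dns-query'   # Cloudflare's DoH URL template

# Same number winver shows.
$build = [System.Environment]::OSVersion.Version.Build
Write-Host "Windows build $build"

if ($build -lt 19628) {
    throw "This build has no DoH support; update Windows or enable DoH in the browser instead."
}

if ($build -lt 20185) {
    # Builds 19628..20184: no Settings UI, so create the registry value from the steps above.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    New-ItemProperty -Path $params -Name 'EnableAutoDoh' -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Warning 'EnableAutoDoh set; reboot so the DNS Client service reads it.'
} else {
    # Build 20185 and later: register the resolver as a known DoH server.
    # -AutoUpgrade: use DoH whenever this IP is configured as a DNS server.
    # -AllowFallbackToUdp $false: never drop back to plaintext DNS. This is the
    # closest cmdlet equivalent of "Encrypted only" in step 6 (assumption).
    foreach ($ip in $Primary, $Alternate) {
        if (Get-DnsClientDohServerAddress -ServerAddress $ip -ErrorAction SilentlyContinue) {
            Set-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $Template -AllowFallbackToUdp $false -AutoUpgrade $true
        } else {
            Add-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $Template -AllowFallbackToUdp $false -AutoUpgrade $true
        }
    }
}

# Point every connected physical adapter at the resolver. Set-DnsClientServerAddress
# is per interface, which is why the steps above have to be repeated: a new adapter
# (a USB Wi-Fi dongle, say) starts out on whatever DNS the hotspot's DHCP hands it.
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $Primary, $Alternate
    Write-Host "Set DNS on '$($_.Name)' to $Primary, $Alternate"
}

# Check: which resolver each interface now uses, and which DoH servers Windows knows.
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses
if ($build -ge 20185) {
    Get-DnsClientDohServerAddress | Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
}

# Sanity check that name resolution still works through the new path.
Resolve-DnsName -Name example.com -Type A | Format-Table Name, IPAddress
```

If the last command fails after you chose encrypted-only, the resolver's DoH endpoint is unreachable from that network (some captive portals block 443 to anything but their login page); that failure is the point of "Encrypted only", so fix the network rather than re-enabling UDP fallback.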

To enable encrypted DNS at home, you can use the above technique, or your router will probably have a setting for it, which covers every device on the network at once. Here are my router's settings:


Still simpler, for most of us, is to enable DoH in Chrome. The caveat is that this only covers Chrome's own lookups; every other program on the PC still uses the system resolver.
  1. Click the three-dots menu and choose Settings.
  2. Under the Privacy and security tab, click Security.
  3. Locate Use secure DNS, enable it and choose a provider from the drop-down menu.
The only other risk I've found is exposing your PC's shared files and printers (network discovery and file sharing) to a public network.

Here's how to disable that:


And then:


The only other reason I can see for needing a VPN is to exit in a different geographic location, e.g. exiting in the UK to get the BBC.