Google VPN?

If you run a Raspberry Pi with Pi-Hole and PIVPN or OpenVPN you can allow secure remote access over a VPN from iOS or macOS etc. Total install time including downloading should be ~10 minutes on an RPi4, plus allowing access on UDP port 1194 for the VPN on your local router/CPE.

Pi-hole® - Network-wide Ad Blocking

PIVPN: Simplest way to setup a VPN

Combined docs for Pi-Hole and OpenVPN are available at: Overview - Pi-hole documentation

Once you get PiHole doing all your ad blocking it is painful to be without it.

Cheers

f

Ah. I missed the personal bit. Sorry.

You may want to look into a cloud based, UPnP to NAT solution, such as provided free with QNAP and Synology; there has to be an open source solution. I have zero concerns letting family and professional NAS talk to each other and allow remote access, as long as very strong password security is enforced. With keychains, it’s easy.

Or just put cloudflare’s Warp on your devices and don’t think about it. (;

Cheers

F

It is both a VPN and DNS solution.

https://blog.cloudflare.com/1111-warp-better-vpn/

https://1.1.1.1/

HTH

F

1 Like

Thanks, @frederico. Good stuff.

How would a less technically inclined home user specify 1.1.1.1 as a DNS address on an AirPort Express that is configured using DHCP, presumably by the ISP? (The field is grey like I cannot edit it, but I can put an insertion point in it, so it appears that I could overwrite the default.) And would putting the WARP client on the Mac make the first question unnecessary?

@Will_M, I just entered 1.1.1.1 and 1.0.0.1 (their secondary) and my AP Extreme showed both upon reboot.

[EDIT: Better clarity and image; 2020-11-04T07:00:00Z]

Yes, you can overwrite the gray text; those merely indicate the broadcasted defaults provided by your local or ISP gateway, which are currently in use.

Even if you are not concerned about security, Cloudflare just flat-out makes your browser queries when entering a domain name much faster.

Cloudflare DNS

Copy the following DNS IP addresses one line at a time, then hit the ‘+’ button (see image below), paste the number in the highlighted field, and press ‘Enter’ after each entry:

2606:4700:4700::1111
2606:4700:4700::1001
1.1.1.1
1.0.0.1

The first two very long numbers are IPv6, the last two traditional IPv4; modern devices will attempt to use IPv6 first (it’s faster in many cases and “more” secure), then fall back if needed; older devices may not be capable of using IPv6 and will fall back to IPv4.

[NOTE: See below posts for information about named DNS ‘Search Domains’; most people can safely ignore them]

NOTE: if editing a device/Mac, repeat the above procedure for each active connection type and profile (e.g., Ethernet 1, Ethernet 2, FireWire, Bluetooth, [name of each of your common] WiFi Network(s)); you will find these settings under the ‘Advanced’ button for each connection type.

NOTE: if you have WiFi extenders providing independent DNS, or just passing along the default DNS from your ISP (as opposed to being in Bridge Mode, where the extenders simply pass requests to your router or gateway), be sure to install the custom DNS on each base station or WiFi router.

You will also note in the above image that I also have Google’s DNS listed after Cloudflare; this is just in case all four of Cloudflare’s DNS Servers go down (unlikely, but things happen); if they don’t respond quickly, your query will fall back to Google’s DNS and avoid the dreaded Unmoving Progress Bar, that once plagued virtually all ISPs; that is, in part, why Google, and FreeDNS, et al, started offering more reliable lookup servers.

Google DNS

2001:4860:4860::8888
2001:4860:4860::8844
8.8.8.8
8.8.4.4

(cf https://www.techradar.com/news/best-dns-server)

I swear, back in the 90s and 00s, my local ISP (CenturyLink née Qwest née Mountain Bell) had exactly one Pentium II hosting DNS lookup, and when it crashed, no one got anywhere without a numbered IP address. This worldwide phenomenon set off the once-popular self-hosted DNS tables; Mac and PC users alike would run traceroute to discover the static IP address for all their frequented sites, and edit their hosts file; this way your own machine automatically translated domain names to IP addresses in a blink. No more dreaded Unmoving Progress Bar (cf How To Setup A Local DNS Host File On Mac OS X)

You can still do this today, if you wish, of course; there are freeware GUI editors for doing this automatically; at one time there were (and probably still are) browser plugins that automatically and silently edit the hosts file on the fly.

For iOS users, here’s the easy-to-use app, free for DNS (subscription for VPN data): 1.1.1.1: Faster Internet on the App Store

HTH

Frederico

2 Likes

I don’t want to lose the use of my current VPN, which I like (and pay for).

1 Like

Thanks, @Simon and @frederico.

Done, almost. I entered the IP addresses and restarted the Airport Express. Sure enough, the new numbers were there. Then I saw the “Domain Name” field and tried to copy and paste “Cloudflare DNS” into it, but it would not accept the paste. (The computer beeped and blinked.) I tried typing “Cloudflare DNS” into the field, and the computer beeped and blinked at the space. I took the space out, copied, and pasted. But then I didn’t update because things weren’t exactly right. What does the “Domain Name” field do?

I almost asked about IPv6 in my earlier post, but I thought baby steps were more appropriate for me. Thanks for including those.

If you’re running your own DNS server (e.g. for the names of hosts on your LAN), then you would enter your LAN’s domain name there.

For instance, if your devices are named foo.mysite.example.com, bar.mysite.example.com and baz.mysite.example.com, then you would enter mysite.example.com in the domain name field.

If you don’t have your own DNS domain, then leave the field blank unless your ISP requires a particular value.

1 Like

Unless you have your own domain name, and you host that domain name as a proxy or gateway ahead of your personal machines or routers, you can (usually) safely ignore this field. If you’re paranoid, you can enter:

.local

Specifically, DNS Search Domain [name] is a feature that allows you to look up different machines/devices or sub-domains under a distributed server; e.g., store.apple.com, where apple.com is the parent/default search domain; or MyMac.MyPersonalDomainNameHostedByMe.org, where MyMac is your machine directly hosted by your server providing access to your network via domain name.

When/if you have either of these scenarios and want to find a machine or subdomain on your network, you can just type store or MyMac, and whether or not you are currently searching from a machine that is inside or outside your LAN, store or MyMac will automatically add the parent domain name as shown above, and try to contact the machine or subdomain under that named address (as opposed to needing to know the fixed IP address; e.g., 74.59.169.32).

This is easily demonstrated by opening System Preferences –> Sharing –> [select] File Sharing:

Note that macOS (and Windows and Linux) creates its own server and broadcasting service – nearly always .local – it simply creates this for peer-to-peer services within the local subnet on your LAN.

In the example below, the “proper” Computer Name can contain spaces, but note that spaces aren’t allowed in any URL; rather than convert a Space character to %20 or +, macOS adds a hyphen (sadly, this predates the WWW, and the Web chose +, which I find more appealing, but, alas…). I just wish it were consistent, given you can enter both types of URLs in a browser or terminal.

You can even install numerous named domains there, and if MyMac isn’t found on the first, it will fall back to the second, etc., until it runs out of options, at which point most browsers will kick you out to your default search engine.

You can test this now by typing just a word in your browser’s address field. If it just goes to your search engine of choice, you can just ignore this field; if it goes to your ISP and shows you a custom error page, you can change it.

Again, if you’re paranoid, just enter:

.local

… and you can be sure that your ISP isn’t first grabbing your query and then bouncing you to a real search engine.

You can even enter any Qualified Domain Name, like Apple.com, and if you type MyMac, it will search for MyMac.apple.com, which, of course, will bounce and kick you to your search engine.

HTH

1 Like

Where does

2606:4700:4700::1111
2606:4700:4700::1001

Go?

Never mind, it was what I thought it was, IPv6

1 Like

For others:

@ace seems like this might make a nice follow-up article; though I swear you have one in the archives somewhere. With privacy at the forefront of everyone’s minds these days, DNS and VPN providers are something everyone should consider.

Cheers!

F

The .local domain name is reserved for use by multicast DNS services (see also RFC 6762). It should never be used as an actual DNS domain.

Apple equipment (and other computers running mDNS software) will redirect all requests for .local names to the mDNS software and will never attempt to resolve the name with DNS.

I wrote a series of articles on my personal blog for setting up a Raspberry Pi to act as a DHCP and DNS server for a small LAN. I hadn’t shared the links here because they’re not really Apple related, but since there’s been a lot of discussion, here they are:

The setup and installation procedures are really only going to be applicable to a Debian Linux device (like a Raspberry Pi), but the concepts discussed are universal and should be applicable to just about anything. (And an experienced administrator can install these packages on macOS. Sadly, Apple no longer provides them as a part of macOS Server.)
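The search-domain expansion described a few posts up (typing store to reach store.apple.com, falling back across several search domains) and the .local caveat in this post, modelled as added example code that is mine and not from any post in the thread; the zone table and the mDNS shortcut are constructed stand-ins for a real resolver, not live lookups:

```python
# Models stub-resolver search-list expansion (resolv.conf semantics) and the
# RFC 6762 rule that .local names are handed to Multicast DNS, never unicast DNS.
from typing import Dict, List, Optional, Tuple

MDNS_SUFFIX = "local"  # reserved for mDNS (RFC 6762)

# Constructed sample zone data; addresses are from the RFC 5737 documentation ranges.
SAMPLE_ZONE: Dict[str, str] = {
    "store.apple.com.": "198.51.100.7",
    "mymac.example.org.": "192.0.2.10",
}


def is_mdns_name(name: str) -> bool:
    """True when the name falls under .local; mDNS-aware hosts (macOS, Windows,
    Linux with Avahi) resolve such names by multicast and skip DNS entirely."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] == MDNS_SUFFIX


def search_candidates(name: str, search_domains: List[str], ndots: int = 1) -> List[str]:
    """Fully qualified candidates in the order a stub resolver tries them:
    an absolute name (trailing dot) is tried as-is; a name with fewer than
    `ndots` dots gets each search domain appended first and the bare name last;
    any other name is tried bare first, then with search domains."""
    if name.endswith("."):
        return [name.lower()]
    bare = name.lower()
    with_search = [f"{bare}.{d.strip('.').lower()}." for d in search_domains if d.strip(".")]
    if bare.count(".") < ndots:
        return with_search + [bare + "."]
    return [bare + "."] + with_search


def resolve(name: str, search_domains: List[str],
            zone: Dict[str, str] = SAMPLE_ZONE) -> Tuple[str, Optional[str]]:
    """Walk the candidates and return (candidate tried, answer).
    A .local candidate is diverted to mDNS (modelled as the answer "mdns"),
    which is why ".local" as a search domain never reaches a DNS server."""
    for candidate in search_candidates(name, search_domains):
        if is_mdns_name(candidate):
            return candidate, "mdns"
        if candidate in zone:
            return candidate, zone[candidate]
    return name, None
```

With search domains ["apple.com", "example.org"], the short name mymac misses under apple.com and is found under example.org, mirroring the fallback order described earlier; with ".local" as the search domain the same name never reaches DNS at all.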

We covered this topic a few years ago, before Warp was available.

I’d be open for an article about Warp, if you or @glennf were interested in writing it.

Thank you, @Shamino and @frederico. I regret the career path that took me away from computer administration 25 years ago and recognize that most of the information you provided is now beyond my ken and above my pay grade. In case it isn’t obvious, I do not run my own DNS server, and we don’t even share folders on the home network.

I see you listed the IPv6 servers ahead of the IPv4 servers. Is this better in some way?

Another interesting read, and another lesson in how much I don’t know.

And this is why I’m not able to work much anymore; I used to know that about ten years ago. Thanks for the correction; much appreciated. I’ll try to find some time to correct it above. If you want to suggest the edit, it would be most welcome.

Happy Saturday

Again, from top to bottom, it will fall back (down) from your most preferred server; if it’s not available, it will keep trying until it runs out of options.

In short, IPv6 is faster and more secure; it has universal implementation of end-to-end encryption, amongst many other features that are good for both the individual and the internet and LANs alike.

Here’s a decent quick read

https://www.sophos.com/en-us/security-news-trends/security-trends/why-switch-to-ipv6.aspx

Happy Saturday

1 Like