My ISP, Comcast, uses my internet traffic to serve me more relevant ads. I know this because I had to go through my account and opt out of all of the bullshit [hopefully]. Despite this, I do not trust Comcast with my data. As sad as it is to say it, I honestly trust Google more than Comcast. Well, I have been using https://nextdns.io for my DNS service. It’s a nice service because they support DoH and DoT, adblocking with PiHole, and fairly fast Anycast DNS servers. I thought this was enough… until recently. Someone informed me that this doesn’t actually hide my internet traffic from my ISP, and that I’d need a VPN for this. So logically, I’ve been questioning my understanding of DNS and how it works, as well as DoH and DoT - because that is what I thought was protecting my internet traffic from being snooped on by my shitty ISP. If this is true, well I’d like to see if there’s an alternative to a VPN because VPNs are slow, and I want to get all the juice I can out of my overpriced internet service.
P.S. If there is a way to do what I want with PFSense, then I do use that on my router. TBH, I don’t know what I can do with PFSense, much less why I need it (I don’t really); but I also didn’t know what I was doing when I bought my first Raspberry Pi and now I manage a Linux server.
I prefer to use Protonmail and thus ProtonVPN. They offer free services in three regions of the world, the USA, Japan, and the Netherlands. ProtonVPN is Linux friendly too, and has an easy-to-follow setup guide. I use the free servers in these three regions and they serve me just fine.
I would use a hardware Firewall as well, you mentioned PfSense. That firewall should go inline after your modem before your computers, wifi router. That way you have a few layers of protection. Your Modem will have a firewall likely, mine does and I use Xfinity - the free one they gave me. I have a Netgate 1100 next, and then from that I go to a managed switch which sends all my traffic to the various computers I have. I only use wired connections as well. So no Wifi Router for me to deal with. If you want fancy, check out NGFW and subscription services.
I would use the DNS you are using, make sure that is configured in your network interface card.
You should be using a secure browser and search engine as well, and in the browser, manage a few extensions such as HTTPS Everywhere, Ublock Origin, Decentraleyes, Cookie Autodelete, Privacy Badger. Make sure you are enabling the cookie cleaner and https is forced everywhere. Also helps to properly configure your browser and use Duckduckgo search engine. Use Strict policy on Firefox, for example with those extensions and you are doing more than most people.
If you’re willing to pay for it, you can hop your traffic through linode or some other VPS of your choosing if you’re not keen on VPNs.
I also run a pfSense firewall and use policy based routing so that all of my traffic goes through PrivateInternetAccess by default, and I add rules as necessary for the few things that need to bypass PIA. As far as speed goes, I’ve seen downloads peak around 105MB/s. It should be noted that the hardware running pfSense can be a limiting factor on VPN speed. My firewall is running on an i5-4690K.
Whoa, I thought this practice “Ad Injection” stopped.
Comcast carries your traffic and knows what IPs you’re connecting to.
If you’re fine with that, then …
…all you need to take care of, probably is securing your DNS and making sure you use https everywhere.
There’s an EFF chrome extension with a very long list of domain names that can help.
You could make up rules on your router to log netflow data into some csv file on your Pi… you can later analyze this data and see how much of what you’re visiting / talking to is not hitting TCP or UDP port 443.
Easy to do if you use openwrt or pfsense or route at least one half of your traffic through your Pi.
DNS is one other thing that can be used by your ISP to get your browsing habits. dnsprivacy.org has a small open-source DNS server called stubby that you could use in conjunction with Google or Cloudflare DNS servers. There’s also “Adguard Home”, or even if you used pihole, you could then additionally install cloudflared or unbound to have pihole use DNS over TLS or DNS over https. (Personally I use Adguard Home with Google and Cloudflare running in parallel as DNS-over-TLS backends… ).
You could also build your own VPN to somewhere, and you could say ignore port 443 and port 853 from going through it to avoid latency. Ideally somewhere close to where you live… I wouldn’t recommend a VPN service, because that just gives your netflow data to a random company that’s not your ISP and their datacenter provider on top of it. Might as well go and rent a VM at the datacenter provider directly.
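The flow-log check suggested in the post above (log flows on the router, then see how much traffic is not going to port 443) can be scripted once the export exists. The script below is an added example and not the poster's own code; it assumes a constructed CSV layout with columns `ts,proto,src,dst,dport,bytes` (a real softflowd/pfSense export has its own column names and would need its column mapping adjusted) and treats 443 (HTTPS/DoH) and 853 (DoT) as the "encrypted by default" ports. The sample flows are constructed, not real captures.

```python
"""Summarise router flow logs: how much traffic is NOT on TCP/UDP 443 or 853.

Added example (not from the forum post). Column layout is an assumption:
    ts,proto,src,dst,dport,bytes
"""
import csv
import io
from collections import Counter

# Constructed sample flow records (RFC 5737 documentation addresses, not real traffic).
SAMPLE_FLOWS = """\
ts,proto,src,dst,dport,bytes
1696000000,tcp,192.168.1.10,93.184.216.34,443,52000
1696000001,udp,192.168.1.10,1.1.1.1,53,120
1696000002,tcp,192.168.1.10,93.184.216.34,80,4100
1696000003,tcp,192.168.1.11,1.1.1.1,853,2200
1696000004,udp,192.168.1.11,203.0.113.5,1194,880000
1696000005,tcp,192.168.1.10,198.51.100.7,443,31000
1696000006,tcp,192.168.1.12,198.51.100.9,8080,9000
"""

# Ports where the payload is TLS by convention: HTTPS / DoH on 443, DoT on 853.
ENCRYPTED_PORTS = {443, 853}
# Ports that carry plain-text names the ISP can read: classic DNS and HTTP.
CLEARTEXT_PORTS = {53, 80}


def parse_flows(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "proto": row["proto"].lower(),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def summarize(flows):
    """Return byte totals per (proto, port) and the share of bytes outside 443/853.

    Note: the 1194/udp flow in the sample is an OpenVPN-style tunnel (constructed),
    which is encrypted but still counts as "not 443" for the purpose of this check.
    """
    by_port = Counter()
    for f in flows:
        by_port[(f["proto"], f["dport"])] += f["bytes"]
    total = sum(by_port.values())
    other = sum(b for (_, port), b in by_port.items() if port not in ENCRYPTED_PORTS)
    return {
        "by_port": dict(by_port),
        "total_bytes": total,
        "other_share": other / total if total else 0.0,
    }


def flows_to_review(flows):
    """Flows the ISP can read directly: plain DNS (53) and plain HTTP (80)."""
    return [f for f in flows if f["dport"] in CLEARTEXT_PORTS]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    s = summarize(flows)
    print(f"{s['other_share']:.0%} of bytes are outside ports 443/853")
    for f in flows_to_review(flows):
        print("cleartext:", f["proto"], f["dst"], f["dport"], f["bytes"], "bytes")
```

The "other share" is only a rough indicator: a VPN tunnel or a game on a non-443 port is also encrypted, so the list from `flows_to_review` (ports 53 and 80) is the part worth acting on first, usually by switching the resolver to DoT/DoH and forcing HTTPS in the browser.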
If you run your VPN with AWS, Amazon gets your DNS requests and other metadata stuff so you really will not get any meaningful privacy there. This is true for every VPS service out there. The ideal solution would be to use a proper VPN provider so that you can lump all your data and metadata together with other users.
Then the VPN provider gets your DNS, what’s your point?
With AWS at least your instance is your own OS you control. With a VPN provider you’re trusting them with the OS handling your traffic.
And if you think lumping your traffic with everyone else adds security, then TOR is what you are looking for. I think you’re a bit confused on what your end goal is.
And if you’re that paranoid, you can set rules to change the default ports inbound for DNS.
The VPN provider does that, but they tout features such as no logging policy, operating in a country that isn’t going to just respond to a foreign government inquiry and the like. It helps that the VPN provider is also audited by a credible auditing company to confirm it does what it says it does. Whereas if you run your VPN in the same country as you are, a simple subpoena can defeat your VPN protection.
I am pretty sure AWS is in control of the OS and not you. You just have some control. Do anything that Amazon doesn’t like and they boot you off their servers.
A country can ask a foreign country to subpoena a VPN company to start logging a suspect in a criminal case. This happened recently with a common VPN company.
The takeaway is, do you trust a VPN company with everything or would you rather have your own. And sure AWS will have net logs, but if you’re at that point of paranoia, you would have extra safeguards in place. Your OP is only about your ISP, not the feds.
It all depends who is more trustworthy. Do you trust an audited VPN company more or any VPS hosting company (AWS, Linode, Digital Ocean, etc)? Can you even trust your own IT skills to make sure you are not leaking information on the side of the VPS?
1- Self host as much as you can.
3- Proton is controversial. Get a VPN provider that doesn’t doxx you like Mullvad. You can create anonymous throwaway accounts and even pay by mailing cash. They are no-nonsense-pay-for-2-years-here-is-my-referral-code-bullshit.
And don’t use Microsoft Bonzi Buddy OS 10 or 11.
They’ve rebranded as privacyguides.org because they will soon lose control of the privacytools.io domain as it is set to expire soon. The original owner of the domain doesn’t seem to be responding to communications.
What happened to Proton is very unfortunate. They had no choice but to comply to start logging. No responsible company is immune to court orders. Anyone, including Mullvad could be told to comply next.
Mullvad accounts don’t require personal information like name, address or e-mail.
Network Chuck is great. I love learning from this guy. I got a Netgate 1100 after watching one of his VPN videos and am still waiting on shipping. It’s my first hardware firewall and I am excited to learn pfsense. Though I think they have changed recently, I didn’t want to go to a subscription based NGFW as they are very expensive, also I do not have a need for a $1000 firewall and a $250 a year monitoring service. Maybe if I was running my own website, servers, etc…
The proper solution is to use TOR . . .
I am glad someone else purchased a Netgate Firewall appliance; I bought and installed it last December. I forgot to mention the model number of my Pfsense device; I bought the Netgate 5800. If you have any trouble getting your modem connected to your Netgate 1100, give me a shout-out.
@CodeDragon57 The best you can do to increase your privacy is to use a mail service like Proton Mail. Don’t allow a website to store your credit card information; only use Tor to surf the web. And use individual passwords for all your logins.
I don’t think people really answered what OP asked.
There are ways in which an ISP can gather data about you and multiple types of buyers, depending on the data.
- Unencrypted traffic (DNS and HTTP)
- Encrypted traffic (HTTPS) with unencrypted DNS
Here the ISP can see what domains you are visiting (e.g. google.com, or subdomains like videos.google.com), but cannot see what resources you are accessing (they can’t see that you are visiting google.com/your-search-query). But they can see what domains you are querying in DNS, so they can still build a profile on you depending on what websites you visit (e.g. if you visit level1 forum, arstechnica, servethehome, anandtech and gamersnexus, they can accurately guess you are into tech and serve you ads for PCs, monitors and TVs, or can sell the data to Google or ad networks who will serve those ads to you on the internet; if they see lots of connections to power tools websites, you might get served ads for power tools and so on).
- Encrypted DNS with either encrypted or unencrypted traffic
If you aren’t using your ISP DNS, your ISP can still determine what sites you are visiting by the connections to internet IPs on ports 80 (http) and 443 (https) that you are establishing. If you do encrypted traffic, the same thing as point 2. applies, just that instead of looking directly at your DNS queries, they look at your connections and do a reverse DNS query on the IPs you are connected to determine what sites you are visiting. Some websites have the same IP for different subdomains. Say for example level1techs and forum.level1techs - haven’t checked if they do, it’s just an example, so ISPs can’t determine what sites you visit as accurately, but they can get the big picture and still build a profile on you.
If you use unencrypted traffic and encrypted DNS, then the same as above and point 1. applies.
So if you don’t trust your ISP, how can you protect your data? A VPN is probably the obvious choice for most. What a VPN does, either a VPN to your own server on the internet, a VPN to your company or a VPN Service Provider (things like Mullvad, I call them VSPs), is that they encrypt all your traffic (usually, unless you have a special “split tunnel,” we won’t talk about those, because they are rare). So all your ISP will see will be a DNS query (encrypted or unencrypted, doesn’t matter) to your VPN server of choice and an established connection to your VPN. All traffic goes through the VPN and consequently, your connections to other websites will show as if the VPN server is connecting to them and what’s important in our case, the ISP won’t be able to tell what sites you are visiting, all it can see is your connection to the VPN server.
But your VPN becomes the next point of trust. If you use a VSP like Mullvad, they will be able to see exactly what you were hiding from your ISP. So you switch the point of trust to another party. Same for a company VPN (+all the traffic restrictions and agreements with them). If you go the DIY route, let’s say you build your VPN at a friend’s house, you have to trust his ISP now. If you use a VPS (virtual private server, Linode) or cloud server (virtual private cloud or VPC, AWS) for your VPN, now you have to trust the VPS / VPC provider. Everything from 1., 2. and 3. applies, but to another party.
Technically, a VSP and a VPS / VPC have more privacy, because they can’t serve you ads directly. But they can still data mine you and sell your data to third parties, just that they won’t be the same ad networks that your ISP was selling your data to.
One issue with using a VPN is that usually ISPs, being the dicks that they are (at least in the US), will throttle your traffic to anything that is not a connection to a port 80 or 443. The workaround is usually to make a TCP VPN and use port 443 for it. If you only visit websites, you should not see much of a performance difference, but if you also use UDP programs through it, you will notice considerable lag, while some programs might misbehave.
An alternative to VPNs is to use a darknet. Tor comes to mind first, because it’s the most popular. A darknet for our case with hiding data from an ISP is similar to how VPNs look to them: they will only see a connection to a darknet and that’s it. I won’t get into how darknets work. But Tor has what is called exit nodes. Exit nodes are used so you can access clearnet (the internet) websites from within Tor network. Websites will see traffic coming from the Tor node. The ISP, as is the case with VPNs, will only see that you are connecting to a Tor entry node, but won’t know what exit node you are using (or even if you are using one at all), because data is scrambled throughout the Tor network. But IMO exit nodes are dumb, people should stay inside the darkwebs. There are other discussions about Tor vs i2p and their inherent design, but I won’t get into it here, I think that’s pretty much the whole of it. Just note that due to all the traffic scrambling, redirecting, encrypting and what darknets do to fibrin, they will be from slow to dog slow. I don’t recommend darknets just to browse the clearnet.
I didn’t discuss what alternatives you have with ISPs. There are other ways, albeit not as convenient, to combat ISP surveillance. You can use big platforms only and get your news and videos only from there, but that means not visiting other websites. You can use a cloud PC, kinda like an Azure windows VM (or any VM with VNC on a VPS / VPC), but with added latency and it will work basically like a VPN. And the last, but not least, but part of the last resort options, switching ISPs (if you have more than 1 in your area). The nuclear option is cutting your internet cable and moving into a cabin in the woods.
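The three cases in the post above (plain DNS, encrypted DNS with the ISP inferring names from destination IPs, and everything tunnelled through a VPN) can be modelled in a few lines. This is an added example, not the poster's code: the reverse-DNS table, the flows and the VPN endpoint address are all constructed, and a real ISP would use PTR lookups or its own passive-DNS data rather than a dictionary. The model also shows the shared-IP ambiguity the post mentions (two hostnames on one IP only give the ISP a candidate list, not a certain answer).

```python
"""Model what an ISP can infer from flows under plain DNS, encrypted DNS, and a VPN.

Added example (not from the forum post). All addresses and hostnames below are
constructed from RFC 5737 / RFC 2606 documentation ranges.
"""

# Constructed stand-in for the ISP's reverse-DNS / passive-DNS data: IP -> hostnames.
REVERSE_DNS = {
    "198.51.100.10": ["example.net", "forum.example.net"],  # shared IP: ambiguous
    "198.51.100.20": ["tools.example.org"],                 # single name: exact
    "203.0.113.5": ["vpn.example.com"],                     # the (assumed) VPN endpoint
}

# A flow as the ISP sees it. "dns_name" is the hostname from a plain-text DNS
# query that preceded the connection; it is None when DoT/DoH was used.
def flow(dst, dport, nbytes, dns_name=None):
    return {"dst": dst, "dport": dport, "bytes": nbytes, "dns_name": dns_name}


def isp_view(flows, reverse_dns=REVERSE_DNS):
    """Return what the ISP can say about visited sites.

    exact:      hostnames it is sure about (seen in plain DNS, or unique PTR)
    candidates: destination IPs that map to several hostnames (ambiguous)
    """
    exact = set()
    candidates = {}
    for f in flows:
        if f["dns_name"]:                      # point 2 in the post: DNS is readable
            exact.add(f["dns_name"])
        elif f["dport"] in (80, 443):          # point 3: infer from the destination IP
            names = reverse_dns.get(f["dst"], [])
            if len(names) == 1:
                exact.add(names[0])
            elif names:
                candidates[f["dst"]] = list(names)
    return {"exact": exact, "candidates": candidates}


def through_vpn(flows, vpn_ip="203.0.113.5", vpn_port=443):
    """Collapse all flows into the single tunnel flow the ISP sees when a VPN is used.

    Using TCP/443 for the tunnel is the workaround the post gives for ISPs that
    throttle non-80/443 traffic; the endpoint address is an assumption.
    """
    total = sum(f["bytes"] for f in flows)
    return [flow(vpn_ip, vpn_port, total)]


if __name__ == "__main__":
    plain_dns = [
        flow("198.51.100.10", 443, 52000, dns_name="forum.example.net"),
        flow("198.51.100.20", 443, 31000, dns_name="tools.example.org"),
    ]
    encrypted_dns = [flow(f["dst"], f["dport"], f["bytes"]) for f in plain_dns]
    for label, flows in [("plain DNS", plain_dns),
                         ("encrypted DNS", encrypted_dns),
                         ("VPN", through_vpn(encrypted_dns))]:
        print(label, "->", isp_view(flows))
```

Running it shows the progression the post describes: with plain DNS both sites are known exactly; with encrypted DNS the single-name IP is still identified and the shared IP yields only a candidate list; with the VPN the ISP's whole view collapses to `vpn.example.com`, which is exactly where the point of trust moves next.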
Linode is garbage. On 21 September I finally signed up for Linode after watching a L1 news video. Put in all my info and they said wait for the account to be activated. Today is over 2 weeks later and still not activated.
I deployed an OpenVPN instance on AWS with a permanent elastic IP and it was working 15 minutes later.
I don’t know why L1Techs pimps Linode so much.