Transcript of Your ISP Is Watching Everything - Fix It With DNS Filtering!

Video Transcript:

If your Smart TV is spying on you, your phone is narcing, and your ISP is selling your secrets… this video is for you.

I’ve made a few videos lately, including one about VPN services, and two about Smart TV surveillance and tracking – linked in the video description below. In them, I briefly touched on DNS. DNS filtering sounds boring, but it can kill 70-90% of the junk hitting your devices. Less tracking. Fewer ads. More privacy - across almost every device you own. And it’s easier than you think.

Intro

Welcome back to Dad Explains Everything. Today I’m covering DNS filtering. This quality of life hack will change your online experience in all the right ways. Sound technical? Well, it can be, but I’ve made sure that there’s something in here for everyone. After all, I think this stuff is fun, and I’ve been doing it for decades. But if that’s not you, don’t worry - there are solutions in this video for people of every level of technological curiosity and capability. Better still, the easiest of these solutions only takes a few minutes to enable.

So, What DNS Is, How It Works, and How It Leaks Your Life Story

DNS, or the Domain Name System, is basically the internet’s phone book. But instead of finding tow trucks, it finds servers.

You see, internet communication works with IP addresses that look like this (8.8.8.8), or this (fe80::8f58:946d:9294:1fdb%18). But normal people don’t remember IP addresses, so DNS was created to allow structured names like www.youtube.com to be translated to something like this (173.194.219.91).

When you type “youtube.com,” your device asks a DNS server: “Hey, where’s YouTube?” And here’s the journey – simplified a bit for non-networking people:

1. Your device asks your DNS resolver about youtube.com
2. That resolver asks the root DNS servers
3. They point to the TLD server (.com)
4. That server points to YouTube’s authoritative DNS server
5. You get back an IP address
6. Your browser connects to that IP

This loop happens hundreds or thousands of times, per hour, per device. Your phone does it. Your laptop does it. Your apps do it. Your Smart TV does it. And your IoT dishwasher probably does it too, because apparently someone needs to know if you enabled StormWash.

The Privacy Problem

So, if DNS requests are basically cross-reference lookups, what’s the problem? After all, DNS requests are basically:

• A timestamp
• Your IP address (generally your router’s WAN IP, when at home)
• The host and/or domain you’re trying to access
• The device that asked

That still doesn’t really seem like a big deal, until you realize that these requests reveal a ridiculous amount of data:

• When you wake up
• When you go to sleep
• What apps you open
• What sites you visit
• What streaming services you’re watching on your TV or other devices
• When you’re home, away, or on vacation
• What devices you own
• And your entire behavioral pattern mapped second by second

ISPs love this data. Because they sell it. They build profiles from it. They use it for ad targeting. DNS is one of the largest unregulated privacy leaks in your digital life. Which makes it the perfect thing to fix.

And there are multiple ways to do that - encrypted DNS, third-party filtering services, or hosting your own DNS server. I’ll cover all of those. But first, let me show you the DNS trick that gives you instant privacy improvements.

How DNS Filtering Blocks Ads, Trackers, Telemetry & Smart TV Spying

A simple but powerful trick is to have a DNS server respond to hostnames you don’t want your devices talking to by either:

• failing to resolve the host or domain, or
• returning a bogus IP

It’s essentially like adding fake entries to a HOSTS file.
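To make the two responses concrete, here is a small added example (not code from the video, and not code from Pi-hole, AdGuard or NextDNS) of a DNS "sinkhole" responder. It parses a single A or AAAA question in DNS wire format, checks the name against a constructed blocklist with subdomain matching, and either refuses to resolve it (NXDOMAIN, RCODE 3) or hands back the unspecified address (0.0.0.0 or ::), which is the bogus-IP variant. Names that are not blocked are reported as "forward", where a real filtering resolver would pass the query upstream. The blocklist entries and the query names are constructed for the example.

```python
# Added example (not the video's code, nor Pi-hole/AdGuard/NextDNS code): a
# minimal DNS "sinkhole" responder showing the two ways a filtering resolver
# can answer a blocked name: NXDOMAIN (RCODE 3) or a bogus address (0.0.0.0).
# It handles the wire format of a single A/AAAA question; un-blocked names are
# reported as "forward", where a real resolver would pass them upstream.
import ipaddress
import struct

# Constructed blocklist. A name is blocked if it equals an entry or is a
# subdomain of one, which is how blocklist-based filters usually match.
BLOCKLIST = {"ads.example", "telemetry.example", "tracker.example"}

QTYPE_A, QTYPE_AAAA = 1, 28

def is_blocked(name, blocklist=BLOCKLIST):
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def encode_name(name):
    """Turn 'ads.example' into DNS label format: b'\\x03ads\\x07example\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(pkt, offset):
    """Read an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = pkt[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(pkt[offset:offset + length].decode())
        offset += length

def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """A client query as a stub resolver would send it (RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def filter_query(query, mode="sinkhole"):
    """Return (decision, response_bytes); decision is 'forward', 'nxdomain' or 'sinkhole'."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, end = decode_name(query, 12)
    qtype = struct.unpack("!HH", query[end:end + 4])[0]
    question = query[12:end + 4]
    if not is_blocked(qname):
        return "forward", None
    if mode == "nxdomain":
        # Flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN), no answer records.
        return "nxdomain", struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    # Sinkhole: answer with the unspecified address of the right family.
    rdata = {QTYPE_A: bytes(4), QTYPE_AAAA: bytes(16)}.get(qtype)
    if rdata is None:
        # Other record types get an empty NOERROR answer (NODATA).
        return "sinkhole", struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    # 0xC00C is a compression pointer back to the name in the question.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return "sinkhole", struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

def response_rcode(resp):
    return struct.unpack("!H", resp[2:4])[0] & 0x000F

def response_addresses(resp):
    """Extract A/AAAA addresses from the answer section as strings."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    _, offset = decode_name(resp, 12)
    offset += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset += 2  # every answer name above is a 2-byte compression pointer
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype in (QTYPE_A, QTYPE_AAAA):
            addrs.append(str(ipaddress.ip_address(rdata)))
    return addrs

if __name__ == "__main__":
    for name in ("www.example", "ads.example", "cdn.tracker.example"):
        decision, resp = filter_query(build_query(name))
        print(name, decision, response_addresses(resp) if resp else "-")
```

The choice between the two modes matters in practice: a sinkhole address makes the client's connection attempt fail fast (nothing listens on 0.0.0.0), while NXDOMAIN tells the application plainly that the name does not exist. Either way the ad server, tracking pixel or telemetry endpoint is never reached, which is the whole point of the trick.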
Put another way: It’s like me ripping out the pages of the phone book belonging to scammers, stalkers, telemarketers, and people trying to sell you magic supplements on TikTok.

If a domain is blocked at the DNS level:

• The ad server can’t load, and won’t show ads
• The tracking pixel never fires, so there’s less tracking of your activities
• The telemetry server never receives your device analytics
• ACR requests from Smart TVs never reach their corporate mothership

So here’s an incomplete list of what DNS filtering CAN block:

• Banner ads
• Mobile app tracking
• Smart TV tracking
• Background telemetry
• Analytics beacons
• Direct data exfiltration to data brokers
• Hidden scripts in mobile apps
• Botnet callbacks
• Malware domains
• Phishing sites

🎭 And here’s a partial list of what DNS filtering CANNOT block:

• YouTube ads that are in the same domain as the video
• In-stream TikTok/Instagram ads
• Netflix/Hulu ads in ad-supported plans

As you can see from the exceptions, DNS filtering isn’t a magical ad-killer. It’s a network-level bouncer who kicks out 70–90% of the trash before it reaches your devices. Your browser doesn’t have to do the work. Your devices don’t have to do the work. The network takes care of it before anything loads. And your Smart TV? It gets the digital equivalent of its mouth duct-taped shut.

If you haven’t watched Part 1 and Part 2 of my Smart TV surveillance videos, I highly recommend them as they show you how to turn off this tracking at the source. DNS filtering is good as a backup, in case you don’t trust the manufacturers to honor your settings.

The Full Menu of DNS Solutions

So, I promised that there would be a gradient of options, and there is!
Generally, you can pick from solutions that are:

• Free
• Free*
• A subscription that’s relatively inexpensive

Some of the solutions are “easy enough for your grandparents”, while others stray into “Dad has opened a terminal window and things are about to get serious.”

As always, I’m happy to engage with all of you in the comments section. If I missed one of your favorite solutions, or if you have questions, feel free to write me below.

With that, I’m going to start with the beginner tier. These are on-device solutions, which are the easiest to implement.

⭐ Beginner Tier: On-Device Solutions

If you don’t want any new hardware, you want immediate results, and you don’t want to have to change router settings, the beginner tier is for you.

The huge upside is that this protection follows you everywhere - your phone, your laptop, your tablet. The downside is that you need to set it up on each device individually, and not every device exposes DNS settings.

In this tier, I’m partial to solutions that don’t require you to install another app, so I prefer:

NextDNS
• Cloud DNS filtering
• Giant blocklist library
• Analytics dashboard
• Per-device profiles
• Parental controls
• Excellent interface

AdGuard DNS
• Prebuilt filtering
• Simple setup

If you do want an app, you can go with a solution like:

AdGuard in device mode
• Simple
• Effective
• Works on phones, tablets, laptops
• Blocks ads + tracking at DNS level
• Doesn’t have any operating system-level configuration

These options are not the only ones in the tier, but they are probably the most popular and effective. Competitors include Control D, CleanBrowsing, Quad9, SafeDNS, DNSFilter, WebTitan, Cloudflare One, and OpenDNS Home.

The thing you need to know is that there are free, but limited, tiers for several of these options. They can have usage or device limits. Some providers have free trials.
Generally, most people will benefit from selecting a paid tier, but these solutions tend to be inexpensive, with the Pro tier of NextDNS coming in at under $20 a year, and the “Personal” tier of the AdGuard app at around $31 a year. Those prices are in US dollars.

But remember: Using a third-party DNS provider does not solve the “ISP spying” problem unless the provider supports encrypted DNS (DoH, DoT, or DoQ). And if the site you’re visiting supports ECH – which is Encrypted Client Hello – the ISP won’t even see the SNI, the part of the handshake that normally reveals which site you’re connecting to.

Difficulty level? Android, iOS, macOS, Windows, Linux/BSD, ChromeOS, and many browsers can all be configured in under 5 minutes. Anyone can do this.

⭐ Intermediate Tier: “Easy” Network-Wide Solution

The next tier is the intermediate tier, and this is for people who want all devices protected — including Smart TVs, streaming boxes, consoles, smart speakers, and random IoT nonsense.

The same DNS filtering you used on your devices can be configured on your router, instantly covering your entire home network. The massive benefit is that ALL of your devices receive the benefits of the ad and tracker blocking, along with the DNS encryption of DoH, DoT, or DoQ - assuming it’s supported.

There are two notable downsides. First, you’ll still want on-device config for portable devices to protect them off-network. Second, you have to log into your router to set the DNS settings. If you’ve done this, to forward a port, to set a wifi password, or whatever else – this won’t be a big deal. For everyone else, this can be kind of difficult.

The first thing to do is to identify the address of your router. It differs depending on the device you’re using.

From Windows:

1. You open a command prompt
2. You type ipconfig
3. You look for the Default Gateway (usually a 10.x.x.x or 192.168.x.x address)
4. You open a web browser and use the IP address from #3 as the site address
5. You log in using your router username and password
6. You go to the WAN or Internet settings and change your DNS server settings

The problems are that:

• You forgot the router password (you may have set it up months or years ago and forgotten it, or it may be printed on a sticker on the router itself).
• You can’t find the DNS settings (ask in the comments - I can help).
• You realize your router is ancient and should be replaced – or you should load WRT on it (see my video on that).

⭐ Expert Tier: “Hard” Network-Wide Solution

The next tier is the expert tier, and this is also made up of network-wide solutions. The main difference in this tier is that you’re hosting the solution yourself. This can be done in a container, a minimal computer (like a Raspberry Pi), or even as an app with some router ecosystems (like pfSense or OPNsense). The software is free. The hardware is cheap. Also, these solutions are generally more powerful, flexible, and extensible.

The main players are:

Pi-hole
The legendary Linux-based ad blocker.
• Runs on Linux and on minimal hardware, like a Raspberry Pi
• Can run in a container
• Uses blocklists
• Protects EVERY device on your network
• Highly customizable
• Geek-cred certified

AdGuard Home
Like Pi-hole, but:
• Easier setup
• Cleaner interface
• More built-in features
• Great for beginners

While I’d probably say that AdGuard Home is objectively better, I personally prefer Pi-hole, but that’s mostly because I’ve been using it longer. Generally speaking, though, there’s not much daylight between the two, in terms of capabilities.

In terms of setup, both are fairly straightforward. The most difficult step for most will probably be setting their router to use the local blocker as their router’s DNS server.
⭐ S-Tier: Self-Hosted Blockers with Recursive Resolvers

This tier takes “trust no one” to the next level.

Pi-hole and AdGuard Home normally act as DNS forwarders, relying on a third-party resolver. But what if you don’t want to trust any public DNS provider at all? You can run your own recursive DNS resolver locally.

Your options:
• Unbound
• Bind9
• Knot Resolver

They perform the entire DNS lookup themselves, directly from:
• The Root servers
• The TLD servers
• The authoritative servers

No Cloudflare. No Google. No ISP. No third-party. No logging. No selling. No profiles.

And it’s relatively easy to combine Unbound with Pi-hole or AdGuard Home. That’s the DNS equivalent of wrapping your entire house in privacy armor, because it removes every middleman between you and the DNS system.

But why do this at all?

🧱 1. No third-party DNS logging

Public DNS providers have… histories. Google logs for analytics. Cloudflare says they don’t — but you have to trust them. Quad9 says they don’t — but also have partners. OpenDNS logs for parental filtering.

When YOU run the resolver:
• No logs
• No analytics
• No selling
• No subpoena targets

Unless you enable logs… there's nothing to collect.

🕵️ 2. Your ISP sees nothing

Your ISP normally sees all DNS requests. Self-hosted recursion stops this. All your ISP sees is:
• Encrypted traffic
• To random IPs
• That they can’t correlate

Your browsing behavior becomes invisible*. SNI still leaks for sites that don’t support TLS 1.3 and ECH, but more sites are supporting it every month – so, the situation is improving.

🚀 3. Speed - DNS on your own LAN

Public DNS is fast. Local DNS is faster. Caching means:
• First lookup: goes out for resolution
• After that: instant

Your entire home feels faster.
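The six-step journey listed near the top of the video and the recursive-resolver tier just described are the same algorithm seen from two sides, so here is one added example (not the video's code, and not code from Unbound, Bind9 or Knot Resolver) that walks it end to end: a toy iterative resolver that starts at a root server, follows referrals through the TLD server to the authoritative server, and caches the answer for its TTL so the second lookup never leaves the LAN. The "servers" are constructed in-memory zones on RFC 5737 documentation addresses, the domain names are constructed, and the clock is injectable so TTL expiry can be exercised without waiting.

```python
# Added example (not the video's code, and not Unbound/BIND/Knot code): a toy
# iterative resolver that walks root -> TLD -> authoritative, the journey the
# video lists, and caches answers by TTL. The servers are constructed in-memory
# zones on documentation addresses; no packets are sent.
import time

# Constructed topology (RFC 5737 documentation addresses; nothing real).
ROOT_IP = "198.51.100.1"
SERVERS = {
    # The "root" server knows only who serves each TLD.
    "198.51.100.1": {"referrals": {"com": "203.0.113.1"}},
    # The ".com" TLD server knows who is authoritative for each .com zone.
    "203.0.113.1": {"referrals": {"example.com": "192.0.2.53"}},
    # The authoritative server for example.com holds the actual records.
    "192.0.2.53": {"answers": {"www.example.com": ("192.0.2.10", 300),
                                "mail.example.com": ("192.0.2.25", 60)}},
}

class IterativeResolver:
    def __init__(self, servers=SERVERS, root_ip=ROOT_IP, clock=time.monotonic):
        self.servers = servers
        self.root_ip = root_ip
        self.clock = clock          # injectable so TTL expiry can be simulated
        self.cache = {}             # name -> (ip, expires_at)
        self.queries_sent = 0       # queries that left the LAN

    def _ask(self, server_ip, name):
        """One round trip to one server: answer, referral, or NXDOMAIN."""
        self.queries_sent += 1
        zone = self.servers[server_ip]
        if name in zone.get("answers", {}):
            return ("answer",) + zone["answers"][name]
        labels = name.split(".")
        # A server refers us down the tree for the longest suffix it delegates.
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in zone.get("referrals", {}):
                return ("referral", zone["referrals"][suffix], None)
        return ("nxdomain", None, None)

    def resolve(self, name, max_hops=10):
        """Return the IP for name, or None if it does not exist."""
        name = name.lower().rstrip(".")
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]                      # served from cache: no upstream query
        server = self.root_ip
        for _ in range(max_hops):
            kind, value, ttl = self._ask(server, name)
            if kind == "answer":
                self.cache[name] = (value, now + ttl)
                return value
            if kind == "referral":
                server = value                 # follow the delegation
                continue
            return None                        # NXDOMAIN
        raise RuntimeError("too many referrals for %s" % name)

if __name__ == "__main__":
    r = IterativeResolver()
    print(r.resolve("www.example.com"), "after", r.queries_sent, "upstream queries")
    print(r.resolve("www.example.com"), "after", r.queries_sent, "upstream queries (cached)")
```

The `queries_sent` counter is worth watching: it is exactly the traffic a recursive resolver sends to root, TLD and authoritative servers, and in a real deployment those queries leave your network as ordinary DNS on port 53 unless you have arranged otherwise. Running your own resolver removes the third-party resolver from the picture; the cache is what keeps repeat lookups for the same names from going out at all.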
🛡️ 4. Almost immune to DNS poisoning, hijacking, and MITM

Your local resolver can:
• Validate DNSSEC
• Avoid ISP-level tampering
• Block captive-portal hijacks
• Stop DNS injection used by some ad networks

This is real security - not vibes.

So, Pi-hole / AdGuard Home + Unbound

This gives you:
• Filtering
• Local caching
• Local recursion
• Zero trust in third parties
• Total control

It is the best mixture of convenience, privacy, and protection available to normal humans.

Special note

Some devices try to bypass your DNS settings altogether. Chromecast, Android TV, and lots of IoT gadgets ignore DNS servers advertised by DHCP and use hard-coded resolvers like:
• 8.8.8.8
• 1.1.1.1

To stop this, you can:
• Redirect all outbound DNS traffic to your resolver, or
• Block ports 53 and 853 entirely and force all DNS through your setup

If you’re really into home network engineering, put all these untrusted devices on their own VLAN with dedicated firewall rules. You’ll also want to make sure to disable anything that looks like “DNS relay” or “DNS proxy”.

Request Time!

Now that you know what your options are, it’s time to choose your own adventure. Do you want an easy tutorial on Pi-hole, with or without Unbound, or do you want one on AdGuard Home, with or without Unbound? Let me know in the comments below. If it’s pretty evenly split, I can do both.

Conclusion

For a “normal” user, DNS is one of the least-understood pieces of the internet — and one of the biggest privacy liabilities you have. Fixing it is like installing a deadbolt on your digital front door.
Whether you:
• Configure NextDNS
• Use AdGuard on your phone
• Set up Pi-hole or AdGuard Home on a Raspberry Pi
• Or run your own recursive resolver with Unbound

you are reducing your data trail, blocking ads, and shutting down surveillance systems across your entire home.

Your DNS provider sees everything you do. It’s time to make sure that provider is you.

And this is as simple as I can make it: if You Only Do ONE Thing:
• If you just want privacy on your phone/laptop -> Use NextDNS or AdGuard DNS.
• If you’re willing to plug in a Raspberry Pi -> Run Pi-hole or AdGuard Home and point your router to it.

Everything else in this video is just making those ideas faster, stronger, and more private.

If you got something out of this video, hit like, subscribe, and tell me in the comments what setup you’re running, and what you’d like your setup to look like in the near future. If you really liked it, please share this video with people you know.

If you want to support my work, please hype the video and consider becoming a member. I’m not a big deal, so it’s REALLY cheap. And speaking of members, I want to thank new members Linda M., Bryan M., and James R. for their support.

Thanks for watching, and have a great and private day.
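Going back to the Special note above about devices that ignore DHCP and talk to hard-coded resolvers: before redirecting or blocking ports 53 and 853 at the router, it helps to know which devices are doing it. Here is an added example (not the video's code) that runs that check over a few constructed connection-log lines of the kind a router or firewall can export (timestamp, source IP, destination IP, destination port, protocol). The local resolver address, the LAN addresses and the log itself are assumptions made for the example; 8.8.8.8 and 1.1.1.1 are the hard-coded resolvers the video names.

```python
# Added example (not the video's code): a small detector for devices that
# bypass the LAN resolver with hard-coded DNS servers, run over constructed
# connection-log lines. Fields: timestamp, source IP, destination IP,
# destination port, protocol. The resolver address and the log are assumptions.
LOCAL_RESOLVER = "192.168.1.2"   # constructed: where Pi-hole/AdGuard Home lives
DNS_PORTS = {53: "Do53", 853: "DoT/DoQ"}

# Constructed sample log (not real traffic). 8.8.8.8 and 1.1.1.1 are the
# hard-coded resolvers the video names; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
2025-01-01T20:00:01 192.168.1.50 192.168.1.2 53 udp
2025-01-01T20:00:02 192.168.1.77 8.8.8.8 53 udp
2025-01-01T20:00:03 192.168.1.77 1.1.1.1 853 tcp
2025-01-01T20:00:04 192.168.1.50 203.0.113.7 443 tcp
2025-01-01T20:00:05 192.168.1.91 8.8.8.8 53 tcp
2025-01-01T20:00:06 192.168.1.91 192.168.1.2 53 udp
"""

def parse_flows(text):
    """Parse whitespace-separated log lines; malformed or blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows

def find_dns_bypass(flows, resolver=LOCAL_RESOLVER):
    """Map each LAN host to the foreign DNS servers it contacted on 53 or 853.

    Port 443 is deliberately not inspected: DNS-over-HTTPS shares it with
    ordinary web traffic, so destination port alone cannot identify it.
    """
    offenders = {}
    for f in flows:
        if f["port"] in DNS_PORTS and f["dst"] != resolver:
            offenders.setdefault(f["src"], set()).add((f["dst"], DNS_PORTS[f["port"]]))
    return offenders

def bypass_report(text, resolver=LOCAL_RESOLVER):
    """Human-readable summary, one line per offending host."""
    lines = []
    for src, dests in sorted(find_dns_bypass(parse_flows(text), resolver).items()):
        where = ", ".join("%s (%s)" % d for d in sorted(dests))
        lines.append("%s bypasses %s via %s" % (src, resolver, where))
    return lines

if __name__ == "__main__":
    for line in bypass_report(SAMPLE_LOG):
        print(line)
```

Run against the sample, the report names the two hosts going around the local resolver and leaves the host that only used 192.168.1.2 alone. The 443 flow is ignored on purpose: a port-based redirect or block of 53 and 853, which is what the video recommends, does not catch DNS-over-HTTPS, so a device that uses DoH is a case for the VLAN-plus-firewall-rules approach rather than for a port rule.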

Channel: Dad, the engineer
