Question Which is better for personal security, DNS-level protection (such as Pi-hole) or a reliable VPN?

[bretbernhoft]

I'm in the middle of a conversation with other technically-minded folks, about whether Pi-hole or a (truly trustworthy) VPN provider is a better option for overall personal network security. I thought I would propose this question here, to see what the experts think.

 

[bill001g]

You can't really compare them are used for different purposes. I guess it is depends on what you are calling personal security.

You don't really need either in most cases and you are still very secure. Almost all traffic is encrypted end to end with HTTPS. This was widely adopted after the governments got caught intercepting internet traffic. If it is good enough to prevent the government from seeing exactly what you are doing it tends to be good enough for most things. The other somewhat more recent thing is the inclusion of the ability to encrypt DNS in the browsers and even now in OS itself. This now even prevents seeing the names of the sites and possibly blocking sites by intercepting DNS. I don't know of any traffic that is not encrypted in some way, even say online game data is encrypted but that is more to prevent cheaters.

VPN is mostly used to bypass restrictions and make it appear your traffic is coming from someplace else. It does not actually secure the traffic since it is only using the VPN between your house and the vpn data center. The vpn encryption is then removed and your traffic is now subject to inception between the VPN data center and the final location. This would only matter if you were say worried about your ISP seeing the IP addresses you go to....remember the data and the dns are encrypted already. Most times vpn is used to get past say netflix country restrictions or maybe for people doing illegal things and don't want the IP traced back to their real IP.

Pihole is kinda a firewall that prevents you internal machines from accessing certain sites. It is not as good as a firewall because it only blocks them via name it does not block the actual IP. It is mostly used to say put in a list of sites that do advertising and not allow access to them. It can also be used to a small extent to override some things such as dns servers giving different IP based on your location. Many sites do this so you say go to a server in your country rather that to one central server. You can force it to use certain servers if you want.

Again neither of these tools are really used for true security anymore. They are in some ways now hackers tools used to bypass the security and restrictions of web sites you are attempting to visit.

 

[kanewolf]

I'm in the middle of a conversation with other technically-minded folks, about whether Pi-hole or a (truly trustworthy) VPN provider is a better option for overall personal network security. I thought I would propose this question here, to see what the experts think.

What are you trying to "secure"? Are you trying to avoid malicious websites? VPN may do nothing for that. Are you trying to securely access your local devices from a remote location? PI-Hole does nothing for that...
This is why @bill001g said you can't compare them.

 

[USAFRet]

"security", against what threat?

 

[bill001g]

For some reason, I always thought that VPN is for security. Thanks for turning my world around

Kinda used to be. Many years ago when coffee shops used non encrypted wifi and most web sites were unencrypted you used to see so called hackers stealing people facebook and other accounts. VPN was then extremely useful to prevent that....of course it didn't stop the profession hacker or the government who could intercept the data after it left the VPN provider.

 

[bretbernhoft]

"security", against what threat?

Potential hacking attempts, using DNS redirects.

 

[bill001g]

So as mentioned encrypted DNS solved that but it already was not so much a problem.

You could redirect DNS but only really block traffic you can not actually redirect it to another server. Again HTTPS fixes that problem also. Part of establishing the encrypted connection is to verify that you are talking to who you think you are talking to.
That is done via a certificate server. So you might be able to spoof the DNS but it then will not match the certificate and you will get warning in the browser.