
Ask HN: How to make home network secured - mraza007
How can I make my home network more secure and block ad trackers and a few websites and social media apps for the kids?
What services can I use?
======
slovette
Honestly, as a network engineer with 4 kids, we’re kinda just screwed.

The popular responses here are going to be about Pi-Hole and NextDNS (which I
use today), but overall it’s a losing battle and all of it is easily
circumvented.

With DNS-over-HTTPS becoming more and more prevalent in all things end-user
devices, I suspect by this time next year using any kind of traditional DNS
controls will be worthless.

We could go super heavy handed and deploy some home version of enterprise
packet inspection, but that’s a whole bag of worms.

As for kiddos, I’ve gotten to the point where I combine good communication
over obscurantism, device level traffic logging/monitoring, all mixed with a
hard off switch for communications at and after certain times to be the
winning ticket.

As far as tracking and ads... we’re all going to lose that battle fairly soon.
The same tech we all praise as good for privacy is also great for data
collection and advertising.

~~~
Maha-pudma
>As far as tracking and ads... we’re all going to lose that battle fairly
soon. The same tech we all praise as good for privacy is also great for data
collection and advertising.

Can you elaborate on this? I'd be interested to know more about how this could
happen.

~~~
slovette
Well, traditional DNS is all unencrypted traffic over port 80 on a network
firewall/router. Typically, what some people are doing is setting up their own
DNS servers on the internal LAN that recognize lookups that are unfavorable
and just refuse to allow the resolve.

An example is a tracker DNS lookup might be something like:
tracker.ad.amazon.com. My self-controlled DNS sees that URL lookup, compares
it to a list of known tracking or advertising URLs, finds it in that list and
instead of responding with the server IP, it just says “not found”. I then
block devices on my local LAN from circumventing my internal DNS (i.e. manually
changing device DNS servers that would typically be my internal server, to
something public like Google’s 8.8.8.8), by only allowing traffic out of port
80 that originates from my self-made local DNS server.

Client device -> local DNS -> public server = OK. Client device -> public DNS
= blocked.

So this same method is also used by almost every major ISP out there to track
your browsing and usage history. Along with other security problems this
poses, the tech community has been developing and pushing things like DNS-
over-TLS and DNS-over-HTTPS. What this does is takes a DNS request and
packages it into an HTTPS packet that acts and looks like any other encrypted
web traffic over port 443. The server on the other end then unpacks it back to
a DNS query and responds in the same way.

That effectively obscures DNS traffic as any ole web traffic that I can no
longer detect and manipulate. An example is that your Alexas will eventually
(I think they may already do it in some cases, I know my Samsung TV does) use
that kind of DNS tech to pass tracking and ad data back to their home servers.
I can no longer really stop that and preserve the functional intent of the device
(i.e. I could place them on a gapped VLAN, but it would render all connectivity
inoperable and thereby make the device useless).

So fundamentally, the same stuff we’re putting together to maintain personal
privacy and security, is also going to be used to maintain the same features
for Amazon’s, Google’s, any other data house’s data that it collects about
you.

Further, as this becomes normal protocol in browsers, things like content
blocking and parental controls become very difficult to do without end-device
sudo rights or the manufacturer building parental controls into the OS (like
Apple is keen to do).

A little elementary explaining there, but hopefully you get the idea.
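
The sinkhole-plus-egress-rule setup described above, as an added example that is not part of the original thread: a Python toy model in which the blocklist entries, LAN addresses and upstream answers are constructed sample data. It also shows the port-443 gap the poster raises, since a lookup carried over HTTPS passes the egress rule untouched.

```python
"""Toy model of a LAN DNS sinkhole plus a router rule that only lets the
local resolver send plain DNS (port 53) to the internet.
Added example; names, addresses and blocklist entries are constructed."""
from typing import Optional

# Constructed blocklist: an entry matches the name itself and every subdomain.
BLOCKLIST = {"ad.example.net", "tracker.example.com"}

# Constructed LAN layout: one self-hosted resolver, everything else is a client.
LOCAL_DNS_SERVER = "192.168.1.2"

# Constructed stand-in for the answers a public upstream resolver would give.
UPSTREAM_ANSWERS = {"news.example.org": "203.0.113.20",
                    "tracker.example.com": "203.0.113.10"}


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """True if the name or any parent domain is listed
    (tracker.ad.example.net is caught by the ad.example.net entry)."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def sinkhole_resolve(name: str) -> Optional[str]:
    """Local resolver: listed names get NXDOMAIN (None), others are forwarded."""
    if is_blocked(name):
        return None
    return UPSTREAM_ANSWERS.get(name.rstrip(".").lower())


def egress_allowed(src_ip: str, dst_port: int) -> bool:
    """Router rule: outbound port 53 only from the local resolver; other
    ports (443 included) pass, which is why DNS-over-HTTPS slips through."""
    if dst_port == 53:
        return src_ip == LOCAL_DNS_SERVER
    return True


def client_lookup(client_ip: str, name: str, via: str, port: int = 53) -> str:
    """Outcome of a client lookup; 'via' is the resolver the client asks.
    Through the local resolver a listed name comes back as 'nxdomain'; going
    straight to a public resolver on port 53 is dropped at the router."""
    if via == LOCAL_DNS_SERVER:
        answer = sinkhole_resolve(name)
        return "nxdomain" if answer is None else answer
    if not egress_allowed(client_ip, port):
        return "dropped by egress rule"
    # Encrypted-DNS path (e.g. port 443): the router never sees the name,
    # so the upstream answer comes back unfiltered.
    return UPSTREAM_ANSWERS.get(name.rstrip(".").lower(), "nxdomain")
```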

~~~
slovette
I can’t fix this apparently, but I meant port 53, not 80. Long days...

------
mikebos
These are somewhat separate problems. But let's begin with ads, tracking and
malware/bots/whatever uses a domain name. You have two different options: SaaS
and self-hosted. It's a matter of opinion, but I would say Pi-hole (self-hosted)
or NextDNS (SaaS); a no-cost SaaS option would be using the AdGuard DNS servers in
your router instead of the ones of your ISP. Personally I use NextDNS; it's
robust and thanks to the options I can tweak it to my needs without having to
upgrade / update stuff. The second part, keeping my network secure, is a bit
more involved; it can mean anything from simply having different wireless
networks for different purposes (IoT, video surveillance and guests are
common) to packet inspection and intrusion detection. Mostly, use the separate
wireless network strategy and forget about the rest; the maintenance is too
high and the gain too low for personal networks.

~~~
mraza007
Just curious, how can you have separate connections?

------
jonpalmisc
Regarding blocking ads, etc. - you might want to check out Pi-hole. It can run
on a Raspberry Pi (hence the name) or just about anything. It’s pretty easy to
set up. Works for blocking ads and trackers, and you can set up additional
blocks as well (for Instagram, for example).

------
runjake
Pi-hole along with any custom blacklists you want (e.g. for social media, porn,
etc).

[https://pi-hole.net/](https://pi-hole.net/)

Blocklists are all over the place, do some googling. I like
[https://firebog.net](https://firebog.net) as a jump off point.

~~~
mraza007
How can I set up Pi-hole? Do I have to get a Raspberry Pi, or can I rent a server
and host it there?

~~~
sloaken
This might help you decide: [https://help.nextdns.io/en/articles/3941241-what-is-the-advantage-of-using-nextdns-over-pi-hole](https://help.nextdns.io/en/articles/3941241-what-is-the-advantage-of-using-nextdns-over-pi-hole)

The instructions on setting up Pi-hole are pretty straightforward. Myself, I
have a few Pis so it was not an issue.

Although I must say the nextdns people might be worth going towards, given the
ability to use anywhere, not just at home. Yeah I can install it in the cloud
but then you have to pay to maintain that.

------
S1lv3rsurf3r
Does it really matter how private & secure your network is when the NSA can
capture all traffic in the upstream? They can't spy on any US citizens, they
say, that's the rule, & they have many oversight committees such as
Congressional oversight committees to watchdog them.

Tricky NSA moved the upstreams & downstreams to South Africa. So a US citizen's
data is no longer in the USA, technically... & they can collect it. Bulk
collection, encryption breaking, data mining with algorithms & keywords....
_but_ they only keep it all for 72 hours, then it gets securely deleted. That's
the way it is, boys. And I'm not a hacker at all, & I found this. I believe the
thing to do is fly stealth under the radar at all times, as minimally as
possible, and count the hours (72) between transmissions.

~~~
mraza007
72 hours is a lot of time. How can you be really secure then and keep your identity
hidden?

~~~
sloaken
I like
[https://www.privateinternetaccess.com/](https://www.privateinternetaccess.com/)

But I suspect the NSA can decrypt their stuff.

I suspect the question breaks down to: 1) are you important or rich enough for
someone to target? 2) Who are you protecting against?

------
giantg2
You can use ethernet connections whenever possible so you aren't broadcasting
as much info.

Not very helpful, but you can also reduce your wifi power and/or place it in
the basement (if you have one) to limit the range (physical attack surface).
You can also schedule the wifi to turn off during hours that you don't need it
(11pm-6am?). This will reduce the amount of time someone could monitor/attack
via wifi. It also reduces your exposure to RF, if you're into that.

------
mixmastamyk
- Make sure you're on a NAT.

- Use privacy-respecting mobile devices, such as Apple.

- Use anti-tracking measures as mentioned, like Pi-hole and/or a hosts-file
service.

- Forbid social media _apps_, they are a scourge.

- Use privacy-respecting browsers like Firefox and Safari. Set protection
higher than standard.

- Consider browser extensions like Ghostery, etc.

~~~
user99099
Apple isn't the end all for privacy at all. Use Linux devices in which you
have 100% control over every aspect, not proprietary black boxes which still
track you.

~~~
mixmastamyk
Sorry, there are no viable Linux mobile devices for regular folks. When one
arrives I'll purchase.

------
avenger123
I just bought a firewalla blue device that handles this. It's a bit expensive
but it really is a no hassle solution. So far I don't regret the purchase.

