What I am worried about is that DNS-based black-holing is trivial to work around (as an ad provider, one could simply force use of a custom DNS client and pin to a DNS resolver of choice). What's next for Pi-hole and solutions like AdGuard DNS short of re-writing packets going through UDP/53? Not sure how one would intercept the DoTLS / DoHTTPS connections, to rewrite those.
I'd like to hear if anyone has some thoughts on this, or if this has been discussed elsewhere.
Firefox 64 for PC, by default, was configured to ignore the OS/network-interface-provided DNS resolver and used Cloudflare's over HTTPS.
Regardless, name-resolution-based ad blocking is relatively futile against even naive workarounds. For instance, what is to stop someone from using a custom DoHTTPS format on any webpage to resolve the name directly in the browser? What's to prevent them from obfuscating it in a way your MITM couldn't realistically detect?
In the end ad blocking is best done directly on the client through something like uBlock Origin. Not only does this allow you to create a network request block list (now with the added capability of reading/filtering on the whole URI) but it also allows for style based blocks where the ad content could even be blocked if it comes from the same server and resources serving the actual page.
Of course, a Pi-hole will not be able to block someone who goes to the length of developing and using a custom DNS-over-TLS or DNS-over-HTTPS webpage.
Similarly, uBlock Origin is not available for anything except browsers. There is nothing preventing native apps from using or pinning different nameservers. On a scale of hardness, using or pinning a specific DNS server is easy and is known to be used in the wild. Custom DoT or DoH is still rare, but I am aware that there will be a time when a significant chunk of the internet will use it.
Name-resolution-based ad blocking is not futile yet. My Pi-hole alone has blocked 5k+ queries in the past 24h.
That sounds horrifying.
Putting a DNS client in Chrome (I think they removed it but who knows), or Chromecast, or whatever is "evolutionary pressure".
It forces users to evolve the solution to work around it. This is good.
If users are forced to learn to use an RPi for DNS (and we can see they are doing that with Pi-Hole), and eventually another pocket-sized computer with open-source software for routing, that benefits the community of users who want to avoid ads.
If avoiding ads is the goal, then using a pocket-sized computer with a user-installed OS is better than a solution marketed by a commercial third-party, as almost always those third parties rely partially/wholly/directly/indirectly on the ad business.
I don't understand why he says you have to route and answer 18.104.22.168. You really don't.
If his point is you can't override the built in DNS without some sort of FW hackery though, then yea his point stands.
- Removes all DNS leak privacy issues, for all Firefox users, automatically
- Removes all possibility for a MitM to view or corrupt DNS queries or responses, for all Firefox users, automatically
And Cloudflare claims to delete all DNS-related logs of Firefox users within 24 hours: https://developers.cloudflare.com/22.214.171.124/commitment-to-priv...
Even if you distrust Cloudflare or think they're not secure against breaches, it's still a massive security and privacy upgrade over using your ISP's DNS servers, which will pretty much always leak sensitive information about your connection (potentially leading to deanonymization while using an anonymizing service) and send/receive everything in unauthenticated plaintext.
And in addition, your ISP likely is less trustworthy and less secure against breaches (even if you aren't using Comcast, Verizon, or AT&T) than Cloudflare. But again, even if you don't trust them, this would still be the best move for security.
Plus it's a big latency decrease and performance boost for most or all users.
My ISP is trustworthy and is in my own city/country. Today I've discovered that all my DNS queries now go to a foreign company that I know nothing about, and did not consent to communicate with.
I'm all for encrypted DNS, but I'm not for my DNS server choice being silently overridden.
Disclosure: I work at Mozilla but not on this.
Encrypted DNS and devices like the Pi-hole provide end users a means of bypassing this behavior by avoiding ISP DNS servers entirely so even where you're trying to go isn't known by them.
Another big concern is privacy from the other side: if you're using Tor or an anonymizing VPN while visiting a website looking to deanonymize users, and the website owners see a DNS query to their nameserver from a Comcast DNS server somewhere in a midwestern state timed perfectly before your HTTP request coming from a Tor exit node or anonymizing VPN, they can potentially infer your broad location and ISP, and potentially narrow your identity down from there (especially if you ever visited that site, or an affiliated site or site that shares data with them, in the past without using an anonymizer), negating the purpose of the anonymizer.
If all they see is a query from 126.96.36.199 or 188.8.131.52, you could be anywhere in the world, using any ISP.
And your ISP can do this in an even more precise way. Customer makes DNS query for siteispsdontlike.com and then immediately sends a lot of traffic to a server registered to an anonymizing VPN company. That tells the ISP "this customer is visiting this 'suspicious' website, and also covering it up by using this specific anonymizer".
We basically seem to both agree with the original GP. Things just got a little confused.
Even in Europe big telcos like Telenor have adtech holdings.
It doesn’t mean you can’t trust your ISP but certainly there are red flags.
But also somewhat common is the router handing out itself as the DNS server, which is really important if you want local domains to resolve correctly. Firefox skipping straight to 184.108.40.206 means it won't be able to resolve my local network servers via name, which is stupid.
1: Maybe not common/used in home use sure, but definitely common in anything run by an IT staff.
Seems like blocking Firefox and Chrome from usurping your DNS choices is going to be much harder going forward. :(
I think the main reason the browsers have added support is so they can get the data they need to make encrypted SNI work. They’re going to have to get operating system APIs to be able to do this from the OS’s resolver or else it will screw all sorts of things up.
So I guess in theory you can block that port outbound to all hosts to handle TLS's use case.
HTTPS is tougher, but just block all traffic to those hostnames with a DNS blacklist.
DoH does, in fact, use 443/TCP, just like regular HTTPS traffic.
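Added example, not part of any comment in this thread: a small flow classifier that applies the three controls discussed above (a pinned resolver on port 53, DoT on its dedicated port 853/TCP, DoH hidden in 443/TCP) and shows where hostname blocklisting stops working. All addresses, hostnames, the `sni` field and the action names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: the local filtering resolver and a hostname blocklist.
APPROVED_RESOLVERS = {"192.0.2.53"}        # e.g. the Pi-hole's address (assumed)
DOH_HOST_BLOCKLIST = {"doh.example.net"}   # hypothetical known DoH endpoint

# Hypothetical policy actions per classification.
ACTION = {"dns-ok": "allow", "dns-bypass": "block", "dot": "block",
          "doh-known": "block", "https-opaque": "allow", "other": "allow"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "udp" or "tcp"
    dport: int
    sni: Optional[str] = None   # TLS server name, if the sensor recorded one

def classify(flow: Flow) -> str:
    if flow.dport == 53:
        # Plain DNS sent anywhere but the approved resolver is a pinned-resolver bypass.
        return "dns-ok" if flow.dst in APPROVED_RESOLVERS else "dns-bypass"
    if flow.proto == "tcp" and flow.dport == 853:
        return "dot"            # DNS-over-TLS has its own port, so it is easy to spot
    if flow.proto == "tcp" and flow.dport == 443:
        name = (flow.sni or "").lower().rstrip(".")
        if name in DOH_HOST_BLOCKLIST:
            return "doh-known"
        # A resolver on an unlisted host looks like any other HTTPS connection.
        return "https-opaque"
    return "other"

def summarize(flows):
    counts = {}
    for f in flows:
        label = classify(f)
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    Flow("10.0.0.20", "192.0.2.53", "udp", 53),
    Flow("10.0.0.21", "198.51.100.7", "udp", 53),
    Flow("10.0.0.22", "198.51.100.7", "tcp", 853),
    Flow("10.0.0.23", "203.0.113.9", "tcp", 443, "DoH.example.net."),
    Flow("10.0.0.24", "203.0.113.80", "tcp", 443, "www.example.org"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, "->", f.dst, f.dport, classify(f), ACTION[classify(f)])
```

The last sample flow is the case raised earlier in the thread: a resolver served from an unlisted host over 443/TCP is classified `https-opaque`, so only the port-53 and port-853 controls and the known-hostname list have any effect.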
Just got a RPi3B+ with all of that from Microcenter for 53 dollars