
I took a look at the domains being used for the consent and saw an interesting JavaScript name: 'messagingWithoutDetection.js'. Looking into it more, I found the documentation [1], where there is this disgusting paragraph:

> The Dialogue Javascript communicates with the Sourcepoint messaging server on a subdomain of the site. The benefit of doing that is to allow messaging cookies to be “first party” and thus, circumventing Safari’s web browser Intelligent Tracking Prevention (ITP). This creates a discrete messaging channel between the publisher’s messaging subdomain and the Dialogue messaging server. Once you have created the subdomain, you should create a DNS CNAME record to direct traffic to the Sourcepoint messaging endpoint message<account id>.sp-prod.net where the account id refers to your account ID in the Sourcepoint user interface.

Luckily uBlock Origin now supports blocking on CNAME records and PiHole is rolling support out for it as well. I maintain a blocklist that I use with the PiHole: https://www.github.developerdan.com/hosts/

[1] https://documentation.sourcepoint.com/web-implementation/sou...

dnscrypt-proxy is already supporting CNAME blocking and full domain based blocking (*.adhost.com), something that is still missing in Pi-Hole.

Pi-Hole does support regex and wildcard based blocking.

Regex is _extremely_ resource inefficient and should not be used with large sets of rules. Dnsmasq's domain redirecting feature (address=/adhost.com/#) is not supported by pihole.

Is there any other way to wildcard block full domains in Pi-Hole?

Look, for example, in your list: d41.co, admaster.com.cn, mixmarket.biz. Chances are extremely slim that all (current) hostnames of those types of domains are currently being blocked.

It is resource inefficient, which is why PiHole supports it, but does not allow you to subscribe to lists containing regex, as that would quickly make it unusable. I'm not sure how Dnsmasq would be accomplishing this feature without some sort of pattern matching logic - which would have the same inefficiencies. Basically O(N) where N is the number of domains/patterns that should be blocked. There could certainly be a cache to keep track of matched/unmatched queries, but I would imagine with the modern web the average case would still be very close to O(N). Just speculation.

Dnsmasq 'address=' function is just a substr() call, which is as fast as 'normal' hostname blocking (host == "adhost.com"). No regex magic is required there.

You are not able to block something like 'ads.%.adhost.com', but only (prepending wildcard) '%.ads.adhost.com', which in practice will cover almost all scenarios where random subdomains are used by adhosts.

Pihole uses a forked version of dnsmasq they named 'Pi-hole FTL engine'. I don't believe there are any features of dnsmasq that cannot be used with the PiHole - but how to configure it to work alongside of PiHole might not be as obvious.

It is possible to use this feature 'in' Pi-Hole, see: https://github.com/notracking/hosts-blocklists/wiki/Install-...

If the regex rules do not require backreferences, it should be possible to implement them in such a way that they run in constant time with respect to the number of rules.

<pedantry> Regex with backreferences isn't really regex at all, in that it no longer corresponds to the regular languages. </pedantry>

> regex is _extremely_ resource inefficient

No, it's not. Is there something wrong with their implementation?
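As an added illustration of two ideas from the thread (it is not code from any commenter, nor from Pi-hole, dnsmasq, dnscrypt-proxy or uBlock Origin): whole-domain blocking done as set lookups on the name's suffixes, so the cost depends on the number of labels rather than the number of rules, combined with a check of every hop in a CNAME chain. The blocklist, the publisher names and the account id `0000` are constructed sample values.

```python
# Constructed sample blocklist of whole domains (not a real list).
BLOCKED_DOMAINS = {"sp-prod.net", "adhost.com"}

# Constructed sample records: name -> CNAME target.
CNAME_RECORDS = {
    "messaging.publisher.example": "message0000.sp-prod.net",
    "cdn.publisher.example": "edge.cdn-provider.example",
    "loop-a.example": "loop-b.example",
    "loop-b.example": "loop-a.example",
}

MAX_CHAIN = 8  # stop following CNAMEs after this many hops


def normalize(name):
    """Lower-case the name and drop a trailing root dot."""
    return name.rstrip(".").lower()


def matching_rule(name, blocked=BLOCKED_DOMAINS):
    """Return the blocked domain that `name` equals or is a subdomain of.

    One set lookup per label suffix: the work grows with the number of
    labels in `name`, not with the size of the blocklist. Matching on label
    boundaries also keeps 'notadhost.com' from matching 'adhost.com'.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def check_query(qname, cnames=CNAME_RECORDS, blocked=BLOCKED_DOMAINS):
    """Follow the CNAME chain from `qname`; return (verdict, chain, rule)."""
    chain, seen = [], set()
    name = normalize(qname)
    while name not in seen and len(chain) < MAX_CHAIN:
        seen.add(name)
        chain.append(name)
        rule = matching_rule(name, blocked)
        if rule:
            return ("blocked", chain, rule)   # a hop is on the blocklist
        if name not in cnames:
            return ("allowed", chain, None)   # end of chain, nothing matched
        name = normalize(cnames[name])
    return ("error", chain, None)             # CNAME loop or chain too long
```

The first-party name `messaging.publisher.example` matches no rule itself and is blocked only because its CNAME target falls under `sp-prod.net`.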
