I find that a whitelist is easier to manage than a blacklist. I am not surfing the entire web every day. Why should every URL in existence be accessible by default? Instead, I prefer every URL is blocked by default. No different from any other firewall configuration. With logging of blocked HTTP requests and DNS lookups, it is easy to discover telemetry.
I think that GUIs are a huge pain. I prefer config files. Also, Little Snitch is not portable across platforms. Mac-only.
Most firewalls are set up as whitelists for incoming connections. Similarly, I set up DNS and HTTP "firewalls" as whitelists for outgoing connections. Zonefiles define the RRs that applications are able to query and lists/maps/tables define the hostnames/URLs that are accepted by the proxy.
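An added example (not code from the commenter or from any of the tools named in the thread) of the default-deny idea described above applied to DNS: every name is blocked unless it matches an allowlist, and the denied queries are tallied per client so that chatty telemetry endpoints show up in the report. The allowlist entries, the client addresses and the log lines are all constructed for this example; the lines are only loosely modelled on a dnsmasq-style query log, so the regular expression would need adjusting for a real resolver's format.

```python
import re
from collections import Counter, defaultdict

# Constructed allowlist: exact hostnames plus "*." suffix wildcards.
# Everything not listed here is denied (default deny).
ALLOWLIST = {
    "example.com",
    "*.example.com",
    "updates.example-linux.org",
}

# Constructed query log, loosely modelled on dnsmasq-style query lines.
SAMPLE_LOG = """\
Mar  1 12:00:01 dnsmasq[412]: query[A] www.example.com from 192.0.2.10
Mar  1 12:00:02 dnsmasq[412]: query[AAAA] telemetry.vendor-tv.example from 192.0.2.20
Mar  1 12:00:03 dnsmasq[412]: query[A] updates.example-linux.org from 192.0.2.30
Mar  1 12:00:04 dnsmasq[412]: query[A] telemetry.vendor-tv.example from 192.0.2.20
Mar  1 12:00:05 dnsmasq[412]: query[A] metrics.phone-os.example from 192.0.2.40
Mar  1 12:00:06 dnsmasq[412]: query[A] api.example.com from 192.0.2.10
"""

# Assumed log shape: "query[<type>] <name> from <client>".
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def is_allowed(name, allowlist=ALLOWLIST):
    """Default deny: a name passes only if it matches an allowlist entry.

    A "*.example.com" entry matches any name below example.com but not the
    apex itself, and the required leading dot keeps "notexample.com" from
    matching.
    """
    name = name.rstrip(".").lower()
    for entry in allowlist:
        if entry.startswith("*."):
            if name.endswith(entry[1:]):  # entry[1:] is ".example.com"
                return True
        elif name == entry:
            return True
    return False


def audit_queries(log_text, allowlist=ALLOWLIST):
    """Return {client: Counter(denied_name -> count)} for every query the
    allowlist would refuse. Repeated hits from one client are the usual
    signature of a device phoning home."""
    denied = defaultdict(Counter)
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue  # not a query line; ignore
        name, client = match["name"], match["client"]
        if not is_allowed(name, allowlist):
            denied[client][name.rstrip(".").lower()] += 1
    return dict(denied)


def report(denied):
    """Render the audit as text, noisiest client first."""
    lines = []
    for client, names in sorted(denied.items(), key=lambda kv: -sum(kv[1].values())):
        lines.append(f"{client}: {sum(names.values())} denied")
        for name, count in names.most_common():
            lines.append(f"  {count:>4}  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_queries(SAMPLE_LOG)))
```

Anything that appears in the report is either a legitimate service that still needs an allowlist entry or a candidate telemetry endpoint; that triage step is the manual part of running a whitelist, and the per-client grouping is what makes it tractable.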
I don't understand why you would use macOS if you care about privacy. Why do you use it? (Just to be clear, this isn't "boo macOS sucks", I'm genuinely curious why so many people use it (especially in IT-inclined communities))
This was started 11 days ago. I would also start out with all domains in beta. If you add the list to pi-hole you will eventually get the domains once they are "stable" either way.
Some devices started to use hardcoded IPs to phone home, so purely domain name based blocklists won't work with them. Is there a similar project with upgradable IP lists to deal with them too? That would be technically a firewall, but then ideally it should also implement DNS based blocking since we're protecting also from the inside.
It would be a nice product to build around any of those ARM small boards with dual Ethernet and WiFi such as the NanoPi R1 and similar ones.
Not exactly what you’re asking, but dnscrypt-proxy has IP-based block lists. You list IPs and then any domain that resolves to one of those IPs is blocked. Works when companies set up domains that actually resolve to some 3rd-party data tracker.
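An added example (not code from the commenter and not dnscrypt-proxy's own implementation) of the mechanism the comment describes: a resolver-side filter that inspects the A/AAAA answers for a name and refuses the whole response when any answer falls inside a listed address or CIDR range. The blocked networks and the sample answers are constructed, using documentation address ranges, and the choice to block the entire response rather than strip the offending records is an assumption made here.

```python
import ipaddress

# Constructed IP block list: single addresses and CIDR ranges.
# Addresses come from the RFC 5737 / RFC 3849 documentation ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",    # constructed: a hosting range used by a tracker
    "198.51.100.7/32",   # constructed: one specific tracker address
    "2001:db8:dead::/48",  # constructed: an IPv6 range
)]

# Constructed upstream answers: name -> records the resolver returned.
# A CNAME target is included to show non-address records are skipped.
SAMPLE_ANSWERS = {
    "www.example.com": ["192.0.2.10", "2001:db8:1::10"],
    "cdn.shop.example": ["192.0.2.44", "203.0.113.9"],
    "stats.vendor.example": ["198.51.100.7"],
    "ipv6only.example": ["2001:db8:dead:beef::1"],
    "alias.example": ["target.example.", "192.0.2.1"],
}


def listed_answers(answers, networks=BLOCKED_NETWORKS):
    """Return the subset of answers that fall inside a blocked network.

    Non-address records (CNAME targets, malformed strings) are ignored
    rather than treated as hits.
    """
    hits = []
    for record in answers:
        try:
            addr = ipaddress.ip_address(record)
        except ValueError:
            continue
        if any(addr in net for net in networks):
            hits.append(record)
    return hits


def filter_response(name, answers, networks=BLOCKED_NETWORKS):
    """Decide what to do with a resolved name.

    Returns ("BLOCK", hits) when at least one answer is listed, so a
    domain that fronts a tracker through any of its addresses is refused
    as a whole, otherwise ("ALLOW", []).
    """
    hits = listed_answers(answers, networks)
    if hits:
        return "BLOCK", hits
    return "ALLOW", []


def audit(answer_map, networks=BLOCKED_NETWORKS):
    """Run the filter over a batch of names; returns {name: hits} for the
    names that would be blocked."""
    blocked = {}
    for name, answers in answer_map.items():
        verdict, hits = filter_response(name, answers, networks)
        if verdict == "BLOCK":
            blocked[name] = hits
    return blocked


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_ANSWERS).items():
        print(f"BLOCK {name}: resolved to {', '.join(hits)}")
```

The check has to run after resolution, which is why it belongs in the resolver rather than in a hosts-style domain list, and it only sees queries that actually pass through that resolver; a client doing its own DoH never reaches it, which is the limitation raised elsewhere in this thread.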
Actually blocking IPs as you’ve said is a harder problem sadly.
Why? If the devices use hardcoded IPs, then those should be fairly static so fairly easy to maintain in some list.
I'd think that the best workaround for doing these kinds of shenanigans will be using some form of DoH, in which case the countermeasure would be to set up an HTTP proxy which wouldn't allow http connections to "naked" IP addresses.
DNS based block lists are incredibly easy to implement and maintain and require very little resources. All of the complaints from corporate IT admins about DoH demonstrate this. (I believe Chrome still won't default to DoH for corporate managed browsers)
Any normal home user can set up dnscrypt-proxy or PiHole and have it 'protect' their whole home network, but actually filtering your whole network's traffic based on IP is out of reach for most.
Blocking the IP means having something in the traffic flow. This would likely be a firewall if your aim is to block any "weird" connection from your network. But both firewalls and proxies are substantially more challenging than your run-of-the-mill Raspberry Pi Zero and PiHole.
That would be the goal. Malicious actors aren't going away anytime soon, so I would expect more and more devices in the future to use either encrypted or off-standard DNS queries to different ports, if not downloading ads and uploading telemetry disguised as system upgrades. We'll likely get to a point in which we'll need to block connections address by address, in the hope they won't set up their malware on addresses and ports we can't block to keep the device functionality.
You can DNAT outbound port 53 connections to an internal server. Any router/firewall with configurable NAT can do this. This is a must with some smart TVs for example.
My Mikrotik router does this easily. You can tell it (with a Firewall NAT rule) "any outbound connection to port 53 is to be redirected to this internal IP and port" -- and this internal IP and port is where my PiHole is.
Yup, with the Adblock package on OpenWrt this was a one-click option in the GUI. Doesn’t help with DoH unfortunately, but it definitely helps in general.
Those JSONs all link to the real source. This metadata is probably NextDNS specific. If you open the JSON, copy the link and add it to your pi-hole/AdGuard Home setup and you're set.
I recently found that my mesh Wi-Fi was logging all outgoing traffic. In a 4-person household where we are all online, the two Android devices absolutely dominate the logs with telemetry. Samsung Smart TVs are pretty chatty too.
Why... not add these to the default tracking lists used in pihole and call it a day?
Been using pihole on 1. a Zero W and 2. a 3B+ for over a year now at two places. Around 2 mil domains in the list and 70%-80% domains blocked like always.
Wouldn't it be more efficient to send imaginary data instead of completely blocking telemetry? Blocking your own telemetry data results in Google collecting just a bit less info about you. They can still make a decent profile about you from data they collect from other user devices.
On the other hand, if you poison the well you compromise other user data as well. Detecting and filtering out invalid data takes time and effort, and by the time it is detected the bogus data has already been replicated and used to drive decisions. BTW, would it be legal to inject bogus telemetry?
There was a Chrome plug-in maybe a year or two ago that did something similar. It automatically clicked every ad on the page. It ended up impacting revenue / billing enough that Google removed it.
I find Microsoft is absolutely crazy. I have a Win 10 PC I mainly use for Prime Video and some idle browsing when I can't be bothered to turn on my main PC (which runs Linux).
All my browsers have some form of adblock extension. uBlock for Firefox/Linux and Edge/Win10, and AdGuard on Safari/MacOS.
According to the stats of my pi-hole over the last 24 hours, more than 50% of the queries originating from my Win 10 PC were blocked (6277 blocked out of 11930 total).
For comparison, my Mac, which is the computer I've used the most for actual browsing since last Friday afternoon, only had 1292 blocked queries out of 7100.
The Linux PC usually has extremely low numbers of blocked queries. It's probably thanks to the combination of uBlock and uMatrix and it running Arch, so practically nothing even tries to phone home.
Of course the PiHole default ‘Steven Black’ list is also a combination of many well maintained lists and so even if you don’t add lists, his project is regularly adding new sources.
I have found https://firebog.net/ to be a good source for generally non-disruptive lists, which you can pick and choose from based on your needs. Hope this helps.
There was a discussion here a few days ago that showed how misleading this statistic can be, by pointing out that Apple is sending home geolocation while Android isn't. The conversation needs more nuance than who sends the most bytes.
There is nothing you can do about devices/apps that really want to use their own servers (DNS over HTTPS, pinned certificate), short of keeping them offline.
Is forcing all port 53 traffic to your pi-hole something that can be done on the pi itself? Are there any websites you could link to that would go into more detail?
You have to do this on your router, so it's model-specific. Searching "<your router model> Pi-hole redirect" will likely turn up something of assistance.
It is crazy that people have to resort to such solutions. Why isn't telemetry illegal? If you were going to track someone in real life, you'd end up in jail in no time, but on the internet it is fine?
You can sell someone a physical device that makes a lot of noise and then sit outside their home and write down each time they use it. Nobody would be able to stop you.
This is bogus circular logic and you know it. People want to use thing X and will blindly press "I agree" because they simply see it as a door handle before entering somewhere.
Having such long ToS-es that "protect" the company against any eventuality should be by itself illegal.
It's a rigged system is what this whole thing is. Let's not pretend otherwise, please.
Life by design is rigged and there is little we can do to change it. Natural selection may help with some problems, but it is also cruel in its nature. Knowing it does not mean we should not try to make the world a better place; we should. But there are fundamental limitations like IQ, free will, laws of physics etc. that we should not forget about. Going back to the ToS problem, they could probably offer a more expensive version with a ToS aimed at more demanding customers, so that they could opt out by paying more. I think it would be fair.
Would people read ToS, if they were more "attractive"? Well, maybe some, but then again, it would be a chore anyway. I do not see a way to make people spend a substantial amount of time on it, if they are not absolutely forced to do it (for example if the stakes are high). However, I do not have any papers to back it up, it is just my hunch.
For sure, because it's empty.