
In my case, I couldn't imagine configuring LittleSnitch to only allow certain hostnames from my browser. It has an "allow all traffic to 53/80/443" rule, otherwise most websites would flood me with hundreds of new LittleSnitch popups.



You'd think so, but the way I've set it up Little Snitch throws up a dialog box when a browser makes errant requests but otherwise remains silent. Most recently this caught Firefox trying to force DNS over HTTPS despite me having disabled it when it first became generally available. I suppose leaking DNS requests to Cloudflare isn't the worst thing in the world, but it would circumvent the ad blocking I've set up locally.


How _do_ you have it set up? What does errant request mean in this case? A request to a domain that you haven't allowed before?


Ah so I just dug into the rules. What happened was a plugin made a DNS request to mozilla.cloudflare-dns.com. I've nothing special set up for Firefox, but basically no rules for plugin-container, so when a plugin tries to make a DNS request Little Snitch pops up an alert.

Not great I suppose, but better than nothing. Generally what I'll see for Firefox itself are requests for non-80/443 ports.


Better cloudflare than your ISP that's already explicitly intercepting your dns queries to sell your data/profile.


False dichotomy. Not only am I pretty sure Sonic isn't selling my DNS queries, I've already opted out of DNS over HTTPS. Refusing to respect the choices I've made is worse than not.

Besides, unencrypted SNI means that if my ISP wanted to get the hosts I was looking at, they could.


Unencrypted SNI is fairly rare now.


Is it? The best I could find was a bit from 2021 that showed 92 of the Alexa Top 1000 sites supporting ESNI. If adoption has skyrocketed since then that's great… meanwhile Firefox is showing HN negotiated a TLS 1.2 connection with no ESNI support.


Yeah. I noticed even server-side software is using it less too. Kind of annoying if you use SNI inspection as part of your egress security.
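The two comments above hinge on the fact that, without ESNI/ECH, the server name travels in the clear in the first packet of a TLS session, which is exactly what egress SNI inspection reads. The following is an added example (not code from anyone in this thread) that builds a constructed TLS 1.2 ClientHello, pulls the server_name extension back out of it the way an inspection point would, and applies a hypothetical egress allow-list; the hostnames, cipher suite and allow-list are assumptions chosen for illustration.

```python
import struct

def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture)."""
    name = hostname.encode("idna")
    # ServerNameList: name_type(1)=host_name, name length(2), name
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = b""
    if with_sni:
        extensions += struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    # An unrelated extension (ec_point_formats) so the parser has to skip past something.
    extensions += struct.pack("!HH", 0x000B, 2) + b"\x01\x00"
    body = (
        b"\x03\x03" + b"\x00" * 32               # client_version + random (zeroed: constructed)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xC0\x2F"     # one cipher suite (assumed)
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from the server_name extension, or None if absent/not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # 0x01 = ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    p = 34                                            # skip version + random
    p += 1 + body[p]                                  # session_id
    if p + 2 > len(body):
        return None
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]    # cipher_suites
    if p + 1 > len(body):
        return None
    p += 1 + body[p]                                  # compression_methods
    if p + 2 > len(body):
        return None                                   # no extensions block at all
    ext_total = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    end = min(p + ext_total, len(body))
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        edata = body[p:p + elen]
        p += elen
        if etype != 0x0000:                           # not server_name: skip
            continue
        if len(edata) < 5:
            return None
        list_len = struct.unpack("!H", edata[0:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = edata[q]
            name_len = struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                        # host_name
                return name.decode("idna")
    return None

def egress_verdict(record: bytes, allowed_suffixes):
    """Hypothetical egress policy: allow only SNI values under an allow-listed suffix.
    A ClientHello with no readable SNI (ESNI/ECH or a non-TLS flow) cannot be classified
    by name, which is the inspection gap the thread is talking about."""
    sni = extract_sni(record)
    if sni is None:
        return "unclassifiable", None
    ok = any(sni == s or sni.endswith("." + s) for s in allowed_suffixes)
    return ("allow" if ok else "deny"), sni

if __name__ == "__main__":
    allow = {"ycombinator.com"}                       # assumed allow-list
    for host, sni in [("news.ycombinator.com", True), ("ads.example", True), ("example.com", False)]:
        print(host, egress_verdict(build_client_hello(host, sni), allow))
```

The parser only handles an uncompressed single-record ClientHello, which is what appears on the wire at the start of a session; a production inspector would also reassemble across TCP segments and tolerate TLS 1.3's outer SNI when ECH is in use.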


Can you elaborate on why you'd want to opt out of DNS over HTTPS? I was under the impression that it was useful and good for privacy, but I may be misinformed.


It breaks DNS-based blocking if you have it set up. Some people set up ad-blocking so that it encompasses their entire network, and the way this works is that it silently drops DNS requests to ad domains on the edge of your local network.


I have a local DNS server to access servers and other resources on my network. DNS over HTTPS breaks this.


It doesn't actually break this but it does leak all of your local DNS queries to Cloudflare.
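The network-wide DNS blocking described a few comments up, and the reason DoH slips past it, can both be shown with a small resolver front-end. This is an added example, not code from any commenter: it parses the question section of a raw DNS query, drops queries for ad domains exactly as the comment describes, and additionally flags the one plain-DNS lookup a DoH client still has to make, the bootstrap resolution of the DoH server's own hostname (mozilla.cloudflare-dns.com from the thread), after which its queries move to port 443 and the local resolver never sees them again. The blocklist entries and the other DoH hostnames are assumptions.

```python
import struct

# Constructed blocklist; a real deployment loads entries from list files (assumption).
AD_BLOCKLIST = {"ads.example", "tracker.example"}
# Hostnames of public DoH resolvers. A plain-DNS lookup for one of these is the bootstrap
# step before a client switches to DoH; it is the last query the local resolver will see.
DOH_BOOTSTRAP_HOSTS = {"mozilla.cloudflare-dns.com", "dns.google", "dns.quad9.net"}

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS query packet (A record, recursion desired) for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + labels + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN

def parse_question(packet: bytes):
    """Return (txid, qname, qtype) from the first question of a DNS packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    p, labels = 12, []
    while True:
        ln = packet[p]
        p += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[p:p + ln].decode("ascii").lower())
        p += ln
    qtype, _qclass = struct.unpack("!HH", packet[p:p + 4])
    return txid, ".".join(labels), qtype

def domain_matches(qname: str, domain_set) -> bool:
    """True if qname or any parent domain of it is in domain_set."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in domain_set for i in range(len(parts)))

def classify(qname: str) -> str:
    if domain_matches(qname, AD_BLOCKLIST):
        return "block"             # dropped silently, per the comment above
    if domain_matches(qname, DOH_BOOTSTRAP_HOSTS):
        return "doh-bootstrap"     # forwarded, but worth logging: the client is about to bypass us
    return "forward"

def decide(packet: bytes):
    """Verdict for one raw query: ('block' | 'doh-bootstrap' | 'forward', normalized qname)."""
    _txid, qname, _qtype = parse_question(packet)
    return classify(qname), qname

if __name__ == "__main__":
    # Constructed sequence of queries as a resolver on the network edge would see them.
    for name in ["news.ycombinator.com", "cdn.ads.example", "mozilla.cloudflare-dns.com", "printer.lan"]:
        verdict, qname = decide(build_query(name))
        print(f"{qname:28} -> {verdict}")
```

Everything after the doh-bootstrap line in the demo is invisible to this filter in practice: once the client has the resolver's address, the local blocklist and the local names (printer.lan in the sample) are resolved, or leaked, over HTTPS instead, which is the complaint in the comments above.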


I trust my ISP a lot more than cloudflare, in part because there's actual competition and I picked one with a strong privacy focus.


And in some/many jurisdictions, your ISP is more regulated by your local government (also in regards to data protection) than cloudflare who has no obligation to you.


Picked...an ISP? What is this fantastical idea?

- An American


Granting monopolies by default, even if geographically contained, might not end up being the best way to go about competition and free markets.



