this post was submitted on 18 Apr 2024
My experiences with Pi-hole (scribe.disroot.org)
submitted 6 months ago* (last edited 6 months ago) by duikbrilletje@scribe.disroot.org to c/privacy@lemmy.ml

Pi-hole has helped improve my "relationship" with Firefox, or better phrased with Firefox forks like LibreWolf and Tor Browser. The cool thing with Pi-hole is that you can watch the query log and see what happened in the background while you were surfing the Internet. I learned that:

  • After removing the sponsored shortcuts in Firefox and putting your own shortcuts there, Firefox will make connections each time you start the browser. So, if you had icons on your quick start page in Firefox for, let's say, EFF, Lemmy, Mastodon and HackerNews, with each Firefox start-up it would query these sites, which I didn't like so much. Since then I've gone back to a completely blank start page, removing search and all those quick start icons, using just toolbar folders with bookmarks.

  • Pi-hole defaults to blocking telemetry for Firefox and Thunderbird.

  • Signal uses Google servers I saw via Pi-hole. I thought that they were using Amazon servers, but looking at Wikipedia for the history of Signal hosting I learned that Signal went back to Google for hosting.

  • Firefox push notification services are hosted on Google servers. LibreWolf removes a lot of Google things that Firefox has by default, but not the push parts. With Pi-hole it is very easy to block that.

[–] Turun@feddit.de 0 points 6 months ago (3 children)

DNS over HTTPS is immune to that firewall method, right?

[–] Pete90@feddit.de 0 points 6 months ago

With most firewalls, there is an option to download IP lists for blocking. There are several lists I don't recall right now that aggregate DoH services. It's not perfect, but better than nothing.

[–] lemmyvore@feddit.nl 0 points 6 months ago (1 children)

Yes but I think OP is referring to plain DNS requests to a preferred server.

You can hijack port 53 and redirect them to your preferred server. Also acts as a method of hardening DNS for devices and apps that do not support encrypted DNS.

[–] Turun@feddit.de 0 points 6 months ago* (last edited 6 months ago)

Some devices will use a hard coded DNS instead of respecting the one on the network

Right, and I am pointing out that non-cooperative devices still won't be blocked by pihole if they so desire.

[–] ZeDoTelhado@lemmy.world 0 points 6 months ago* (last edited 6 months ago) (1 children)

I was making a quick check, and yes, the DoH situation is a bit more dicey. From how I see it, the best way to make this work is to, at the firewall level, either block as much as possible any requests that look like DoH (and hope whatever was using that falls back to regular DNS calls) or set up a local DoH server to resolve those queries (although I am not sure if it is possible to fully redirect those). In that sense, pihole can't really do much against DoH on its own.

EDIT: decided to look a bit further on the router level, and for pfSense at least this is one way to do this: recipe for DNS block and redirect.

[–] Turun@feddit.de 0 points 6 months ago* (last edited 6 months ago)

Right, so following that link there are three ways for DNS:

  • Classic on port 53

  • DNS over TLS on port 853

  • DNS over HTTPS

The first two can be blocked, because they have specific ports exclusively assigned to them. DoH can't be blocked reliably, because it is encrypted and on a common port. Though blocking 443 on common DNS resolvers can force some clients to fall back to one of the variants that can be blocked/redirected.
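The port-based policy the thread converges on (redirect port 53 to the Pi-hole, block 853, block 443 only to addresses on a DoH resolver list, as lemmyvore, Pete90 and Turun describe), run as detection logic over constructed flow records. This is an added example, not code from the thread or the Pi-hole project; the Pi-hole address, the resolver list and the log format are assumptions using documentation-range addresses.

```python
# Added example (not from the thread): apply the port-based DNS policy the
# comments describe to constructed outbound-flow records.
#   port 53  -> redirect to the Pi-hole (hard-coded resolvers included)
#   port 853 -> block (DNS over TLS has a dedicated port)
#   port 443 -> block only when the destination is on a DoH resolver IP list
# All addresses are documentation-range placeholders, not a real blocklist.
from ipaddress import ip_address, ip_network
import re

PIHOLE = ip_address("192.0.2.53")                 # assumed Pi-hole LAN address
DOH_RESOLVERS = [ip_network("203.0.113.0/24")]    # stand-in for a downloaded list

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def classify(dst: str, proto: str, dport: int) -> tuple[str, str]:
    """Return (transport, action) for one outbound flow."""
    d = ip_address(dst)
    if dport == 53:
        # Plain DNS: send everything to the Pi-hole, even hard-coded servers.
        return ("dns53", "allow" if d == PIHOLE else "redirect-to-pihole")
    if dport == 853 and proto == "tcp":
        return ("dot", "block")            # DoT is unmistakable: its own port
    if dport == 443 and any(d in net for net in DOH_RESOLVERS):
        return ("doh-suspected", "block")  # only detectable via the IP list
    return ("other", "allow")              # DoH to an unlisted host passes

def apply_policy(log_text: str) -> dict[str, int]:
    """Count transport:action pairs over key=value flow lines; malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        _src, dst, proto, dport = m.groups()
        transport, action = classify(dst, proto, int(dport))
        key = f"{transport}:{action}"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample flows (TEST-NET addresses only).
SAMPLE_LOG = """\
src=192.0.2.10 dst=192.0.2.53 proto=udp dport=53
src=192.0.2.11 dst=198.51.100.9 proto=udp dport=53
src=192.0.2.11 dst=198.51.100.9 proto=tcp dport=853
src=192.0.2.12 dst=203.0.113.7 proto=tcp dport=443
src=192.0.2.12 dst=198.51.100.80 proto=tcp dport=443
garbage line
"""

if __name__ == "__main__":
    for key, n in sorted(apply_policy(SAMPLE_LOG).items()):
        print(f"{key}: {n}")
```

The last sample flow shows the limit Turun points out: HTTPS to a host that is not on the resolver list is indistinguishable from ordinary web traffic and is allowed.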