Pi hole is an amazing tool and gives a lot of insight on what is being queried and blocked against the block lists. Also, makes completely transparent on the entire network to have nasty things blocked. One thing I will mention to make the setup better: make sure on the firewall level you can have a rule that makes every request for a DNS to go through pi hole. Some devices will use a hard coded DNS instead of respecting the one on the network
this post was submitted on 18 Apr 2024
116 points (97.5% liked)
Privacy
29820 readers
804 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
founded 4 years ago
MODERATORS
Dns over https is immune to that firewall method, right?
Yes but I think OP is referring to plain DNS requests to a preferred server.
You can hijack port 53 and redirect them to your preferred server. Also acts as a method of hardening DNS for devices and apps that do not support encrypted DNS.
Forgot to mention the port but that's it. Notorious devices like smart TVs and consoles like to use the hard coded DNS method
Some devices will use a hard coded DNS instead of respecting the one on the network
Right, and I am pointing out that non-cooperative devices still won't be blocked by pihole if they so desire.
Only if they do encrypted DNS, and you can still block them, you just can't force them to use the DNS you want. Embedded devices tend to avoid encryption to cut down on hardware requirements, they typically even pull their updates over unencrypted connections. IoT is a crazy world. 😃
And may I point out that if you have embedded devices freely connecting to the Internet you have a lot bigger problems than the fact they use encrypted DNS. Hell you should be so lucky for them to use encrypted DNS, at least it would be secure.
What would be an example of an embedded device?
Media players, TVs, IP cameras, lightbulbs... anything with wifi capability really.
Is there a safe way to use these devices? I’m moderately tech savvy at best, and I do worry a lot about my tv. I also use some smart plugs to manage equipment on my aquarium, but that’s it. I’ve considered the implications of these devices, but didn’t know if there was anything I could do about it.
Who do you think developed DoH? Google has it's paws on everything. It may be private, but as soon as I see Google, I'm out of there.
I was making a quick check, and yes, the DoH situation is a bit more dicey. From how I see it, the best way to make this work is to, at the firewall level, either block as much as possible any requests that look like DoH (and hope whatever was using that falls back to regular DNS calls) or setup a local DoH server to resolve those queries (although I am not sure if it is possible to fully redirect those). In that sense, pihole can't really do much against DoH on its own
EDIT: decided to look a bit further on the router level, and for pfsense at least this is one way to do this recipe for DNS block and redirect
Right, so flowing that link there are three ways for DNS:
Classic on port 53,
Dns over TLS on port 853
Dns over https.
The first two can be blocked, because they have specific ports exclusively assigned to them. DoH can't be blocked reliably, because it is encrypted and on a common port. Though blocking 443 on common DNS resolvers can force some clients to fall back to one of the variants that can be blocked/redirected
With most firewalls, there is an option to download ip lists for blocking. There are several list I don't recall right now, that aggregate DoH services. It's not perfect, but better than nothing.
What does something like this look like? I have an Orbi pro but have never really messed with firewall settings
Hm.... I am not familiar with that device myself, and since I use opnsense for a while I forget most people do not use routers outside of the provided one.
But in a theoretical sense, this firewall rule should look something like this:
- origin of traffic is any IP that goes into port 53
- outgoing traffic has to go to pi hole on port 53
Perfect thank you. My brain gets that. Had a long day of work working on IP centrex phones remotely with dumb end users.
Oh man glad you have learned about the favicons issue it's insane that we just accept such an easily fingerprintable method of getting TINY IMAGES. Is there a way to cache all of it? I just disable everything lol
After removing the sponsored shortcuts in Firefox...
with each Firefox start up, it would query these sites.
I don't like that. Sponsored sites get a free ping from FF?! I thought those icons would be preloaded.
It's for the thumbnail/logo
Yeah. I thought about that. When you add an icon to your rows of shortcuts in Firefox and it fails to fetch the correct icon and gives it a generic letter instead and you want to add an icon yourself you cannot just upload or insert an icon to your Firefox, you will need to point it to some web link where the remote icon is. I can imagine Firefox wants to check at each startup whether the remote icon has changed or not (Not completely unreasonable. Think about Twitter changing to X).
Come on, who are we kidding. 😄 It's done for pings. The privacy implication is so in-your-face there's no way they missed it. 🙂
Favicons are from 99. The technology and handling of them wasn’t developed to invade your privacy.
We're talking about images on your homepage, which phone home every time you open the browser, and even each time you open a new tab.
You can't possibly believe that an organization that has been making a browser for a living for decades missed the implications of that.
on my firefox those are all favicons. when you say that "they" phone home, what's happening is that the browser is requesting the favicon for the sponsored links so it shows the right mini logo above the name of the website. if you want to disable this behavior, you can simply disable sponsored links with the gear menu in the top right corner.
if you want to disable all favicons, disable browser.chrome.favicons (old?) and/or browser.chrome.site_icons and browser.shell.shortcutFavicons in about:config, clear your cache and restart.
i'm pretty sure that firefox pulls favicons from cache for favorites or recents or whatever, but i haven't checked.
The icon thing can be worked around with something like heimdall. I host my own docker container of it and just set that as my startup page in my browser. Looks much nicer than a blank page and everything happens in my own network.
How does pi-hole help with Tor Browser? Does DNS not go through the Tor network?
You're right. My point was that Pi-hole made me appreciate the Firefox forks more because the plain Firefox is FULL of GOOGLE!
That's what 500 million dollars of google money per year does to a "private" browser :)
It does. Probably op meant something different
Ever since using comouters I wonder why it is not built in to monitor your queries.
I haven't used it in quite a long time but not because it was bad but just because it only worked on my wifi and I didn't want to try to set up a VPN to get it to work on mobile but I found that Control D has a free ad block and malware block DNS that can be done with DNS over HTTPS and so that is what I use
I am more interested in Technitium
Looks overly complicated ~~and needing Winblows commands is a huge no for me.~~ Using anything Winblows is a huge nope.
Edit: I was mistaken. Technitium DNS server does not have anything to do with windows, but their Get HTTPS product does.
It doesn't need Windows. Its a docker container and a full fledged DNS server unlike Pi hole.
You are correct, I mixed it with their Free Get HTTPS product. I apologize, my mistake. Still hate windows.
So how do you feel about Windows?
