
Comment by TechDebtDevin

1 month ago

Use and Configure Pi-Hole[0]

[0]:https://jeffmorhous.com/block-ads-for-your-entire-network-wi...

Also a video for those more YT inclined: https://www.youtube.com/watch?v=eCA24qJBG8Q

This does nothing for a mobile device that either concurrently maintains its cellular 'data' connection together with its Wi-Fi connection (and whose apps are permitted to access both)—or leaves the LAN without connecting remotely via a force-tunneled VPN. And even with such a VPN, the cellular NIC continues to maintain baked-in alternate routes on both Android and iOS. All that's before we even get into specific Pi-Hole and LAN config, not to mention DoH.

Krebs and everyone else he cites is right—it's time for Apple and Google to eliminate MAID altogether.

ETA: Do not downvote this parent! Use trustworthy ad blockers anywhere and everywhere you can!

DoH/DoT along with hardcoded IPs make DNS ad blocking impossible.

  • Not completely impossible. You could have a default deny firewall, have your DNS resolver trigger an update to allow outgoing connections to the resolved IPs, and possibly also require connections pass through an SNI-sniffing proxy that only allows domains that your DNS resolver has allowed. Essentially by default you'd be blocking all custom protocols, and you'd only allow what looks like well-behaved TLS web traffic to allowed domains to flow.

    Bad traffic could flow to a "good" domain, and then you need to decide whether that domain is actually "good".

    • couldn't they just hide their ad endpoints behind the proxy that serves their site? I can think of multiple ways to do this that aren't very difficult. I have had to implement something in my work to get past certain adblocking behavior that was going by domain

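The default-deny scheme sketched in the comment above, as an added example (not code posted by anyone in this thread): a resolver hook opens a firewall hole only for the IPs it actually answered with, a Pi-hole style blocklist means a blocked name never opens a hole at all, and the first packet of each allowed flow must be a TLS ClientHello whose SNI is a domain that resolved to that destination. The ClientHello builder, the `EgressGateway` class and the TEST-NET addresses are constructed for the demo. The cases cover the hardcoded-IP and DoH bypass mentioned earlier in the thread (no resolver answer, so no hole), an SNI that does not match the IP, non-TLS traffic, and the caveat raised in the reply: ads served from the "good" domain itself pass the check unchanged.

```python
"""Default-deny egress with resolver-driven allow rules and a first-packet SNI check.
Constructed example: parser, gateway model and sample traffic are all built inline."""
from __future__ import annotations

import struct
from ipaddress import ip_address


def parse_sni(client_hello: bytes) -> str | None:
    """Return the host_name from a ClientHello's server_name extension, else None.
    Truncated or non-TLS input raises inside the try and is treated as 'no SNI'."""
    try:
        if client_hello[0] != 0x16:                                    # TLS handshake record
            return None
        body = client_hello[5:5 + struct.unpack("!H", client_hello[3:5])[0]]
        if body[0] != 0x01:                                            # handshake type ClientHello
            return None
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                                   # legacy_version + random
        pos += 1 + hs[pos]                                             # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]             # cipher_suites
        pos += 1 + hs[pos]                                             # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]        # extensions length
        pos += 2
        if end > len(hs):
            return None
        while pos + 4 <= end:                                          # walk the extension list
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data, pos = hs[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type != 0x0000:                                     # 0 == server_name
                continue
            p = 2                                                      # skip ServerNameList length
            while p + 3 <= len(data):
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                if data[p] == 0 and len(name) == name_len:             # NameType host_name
                    return name.decode("ascii").lower()
                p += 3 + name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def build_client_hello(sni: str | None) -> bytes:
    """Constructed minimal ClientHello used as sample traffic (one cipher suite, two extensions)."""
    exts = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"            # supported_versions, skipped by parser
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                      # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                             # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


class EgressGateway:
    """Default-deny egress: an IP is reachable only after the local resolver answered with it,
    and then only for TLS whose SNI is a domain that resolved to that IP."""

    def __init__(self, blocked_domains):
        self.blocked = {d.lower() for d in blocked_domains}
        self.allowed: dict[str, set[str]] = {}                         # ip -> domains that resolved to it

    def on_dns_answer(self, domain: str, ips) -> bool:
        """Resolver hook: a blocked name gets no answer and opens no firewall hole."""
        domain = domain.lower()
        if domain in self.blocked:
            return False
        for ip in ips:
            self.allowed.setdefault(str(ip_address(ip)), set()).add(domain)
        return True

    def decide(self, dst_ip: str, first_bytes: bytes) -> tuple[str, str]:
        """Verdict for a new flow given its destination and first packet."""
        domains = self.allowed.get(str(ip_address(dst_ip)))
        if not domains:
            return "deny", "destination never came from the resolver (hardcoded IP or DoH)"
        sni = parse_sni(first_bytes)
        if sni is None:
            return "deny", "not a TLS ClientHello carrying SNI"
        if sni not in domains:
            return "deny", f"SNI {sni} did not resolve to {dst_ip}"
        return "allow", f"{sni} -> {dst_ip}"


def run_demo() -> dict[str, str]:
    """Constructed scenario on TEST-NET addresses; returns the verdict for each case."""
    gw = EgressGateway(blocked_domains=["ads.example.net"])
    gw.on_dns_answer("example.com", ["203.0.113.10"])
    gw.on_dns_answer("ads.example.net", ["203.0.113.20"])              # blocked, so no hole opens
    return {
        "site":               gw.decide("203.0.113.10", build_client_hello("example.com"))[0],
        "blocked_ad_domain":  gw.decide("203.0.113.20", build_client_hello("ads.example.net"))[0],
        "hardcoded_ip":       gw.decide("198.51.100.5", build_client_hello("example.com"))[0],
        "sni_mismatch":       gw.decide("203.0.113.10", build_client_hello("ads.example.net"))[0],
        "no_sni":             gw.decide("203.0.113.10", build_client_hello(None))[0],
        "not_tls":            gw.decide("203.0.113.10", b"\x00\x01\x02\x03\x04\x05")[0],
        # the caveat from the thread: ads served from the "good" domain itself look identical
        "ads_on_good_domain": gw.decide("203.0.113.10", build_client_hello("example.com"))[0],
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:20} {verdict}")
```

The SNI check is only a plausibility filter: it reads one unencrypted field from the first packet, so it catches apps that skip DNS or connect to an IP with a name that never resolved to it, but nothing in it distinguishes an ad request from a page request once both ride the same domain, which is exactly the limitation the reply points out. In TLS 1.3 with Encrypted Client Hello the SNI field would not be visible at all.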

  • Not sure why you're downvoted.

    You create a server and host it on IP x. You create a cert for it. You add the public key to your app.

    Your app can now communicate with that IP over port 443 with that certificate. Remember that the idea that the domain must match the one in the certificate is a setting, enforced by the browsers. If you run your own code you can perfectly override that.

    Now you can do whatever you like on that connection.

    In fact, you don't HAVE to go that far. Many applications these days do private key pinning and use that connection to load the ads. IMDb does that on the iPhone.

    MyQ and myBMW use the same to 'protect' the connection. MyQ's implementation of this, and subsequent implementation of Cloudflare's bot protection completely broke home-assistant's connection. All because they want you to use their app (and get bombarded with ads).

    DoH/DoT was supposed to bring in MORE privacy for users, as it allowed users to resolve addresses without the system servicing the connection (ISP / Starbucks / McDonald's) from being able to see or modify the responses (think captive pages).

    But all it brought was more spying. I am a firm believer that I should be able to inspect all traffic that an application sends out over my internet connection.

  • Do you know of any blogs/articles I can read more on this?

  • And TLS. Sure it stops lots of other bad things, but it is quite the blocker to doing content filtering of the page contents.