Not completely impossible. You could have a default deny firewall, have your DNS resolver trigger an update to allow outgoing connections to the resolved IPs, and possibly also require connections pass through an SNI-sniffing proxy that only allows domains that your DNS resolver has allowed. Essentially by default you'd be blocking all custom protocols, and you'd only allow what looks like well-behaved TLS web traffic to allowed domains to flow.
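The resolver-gated default-deny scheme described in the comment above, as an added example written for this thread (not code from any commenter or product): a policy object learns destination IPs only from local-resolver answers for allowed domains, honours the answer's TTL, and then admits a connection only if it is TLS on 443 whose ClientHello carries an SNI matching a name the resolver actually mapped to that IP. Everything here is constructed: the allowlist, the IP addresses (documentation ranges), the ClientHello builder used as a fixture, and the class and function names.

```python
import ipaddress
import struct

# Constructed operator policy: domains (and their subdomains) allowed to be resolved.
ALLOWED_DOMAINS = {"example.com", "cdn.example.net"}


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record; a test fixture, not captured traffic."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host      # host_name entry
        sni_data = struct.pack("!H", len(name_entry)) + name_entry      # ServerNameList
        extensions += struct.pack("!HH", 0, len(sni_data)) + sni_data   # ext type 0 = server_name
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + b"\x00" * 32                            # random (all zero; fixture only)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the lower-cased host_name from a ClientHello's SNI extension, or None."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip version + random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos + 2 > len(body):
            return None                                   # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != 0:
                continue
            list_end = 2 + struct.unpack("!H", ext[:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return ext[p:p + name_len].decode("ascii", "replace").lower()
                p += name_len
        return None
    except (IndexError, struct.error):
        return None                                       # malformed or truncated: treat as no SNI


class ResolverGatedEgress:
    """Default-deny egress policy fed only by the local resolver's answers."""

    def __init__(self):
        self._allowed = {}   # ip -> {name: expiry}

    @staticmethod
    def _domain_allowed(name):
        parts = name.split(".")
        return any(".".join(parts[i:]) in ALLOWED_DOMAINS for i in range(len(parts)))

    def on_dns_answer(self, qname, ips, ttl, now):
        """Called by the resolver hook; opens the answered IPs for `ttl` seconds."""
        qname = qname.rstrip(".").lower()
        if not self._domain_allowed(qname):
            return False
        for ip in ips:
            self._allowed.setdefault(str(ipaddress.ip_address(ip)), {})[qname] = now + ttl
        return True

    def check_connection(self, dst_ip, dst_port, client_hello, now):
        names = self._allowed.get(str(ipaddress.ip_address(dst_ip)), {})
        if not names:
            return "deny: destination never resolved through local resolver"
        live = {n for n, exp in names.items() if exp >= now}
        if not live:
            return "deny: resolver answer expired"
        if dst_port != 443:
            return "deny: only TLS on 443 is permitted"
        sni = extract_sni(client_hello)
        if sni is None:
            return "deny: no SNI in ClientHello (custom protocol or pinned raw-IP client)"
        if sni not in live:
            return f"deny: SNI {sni!r} is not a name the resolver mapped to this IP"
        return "allow"
```

The order of checks matters: a pinned client that connects to a raw IP with a valid-looking TLS handshake still fails the SNI-versus-resolved-name check, which is the case the comment is getting at; a client that never asked the local resolver fails before any packet is inspected.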
Bad traffic could flow to a "good" domain, and then you need to decide whether that domain is actually "good".
Couldn't they just hide their ad endpoints behind the proxy that serves their site? I can think of multiple ways to do this that aren't very difficult. I have had to implement something in my work to get past certain adblocking behavior that was going by domain.
Sure, but now you've at least made them use a more expensive L7 proxy to do it, and you can decide to block malicious actors like that entirely (blocking the "good" domain).
That works for your home network. What about if you're on cellular data?
I use wireguard to tunnel back home, but personally only extremely rarely use mobile data anyway. I normally have it disabled.
Not sure why you're downvoted.
You create a server and host it on IP x. You create a cert for it. You add the public key to your app.
Your app can now communicate with that IP over port 443 with that certificate. Remember that the idea that the domain must match the one in the certificate is a setting, enforced by the browsers. If you run your own code you can perfectly override that.
Now you can do whatever you like on that connection.
In fact, you don't HAVE to go that far. Many applications these days do private key pinning and use that connection to load the ads. IMDb does that on the iPhone.
MyQ and myBMW use the same to 'protect' the connection. MyQ's implementation of this, and subsequent implementation of CloudFlare's bot protection completely broke home-assistant's connection. All because they want you to use their app (and get bombarded with ads).
DoH/DoT was supposed to bring in MORE privacy for users, as it allowed users to resolve addresses without the system servicing the connection (ISP / Starbucks / McDonald's) from being able to see or modify the responses (think captive pages).
But all it brought was more spying. I am a firm believer that I should be able to inspect all traffic that an application sends out over my internet connection.
Do you know of any blogs/articles I can read more on this?
https://ericlathrop.com/2021/03/dns-over-tls-lets-google-ser...
It isn't just people using DNS filtering for ads that have this problem. Network admins at companies face the same problem (see for example https://cleanbrowsing.org/help/docs/block-dns-filtering-evas...)
Some browsers, apps, or devices might let you disable DoH/DoT or might let you configure it to use your own DNS server, but none of them have to let you, and even when they give you that option they can still do whatever they want (https://discourse.pi-hole.net/t/chromium-bypasses-pi-hole-by...)
Obviously any application or device using a hardcoded IP address will bypass DNS entirely so DNS filtering isn't going to work. See https://old.reddit.com/r/pihole/comments/djacup/im_starting_...
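The bypasses discussed in this part of the thread (pinned clients talking to hardcoded IPs, and DoH/DoT going around the local resolver) leave a signature a network owner can look for: a connection whose destination was never handed out by the local resolver, TLS on port 853, or TLS on 443 to a public resolver. Below is an added example, not from any commenter or from any named product, that correlates resolver answers with outbound connection records and flags those cases. The two log line formats, the timestamps, the client and destination addresses (documentation ranges) and the function names are all constructed for this example; 1.1.1.1 and 8.8.8.8 are well-known public resolvers and stand in for whatever list the operator maintains.

```python
import re
from datetime import datetime, timedelta

# Constructed log formats: one resolver answer line and one connection record line.
DNS_ANSWER = re.compile(r"^(?P<ts>\S+) dns answer=(?P<name>\S+) ip=(?P<ip>\S+) ttl=(?P<ttl>\d+)$")
CONN = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Public resolvers that speak DoH on 443; the operator's own list goes here.
PUBLIC_DOH_RESOLVERS = {"1.1.1.1", "8.8.8.8"}

# Constructed sample log, in chronological order.
SAMPLE_LOG = """\
2024-05-01T10:00:00 dns query=www.example.com client=192.0.2.20
2024-05-01T10:00:00 dns answer=www.example.com ip=198.51.100.10 ttl=300
2024-05-01T10:00:01 conn src=192.0.2.20 dst=198.51.100.10 dport=443
2024-05-01T10:00:05 conn src=192.0.2.21 dst=203.0.113.9 dport=443
2024-05-01T10:00:07 conn src=192.0.2.21 dst=1.1.1.1 dport=853
2024-05-01T10:00:09 conn src=192.0.2.22 dst=8.8.8.8 dport=443
2024-05-01T10:06:30 conn src=192.0.2.20 dst=198.51.100.10 dport=443
"""


def classify(ts, dst, dport, resolved):
    """Return a finding string for one connection, or None if it looks resolver-driven."""
    if dport == 853:
        return "dns-over-tls to external resolver (bypasses local DNS filtering)"
    if dst in PUBLIC_DOH_RESOLVERS and dport == 443:
        return "tls to known public doh resolver (likely dns-over-https bypass)"
    answers = resolved.get(dst)
    if not answers:
        return "destination never returned by local resolver (hardcoded or pinned endpoint)"
    if all(valid_until < ts for _, valid_until in answers):
        return "destination resolved earlier but every answer's ttl has expired"
    return None


def analyze(log_text):
    """Correlate resolver answers with connections; returns (ts, src, dst, dport, reason) tuples."""
    resolved = {}   # ip -> list of (name, valid_until)
    findings = []
    for line in log_text.splitlines():
        m = DNS_ANSWER.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            valid_until = ts + timedelta(seconds=int(m["ttl"]))
            resolved.setdefault(m["ip"], []).append((m["name"], valid_until))
            continue
        m = CONN.match(line)
        if not m:
            continue                         # query lines and anything else are ignored
        ts = datetime.fromisoformat(m["ts"])
        reason = classify(ts, m["dst"], int(m["dport"]), resolved)
        if reason:
            findings.append((m["ts"], m["src"], m["dst"], int(m["dport"]), reason))
    return findings


if __name__ == "__main__":
    for ts, src, dst, dport, reason in analyze(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{dport}  {reason}")
```

The expired-TTL finding is the weakest of the four (clients legitimately reuse connections past the TTL), so in practice it is a lower-severity signal than a destination that the resolver never returned at all; the hardcoded-IP and port-853 cases are exactly the ones this thread says DNS filtering alone cannot stop.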
Just because it doesn’t work all the time doesn’t mean it never does. Defense in depth.
One aspect is to use trustworthy software, not written by an advertising company.
https://9to5mac.com/2022/08/18/ios-vpn-apps/
https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php
And TLS. Sure it stops lots of other bad things, but it is quite the blocker to doing content filtering of the page contents.