
Comment by anonymousiam

1 day ago

When applications don't respect system defaults, they are by definition "going rogue."

I run Pi-hole because I like having some control over the IoT garbage on my (separate IoT) home subnet. Much of the IoT garbage already pins its DNS server, which limits my control, or makes control more difficult to achieve.

If you're worried about IoT garbage spying on you, blocking DoH wouldn't even help. Presumably, there's something important on the Internet that they need to access (since otherwise you'd just air gap them outright), so they could exfiltrate your data through the same connection that they're using for their legitimate purpose.

  • But that's the game that most IoT stuff plays. They offer some utility that makes them worthwhile, but they exfiltrate your data to marketeers and even government entities (such as Ring's partnership with law enforcement).

    Maybe I'm old-school, but I like to have some control over what's going in and out of my network. DoH seems to exist mainly to circumvent that control.

    • > DoH seems to exist mainly to circumvent that control.

      Hate to break it to you, but if I control the client, then I'm not in any way obligated to use DNS or any other IETF-endorsed protocol to turn names into numbers when I'm running on your network.

      The idea of "controlling what's going in and out of the network" died in the 90s.

    • > But that's the game that most IoT stuff plays. They offer some utility that makes them worthwhile, but they exfiltrate your data to marketeers and even government entities (such as Ring's partnership with law enforcement).

      Sure. My point is that blocking DoH wouldn't stop that though.

      > Maybe I'm old-school, but I like to have some control over what's going in and out of my network.

      What if you were a public Wi-Fi operator? You definitely shouldn't have control or insight into the traffic to and from other people's computers and phones.

      > DoH seems to exist mainly to circumvent that control.

      No, DoH is purely a good thing, since the evil use cases like above can happen even without it.


  • > they could exfiltrate your data through the same connection that they're using for their legitimate purpose.

    Their traffic can be monitored. They can secretly exfiltrate if they hide it, use pinned certs or use some custom encryption. This should be a red flag.
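A defender-side check that follows from two points in this thread (the first comment's note that IoT devices pin their own DNS server, and the reply that their traffic can be monitored). This is an added example, not code from any commenter: it scans constructed iptables-style forward-log lines for hosts on the IoT subnet that send plain DNS or DNS-over-TLS anywhere other than the local Pi-hole. The subnet, the resolver address and the log format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (constructed for this example): the IoT VLAN is 192.168.50.0/24
# and the Pi-hole resolver handed out by DHCP lives at 192.168.50.2.
IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")
LOCAL_RESOLVER = ipaddress.ip_address("192.168.50.2")


def parse_line(line):
    """Parse the KEY=VALUE fields of an iptables LOG line; None if unusable."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    try:
        return (ipaddress.ip_address(fields["SRC"]),
                ipaddress.ip_address(fields["DST"]),
                fields["PROTO"].lower(), int(fields["DPT"]))
    except (KeyError, ValueError):
        return None


def find_resolver_bypass(lines):
    """Return {src_ip: {(dst_ip, proto, port), ...}} for IoT hosts that send
    DNS (53) or DNS-over-TLS (853) to anything except the local resolver.
    Port 443 is deliberately not inspected: by port alone DoH looks like any
    other HTTPS flow, which is the limitation the thread discusses."""
    findings = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dpt = parsed
        if src not in IOT_SUBNET or dpt not in (53, 853):
            continue
        if dpt == 53 and dst == LOCAL_RESOLVER:
            continue  # expected path: query goes through Pi-hole
        findings[str(src)].add((str(dst), proto, dpt))
    return dict(findings)


# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jan 1 00:00:01 gw kernel: [IPT-FWD] IN=eth1 OUT=eth0 SRC=192.168.50.20 DST=192.168.50.2 PROTO=UDP SPT=5353 DPT=53
Jan 1 00:00:02 gw kernel: [IPT-FWD] IN=eth1 OUT=eth0 SRC=192.168.50.20 DST=198.51.100.53 PROTO=UDP SPT=41000 DPT=53
Jan 1 00:00:03 gw kernel: [IPT-FWD] IN=eth1 OUT=eth0 SRC=192.168.50.31 DST=203.0.113.8 PROTO=TCP SPT=52100 DPT=853
Jan 1 00:00:04 gw kernel: [IPT-FWD] IN=eth1 OUT=eth0 SRC=192.168.50.31 DST=203.0.113.9 PROTO=TCP SPT=52101 DPT=443
Jan 1 00:00:05 gw kernel: [IPT-FWD] IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=198.51.100.53 PROTO=UDP SPT=41001 DPT=53
""".splitlines()

if __name__ == "__main__":
    for host, dests in find_resolver_bypass(SAMPLE_LOG).items():
        print(host, sorted(dests))
```

Hosts that show up here are the ones whose lookups never reach the Pi-hole, so its blocklists do nothing for them; a firewall rule redirecting or dropping port 53/853 from the IoT VLAN addresses that, while DoH over 443 remains invisible to this check.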