Comment by leipert
2 days ago
> Chromecasts ignore local DNS... grrr
Can’t you force traffic to 8.8.8.8 / 8.8.4.4 (especially port 53) to hit your PiHole instead?
2 days ago
> Chromecasts ignore local DNS... grrr
Can’t you force traffic to 8.8.8.8 / 8.8.4.4 (especially port 53) to hit your PiHole instead?
Its a trick one. Traditional DNS runs over port 53/udp and fails over to 53/tcp for large queries/results. That's easy to deal with on a packet filter firewall.
Then in the name of ... something, something, security ... DNS over http(s) was invented. Now you can balkanize DNS by requiring certain SSL certificates be involved. To my knowledge this hasn't been abused large scale yet but it could.
Let's go easy on the tinfoil and simply redirect outbound traffic to 53/udp and tcp to a PiHole or other DNS server under your control.
If you insist on the tin foil, you will probably need to look into a MitM proxy such as Squid - look into "bump" and "spice".
This falls apart when you realize DoH can (and does) just go out to 443/TCP.
It looks like a web request, which was literally the point of the specification.
"DoH ensures that attackers cannot forge or alter DNS traffic. DoH uses port 443, which is the standard HTTPS traffic port, to wrap the DNS query in an HTTPS request. DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port."
Now if you get into that territory, as you have suggested with your proxy comment, now you are breaking the security model for not just DNS requests but much of the overall traffic on the network.
I know exactly (within reason) how TLS works. However that enforceable guarantee may not be in the end user's best interests.
Your browser could require via TLS certain CA only signed responses and even covertly do that and flatly refuse to use the system configured DNS and fib and lie. At least DNS over UDP/TCP can be easily manipulated locally through a packet filter and via NAT n that and it can be inspected by the end user easily.
No, I am not suggesting you break any security model - a MitM run by yourself is yours and yours alone. If you consider your browser might be hostile <tin foil crackling sound effect here> then you really have to look quite deeply into what security model you are dealing with and how it really works.
Proxies and so on are just tools for a job as are DNS servers (I have one just for my customer's Let's Encrypt challenges) and all the rest.
I like to forget the usual trite networking bollocks and think quite clearly about how it all really hangs together. I start with what I would like to be the source of "truth" with regards the thing I type into the browser and the IP address that is returned and connected to.
> Now if you get into that territory, as you have suggested with your proxy comment, now you are breaking the security model for not just DNS requests but much of the overall traffic on the network.
You may be breaking things altogether, actually, since many of the devices for which this song and dance needs to exist don't actually offer a way to alter certificates. I don't know that my smart tv actually uses DoH (it's not physically connected to the network), but I have no idea how I'd add a trusted certificate to its chain, even for other purposes.
My older Kindle Fire HD 10 flips over to DNS over HTTPS if it can't see Google on port 53.
I've tried to add a couple of rules in iptables on my Ubiquiti Dream Machine (UDM), but the out-of-box configuration on the UDM is pages and pages to iptables rules. I can modify that config via a shell interface (a shell script with four iptables command lines), but it doesn't play with the web based GUI, and I have yet to figure out how the UDM handles such traffic.
Yes, I've simply blocked all traffic for 8.8.8.8 and 8.8.4.4, via the UDM GUI, the rules are there. The Kindle still shows me ads.
It may be possible to delete the entries for Google DNS on the Kindle via adb commands during boot, but I haven't gotten that far.
Someday I will get around to setting up a homelab network enough to learn iptables etc without blacking out my home network. As any network outage bring immediate screams from the house, I have to treat the firewall configuration as critical infrastructure: brittle. Don't touch.
With the UDM you can do DNS masquarade to redirect traffic destined for 8.8.8.8:53 to your local pihole / AdGuard instance.
Hagezi and others provide reasonable DoH block lists.
I think you can just block Google's servers and it'll use the DHCP-configured DNS server.
Iptables can be used to dump any traffic destined for port 53 to a dns server of your choosing, but I don't know if something like that exists in consumer routers. (Blocking a baked in doh client is a lot more complicated...)
Yeah it would depend on your equipment - but basically if stuff pins and IP instead of doing DNS you would have to block the IP's of all the common resolvers (or at least the ones it will try)
Why not forbid going outside on port 53 and (optionally) redirect to the local DNS servers:
(nftables syntax)
ip saddr != @lan_dns ip daddr != @lan_dns udp dport 53 counter dnat ip to numgen inc mod 2 map { 0 : 192.168.1.1, 1 : 192.168.1.2 } comment "Force all DNS traffic to go through local DNS servers"
of course. ads are the life blood of google.
It's the same reason why they reverted silently the options to disable referrer (the default since chrome took over is now to send full url even on xdomain, which was unthinkable during mozilla vs ie)
anything that impacts delivery of ads (dns on android/chromecast) or attribution (referrer) will be fought against by google.
On my LAN I send all DNS traffic to pi.hole with iptables. Won’t help if they DoH tunnel it though.