EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

The Iron Rose posted:

I use unbound for my upstream DNS. You can run pihole in one container and unbound on another to make it really easy if you want.

I wish I could run docker on my systems. vmware/vbox fuggin hates docker running at the same time and vice versa.

Getting hypervisor running then comes in and shits on everything


The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

EVIL Gibson posted:

I wish I could run docker on my systems. vmware/vbox fuggin hates docker running at the same time and vice versa.

Getting hypervisor running then comes in and shits on everything

Just toss it on an EC2 or digital ocean droplet - or heck, run it in ECS! It doesn't need much resources so it should cost you like $5/mo. Latency is a little worse than if you had it on your local network of course, but it's actually not much of a problem once dns records are cached; it's not really noticeable.

you need to limit access to just your public IP address range to secure it but you should be doing that with cloud resources anyways.

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.

Combat Pretzel posted:

What I want is PiHole on my VPN polling stuff via DoH from a trustworthy provider?
Like this?
https://docs.pi-hole.net/guides/dns-over-https/

apseudonym
Feb 25, 2011

Combat Pretzel posted:

Oh wow, didn't know that this DNS-over-HTTPS stuff funnels everything to Cloudflare by default for Firefox and I suppose Google for Chrome. And that it creates an additional means to identify you, at least for the case where you're behind a NAT, like most end users nowadays (HTTPS connections versus random traffic from the same UDP port).

Chrome does opportunistic upgrade (i.e., if your DNS provider is on the list of those that support DoH it'll use DoH); it doesn't send DNS to Google unless you set your DNS to be Google.

Android by default does opportunistic upgrade to DoT or you can specify a DoT server that will always be used regardless of the network provided DNS.

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!
Hmm, Google must have loving with my poo poo. I was polling their servers from within Pi Hole, and some sites seemed to have issues reaching their CDNs. That poo poo is gone since I've installed unbound on my Pi Hole.

stevewm
May 10, 2005

Combat Pretzel posted:

Oh wow, didn't know that this DNS-over-HTTPS stuff funnels everything to Cloudflare by default for Firefox and I suppose Google for Chrome. And that it creates an additional means to identify you, at least for the case where you're behind a NAT, like most end users nowadays (HTTPS connections versus random traffic from the same UDP port).

Firefox was planning on funneling everything through Cloudflare, unless you had some flags set.

Chrome on the other hand is handling it differently. It will use DNSoHTTPS only if your system resolver is already set to a DNS service that is known to support DNSoHTTPS. If it is, it will talk to that service over HTTPS. Otherwise it will continue to use your system resolver as always.

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
Encrypted DNS won’t help with your privacy until encrypted SNI is also a thing, since your browser will transmit the domain name in cleartext as part of the initial TLS handshake.

Truga
May 4, 2014
Lipstick Apathy
yeah sni is lovely like that, i honestly couldn't believe how it worked when i first encountered it in the wild

i get why it exists (because ipv4 just won't die), but it's stupid.

apseudonym
Feb 25, 2011

Double Punctuation posted:

Encrypted DNS won’t help with your privacy until encrypted SNI is also a thing, since your browser will transmit the domain name in cleartext as part of the initial TLS handshake.

The whataboutism between esni and encrypted DNS has succeeded in doing nothing but delaying both.

Combat Pretzel
Jun 23, 2004

No, seriously... what kurds?!
Unbound was rather easy to set up, surprisingly. Pi Hole has some instructions too, that also harden the whole thing.

AlternateAccount
Apr 25, 2005
FYGM

Double Punctuation posted:

Encrypted DNS won’t help with your privacy until encrypted SNI is also a thing, since your browser will transmit the domain name in cleartext as part of the initial TLS handshake.

I wish you could get something in the address bar that could tell you what sites were encrypted SNI capable and which weren't.

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!

apseudonym posted:

The whataboutism between esni and encrypted DNS has succeeded in doing nothing but delaying both.

There is a point to encrypting DNS without ESNI. It just isn’t confidentiality. Even with DNSSEC, it’s still good to be assured you’re talking to the DNS server you selected.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Double Punctuation posted:

There is a point to encrypting DNS without ESNI. It just isn’t confidentiality. Even with DNSSEC, it’s still good to be assured you’re talking to the DNS server you selected.

The vast majority of clients will be pulling DNS from whatever local DNS daemon runs in their local network for the extra caching layer rather than passing through to google/cloudflare/whoever. The model you are proposing would require all these soho devices to properly handle validation of the DNS servers they are connecting to (either the ISP or whoever the ISP points them at) and then also find a way to gracefully fail safe while communicating to the downstream devices that there was an upstream DNS authentication problem. I'm not saying it's impossible, but the failure mode is going to break a whole lot of things that are dependent on DNS "just working" and I am not holding my breath for the people who write router firmware to do this job well. DNS over HTTPS seems like a more viable route to protect the things being called by the browser while allowing all the other code to carry on as-is.

Klyith
Aug 3, 2007

GBS Pledge Week
Question from an ignorant poster:

Encrypted DNS is often talked about as a privacy benefit. ISPs push their own DNS servers to users as the default configuration, which means when I visit www.embarrassingporn.xxx I'm asking my ISP to show me where to find my embarrassing porn. By switching to DNSoverHTTPS or whatever other secure method, the only party to know my embarrassing porn secret is the DNS provider I trust (or who my web browser has chosen to trust for me). That's the basic story I've read in articles / blogs written for general users.


But really, even if the DNS query was 100% secure, encrypted, and hidden from my ISP, they still know where my traffic is going. They're delivering my packets! If www.embarrassingporn.xxx resolves to 69.69.69.69 and I'm doing a lot of traffic to that site, then my ISP is still gonna see me visiting a porn website. They've got a DNS server, they know what url 69.69.69.69 is hosting.

So I don't really get it. If I don't trust my ISP to collect data about my porn habits via DNS queries, I shouldn't trust them not to do general traffic analysis either.

apseudonym
Feb 25, 2011

Klyith posted:

Question from an ignorant poster:

Encrypted DNS is often talked about as a privacy benefit. ISPs push their own DNS servers to users as the default configuration, which means when I visit https://www.embarrassingporn.xxx I'm asking my ISP to show me where to find my embarrassing porn. By switching to DNSoverHTTPS or whatever other secure method, the only party to know my embarrassing porn secret is the DNS provider I trust (or who my web browser has chosen to trust for me). That's the basic story I've read in articles / blogs written for general users.


But really, even if the DNS query was 100% secure, encrypted, and hidden from my ISP, they still know where my traffic is going. They're delivering my packets! If https://www.embarrassingporn.xxx resolves to 69.69.69.69 and I'm doing a lot of traffic to that site, then my ISP is still gonna see me visiting a porn website. They've got a DNS server, they know what url 69.69.69.69 is hosting.

So I don't really get it. If I don't trust my ISP to collect data about my porn habits via DNS queries, I shouldn't trust them not to do general traffic analysis either.

CDNs make IP based tracking way lower quality than that, though nothing stops you from doing packet size and timing analysis to uniquely identify stuff, except it's a lot harder and more error prone.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

The vast majority of moderate-to-major sites are fronted by one of a small number of CDNs or clouds, so it's often hard to tell whether you were looking for umbrella vore or pictures of chandeliers or movie times or dead gay forums based just on the IP you connect to.

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.
And most smaller sites are on shared hosting with lots of sites behind the same IP address. Was the person visiting the site of a local restaurant or the local furry community?

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
We were just discussing SNI, or Server Name Identification. Those shared hosts need some way of knowing which site you want so they can pick the correct certificate and keys to encrypt the traffic. Right now, the only way to do that is to tell the host what site you want, in plaintext, meaning your ISP knows what site you are visiting without even looking at DNS.

The solution being developed is to both encrypt DNS traffic and have servers put a public key in the DNS records for encrypting the SNI message. That effectively hides every bit of direct information about the connection except the IP address. That’s as good as you can do without the overhead of a VPN.
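The point above, that the hostname sits in cleartext in the very first TLS message before any key exchange has happened, can be checked directly. The following is an added example, not code from this thread: it constructs a minimal TLS 1.2 ClientHello (the hostname `www.example.com` is a constructed sample) and then parses the server_name extension back out of the raw record, which is exactly what an on-path observer or a network monitor sees without ever looking at DNS.

```python
from typing import Optional
import os
import struct

SNI_EXT_TYPE = 0x0000   # RFC 6066 server_name extension
HOST_NAME_TYPE = 0x00   # the only defined NameType


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input only)."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_body = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + os.urandom(32)                          # client random
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                             # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname, or None if absent; ValueError if not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                              # header, version, random
    pos += 1 + hs[pos]                            # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                            # compression_methods
    if pos + 2 > len(hs):
        return None                               # no extensions block
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != SNI_EXT_TYPE:
            continue
        # server_name_list: 2-byte list length, then (type, len, name) entries
        lpos = 2
        while lpos + 3 <= len(data):
            ntype, nlen = struct.unpack("!BH", data[lpos:lpos + 3])
            lpos += 3
            if ntype == HOST_NAME_TYPE:
                return data[lpos:lpos + nlen].decode("ascii")   # cleartext name
            lpos += nlen
    return None


if __name__ == "__main__":
    print("SNI in the first record:", extract_sni(build_client_hello("www.example.com")))
    print("no SNI extension:", extract_sni(build_client_hello(None)))
```

Nothing in the record is encrypted at this point, so the same parse works on a real capture; with ESNI/ECH the extension carries ciphertext instead and this lookup yields nothing useful.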

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

IPv6 adoption could also fix that since it becomes viable to give every single site its own public IP without having to share anything, so no need for SNI.

bull3964
Nov 18, 2000

DO YOU HEAR THAT? THAT'S THE SOUND OF ME PATTING MYSELF ON THE BACK.


There's still a management aspect to things. I know we host dozens of branded portals based off the same common code base so we use SNI, not out of a lack of IP space (we have plenty we could use) but because it makes management in the F5 easier. One VIP vs dozens. It also reduces your footprint which means fewer IPs to security scan and fewer firewall rules to audit.

So, IP space is part of it, but it's not the only reason why you would potentially want to use SNI.

Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib

Pablo Bluth posted:

And most smaller sites are on shared hosting with lots of sites behind the same IP address. Was the person visit the site of a local restaurant or the local furry community?

Local furry community meeting at the local restaurant?

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Lambert posted:

Local furry community meeting at the local restaurant?

"The men's room is closed for a private event"

BlankSystemDaemon
Mar 13, 2009



This might be a good time to link one of the talks Paul Vixie, one of the original people involved with DNS, gave on the subject of DNS-over-HTTPS:
https://www.youtube.com/watch?v=8SJorQ9Ufm8

Also it's important to distinguish between SNI, which leaks the hostname that you're contacting, and ESNI, which is currently being drafted.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

People entering the USA just got back a tiny bit of personal infosec.

Federal Court Rules Suspicionless Searches of Travelers’ Phones and Laptops Unconstitutional

EFF posted:

BOSTON—In a major victory for privacy rights at the border, a federal court in Boston ruled today that suspicionless searches of travelers’ electronic devices by federal agents at airports and other U.S. ports of entry are unconstitutional.
...
The district court order puts an end to Customs and Border Control (CBP) and Immigration and Customs Enforcement (ICE) asserted authority to search and seize travelers’ devices for purposes far afield from the enforcement of immigration and customs laws. Border officers must now demonstrate individualized suspicion of illegal contraband before they can search a traveler’s device.

https://www.eff.org/press/releases/federal-court-rules-suspicionless-searches-travelers-phones-and-laptops

:toot:

CLAM DOWN
Feb 13, 2007




That's excellent news, as a frequent traveler to the US I'm always pretty paranoid.

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!
"And this is my going-to-America phone"

Sickening
Jul 16, 2007

Black summer was the best summer.

Powered Descent posted:

People entering the USA just got back a tiny bit of personal infosec.

Federal Court Rules Suspicionless Searches of Travelers’ Phones and Laptops Unconstitutional


https://www.eff.org/press/releases/federal-court-rules-suspicionless-searches-travelers-phones-and-laptops

:toot:

We can’t keep the border people from stealing children, if they want your phone they are taking your phone.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

klosterdev posted:

"And this is my going-to-America phone"

You laugh, but I have "going to China" hardware and it was pretty tragic I had to do the same travelling to or through the country I was born in. This is a fantastic ruling and a great day for privacy.

wolrah
May 8, 2006
what?

Sickening posted:

We can’t keep the border people from stealing children, if they want your phone they are taking your phone.

One of those few situations where modern tech and even to some extent "the cloud" has actually helped privacy. It's so easy these days to just factory reset a phone before going in to any situation where you might lose physical control over it and restore it after the fact.

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

klosterdev posted:

"And this is my going-to-America phone"

This is a real device I own. Glad to see it might be a lot less necessary now.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


wolrah posted:

One of those few situations where modern tech and even to some extent "the cloud" has actually helped privacy. It's so easy these days to just factory reset a phone before going in to any situation where you might lose physical control over it and restore it after the fact.

It's a pretty hot take that storing the entire contents of your phone on the Internet where it's undoubtedly archived by the NSA and available to any government agency has helped privacy. Sure, you might be able to hand some CBP grunt an empty phone, but you have not meaningfully prevented anyone from accessing your private data.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

The Iron Rose posted:

You laugh, but I have "going to China" hardware and it was pretty tragic I had to do the same travelling to or through the country I was born in. This is a fantastic ruling and a great day for privacy.

It'll be a great day for privacy if it actually changes CBP behaviour. I'm holding my confetti to see what happens there.

brains
May 12, 2004

klosterdev posted:

"And this is my going-to-America phone"

yeah this is a real thing for a lot of people who travel often (or who have “suspicious occupations” like journalists or immigration lawyers), unfortunately :(

hopefully this ruling changes things, but like others have said, it’s not like CBP is well known for actually adhering to court rulings or, you know, laws.

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Powered Descent posted:

People entering the USA just got back a tiny bit of personal infosec.

Federal Court Rules Suspicionless Searches of Travelers’ Phones and Laptops Unconstitutional


https://www.eff.org/press/releases/federal-court-rules-suspicionless-searches-travelers-phones-and-laptops

:toot:

About a year from now posted:

In a 5 to 4 decision, the supreme court reversed the former ruling, with Judge Kavenaugh in the majority opinion stating "lol get hosed nerds"

At this point I can't get excited about any sort of court decision until the other side won't appeal.

Antioch
Apr 18, 2003
I'm glad I'm not the only weirdo with a "Going to America" phone. Mine is an old LG v20 with "Nothing to Declare" on the second screen.

brains
May 12, 2004

it's not weird, it's best practices for most corporate or legal entities with sensitive info on devices, given the unsurprisingly terrible data integrity and security track record CBP has when they let contractors insecurely hold warrantless device downloads that of course fail to get deleted and get leaked.

still depressing that this is the reality, though.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Also, "suspicionless" is doing a lot of work there. I haven't read the decision, but I can hear the Ghost of Parallel Construction Past calling out to me.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Subjunctive posted:

Also, "suspicionless" is doing a lot of work there. I haven't read the decision, but I can hear the Ghost of Parallel Construction Past calling out to me.

But at least now they'll have to go to the trouble of doing that, instead of just having unchecked power to do whatever the hell they feel like without even pretending they have a reason.

It's like when you get pulled over for speeding. If the cop decides they really want to search your car, then yes, they can manufacture probable cause for a warrant. (A time-honored way is to have a K9 come by and "signal" that it smelled something.) But that takes time and effort for them to go through, so 99% of the time they just won't bother. This situation is obviously still not the greatest, but it does result in a lot less abuse than if they had full authority to just casually search any and every car that came their way, for any reason or no reason. And that's exactly the power that the border agents used to have over your devices.

The border situation is still a long long way from perfect. But this ruling made it at least a little bit better.

wolrah
May 8, 2006
what?

Cup Runneth Over posted:

It's a pretty hot take that storing the entire contents of your phone on the Internet where it's undoubtedly archived by the NSA and available to any government agency has helped privacy. Sure, you might be able to hand some CBP grunt an empty phone, but you have not meaningfully prevented anyone from accessing your private data.

I didn't specify a provider for a reason. Everyone has their own threat models and makes their own trust decisions.

If you're an average person whose largest concern in this scenario is whether some shithead Border Patrol agent can go through their vacation photos, then maybe Google, iCloud, Dropbox, etc. are just fine. If you're a businessperson whose concerns are largely based around proprietary information leaking out somehow then presumably you're either running it in house or have decided to trust whatever provider is running it. If you have reason to be ultra paranoid you could run your own IMAP/CalDAV server, an OwnCloud instance, etc. and connect to it over a VPN.

The point is not the back end, the point is that the way modern phone platforms are designed is basically built around very little existing solely on the phone, making it easy to consider the phone's storage disposable. The same features designed to make it easy to upgrade year after year make it easy to reset and reload.

If you're going after a "well <insert three-letter-agency here> can monitor everything anyways" angle I can't really argue that with evidence but if that's your take then a smartphone seems like a bad idea in general.


Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib
With 1password taking VC money, what are good alternatives? What versions of KeePass should one use for Windows and Android?
