undefined | Better HN

story

0 points9dl6y ago0 comments

* Connected to wifi with installed dnsmasq

* * If device do not use public (like 1.1.1.1) or custom DNS

0 comments

You can also redirect those public dns servers on you router to your local Dnsmasq server with iptables.

Assuming no use of DoH. I worry that increasingly devices on your home network will ignore the LAN recommendations for DNS server and be MUCH harder to block.

I log all attempts by devices on my network to port 53. Android apps, roku, google home devices, and various others are quite aggressive about going directly to various DNS servers if they don't get what they want from the local DNS server.

Using wireshark to track what's going on it's not unusual to see 7,000 DNS requests for a domain I'm blocking in just a few seconds. The android client for youtube seems to be particularly persistent.

9dlOP6y ago

Nope

You should not

Or you completely compromise DNS chain and as result you can not trust results of dns resolve

sliken6y ago

Could you explain? I don't use dnsmasq, but I do use unbound. I do block outgoing port 53 (UDP and TCP) and force the use of my unbound server.

Quite a few apps and devices ignore the DNS recommendations provided by radvd (for ipv6) and dhcp (for IPv4).

That way I can block youtube, instagram, netflix, imgur, reddit, and similar services that my kids are addicted to if they are avoiding homework and the like.

How exactly does that "compromise DNS chain"? Unbound is DNSSEC aware, and talks to the same root servers that the ISP, google, opendns, or similar services would talk to.

Sadly DoH will make this much more difficult.

j / k navigate · click thread line to collapse

0 comments

rndomsrmn6y ago

You can also redirect those public dns servers on you router to your local Dnsmasq server with iptables.

sliken6y ago

Assuming no use of DoH. I worry that increasingly devices on your home network will ignore the LAN recommendations for DNS server and be MUCH harder to block.

9dlOP6y ago

Nope

You should not

Or you completely compromise DNS chain and as result you can not trust results of dns resolve

sliken6y ago

Could you explain? I don't use dnsmasq, but I do use unbound. I do block outgoing port 53 (UDP and TCP) and force the use of my unbound server.

Quite a few apps and devices ignore the DNS recommendations provided by radvd (for ipv6) and dhcp (for IPv4).

That way I can block youtube, instagram, netflix, imgur, reddit, and similar services that my kids are addicted to if they are avoiding homework and the like.

How exactly does that "compromise DNS chain"? Unbound is DNSSEC aware, and talks to the same root servers that the ISP, google, opendns, or similar services would talk to.

Sadly DoH will make this much more difficult.

j / k navigate · click thread line to collapse