undefined | Better HN

0 pointsTrueDuality5y ago0 comments

You're definitely right that it is an issue that the traffic is plaintext but there are trade off costs that are not addressed by these standards, mostly in user control and fall back behaviour.

You've started using a pi-hole, and presumably are getting value from it. These protocols can potentially make it so you can't use that pi-hole at all.

Traffic that is local to a network being unencrypted is not a huge privacy problem. If this protocol was adopted by local resolvers, your pi-hole or network router could use it for any requests it makes while still preserving its ability to filter the traffic. It's basically all win under this scenario.

The problem comes back to applications implementing this in ways that can't be managed taking the option away from end users and administrators. Without the protocols specifying control and fall-back behaviours on networks that don't need or want this, it's more harmful than useful.

0 comments

stevepike5y ago

Can you explain (or share a link) to some proposal for how to enable my pihole to securely talk to upstream resolvers but force all embedded devices on my network to go through the pihole? Anything that lets my pihole sidestep my ISP seems like it'd also work for my xbox.

judge20205y ago

> force all embedded devices on my network to go through the pihole

You can only do this for the devices that respect your DHCP-provided DNS config. Even if you redirect all port 53 traffic on your network to your pihole, a device can make its own (DoH or non-DoH) https connection and gets DNS responses via that, bypassing your pi-hole.

This was discussed extensively a few days ago on a thread about "72% of smart TVs and 46% of game consoles hardcode DNS settings":

https://news.ycombinator.com/item?id=25315172

quicksilver035y ago

If you control DHCP and know the MAC address of those embedded devices, you can serve them a non-existing gateway so that they simply won't have a path outside of your home network.

Of course, that assumes IPv4, whereas with IPv6 and SLAAC I believe the only way is to firewall them out.

1 more reply

RossM5y ago

Using Cloudflare with DoH is documented here: https://docs.pi-hole.net/guides/dns-over-https/

You essentially run a little proxy server on your pihole setup, and configure pihole to use it as your upstream dns resolver.

E.g., a proxy server running at 127.0.0.1:5053 which uses the Cloudflare ipv4/ipv6 DNS over HTTPS endpoints. This can also use other DoH endpoints as desired:

    /usr/local/bin/cloudflared proxy-dns \
      --port 5053 \
      --upstream https://1.1.1.1/dns-query \
      --upstream https://1.0.0.1/dns-query \
      --upstream https://2606:4700:4700::1111/dns-query \
      --upstream https://2606:4700:4700::1001/dns-query

cassianoleal5y ago

That only does the part where the PiHole uses DoH. It doesn't stop individual devices from using it, and it doesn't force them to go via the PiHole.

topranks5y ago

DNScurve never got far in the IETF but I like it:

https://tools.ietf.org/html/draft-dempsky-dnscurve-01

It’s being worked on again. The “client side” (from client to resolver) got all the attention in recent years. Even though it’s arguably less important than encrypting resolver to Auth traffic (as the resolver can often be close.).

Cynics say this is because there was money behind DoH which pushed it through standardisation, as the big providers are hungry for the data.

arguably the less important part of the equation

1vuio0pswjnm75y ago

I have used CurveDNS forwarders at home as an experiment for many years now. I have never had any problems. I cannot see why authoritative DNS providers would resist offering DNSCurve as an option. It is relatively easy to set up and does not require replacing or modifying any DNS software.

TrueDualityOP5y ago

I don't have any resources handily available for that. I would be truly surprised if pi-hole's don't support DoH though so I'd just try searching for something like "enabling DoH on a pihole" or similar.

Basically sounds like you've already done the hardest parts. Your router is redirecting all DNS traffic to your pi-hole, this will prevent any normal unencrypted DNS traffic from leaving your local network. You pi-hole will be in turn making all the DNS requests. If you turn on DoH for the pi-hole all the DNS requests on your network will be encrypted.

hrez5y ago

Nothing would prevent DOH to use <randomIP>:<randomPORT> as a resolver. Be it an application or a device. Pi-hole will never see it.

j / k navigate · click thread line to collapse