This DNS server gets its upstream resolution from nextdns.io, which is configured with several blocklists - including one that is roughly analogous to uBlock Origin.
On my local network, my DHCP server hands out my DNS server to all clients.
This means that all clients on my network get fairly robust ad-blocking even if they do not have an adblocker installed. It also means that non-browser clients (Sonos, AppleTV, etc.) get ad/tracker blocking as well.
DoH sort of breaks all of this, unfortunately.
Individual devices or clients or browsers can now connect to trackers and ad-servers over HTTPS, bypassing my adblocking resolver.
I thought that perhaps there was a solution wherein you would pre-query every single new IP you connected to over HTTPS and send it a test DNS query ... and if it answered DNS, you would just refuse to talk to it. I think this falls apart, however, if (for instance) Google just queries "google.com" ... now you're denying google.com because it answers DNS queries over HTTPS...
Look, back when 8.8.8.8 came online I could just smell it ... I knew there was a user-hostile arms race somewhere in there, I just didn't know where. Now we know.
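
The probe idea in the comment above, sketched as an added example that is not part of the original comment: it builds an RFC 8484 DoH test query, decides whether an HTTPS reply is a DNS answer, and shows the per-IP verdict that causes the collateral blocking the comment describes. The `/dns-query` path, the documentation-range addresses and the reply bytes are constructed assumptions, not captured traffic.

```python
import base64
import struct

DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484

def build_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035) with ID 0, as RFC 8484 recommends."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_path(query, path="/dns-query"):
    """RFC 8484 GET form: base64url of the message with padding removed."""
    return path + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def answers_dns(status, content_type, body, query):
    """True if an HTTPS reply to the probe is a DNS response to our question."""
    media = content_type.split(";")[0].strip().lower()
    if status != 200 or media != DOH_MEDIA_TYPE or len(body) < len(query):
        return False
    txid, flags, qdcount = struct.unpack("!HHH", body[:6])
    echoed = body[12:len(query)] == query[12:]  # question section comes back
    return bool(flags & 0x8000) and txid == 0 and qdcount == 1 and echoed

def refused_ips(replies, query):
    """Per-IP verdict: every address that answered the probe is refused."""
    return {ip for ip, reply in replies.items() if answers_dns(*reply, query)}

def sample_replies(query):
    """Constructed replies (documentation addresses), not captured traffic."""
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    dns_body = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + query[12:] + answer
    return {
        "192.0.2.10": (404, "text/html", b"<h1>Not Found</h1>"),
        # Assumed front end that serves a website and DoH on the same address.
        "198.51.100.53": (200, DOH_MEDIA_TYPE, dns_body),
    }

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_path(q))
    # The verdict is per address, so the website sharing 198.51.100.53 is
    # refused along with the resolver: the collateral the comment describes.
    print(refused_ips(sample_replies(q), q))
```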