undefined | Better HN

0 pointstablespoon3y ago0 comments

> PiHole arguably is getting less effective with each passing year as alternate DNS resolution methods like DNS over HTTPS etc gain traction, and defeating DNS over HTTPS is s a whack-a-mole game today, all you can really do is try to blacklist known DNS over HTTPS server IPs, which is a running battle.

Aren't blocking ads another whack-a-mole? So it seems like more of the same.

Also, aren't there proxies that you can setup that can inspect HTTPS connections (so long as you install the proxy's cert on your machine). I suppose the whack-a-mole might be more practical if a few people used those regularly along with some kind of automated scanning for DNS over HTTPS.

0 comments

giobox3y ago

The key difference is the point of control:

For PiHole today, most everything comes over port 53, and thus easy to track, monitor and block as required.

Tomorrow, DNS requests can be on any port, to any server, on any protocol. This makes trying to use a single point of control like the PiHole so much harder than it was in the past. Who is to say next week its HTTPS as the encrypted transport for DNS? Use whatever bizarre encryption scheme you like. It's your app... The app can just ignore whatever DNS server you suggested via DHCP or whatever and go back to its homebrew domain name resolution system.

saurik3y ago

> Who is to say next week its HTTPS as the encrypted transport for DNS?

That ship has already set sail, my friend :(.

novok3y ago

Eventually ads, tracking, etc are just going to be proxied by the app server, along with normal app server traffic, to one IP and you can't do much effective filtering in the end.

addingnumbers3y ago

> Also, aren't there proxies that you can setup that can inspect HTTPS connections (so long as you install the proxy's cert on your machine).

It's common for apps to prevent this with certificate pinning. They'll ignore the certs you've installed manually and will only connect to servers with certs signed by their in-house certificate authority.

mindslight3y ago

> Aren't blocking ads another whack-a-mole?

Yes, but the mole-whacker is whoever controls the software doing the rendering. So on a personal computer, the ads are the moles. But on a locked down "phone", the user is the mole.

j / k navigate · click thread line to collapse