undefined | Better HN

0 pointstimbit423y ago0 comments

We will need to keep a list of DNS IPs to block access through ports 80 and 443.

0 comments

And what happens when they start changing the port? It's a battle no one ultimately can win, in short term. The technical options available to get DNS by so many different means are so easy to implement, relatively speaking. Even a really junior engineer can likely invent their own DNS resolution protocol, its one of the simplest APIs to reinvent if all you care about is returning IP address for a given name.

80 and 443 are only used by convention for HTTP/HTTPS - you can use whatever the hell you like. There's also the option to not use HTTP(S) or DNS at all to obtain addresses, the list of ways you can avoid traditional methods is endless. Finally, you can just serve your DNS on same IP as back end of the app - block the IP and the app dies completely, meaning a simple IP block will not work etc etc. It's super easy to write some code that combines tens of methods, ensuring you get that DNS record no matter how hard the user tried to stop you.

FWIW people (including me) already do this, but its a blunt tool and not all that effective in many cases: https://gist.github.com/ckuethe/f71185f604be9cde370e702aa179...

timbit42OP3y ago

Fine. Block that IP on every port.

giobox3y ago

I don't think you really appreciate the scale of the problem, when any protocol can be used. Port/IP blocks simply are too blunt now, and once again you are screwed if app provider uses the same IP for illegitimate DNS as legitimate services - you might not be able to block the IP at all and still access the services you need on that device or application. To give one example - imagine if netflix shared video on same IP as their private DNS service. They could even use the same port. Can't block the DNS without blocking the service.

Heaven forbid they use dynamic IP/port allocations too...

j / k navigate · click thread line to collapse

0 comments

giobox3y ago

FWIW people (including me) already do this, but its a blunt tool and not all that effective in many cases: https://gist.github.com/ckuethe/f71185f604be9cde370e702aa179...

timbit42OP3y ago

Fine. Block that IP on every port.

giobox3y ago

Heaven forbid they use dynamic IP/port allocations too...

j / k navigate · click thread line to collapse