Most active commenters
  • (3)

←back to thread

Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

(twitter.com)
1183 points robenkleene | 37 comments | 20 Oct 20 15:51 UTC | HN request time: 1.273s | source | bottom
1. paranorman ◴[20 Oct 20 16:02 UTC] No.24838948[source]
That’s annoying yet pretty predictable, at least we’ve still got https://pi-hole.net/ as an option until DNS encryption becomes widespread :/
replies(4): >>24839196 #>>24839381 #>>24840498 #>>24842893 #
2. buzzerbetrayed ◴[20 Oct 20 16:21 UTC] No.24839196[source]
Not a pi-hole user, but what is the plan for pi-hole once encrypted dns is everywhere? Will it just be dead? I can’t really think of a way for it not to be.
replies(7): >>24839311 #>>24839340 #>>24839349 #>>24839493 #>>24839565 #>>24840121 #>>24841388 #
3. blacksmith_tb ◴[20 Oct 20 16:28 UTC] No.24839311[source]
Couldn't you host pi-hole on a cheap VM and set it to be your DNS-over-TLS / DNS-over-HTTPS endpoint?
replies(1): >>24839365 #
4. 0xCMP ◴[20 Oct 20 16:30 UTC] No.24839340[source]
You can always reconfigure your DNS. It's important feature so unlikely they'll get rid of that.
5. Skunkleton ◴[20 Oct 20 16:30 UTC] No.24839349[source]
DoT isn't a big problem for a pihole, but it doesn't look like things are going that way. DoH can only be blocked by a mitm proxy. You would have to take a pretty serious security hit to do something like that with a pihole.
replies(3): >>24839429 #>>24840326 #>>24840851 #
6. Skunkleton ◴[20 Oct 20 16:31 UTC] No.24839365{3}[source]
This assumes that your software is doing what you asked it to do, not what some bigco or malware wanted it to do.
replies(2): >>24839572 #>>24839696 #
7. anonymousisme ◴[20 Oct 20 16:33 UTC] No.24839381[source]
I don't see how pi-hole get affected by DNS via https, unless you are leaving out the part about computers, tablets, and phones using hard-coded DNS servers that use DNS via https. This is a trend, but a very small one right now.
replies(2): >>24839510 #>>24839529 #
8. OJFord ◴[20 Oct 20 16:37 UTC] No.24839429{3}[source]
Wouldn't pi-hole be the 'resolver' the other end of the request, the party it's encrypted for?

Sure, Apple (or whoever) could just bypass it and use something specific, but can already just use an IP, no DNS anyway?

replies(1): >>24839813 #
9. dwrodri ◴[20 Oct 20 16:41 UTC] No.24839493[source]
The pi-hole software turns the Raspberry Pi into a DNS server, so you can point your own DNS server (i.e. the raspberry pi) at the DNS provider of your choosing so that it can resolve uncached queries.

I don't think encryption matters because you control the sender (your PC), the first hop (the pi-hole), and the next resolution destination (Cloudflare/Quad9/Google/OpenDNS/etc.).

replies(1): >>24841180 #
10. throwaway2048 ◴[20 Oct 20 16:42 UTC] No.24839510[source]
You are confusing DNSSEC and DoT/DoH, DNSSEC is not encrypted.
11. fanf2 ◴[20 Oct 20 16:44 UTC] No.24839529[source]
DNSSEC does not do encryption: DNSSEC is about data origin authentication. Encrypted DNS is DoT or DoH, DNS-over-TLS or DNS-over-HTTPS (and maybe in the future DoQ, DNS-over-QUIC)
replies(1): >>24840240 #
12. skykooler ◴[20 Oct 20 16:47 UTC] No.24839565[source]
You could have it spoof the keys and add its keys to your OS's key store.
replies(1): >>24839886 #
13. silon42 ◴[20 Oct 20 16:48 UTC] No.24839572{4}[source]
firewall anything that doesn't go through your DNS server... at least thay way the malware will be obviously detectable.
replies(1): >>24840148 #
14. goatinaboat ◴[20 Oct 20 16:56 UTC] No.24839696{4}[source]
If I remember correctly Chrome already ignores your DNS and does it’s own over HTTPS.
replies(1): >>24840378 #
15. Macha ◴[20 Oct 20 17:06 UTC] No.24839813{4}[source]
My understanding is the concern would be that closed source applications would use a hardcoded DoH resolver and pinned certs to bypass any unwanted blocks of ads/telemetry which could only be resolved with decompilation and patching with varying degrees of difficulty.
replies(3): >>24840560 #>>24842196 #>>24847143 #
16. layoutIfNeeded ◴[20 Oct 20 17:12 UTC] No.24839886{3}[source]
>add its keys to your OS's key store

What key store? User-hostile apps (like Chrome) already use their own key store because they know better than the user :^)

17. Spivak ◴[20 Oct 20 17:31 UTC] No.24840121[source]
You use your pi-hole as your encrypted DNS provider?
replies(1): >>24844229 #
18. Spivak ◴[20 Oct 20 17:34 UTC] No.24840148{5}[source]
But DoH is just any other HTTP request. This is the downside of networks blocking everything except 80/443 outbound and browsers not supporting SRV records.
19. anonymousisme ◴[20 Oct 20 17:41 UTC] No.24840240{3}[source]
Of course. I knew what I meant, but used the wrong word.
20. MrMorden ◴[20 Oct 20 17:49 UTC] No.24840326{3}[source]
Whitelisting would make it much more difficult for wildcat DoH. On the gripping hand, whitelisting is extremely annoying and tends to block more work-related-and-useful than software that is actually malicious.
21. Xylakant ◴[20 Oct 20 17:53 UTC] No.24840378{5}[source]
I think you're misremembering. This is the most official documentation of the rollout plan for DoH that I can quickly ddg: https://www.chromium.org/developers/dns-over-https - in a gist: If the systems resolver is known to support DoH, the DNS query will get upgraded to DoH. That means chrome will still be using the configured systems resolver, but the connection will be encrypted.

I think you're remembering what firefox is rolling out: Firefox will by default, if DoH is enabled for your country by default use a specific provider that subjects to additional privacy controls. However, firefox respects network level settings (for example a specific canary domain that should resolve) and will disable DoH, even if the default is enabled - unless again, the user has overwritten that in a setting. That means that the network owner is still in full control of the network-wide default and PiHole supports this approach. So a stock firefox in a network that uses pi-hole will not use DoH.

replies(1): >>24841319 #
22. m463 ◴[20 Oct 20 18:04 UTC] No.24840498[source]
Easy to bypass. Apple will just talk directly to 17.x.y.z or akamai.
23. gsnedders ◴[20 Oct 20 18:09 UTC] No.24840560{5}[source]
Is this much more of a concern than closed source applications that use open DNS but use pinned certs to connect to the resolved host?
24. ◴[20 Oct 20 18:36 UTC] No.24840851{3}[source]
25. novok ◴[20 Oct 20 19:05 UTC] No.24841180{3}[source]
He is referring to the fact that apps will start ignoring local network DNS config and directly talk to their own hard coded DNS IPs.

I'm guessing the solution to that is to firewall various DNS IPs to force the app to use your local DNS. I could forsee apps going to random IPs for DNS and making it look like https, which will be hard to deal with.

replies(1): >>24841532 #
26. goatinaboat ◴[20 Oct 20 19:19 UTC] No.24841319{6}[source]
Thanks for clarifying that!
27. rsync ◴[20 Oct 20 19:25 UTC] No.24841388[source]
Here is what I did ...

First, I created my own recursive resolver in the cloud using 'unbound'. You can do this quickly and easily with an EC2 instance or whatever (mine is a FreeBSD jail on my own server).

Second, I got a paid nextdns.io account and enabled the basic blocklists which are, essentially, the same as ublock origin would have locally.

Third, I set my recursive resolver to use the nextdns.io endpoint as its upstream source of DNS.

Finally, I set all of my networks to assign my personal DNS server (and no others) for all DHCP requests and I hardcoded it into my own machines.

So now I control my own dns, globally, and my upstream source of name resolution is "sanitized". Theoretically, I could just remove ublock origin from my browsers now ...

Then I

replies(1): >>24841634 #
28. toast0 ◴[20 Oct 20 19:37 UTC] No.24841532{4}[source]
> I could forsee apps going to random IPs for DNS and making it look like https, which will be hard to deal with.

DoH isn't really going to look like https, the requests and responses are going to be too small.

If you're serious about it, you don't allow any random IP connections, only allow connections to IPs that were received by DNS, and only return proxy addresses that you NAT to the real thing. It's more work, but it's still trivial.

replies(1): >>24841703 #
29. ignoramous ◴[20 Oct 20 19:47 UTC] No.24841634{3}[source]
> Third, I set my recursive resolver to use the nextdns.io endpoint as its upstream source of DNS.

Doesn't that relegate your recursive resolver to a stub?

You could run pi-hole on fly.io for free if DoT/DoH is all you need: https://fly.io/blog/stuff-your-pi-hole-from-anywhere/

I run a public DoH resolver with 170+ blocklists on Cloudflare Workers. Might open source it soon.

replies(1): >>24842239 #
30. ignoramous ◴[20 Oct 20 19:54 UTC] No.24841703{5}[source]
> ...only allow connections to IPs that were received by DNS

Works for a home / office setup. I think the main use of DoH is circumventing government enforced censorships, to an extent that it can.

For ISPs to use "packet sizes" they'd need to run stateful firewalls at scale, which is unheard of, and possibly very expensive to run at that scale.

31. ardy42 ◴[20 Oct 20 20:45 UTC] No.24842196{5}[source]
> My understanding is the concern would be that closed source applications would use a hardcoded DoH resolver and pinned certs to bypass any unwanted blocks of ads/telemetry which could only be resolved with decompilation and patching with varying degrees of difficulty.

IIRC, the vision with DoH is that eventually even browsers would do DNS as part of a bunch of pipelined HTTP requests. So you call up https://www.example.com/page.html and www.example.com resolves img.example.com for you since it's used on the page. The downside is www.example.com could also resolve tracker.adnetwork.com for you, too.

IIRC, DoH is there to defeat MITM attacks, but stuff like Pi-Hole is basically a MITM attack, so it's kinda collateral damage.

I bet network-level ad-blocking will eventually have to evolve into literal firewall rules on the gateway.

32. dhaavi ◴[20 Oct 20 20:49 UTC] No.24842239{4}[source]
Nice. Do you have any more info on that resolver of yours?
replies(2): >>24845026 #>>24847283 #
33. heavyset_go ◴[20 Oct 20 22:17 UTC] No.24842893[source]
I've been using network-level ad blocking with software like Pi Hole for a while now.

According to the stats, about a year ago, I used to block around ~40% of traffic via DNS. Recently, it's only about ~10% of traffic that gets blocked.

Despite disabling application-level DoH in favor of network-level DoH on every device and app I could, I suspect streaming devices and various Android apps are using DoH at the application-level and are bypassing my DNS entirely.

34. buzzerbetrayed ◴[21 Oct 20 02:16 UTC] No.24844229{3}[source]
> Not a pi-hole user
35. ◴[21 Oct 20 05:33 UTC] No.24845026{5}[source]
36. OJFord ◴[21 Oct 20 12:35 UTC] No.24847143{5}[source]
Sure, but if you're worried about them using a specific DNS, aren't you already worried about them not using DNS; resolving `phonehome.evil.co` once per release and shipping the baked-in IP? Stops working if it can't reach that IP, 'xx needs to update', gets new IP?
37. ◴[21 Oct 20 12:49 UTC] No.24847283{5}[source]