1183 points robenkleene | 3 comments
paranorman ◴[] No.24838948[source]
That’s annoying yet pretty predictable, at least we’ve still got https://pi-hole.net/ as an option until DNS encryption becomes widespread :/
replies(4): >>24839196 #>>24839381 #>>24840498 #>>24842893 #
buzzerbetrayed ◴[] No.24839196[source]
Not a pi-hole user, but what is the plan for pi-hole once encrypted DNS is everywhere? Will it just be dead? I can’t really think of a way for it not to be.
replies(7): >>24839311 #>>24839340 #>>24839349 #>>24839493 #>>24839565 #>>24840121 #>>24841388 #
blacksmith_tb ◴[] No.24839311[source]
Couldn't you host pi-hole on a cheap VM and set it to be your DNS-over-TLS / DNS-over-HTTPS endpoint?
replies(1): >>24839365 #
Skunkleton ◴[] No.24839365{3}[source]
This assumes that your software is doing what you asked it to do, not what some bigco or malware wanted it to do.
replies(2): >>24839572 #>>24839696 #
1. goatinaboat ◴[] No.24839696{4}[source]
If I remember correctly, Chrome already ignores your DNS and does its own over HTTPS.
replies(1): >>24840378 #
2. Xylakant ◴[] No.24840378[source]
I think you're misremembering. This is the most official documentation of the rollout plan for DoH that I can quickly ddg: https://www.chromium.org/developers/dns-over-https - in a gist: If the system's resolver is known to support DoH, the DNS query will get upgraded to DoH. That means Chrome will still be using the configured system resolver, but the connection will be encrypted.

I think you're remembering what Firefox is rolling out: Firefox will by default, if DoH is enabled for your country by default, use a specific provider that is subject to additional privacy controls. However, Firefox respects network-level settings (for example a specific canary domain that should resolve) and will disable DoH, even if the default is enabled - unless, again, the user has overwritten that in a setting. That means that the network owner is still in full control of the network-wide default, and Pi-hole supports this approach. So a stock Firefox in a network that uses Pi-hole will not use DoH.

replies(1): >>24841319 #
3. goatinaboat ◴[] No.24841319[source]
Thanks for clarifying that!