←back to thread

Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

(twitter.com)
1183 points robenkleene | 1 comments | 20 Oct 20 15:51 UTC | HN request time: 0.001s | source
Show context
paranorman ◴[20 Oct 20 16:02 UTC] No.24838948[source]
That’s annoying yet pretty predictable, at least we’ve still got https://pi-hole.net/ as an option until DNS encryption becomes widespread :/
replies(4): >>24839196 #>>24839381 #>>24840498 #>>24842893 #
buzzerbetrayed ◴[20 Oct 20 16:21 UTC] No.24839196[source]
Not a pi-hole user, but what is the plan for pi-hole once encrypted dns is everywhere? Will it just be dead? I can’t really think of a way for it not to be.
replies(7): >>24839311 #>>24839340 #>>24839349 #>>24839493 #>>24839565 #>>24840121 #>>24841388 #
dwrodri ◴[20 Oct 20 16:41 UTC] No.24839493[source]
The pi-hole software turns the Raspberry Pi into a DNS server, so you can point your own DNS server (i.e. the raspberry pi) at the DNS provider of your choosing so that it can resolve uncached queries.

I don't think encryption matters because you control the sender (your PC), the first hop (the pi-hole), and the next resolution destination (Cloudflare/Quad9/Google/OpenDNS/etc.).

replies(1): >>24841180 #
novok ◴[20 Oct 20 19:05 UTC] No.24841180[source]
He is referring to the fact that apps will start ignoring local network DNS config and directly talk to their own hard coded DNS IPs.

I'm guessing the solution to that is to firewall various DNS IPs to force the app to use your local DNS. I could forsee apps going to random IPs for DNS and making it look like https, which will be hard to deal with.

replies(1): >>24841532 #
toast0 ◴[20 Oct 20 19:37 UTC] No.24841532[source]
> I could forsee apps going to random IPs for DNS and making it look like https, which will be hard to deal with.

DoH isn't really going to look like https, the requests and responses are going to be too small.

If you're serious about it, you don't allow any random IP connections, only allow connections to IPs that were received by DNS, and only return proxy addresses that you NAT to the real thing. It's more work, but it's still trivial.

replies(1): >>24841703 #
1. ignoramous ◴[20 Oct 20 19:54 UTC] No.24841703{3}[source]
> ...only allow connections to IPs that were received by DNS

Works for a home / office setup. I think the main use of DoH is circumventing government enforced censorships, to an extent that it can.

For ISPs to use "packet sizes" they'd need to run stateful firewalls at scale, which is unheard of, and possibly very expensive to run at that scale.