1183 points robenkleene | 1 comments
paranorman No.24838948
That’s annoying yet pretty predictable; at least we’ve still got https://pi-hole.net/ as an option until DNS encryption becomes widespread :/
buzzerbetrayed No.24839196
Not a pi-hole user, but what is the plan for pi-hole once encrypted dns is everywhere? Will it just be dead? I can’t really think of a way for it not to be.
Skunkleton No.24839349
DoT isn't a big problem for a pihole, but it doesn't look like things are going that way. DoH can only be blocked by a mitm proxy. You would have to take a pretty serious security hit to do something like that with a pihole.
OJFord No.24839429
Wouldn't pi-hole be the 'resolver' the other end of the request, the party it's encrypted for?

Sure, Apple (or whoever) could just bypass it and use something specific, but can already just use an IP, no DNS anyway?

Macha No.24839813
My understanding is the concern would be that closed source applications would use a hardcoded DoH resolver and pinned certs to bypass any unwanted blocks of ads/telemetry which could only be resolved with decompilation and patching with varying degrees of difficulty.
ardy42 No.24842196
> My understanding is the concern would be that closed source applications would use a hardcoded DoH resolver and pinned certs to bypass any unwanted blocks of ads/telemetry which could only be resolved with decompilation and patching with varying degrees of difficulty.

IIRC, the vision with DoH is that eventually even browsers would do DNS as part of a bunch of pipelined HTTP requests. So you call up https://www.example.com/page.html and www.example.com resolves img.example.com for you since it's used on the page. The downside is www.example.com could also resolve tracker.adnetwork.com for you, too.

IIRC, DoH is there to defeat MITM attacks, but stuff like Pi-Hole is basically a MITM attack, so it's kinda collateral damage.

I bet network-level ad-blocking will eventually have to evolve into literal firewall rules on the gateway.