←back to thread

Apple's apps bypass firewalls like LittleSnitch and LuLu on macOS Big Sur

(twitter.com)
1183 points robenkleene | 1 comments | 20 Oct 20 15:51 UTC | HN request time: 0s | source
Show context
paranorman ◴[20 Oct 20 16:02 UTC] No.24838948[source]
That’s annoying yet pretty predictable, at least we’ve still got https://pi-hole.net/ as an option until DNS encryption becomes widespread :/
replies(4): >>24839196 #>>24839381 #>>24840498 #>>24842893 #
buzzerbetrayed ◴[20 Oct 20 16:21 UTC] No.24839196[source]
Not a pi-hole user, but what is the plan for pi-hole once encrypted dns is everywhere? Will it just be dead? I can’t really think of a way for it not to be.
replies(7): >>24839311 #>>24839340 #>>24839349 #>>24839493 #>>24839565 #>>24840121 #>>24841388 #
Skunkleton ◴[20 Oct 20 16:30 UTC] No.24839349[source]
DoT isn't a big problem for a pihole, but it doesn't look like things are going that way. DoH can only be blocked by a mitm proxy. You would have to take a pretty serious security hit to do something like that with a pihole.
replies(3): >>24839429 #>>24840326 #>>24840851 #
OJFord ◴[20 Oct 20 16:37 UTC] No.24839429[source]
Wouldn't pi-hole be the 'resolver' the other end of the request, the party it's encrypted for?

Sure, Apple (or whoever) could just bypass it and use something specific, but can already just use an IP, no DNS anyway?

replies(1): >>24839813 #
Macha ◴[20 Oct 20 17:06 UTC] No.24839813[source]
My understanding is the concern would be that closed source applications would use a hardcoded DoH resolver and pinned certs to bypass any unwanted blocks of ads/telemetry which could only be resolved with decompilation and patching with varying degrees of difficulty.
replies(3): >>24840560 #>>24842196 #>>24847143 #
1. OJFord ◴[21 Oct 20 12:35 UTC] No.24847143[source]
Sure, but if you're worried about them using a specific DNS, aren't you already worried about them not using DNS; resolving `phonehome.evil.co` once per release and shipping the baked-in IP? Stops working if it can't reach that IP, 'xx needs to update', gets new IP?