Most active commenters
  • EvanAnderson(4)

←back to thread

Just want simple TLS for your .internal network?

(github.com)
246 points nh2 | 11 comments | 18 Oct 24 06:10 UTC | HN request time: 0.82s | source | bottom
Show context
bluGill ◴[22 Oct 24 12:51 UTC] No.41913725[source]
Looks good, but I want to MitM my network. I want youtube.com to redirect to my internal server that only has a few approved videos. My kids do some nice piano lessons from youtube, but every time I let them they wait until I'm out of the room and then switch to something else. There are lots of other great educational videos on youtube, but also plenty to waste their time on. (I want this myself as well since I won't have ads on my internal youtube server - plus it will add an extra step and thus keep me from getting distracted to something that isn't a good use of my time to watch))
replies(3): >>41914060 #>>41914606 #>>41916523 #
1. EvanAnderson ◴[22 Oct 24 13:29 UTC] No.41914060[source]
> Looks good, but I want to MitM my network.

Increasingly that kind of requirement puts you in the same camp as oppressive nation states. Being a network operator and wanting to MitM your DNS makes you a political actor. Devices you paid for, but don't actually own, will end-run your efforts by using their own hard-coded DNS servers. (See https://pc.nanog.org/static/published/meetings/NANOG77/2033/...)

replies(4): >>41914284 #>>41915594 #>>41916597 #>>41919020 #
2. bluGill ◴[22 Oct 24 13:53 UTC] No.41914284[source]
Fortunately I own my firewall. Though mostly I'm talking about linux machines that I own and control the software on.

Though I fully understand I'm in the same camp as oppressive nation states. But until my kids get older I'm in charge, I need to set them up for success in life, which is a complex balance of letting them have freedom without allowing them to make too many bad decisions. Not getting their homework done because they are watching videos is on bad decisions I'm trying to prevent.

replies(2): >>41915926 #>>41916070 #
3. tredre3 ◴[22 Oct 24 15:56 UTC] No.41915594[source]
> Devices you paid for, but don't actually own, will end-run your efforts by using their own hard-coded DNS servers.

Not just devices, Jetbrains software has hardcoded DNS too. I've had to resort to blocking its traffic entirely because of the sheer number of servers and ports it tries in order to work around my DNS blocking, now I allow traffic only during license/update checks. I'm sure other large vendors do something similar.

https://intellij-support.jetbrains.com/hc/en-us/community/po...

4. throwway120385 ◴[22 Oct 24 16:24 UTC] No.41915926[source]
Importantly, this is a reasonable thing to do because sites like Youtube are designed to draw their attention away from whatever important thing they're doing so that Youtube can serve them advertisements. So anyone thinking a parent trying to control what their kid watches is oppressive somehow is pretty deeply in the wrong. As a parent myself I would consider doing this to keep my son from falling into the traps that are set by giant multinational internet companies like Google to get him to form habits around Google instead of habits around what he wants or needs out of life.

So really instead of thinking about this like "parents are acting like nation states" I think it's much better to think of it like "parents are countering corporate nation states."

replies(1): >>41916006 #
5. EvanAnderson ◴[22 Oct 24 16:31 UTC] No.41916006{3}[source]
It's totally reasonable. My position is that I think network operators and owners should be able to do that they want. I was just pointing out that virtually any time a network operator or owner wants to control the traffic in their network a certain crowd comes out of the woodwork and decries abuse by bad actors.
replies(1): >>41920425 #
6. EvanAnderson ◴[22 Oct 24 16:38 UTC] No.41916070[source]
> Fortunately I own my firewall.

I was thinking more about embedded devices that people buy but don't own (Chromecast devices, "Smart" home doodads, etc). You can stick them in a VLAN and filter their access to the Internet but they're inscrutable inside and have opaque, encrypted communication with their "mother ship".

I think your goal with your kids is laudable. I do the same thing. It limits the ability to use off-the-shelf devices and software, and I'll get more flak about it as my daughter gets older and is excluded from the "social" applications that I can't allow her to use because they're closed-source and not able to be effectively filtered. I'll burn that bridge when I get there, I suppose...

7. recursive ◴[22 Oct 24 17:32 UTC] No.41916597[source]
Parents are the oppressive nation-states of their families.
8. mannyv ◴[22 Oct 24 21:40 UTC] No.41919020[source]
With mikrotik and presumably other vendors you can force dns to your dns. I do this so i can pi-hole everything and see what sneaky things devices are doing.
replies(1): >>41919816 #
9. EvanAnderson ◴[22 Oct 24 23:25 UTC] No.41919816[source]
Sort of. That doesn't help if they're doing DoH and you're unwilling to MitM all the SSL (and, if you are, then you have to worry they've pinned certs).
replies(1): >>41920310 #
10. mannyv ◴[23 Oct 24 00:37 UTC] No.41920310{3}[source]
Luckily DoH doesn't seem to be implemented by devices yet. And I could do MtM, because most devices don't really seem to verify their tls certs.

One day they will do both, but that day is probably far away.

And they are on my network, so if they don't function without their own DNS that's OK by me.

11. int_19h ◴[23 Oct 24 00:51 UTC] No.41920425{4}[source]
Size and scope matters. Large network operators that have a de facto monopoly on Internet access in many places should absolutely not be able to do what they want, but this is a function of their market power, not something inherent to any network operator.