1957 points apokryptein | 14 comments
1. anurag ◴[] No.42911300[source]
I'm a very happy paying customer of NextDNS (https://nextdns.io) which blocks known adware and tracking hosts across all mobile and desktop platforms.
replies(2): >>42911516 #>>42911631 #
2. nickburns ◴[] No.42911516[source]
Which does absolutely nothing if your device or the app in question is permitted or otherwise not prevented from making DNS-over-HTTPS (or, less commonly because of its discrete port, DNS-over-TLS) queries.
replies(1): >>42912721 #
3. Argonaut998 ◴[] No.42911631[source]
Facebook hard-code IP addresses when their domains are blocked. I found this out while using NextDNS alongside that logging functionality that iPhones have. It’s insane the lengths that they go to.
replies(3): >>42911745 #>>42911925 #>>42914216 #
4. ssklash ◴[] No.42911745[source]
It's not insane at all. It is the entirety of their business model, so it makes sense that they will do everything possible to keep that sweet surveillance cash flowing.
5. ornornor ◴[] No.42911925[source]
One more reason I don’t use Facebook and will never install their app on my phone.
6. madeofpalk ◴[] No.42912721[source]
Don't all the ad-blocking DNS providers also support DNS-over-HTTPS now as well? I use it with AdGuard Home, and I saw PiHole supports it as well.
replies(1): >>42912817 #
7. nickburns ◴[] No.42912817{3}[source]
I'm referring to devices and apps that are 'hard-coded' to query specific DoH servers/providers, therefore bypassing, and operating regardless of, any user-configured DNS server(s). And because DoH operates on outbound TCP/443, the lookups are indistinguishable from any other 'web' traffic.

Even some of the most popular desktop web browsers are configured to utilize DoH by default nowadays.

The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers and NAT all outbound 53 (and 853) traffic to a desired resolver (like a local Pi-hole instance, for example).

replies(1): >>42914205 #
8. ignoramous ◴[] No.42914205{4}[source]
> The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers ...

A firewall (which must also host a resolver) can choose to block requests to IPs it hasn't resolved domain names for.

This is something I implemented for an Android firewall app I co-develop; it works nicely enough.

replies(2): >>42914721 #>>42914859 #
9. ignoramous ◴[] No.42914216[source]
> Facebook hard-code IP addresses when their domains are blocked

Sounds like an anti-censorship or a generic connectivity robustness feature [0]? WhatsApp and Instagram do this, too.

[0] https://news.ycombinator.com/item?id=41959945

10. nickburns ◴[] No.42914721{5}[source]
> A firewall (which must also host a resolver)

Is that true? Per what spec are you referring to?
replies(1): >>42923621 #
11. sriacha ◴[] No.42914859{5}[source]
what app?
replies(1): >>42918119 #
12. ignoramous ◴[] No.42918119{6}[source]
https://github.com/celzero/rethink-app
13. Zak ◴[] No.42923621{6}[source]
ignoramous probably meant that in order to block access to all IP addresses that it has not recently resolved, the firewall must also host or communicate closely with a resolver. This is a tautology, not a spec.
replies(1): >>42925094 #
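The mechanism ignoramous and Zak are describing, as an added illustration that is not code from the thread or from rethink-app: the resolver records every answer it hands out, and the egress policy only admits flows to destinations in that table, so hard-coded IPs and answers fetched over a bypassing DoH/DoT channel are refused. The local resolver address, TTL grace period and all addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.1")  # constructed: the on-network Pi-hole/resolver
GRACE_SECONDS = 30  # keep answers slightly past their TTL so long-lived sockets are not cut mid-flow


@dataclass
class Decision:
    verdict: str  # "allow" or "block"
    reason: str


class DnsCorrelatedFirewall:
    """Egress policy that only admits flows to IPs the local resolver recently answered with.
    Hard-coded IPs and answers obtained through a bypassing DoH/DoT resolver never pass
    through the local resolver, so they are absent from the table and get blocked."""

    def __init__(self):
        self.resolved = {}  # ip -> (expiry_time, queried name)

    def record_answer(self, name, ip, ttl, now):
        """Called by the resolver for every A/AAAA record it returns to a client."""
        self.resolved[ipaddress.ip_address(ip)] = (now + ttl + GRACE_SECONDS, name)

    def decide(self, dst_ip, dst_port, now):
        addr = ipaddress.ip_address(dst_ip)
        if addr == LOCAL_RESOLVER:
            return Decision("allow", "local-resolver")
        # Plain DNS (53) and DoT (853) to anything but the local resolver is a bypass attempt.
        if dst_port in (53, 853):
            return Decision("block", "direct-dns-bypass")
        entry = self.resolved.get(addr)
        if entry is None:
            return Decision("block", "never-resolved")  # hard-coded IP or DoH-fetched answer
        expiry, name = entry
        if now > expiry:
            return Decision("block", f"stale-answer:{name}")
        return Decision("allow", f"resolved:{name}")


def demo():
    """Constructed scenario: one legitimate lookup, then a mix of flows."""
    fw = DnsCorrelatedFirewall()
    fw.record_answer("example.com", "203.0.113.10", ttl=60, now=1000)
    return [
        fw.decide("203.0.113.10", 443, now=1010),  # resolved via the local resolver
        fw.decide("198.51.100.7", 443, now=1010),  # hard-coded IP, never looked up locally
        fw.decide("203.0.113.10", 443, now=1200),  # TTL plus grace has elapsed
        fw.decide("198.51.100.53", 53, now=1010),  # plain DNS to a foreign resolver
        fw.decide("192.168.1.1", 53, now=1010),    # plain DNS to the local resolver
    ]
```

A DoH server whose hostname the client did resolve through the local resolver still ends up in the table, so this check complements, rather than replaces, the DoH-server IP blocklist nickburns mentions.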
14. nickburns ◴[] No.42925094{7}[source]
Ah, I definitely misread. Thanks!