←back to thread

Everyone knows your location: tracking myself down through in-app ads

(timsh.org)
1957 points apokryptein | 3 comments | 02 Feb 25 17:07 UTC | HN request time: 0.629s | source
Show context
anurag ◴[02 Feb 25 20:04 UTC] No.42911300[source]
I'm a very happy paying customer of NextDNS (https://nextdns.io) which blocks known adware and tracking hosts across all mobile and desktop platforms.
replies(2): >>42911516 #>>42911631 #
nickburns ◴[02 Feb 25 20:32 UTC] No.42911516[source]
Which does absolutely nothing if your device or the app in question is permitted or otherwise not prevented from making DNS-over-HTTPS (or, less commonly because of its discrete port, DNS-over-TLS) queries.
replies(1): >>42912721 #
madeofpalk ◴[02 Feb 25 22:53 UTC] No.42912721[source]
Don't all the ad-blocking DNS providers also support DNS-over-HTTPS now as well? I use it with AdGuard Home, and I saw PiHole supports it as well.
replies(1): >>42912817 #
nickburns ◴[02 Feb 25 23:05 UTC] No.42912817[source]
I'm referring to devices and apps that are 'hard-coded' to query specific DoH servers/providers, therefore bypassing and regardless of any user-configured DNS server/s. And because DoH operates on outbound TCP/443, the lookups are indistinguishable from any other 'web' traffic.

Even some of the most popular desktop web browsers are configured to utilize DoH by default nowadays.

The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers and NAT all outbound 53 (and 853) traffic to a desired resolver (like a local Pi-hole instance, for example).

replies(1): >>42914205 #
ignoramous ◴[03 Feb 25 02:15 UTC] No.42914205[source]
> The most that a network administrator can do to prevent this is configure firewall IP blocklists of known DoH servers ...

A firewall (which must also host a resolver) can choose to block requests to IPs it hasn't resolved domain names for.

This is something I implemented for an Android firewall app I co-develop; it works nicely enough.

replies(2): >>42914721 #>>42914859 #
1. nickburns ◴[03 Feb 25 03:46 UTC] No.42914721[source]

  A firewall (which must also host a resolver)
Is that true? Per what spec are you referring to?
replies(1): >>42923621 #
2. Zak ◴[03 Feb 25 21:43 UTC] No.42923621[source]
ignoramous probably meant that in order to block access to all IP addresses that it has not recently resolved, the firewall must also host or communicate closely with a resolver. This is a tautology, not a spec.
replies(1): >>42925094 #
3. nickburns ◴[03 Feb 25 23:49 UTC] No.42925094[source]
Ah, I definitely misread. Thanks!