Privacy

39123 readers

515 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

DNS Black-holing w/ DNS over TLS - Personal Privacy Part 1 (lemmy.ml)

submitted 18 hours ago by relic4322@lemmy.ml to c/privacy@lemmy.ml

10 comments fedilink hide all child comments

So DNS Black-holing is not new obviously, and what stands out as the go to solution? Pihole probably... and yeah thats what im using because hey its a popular choice. Though I am running it in docker. Combining that with Unbound (also in docker), and configuring outbound DNS to use DNS over TLS, with a few additional minor tweaks, but otherwise mostly standard configuration on both.

Wondering what you guys might be using, and if you are using Pihole and/or Unbound if you have any tips on configuration.

Happy to share my config if there is interest.

you are viewing a single comment's thread
view the rest of the comments

[–] Album@lemmy.ca 2 points 8 hours ago* (last edited 8 hours ago)

Wrt lan deny all for the fam, it's mostly hard on gamers cuz games tend to use wide port ranges and outbound IPs are potentially home isp networks not the game servers. But yeah it takes some time and research to really lock it down.

Most stuff is running through web protocols though. So right off the bat you create allow rules for any LAN device to hit ports: 80, 8080, 443, 8443 which are your common http and https ports. That's gonna get most ppl what they need.

I do ASN based allows for certain applications like Google, Facebook, etc.

For consoles they're pretty locked down so just give them full allow to the Internet. I don't do that actually but it's probably the better way.

IOT devices get only the ports they need to the IPs they need.

when you said you are using unbound instead of using DoT forwarding, you mean instead of allowing clients to DoT forward, right?

No I mean my unbound resolves DNS for something like microsoft.com all by itself. It calls up the root name servers, finds the com nameservers, then asks the com nameservers for Microsoft. And for any subdomains it asks the MS name servers. This is instead of relying on external forwarding services like 8.8.8.8 or 1.1.1.1 or quad 9 or whatever. At least the former two are sure to be aggregating this data.

Additionally I do not allow devices on my network to reach out to external port 53, or 853 to circumvent lookups on my unbound by reaching out directly, which would then bypass the DNSBL. Anything for port 53 gets NAT'd to the unbound server. You can't redirect TLS attempts so those get hard blocked.

Curious to your IDS solution

Securicata is what opnsense uses. Pretty easy to set up.