Privacy

39084 readers

411 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

DNS Black-holing w/ DNS over TLS - Personal Privacy Part 1 (lemmy.ml)

submitted 8 hours ago by relic4322@lemmy.ml to c/privacy@lemmy.ml

7 comments fedilink hide all child comments

So DNS Black-holing is not new obviously, and what stands out as the go to solution? Pihole probably... and yeah thats what im using because hey its a popular choice. Though I am running it in docker. Combining that with Unbound (also in docker), and configuring outbound DNS to use DNS over TLS, with a few additional minor tweaks, but otherwise mostly standard configuration on both.

Wondering what you guys might be using, and if you are using Pihole and/or Unbound if you have any tips on configuration.

Happy to share my config if there is interest.

top 7 comments

sorted by: hot top controversial new old

[–] upstroke4448@lemmy.dbzer0.com 2 points 2 hours ago

Out of curiosity, why did you decide on DoT instead of DoH (DNS over HTTPS)?

[–] irotsoma@lemmy.blahaj.zone 2 points 6 hours ago* (last edited 6 hours ago) (1 children)

Unbound on the router which connects upstream with DNS over TLS. Ports 53 and 853 are NATed to the piole and several other DNS servers like Google's are blocked so devices can't bypass the pinhole very easily. This is only on my primary VLAN. Other VLANs are given the Unbound DNS by default but are allowed to bypass if they insist. I have one VLAN for guests and one for trusted devices in addition to the primary one.

[–] relic4322@lemmy.ml 1 points 6 hours ago

In my particular setup, I have an additional constraint and that is that my network has to be designed for portability and travel. Not that it affects your design per say. Thank you for the response. Just something that occurred to me that I hadnt mentioned.

I am living a transient life at the moment. So lots of virtualization and lack of control concerning the WAP and such.

I do like your set up btw.

[–] Album@lemmy.ca 3 points 7 hours ago (1 children)

I have an n100 box that I put opnsense on for routing, firewall, DHCP, DNS and IDS. It uses unbound for DNS and so I'm leveraging the blocklist functionality in unbound. And then I use unbound to resolve instead of using DoT forwarding.

Dnsbl is only a small component of effective network security. Arguably the firewall is most important and so I have a default deny all for any device on my LAN trying to reach the Internet.

All applications need specific allows. Thus internally no device can use dns over tls because 853 is blocked by default. Then I use a DNSBL to catch known DoH by domain since the cert is provided by domain name.

[–] relic4322@lemmy.ml 0 points 7 hours ago

"Dnsbl is only a small component of effective network security. Arguably the firewall is most important and so I have a default deny all for any device on my LAN trying to reach the Internet." 100%, I decided to break up my posts into sub components of the total stack, but to your point currently im enforcing a deny all inbound and outbound at the host level, as the network is shared with the fam and they are not ready for that level of learning (pain, lol)

I just learned about unbound, didnt realize it had a blocklist capability so thats great to know. Gotta dig into it.

I like that last bit, blocking DoT except for the one approved path. Much like TLS 1.3 it offers insider threat protection against inspection. So with that in mind when you said you are using unbound instead of using DoT forwarding, you mean instead of allowing clients to DoT forward, right? Thats what I am doing now as well, though I am not actively blocking it yet. Just currently enabling and testing feasibility on a single host to see the performance and operational impacts of privacy/security implementations.

Curious to your IDS solution, I gotta dig into opnsense. I know about it, its been around a long time, but havent touched it in so long I cant remember its capabilities.

[–] Darkassassin07@lemmy.ca 2 points 7 hours ago (1 children)

I use cloudflared to translate DNS into DNS over TLS instead of Unbound to make it into recursive DNS. Just never really seen the need to switch it. I'm happy with nextDNS + Cloudflare resolving DNS upstream.

The main thing I wanted to note is port 53 outbound is blocked at the router to prevent devices from using external/unencrypted DNS. If a LAN device wants DNS resolution they MUST use the LAN DNS servers they were given via DHCP, or use their own DoT config, as plain DNS won't make it out of the network.

It's because of this block/enforcement that I run two local DNS servers: pihole on an RPI and a mirror on my main server tower, with Galaxy-Sync keeping them identical. If I tinker with/update one, the other picks up the slack so connectivity/resolution isn't disrupted.

[–] relic4322@lemmy.ml 1 points 7 hours ago

Yeah, I am pretty close to that, the pihole to unbound, unbound DoT to cloudflare. What I am doing at this point is bypassing the DNS to ISP, but as I stated in my response above, not yet blocking everything on the net from using the regular stuff. Just feasibility testing at the moment.

Love the dual setup for DNS. I set my primary to this and my secondary to just cloudflare at them moment for when I bork my primary DNS will fidgeting with it, haha.