- cross-posted to:
- technology@lemmy.ml
- cross-posted to:
- technology@lemmy.ml
cross-posted from: https://programming.dev/post/37646129
Source: Reddit post— Private front-end.
Samsung Statement to Android Authority:
Samsung is committed to innovation and enhancing every day value for our home appliance customers. As part of our ongoing efforts to strengthen that value, we are conducting a pilot program to offer promotions and curated advertisements on certain Samsung Family Hub refrigerator models in the U.S. market.
As a part of this pilot program, Family Hub refrigerators in the U.S. will receive an over-the-network (OTN) software update with Terms of Service (T&C) and Privacy Notice (PN). Advertising will appear on certain Family Hub refrigerator Cover Screens. The Cover Screen appears when a Family Hub screen is idle. Ad design format may change depending on Family Hub personalization options for the Cover Screen, and advertising will not appear when Cover Screen displays Art Mode or picture albums.
Advertisements can be dismissed on the Cover Screens where ads are shown, meaning that specific ads will not appear again during the campaign period.
I wonder how much longer that will work. DNS over HTTPS is now a thing and totally defeats the mechanism of a pihole.
I’m speculating, but it wouldn’t change a thing. You would still need to request domain addresses from a server somewhere, but traffic between your device and server would be encrypted in transit. The DNS server would also be verifiable to prevent imitators.
So, the request would go to the PiHole and if it was not being filtered the PiHole would make the request of whatever upstream server is configured same as before.
the difference is that it’s very hard to block doh connections because it looks like web/API traffic. and if you don’t block it, it will work around your pihole without you noticing. pihole only works if your devices actually use it without evading it, or if you can firce them to do so. doh is not used for connecting to pihole, it does not even support it.
Maybe block the DoH endpoint and in theory the device might fall back to normal DNS, dunno if that would work.
and also block outgoing connections to port 53 when it’s not the pihole device’s allowed IP
VPN running on a WRT router? I know very little about this stuff I just know the buzzwords for street cred.
Pihole’s act as a DNS or “Dynamic Name Server”. All internet traffic is IP based once it leaves your home because routers dont know how to forward traffic for “https://samsung-ad-hell.com/”, so there is a dedicated kind of packet for “Where is https://samsung-ad-hell.com/ located?” and that is a DNS Lookup. The Pihole pretends to know because it maintains a list of bad urls that host websites that only support privacy exploitation and advertisements and tells them “oh you want to go to 0.0.0.0, that’s where you’ll find your stuff” as it snickers.
But DNS Lookups were always plain text. When your laptop says “Where is https://big-booties.com/” your ISP knows you want porn. Now there is a new variant called “Secure DNS Lookup” which encrypts the url you’re asking about. The ISP knows you’re asking for a domain’s IP, but it can’t know which one and it no longer cares. Neat.
The trouble is that the Pi-Hole can no longer protect us from all the stupid fucking smart devices that want to earn a fraction of a penny per device by spying on us because THEY use the new Secure DNS Lookup.
It’s not a huge issue, you need a DoH resolver now (e.g. your browser which has a secure connection to a secure DNS server) which cannot block <script> from requesting the ad, but can definitely block <script> from displaying it once the domain resolves.
Extra overhead though, agreed
Wow really? I was under the impression that the SSL part would prevent the pihole from being able to spoof itself as a legitimate DNS
Not to be pedantic, but a pihole is legitimate DNS. Being able to do your own DNS has always been a fundamental part of the Internet Protocol, and is used a lot in enterprise to handle name resolution for internal subnets and stuff like that.
Being pedantic is totally OK here - we’re talking about SSL’s spoof protection. I’ll have to look up how any rando can host a DNS that supports DNS/HTTPS when a system would be expecting a valid SSL cert that declares who it was issued to and by whom and the requester is expecting a particular whom.
unbound, bind, or if you want a gui then technitium DNS.
but this thread is so, so full of misinfo. you don’t need a local doh capable DNS server at home. having one won’t solve anything either, because your advertising fridge won’t be using it. that’s the actual problem. you need to block any doh servers that the fridge might access (and regular DNS servers too), so that it doesn’t have a choice but respect your pihole, but that is very difficult because doh traffic looks like regular web traffic (because it is). yeah the fridge does not need to load websites, but it does all its questionably useful functions through HTTPS APIs too, so if you want to give it internet, you can’t just block web traffic for it.
SSL operates after name resolution. It’s one way that information about your browsing habits is not protected by application-layer encryption; the domains you’re visiting are available to your DNS server.
Unless you’re using DNS over TLS!
Or DNS over https, but that’s kind of gross.
No, you misunderstood the parent comment. Your connection to the DNS server being encrypted doesn’t change the fact that the DNS server knows the domains you are resolving
Interesting… Well, this prompted me to search what Pi-Hole has done for this, and they seem to have a way to continue blocking even DoH, using “cloudfared”, which is another daemon that needs to run with Pi-Hole… They can’t possibly think their enshittification will continue to work.
Me yelling “enhance” at my router so it blocks ads better
I can tell you didn’t read the manual because it obviously states that you have to be staring over the top of sunglasses for that configuration option to work.