• miss_brainfart@lemmy.ml
    link
    fedilink
    arrow-up
    46
    ·
    edit-2
    1 year ago

    Ideally you'd use both. Something like a pihole to serve as a first wall of defense for the entire network, and then additional things like uBlock Origin for any device with a browser that supports it, for some more granular control.

    I'm the kind of person who also uses the hosts file from DivestOS on my PC, because why not. Always fun to see how the pihole doesn't have to block anything on that device because of this.

    On that note, Safings' Portmaster is a nice app if you want to have a graphical overview of what's going on on a device.

    • FrostyTrichs@lemmy.world
      link
      fedilink
      arrow-up
      8
      ·
      1 year ago

      Ideally you'd use both. Something like a pihole to serve as a first wall of defense for the entire network, and then additional things like uBlock Origin for any device with a browser that supports it, for some more granular control.

      This is how I keep my home setup.

      The pihole has a fairly loose blocking setup because some people in the house need access to things that would normally get blocked and I'm not spending weeks unblocking specific things until everyone is happy.

      Behind the pihole everyone has their own suite of browser extensions and software to block what they would like at a much more personal level.

      • stifle867@programming.dev
        link
        fedilink
        arrow-up
        8
        ·
        1 year ago

        Funny (to me) story when I ran pi-hole in a house with housemates (all friends): I bought an rpi zero and installed pi-hole on it. I notified all housemates that I would be installing an adblocker on the network so if anyone has any problems with sites not working to just let me know.

        Years go by and finally the rpi zero dies which makes the internet inaccessible as the router was pointing to it. I reconfigure the network back to default in the meantime. I didn't have time to update everyone before one of my housemates made a funny comment.

        He mentions that the internet is working again! And something else, he's now able to click on Google search result ads!

        Because I don't use Google search I never realised Google ads links were being blocked, and even if I did I wouldn't have realised how common it is for people to rely on the ads!

        After some discussion with this housemate he confessed he actually likes seeing ads as it could show him stuff he wants to buy. Needless to say I didn't bother putting pi-hole back on the network.

      • miss_brainfart@lemmy.ml
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        I'm not too annoyed by whitelisting certain things, doesn't happen all too often for our household. So my pihole is fairly strict already, with over one million domains blocked.

        Because honestly, I love my familiy, but I can't trust them to block the right things, and I want them to be as safe and unbothered by ads as possible.

  • A10@kerala.party@kerala.party
    link
    fedilink
    arrow-up
    16
    ·
    1 year ago

    Well DNS based blocking has its problems mainly devices bypassing your network defined DNS with some encrypted DNS(DoT,DoH) or using hardcoded custom DNS servers.

    • kylian0087@lemmy.world
      link
      fedilink
      arrow-up
      11
      arrow-down
      1
      ·
      1 year ago

      You are able to force devices to use a specified DNS. even when they have hard coded DNS in them. Your router/firewall must be able to support redirection of network traffic though.

        • Vexz@kbin.social
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          1 year ago

          Yes but I think only very few applications use a hard coded DNS server. And under all those applications who use a hard coded DNS server is probably a very low percentage that uses encrypted DNS.

          • Vexz@kbin.social
            link
            fedilink
            arrow-up
            5
            ·
            1 year ago

            A hard coded IP would mean it's unencrypted DNS which can be force-redirected to your router with NAT rules.

              • Vexz@kbin.social
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                My computer uses unencrypted DNS and sends the queries to my router. My router does the encryption for forwarded DNS queries sent to the internet. There's no need to encrypt DNS traffic in a LAN unless you don't trust this LAN. The WAN (internet) is where evil people try to snoop on you.

    • Gresham's Law@lemmy.ml
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      1 year ago

      A. Device part of a business infrastructure:
      Just don't change anything; those policy are there for a reason!

      B. Consumer device:
      1/ If we're talking about proprietary hardware/software forcing your network to use a specific DNS, then you need to provide more details because you should be able to change it.

      2/ There is also the case for a malware:
      A fresh start is preferable.
      Disinfect the system while offline, then back up the needed files.
      Reinstall the system on a new/old formatted drive.
      With the exception of taking your privacy/security seriously this time.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Sounds like you shouldn't use those devices. I go for custom software personally so I can control the device itself

  • corey389@lemmy.world
    link
    fedilink
    arrow-up
    6
    ·
    edit-2
    1 year ago

    Firefox with Ublock Origin, Router forwarded DNS over TLS to NextDNS. Plus firewall rules to forward all DNS from LAN to the router, on mobile same browser and using Android native DNS over TLS forward to NextDNS

    • Rooki@lemmy.world
      link
      fedilink
      arrow-up
      8
      arrow-down
      3
      ·
      1 year ago

      NextDNS is in the cloud, the cloud is just someone elses computer. You have to trust it really hard.

      • Vexz@kbin.social
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Well, you will always need an upstream DNS server to surf the internet. Even your DNS server in your LAN needs an upstream DNS server or it can't resolve domain names. This means whatever upstream DNS server you use you need trust it. Imo NextDNS is a good choice here.

        • Rooki@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          But tbh NextDNS is the least good one. I use pihole with 1.1.1.1 upstream. I mean Nextdns could literally remove a "sponsor" from ur blacklist without ur knowledge. On local blocker not

          • Vexz@kbin.social
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Yes, but they don't. That's where I have to criticize NextDNS. It feels like the devs just let it run but stopped development. They still even offer a block list called "Energized" which is dead with all entries removed since I think 2021. They just don't care about updating anything. Don't get me wrong because I still like NextDNS very much. It's working completely fine as it is right now but it's just not getting updates (anymore).

            My problem with a Pi-hole is that it only works in your LAN. You can't make use of it on your phone when you're not at home. This is where NextDNS is better. You might wanna use NextDNS only on your mobile devices. 300,000 queries per month are free anyway. Or just use RethinkDNS which is completely free right now but you need their app to have a white- and blacklist.

              • Vexz@kbin.social
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                True but a VPN connection drains your phone's battery quite well. That's why I never liked that option and prefer just using a DNS server with adblocking feature since it has 0 impact on your phone's bettery life.

                • Amju Wolf@pawb.social
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  1 year ago

                  Not really as long as you use some VPN that's not braindead stupid like OpenVPN. Wireguard is the perfect protocol, there's almost no overhead since it doesn't need keepalive packets or anything and there's no handshake beyond the initial connection either.

        • Swarfega@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          A DNS server can use root hints to resolve addresses rather than needing an upstream DNS server.

          • Vexz@kbin.social
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            1 year ago

            Root hints are DNS data stored in a DNS server. The root hints provide a list of preliminary resource records that can be used by the DNS service to locate other DNS servers that are authoritative for the root of the DNS domain namespace tree.

            Source

            This just means that your local DNS server doesn't need to use the root DNS servers to resolve domain names but instead uses other authorative DNS servers in the internet to resolve your queries. So anyway you have to trust an upstream DNS server owned by someone else in the internet. There's no way around it unless you use hyperlocal.

        • Rooki@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          It means they can snoop ur dns queries. ( and they will do or how they pay their bills? ) It means a lot. Tbh i dont understand people like you. "It doesnt mean as much…" inderect saying "I dont have to hide something" Oh can i watch you on the toilet? Because you dont have anything to hide :)

          • zwekihoyy@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            1 year ago

            I said nothing about not having anything to hide. I said it doesn't mean much. dns resolvers were intended to be cloud based. the only difference between nextdns and standard dns resolvers is the control over function nextdns hands the user.

            using cloud services also allows home devices to stay secured via keeping ports closed. the whole "the cloud is someone else's computer" is just another way of saying "I don't know how to practice good opsec".

            your isp/vpn provider also can log all your data, or are you going to suggest running everything over tor now?

            a dns query does not send that much info since all the contained data from site to user is encrypted and takes network routes separate from the DNS query.

            • Rooki@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              using cloud services to keep ports closed. U know what the dns server needs to go through ports.

              I never told u that i am not overly dramatic over privacy but nextdns is just a bad choice.

              VPNs are just honeypots change my mind

  • Leraje@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    2
    ·
    1 year ago

    For me its a moot point - my ISP doesn't allow altering DNS on my router so I just installed Mullvad on all my devices and use their DNS.

    • CatsGoMOW@lemmy.world
      link
      fedilink
      English
      arrow-up
      14
      ·
      1 year ago

      There shouldn’t be any reason you can’t change the DNS setting on your devices though, right? You’re not required to use your router for DNS.

        • wizardbeard@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          6
          ·
          1 year ago

          You don't need to use Mullvad to change your local machine's DNS, and as long as you can do that, you can set up a pihole on your network to handle DNSad blocking still.

          • Leraje@lemmy.blahaj.zone
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            No I know in don't need to use Mullvad to change my local machines DNS, but I'm using it anyway so may as well.

            But I am curious about I could get other networked devices to use DNS on my local machine. Do you mean set up a hotspot and point everything to that?

            • mea_rah@lemmy.world
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              I think they might be talking about manual configuration. Some systems let you configure DNS separately from IP configuration. (So you could set up custom DNS while using DHCP) With some you'd have to set static IP as well, which might not be convenient but also possible.

    • kindenough@kbin.social
      link
      fedilink
      arrow-up
      9
      ·
      1 year ago

      I disabled DHCP on the ISP router and my rsspberry pi with Pihole is the DHCP server now, serving it's own IP address as DNS for all devices.

  • Blizzard@lemmy.zip
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    I'm trying to find the article but it looks like just a question?

    Local lets you customize what you want to block, which lists to subscribe to and quickly change settings or disable blocking which is useful for troubleshooting when something doesn't load. However local apps (I'm talking smartphone apps) can be blocked or routing https traffic through those apps can be refused by the apps you are filtering.

    DNS filtering will let you filter all your devices at once but I don't think you have much control over what's exactly being blocked and it's less convenient to pause filtering (switch DNS).

    If you're talking about tracker blocking on PC rather than mobile then it's a no brainer - use uBlock Origin addon your browser and you're golden.

  • PuppyOSAndCoffee@lemmy.ml
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    open source proxy / DNS blocker don't (or shouldn't) have commercial agendas & obligations that commercial OS & Browsers may impose.

  • Dioxide3667@kbin.social
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    Do I need a DNS-based blocker with ProtonVPN? From what I gather, ProtonVPN has its own adblocking DNS servers.

    • Vexz@kbin.social
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Depends on your needs. The problems with DNS servers from ProtonVPN, Mullvad and so on is that they use their own filter rules and you can't castumize them to your needs. You can probably go much stricter with what you want to block if you use a DNS based adblocker where you can manage your own filter rules.