<div dir="ltr">It may be worth mentioning that on a linux machine, you can "block" DNS requests locally by putting them in your /etc/hosts file so they get redirected to localhost. In fact, someone put together a file here containing all the "suggested" redirects: <a href="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts">https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts</a><div>It's not network wide, but if you want it to work for your laptop regardless of what access point you're connected to, it is an option.</div><div>No fancy metrics dashboard though....</div><div><br></div><div><br></div><div>G</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 22, 2019 at 1:17 AM Volker Kuhlmann <<a href="mailto:list57@top.geek.nz">list57@top.geek.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon 19 Aug 2019 23:59:07 NZST +1200, Peter Ellens wrote:<br>
<br>
> As you may know DNS requests are world readable, anyone in a<br>
> position to monitor your network traffic can see what sites your<br>
> going to from your DNS requests. To address this issue some cleaver<br>
> people developed DNS over HTTPS, its secure and can't be monitored<br>
> by third parties. You can setup Pi-hole to use this service.<br>
<br>
I regard DNS over HTTPS as very dangerous. Currently my ISP does my<br>
resolving on my behalf, so I have to trust my ISP; I pretty much have to<br>
anyway. That's more or less a local company. With DNS over HTTPS I have<br>
to trust the DNS provider - and there is no chance in hell I'll be<br>
trusting google, microsoft, faceplant, mozilla, cloudflare, or any other<br>
American company. What a great way to sucker everyone into vendor<br>
lock-in in the name of making things secure HAHAHAAHAHAAAAA.....<br>
<br>
The diddling with resolver information to blackhole certain domain names<br>
will always work (except for software that actively goes out of its way<br>
to detect this - you might not want to be running that in the first<br>
place). If you set your firewall rules to block direct DNS request to<br>
external resolvers you can enforce local lookup for the whole of your<br>
network. You still need to get your blacklist for your resolver diddling<br>
from somewhere, and your safety depends on the quality of that<br>
blacklist.<br>
<br>
Alternatively, or additionally, you really want umatrix in your browser.<br>
It has built-in blacklists, or you can set global defaults. It has one<br>
of the best UIs I've ever seen and works perfectly. But only in<br>
the browser you install it in.<br>
<br>
Securing mobile phones against information leakage to the shitvertisers,<br>
especially google, is really difficult, but would be the most important<br>
thing to do. Securing your PC isn't so bad.<br>
<br>
Who said VPN? Good luck finding a trustworthy VPN provider first... I<br>
reckon I'll be safer with my ISP.<br>
<br>
Volker<br>
<br>
-- <br>
Volker Kuhlmann<br>
<a href="http://volker.top.geek.nz/" rel="noreferrer" target="_blank">http://volker.top.geek.nz/</a> Please do not CC list postings to me.<br>
<br>
<br>
_______________________________________________<br>
Chchrobotics mailing list <a href="mailto:Chchrobotics@lists.ourshack.com" target="_blank">Chchrobotics@lists.ourshack.com</a><br>
<a href="https://lists.ourshack.com/mailman/listinfo/chchrobotics" rel="noreferrer" target="_blank">https://lists.ourshack.com/mailman/listinfo/chchrobotics</a><br>
Mail Archives: <a href="http://lists.ourshack.com/pipermail/chchrobotics/" rel="noreferrer" target="_blank">http://lists.ourshack.com/pipermail/chchrobotics/</a><br>
Meetings usually 3rd Monday each month. See <a href="http://kiwibots.org" rel="noreferrer" target="_blank">http://kiwibots.org</a> for venue, directions and dates.<br>
When replying, please edit your Subject line to reflect new subjects.</blockquote></div>