Encrypt all the things!

  • But surely we don't all need our own ones? Can we not share?

  • I had thought that the /recommended/ way of doing it (as you don't want to end up as a DNS resolver for the world, see time signal provider fun and games) was that you run a vpn back to the pihole and use that, thus seeming to the world to be connecting from your home internet.

  • so that my phone and other devices will always have protection against adverts and malware.

    Thought you ran NetGuard to default block?

  • I do run NetGuard... but I want a single config across every device of mine even when they're outside the home.

    I also want to get to the point where I can write firewall rules like "block UDP port 53 that isn't from Pi-Hole".

    And the biggest problem with running Pi-Hole out on the web appears to be that you really want to be running DNS-over-TLS and/or DNS-over-HTTPS and having your devices call those. This is possible (though a pain in the arse), but the risk of not doing it is that your public UDP port 53 DNS server would be used as part of a DDoS reflection attack very quickly.

    1. One base config for malware/tracking/advertising protection everywhere (anything like NetGuard is additive on top)
    2. Must be able to run DNS-over-TLS and DNS-over-HTTPS... which Pi-Hole doesn't do yet (as dnsmasq doesn't support it and they're not using knot or kresd).
    3. Must be OK to block inbound UDP port 53

    So at the moment Pi-Hole looks like it won't work... it's close, but looks like I'd need to do it myself still.
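One way to express the two firewall policies this post describes (only the Pi-Hole may reach port 53 upstream from the home LAN; the internet-hosted resolver answers the world only over DNS-over-TLS and DNS-over-HTTPS and never on open UDP 53), as an added shell example that is not from the thread; the addresses, interface name and nftables table name are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread. Generates nftables rulesets for the
# two policies described above. Addresses and interface names are assumptions.
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"   # assumed address of the home Pi-Hole
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"  # assumed home LAN / VPN client range
WAN_IF="${WAN_IF:-eth0}"                # assumed internet-facing interface

# Home router: "block UDP port 53 that isn't from Pi-Hole". Only the Pi-Hole
# may talk to upstream resolvers; any other device trying to bypass it is dropped.
home_router_ruleset() {
  cat <<EOF
table inet dnsguard {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ip saddr $PIHOLE_IP oifname "$WAN_IF" udp dport 53 accept
    ip saddr $PIHOLE_IP oifname "$WAN_IF" tcp dport 53 accept
    oifname "$WAN_IF" udp dport 53 drop
    oifname "$WAN_IF" tcp dport 53 drop
  }
}
EOF
}

# Internet-hosted resolver: answer the world only over DoT (853) and DoH (443);
# plain port 53 is reachable from the home range alone, so the host cannot be
# used as a UDP reflection amplifier. Add your own management ports (e.g. ssh).
public_resolver_ruleset() {
  cat <<EOF
table inet dnsguard {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ip saddr $LAN_CIDR udp dport 53 accept
    ip saddr $LAN_CIDR tcp dport 53 accept
    tcp dport 853 accept
    tcp dport 443 accept
    udp dport 53 drop
  }
}
EOF
}

# Sanity check before loading: fails (returns 1) if a ruleset accepts plain
# port 53 without a source restriction, i.e. would be an open resolver.
has_no_open_resolver() {
  ! echo "$1" | grep -Eq '^[[:space:]]*(udp|tcp) dport 53 accept'
}
```

Load a generated ruleset as root with `public_resolver_ruleset | nft -f -` (the same for the router one); run `has_no_open_resolver "$(public_resolver_ruleset)"` first so an edit that accidentally opens port 53 to the world is caught before it goes live.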

  • Must be able to run DNS-over-TLS and DNS-over-HTTPS... which Pi-Hole doesn't do yet (as dnsmasq doesn't support it and they're not using knot or kresd).

  • Yeah, but they don't yet do DNS-over-TLS which is what Android 9+ considers "Private DNS" and allows you to define DNS servers without needing a VPN app.

    DNS-over-HTTPS takes care of "how will I get my home Pi-Hole replicating my internet Pi-Hole without UDP port 53", and DNS-over-TLS takes care of "how will I get my internet devices securely getting DNS from my internet Pi-Hole".

    So what I'm seeking to achieve is that the internet one is my primary Pi-Hole, and my home one is a secondary (reading from the primary but also cloning config should the primary be down).

  • Yeah, I kinda glazed over when it came to that stuff.

    What we need is our own ISP...

  • I'll admit I gave up with that idea and just use OpenDNS... but then again I work there and have the Android client already... (iOS is already public)

  • So can one set up warp as a permanent setting on a router?

  • I don't yet know how to do that but the public announcements are that there will be a desktop version so that will likely work on a router.

    But what are you trying to do here? DNS over HTTPS is already going to buy you ample privacy from your ISP, and warp at home isn't going to add significantly to that.

    Wouldn't you rather have pi hole and adblocking at home than privacy of a connection but intrusive tracking over that connection?

  • I will look into that.

    Mostly cause I understand vpns and routers mostly. Program has variables that you plug in and bam, you have a vpn...

    I do 'puters like a luddite.

  • I think there's a scale of threat that people should protect against... and at the top of that is intrusive tracking for which people should fight with ad-blocking, DNS-blocking, etc. Lower down is the passive tracking from ISPs and those can be fought with encryption.

    But when you make the passive tracking the biggest threat in your risk assessment, you will encrypt everything first and that will reduce your own ability to create a mitigation for the intrusive tracking.

    So... adblock and pi-hole first, worry about encrypting your internet second. Of course both, but never compromise the ability to block adverts and malware, and focusing on the second as a priority may reduce your ability to do the first.

  • Even with secure DNS and HTTPS, ISPs can still glean a fair amount of information from just the IP addresses you're connecting to.

    In Australia, ISPs are required to store this metadata, and then any number of government agencies can request it at any point. A strong case for using an always-on VPN.

  • Normally update my pia app on Android using apk rather than playstore.
    Just updated but checkey app is saying the 256 hash is different to the one on the pia website. What do I do?
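The check a practitioner would run on a sideloaded APK whose SHA-256 is published on the vendor's site, as an added shell example that is not from the thread; the shasum fallback, the hash normalisation and the sample values in the comments are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread: compare a downloaded APK against the
# SHA-256 the vendor publishes before installing it. Filenames and hashes
# used with these functions are assumptions / constructed for demonstration.

# Print the SHA-256 of a file as lowercase hex (coreutils, or shasum fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Normalise a hash as copied from a web page: strip whitespace, an optional
# "sha256:" prefix and upper-case letters, so a cosmetic difference is not
# mistaken for a real mismatch.
normalise_hash() {
  printf '%s' "$1" | tr -d '[:space:]' | sed 's/^[Ss][Hh][Aa]256://' | tr 'A-F' 'a-f'
}

# verify_apk FILE EXPECTED_HASH -> 0 when the digest matches, 1 otherwise.
# A mismatch means the file is not the one the vendor published (corrupt
# download, a stale hash on the page, or a tampered file); the file and the
# vendor's hash have to agree before it is worth installing.
verify_apk() {
  file=$1
  expected=$(normalise_hash "$2")
  actual=$(sha256_of "$file")
  if [ -z "$expected" ] || [ ${#expected} -ne 64 ]; then
    echo "verify_apk: expected hash is not a 64-hex-digit SHA-256" >&2
    return 1
  fi
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published SHA-256"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  published: $expected" >&2
  echo "  computed:  $actual" >&2
  return 1
}
```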

  • NordVPN has been hacked!

  • LOL so good

  • At @velocio and @hippy surely running 2 vpns would protect your identity from a data breach of one of the vpns? Or at least the second vpn?

  • Depends on the nature of the breach, what each of the VPN services are storing, how long the hackers had access and what they got out, etc.
    I don't see why it wouldn't work to obscure your IP a little further but there's a risk reward factor here - how paranoid are you about being found out that you need to pay for 2 VPNs?

  • Ah! Good point... I worry about impersonation type online crimes. Pilfering of credit card and private details about me. So it shouldn't cause me that much concern. Wood from the trees... Cheers for the perspective dude.

  • CC details are more likely to be stolen from a retailer with poorly secured infra or vulnerable websites than from you running eleventy VPNs


Posted by Velocio @Velocio