this post was submitted on 13 Jan 2024
492 points (93.8% liked)

Privacy

32111 readers
669 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] knobbysideup@sh.itjust.works 3 points 10 months ago (2 children)

To be truly effective you must also block DoH and DoT. The first can only be done with endpoint lists, since it is https.

[–] Darkassassin07@lemmy.ca 2 points 10 months ago

Maybe in comming years, but I've never encountered an ad served explicitly through DoH/DoT. It's certainly possible, just not actually in use yet.

You can also setup DoH front and back ends for pihole so traffic entering and leaving it is encrypted. When/if it becomes necessary I'll probably look into https packet inspection using custom Root certs to force clients to use my local DoH services and block other traffic, or look into inspecting the SNI to apply blocking there; but again its just not needed yet and may not be for a long time. We'll see. I'm sure the pihole/Adguard teams are also investigating solutions.

[–] N0x0n@lemmy.ml 1 points 10 months ago (1 children)

Hey, could you elaborate or send some lecture? I have the upstream quad9 DoH address in adguard. It's supposed to better encrypt my traffic right? Never saw any ads or strange DNS requests.

Never heard about ads being inject though DoH or DoT, or did I misunderstood your comment?

[–] Darkassassin07@lemmy.ca 4 points 10 months ago

Theoretically an app could use a custom DoH endpoint to retrieve ads instead of the standard dns provided by the system. As this uses purely https without a preceding dns request, pihole/adguard would fail to block it; but it's just not something currently employed.