Comment by Dalewyn 3 days ago

Seeing this getting downvoted is fucking wild.

I remember 20+ years ago when one of the most commonly seen attacks was malware configuring a proxy server in Internet Explorer which by design overrode the operating system's configuration.

What a lot of software does today by ignoring the operating system in lieu of their own shit is just like the above. If your program doesn't (or can't) respect the operating system, your shit is malware and you should reconsider who you write code for.

nomel 2 days ago

> Seeing this getting downvoted is fucking wild.

If you consider the source of income of what's most likely a considerable portion of the HN community, I think this makes more sense. Apple is one of the only companies interested in preventing tracking, and it hurts, in the billions sort of way [1][2].

[1] https://www.forbes.com/sites/kateoflahertyuk/2022/10/08/appl...

[2] https://www.forbes.com/sites/timbajarin/2022/07/26/apples-do...

yndoendo 3 days ago

Those ideas are not isomorphic.

One malicious overrides universal network communication while the other just conducts DNS queries limited to a single application domain.

  • altruios 3 days ago

    You are describing something that violates system settings for its own benefit instead of the end user's.

    You are describing malware. Benign malware is still malicious, even if it does no active harm. Intent (of how the software operates) matters.

  • Dalewyn 3 days ago

    >just conducts DNS queries

    Queries that will ignore configurations you set.

    If I see something ignoring/evading my configured DNS server, that shit is fucking malware.

    • fmajid 3 days ago

      At some point in my copious spare time, I plan on writing software to allowlist in my firewall outbound connections only to IPs resolved using my DNS servers.

      • TheNewsIsHere 2 days ago

        You could also configure your router to intercept rogue plaintext DNS lookups on your network with responses from a resolver you trust (for example a Pihole, Cloudflare or Google Public DNS, Quad9, PCH, etc). Adding something like Pihole would give you comprehensive blocking and custom internal DNS entries too.

        • fmajid 2 days ago

          I already redirect DNS queries to my own DNS servers running unbound, and block UDP and TCP port 25 from machines other than these from going out on the Internet.

          This will stop machines misconfigured with 8.8.8.8 as the default resolver (cough, systemd) from leaking my browsing history to Google, thank you very much, but won't stop DNS-over-HTTPS like Firefox, or more insidious devices like fallback IPs hardcoded in SmartTVs and other IoT devices (they are on their own VLAN with all traffic logged, but it's not as if I have time to inspect their traffic for suspicious behavior). There are blocklists of DoH, but at that point it becomes a whack-a-mole game, and it makes more sense to block anything that is not the result of a legitimate DNS query instead.

          This would only be enforced on untrusted machines like Macs, iPhones, Android devices, IoT devices and Ubuntu machines, as opposed to trustworthy OpenBSD and Alpine Linux servers.

      • zbentley 2 days ago

        How would that work? Do you only access a really small/known set of IPs? Or would you program the firewall to only allow connections to an arbitrary IP if it had seen a DNS query to your preferred servers go out and return that IP within a few seconds prior?

        In the latter case, would you have to aggressively disable local DNS caching on devices to make the behavior work (is that even possible on some devices)? How would encrypted DNS fit into this scheme?

        • fmajid 2 days ago

          The second. The only way untrusted devices connect is to IP addresses that were resolved by my DNS servers, so I know what traffic is happening on my network. My DNS servers handle their own encryption via WireGuard to bypass ISP snooping, so I don't need Mozilla's DoH, and Apple's and CloudFlare's I do not trust at all.

          To avoid race conditions, the trusted DNS servers would add the result IP to the firewall allowlist table before returning it to the client, so I could either implement it as a Caddy proxy module (I already wrote a DynDNS module for Caddy so I know how to make that work), or alternatively use unbound's dnstap support. I just need to implement some reliable and secure protocol to send those requests from the DNS server to my OpenBSD firewall running pf.
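A minimal model of the scheme fmajid describes above, added here as an example and not code from anyone in the thread: parse the trusted resolver's wire-format response, register every answered A/AAAA address in a TTL-bounded allowlist before the answer is relayed to the client, and let the firewall consult that table. The response bytes, the 192.0.2.10 address and the 30-second TTL floor (a guard for zbentley's client-caching concern) are constructed assumptions, not captured data.

```python
import ipaddress
import struct
import time

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln == 0:                # root label ends the name
            return off + 1
        if ln & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += ln + 1

def answered_addresses(msg: bytes) -> list:
    """Return (address, ttl) for every A/AAAA record in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:         # QR bit clear: a query, not a response
        return []
    off = 12
    for _ in range(qd):            # skip question: name + qtype + qclass
        off = _skip_name(msg, off) + 4
    out = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in (1, 28) and len(rdata) in (4, 16):
            out.append((str(ipaddress.ip_address(rdata)), ttl))
    return out

class EgressAllowlist:
    """IP -> expiry. learn() runs before the answer is relayed to the client,
    so the firewall already admits the IP by the time the client connects."""
    def __init__(self, min_ttl: int = 30):
        self.table, self.min_ttl = {}, min_ttl   # floor: clients cache at least this long
    def learn(self, msg: bytes, now: float = None) -> None:
        now = time.time() if now is None else now
        for ip, ttl in answered_addresses(msg):
            self.table[ip] = max(self.table.get(ip, 0), now + max(ttl, self.min_ttl))
    def allows(self, ip: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        return self.table.get(ip, 0) > now

def sample_response() -> bytes:
    """Constructed response (not a capture): example.com A 192.0.2.10, TTL 60."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
    return hdr + question + answer
```

In a real deployment the table would be a pf table updated over the secure channel fmajid mentions, and the TTL floor is the knob to tune against devices that cache answers longer than the record's TTL.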

    • mrkstu 3 days ago

      Have fun troubleshooting Java apps w/their own cert stores...

      • kergonath 2 days ago

        I am fine with the only Java application I have used in the last decade not working. I did not even bother putting a JVM on any of the OSes I installed in the last 5 years. So yeah, I’d rather have fewer security holes.