VPN and DNS Nonsense

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Post by GekkoP » Wed May 18, 2022 4:38 pm

^ Thanks. Although I already see a systray icon for the Mullvad application, maybe it's something Ubuntu did. And to be fair, it's not very informative.

[attachment: mv.png]

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Post by gutterslob » Thu May 19, 2022 9:24 am

https://www.oilandfish.com/ (edit: Jan 2023 - Site dead)
Useful knowledge in case you get on the wrong flight and end up in China or Iran or something.

ivanovnegro
Minister of Truth
Posts: 5448
Joined: Wed Oct 17, 2012 11:12 pm

Re: /dev/null

Post by ivanovnegro » Fri May 20, 2022 10:55 pm

^ Not bad.

Re: /dev/null

Post by gutterslob » Tue Jun 07, 2022 3:34 pm

Been testing this out over the last few weeks. Good DoH provider with customizable filterlists:
https://blitz-setup.ahadns.com/

No DoT though, so for system-wide filtering on Android you'll need an app for it. If just for browsing, you can set the generated DoH URL string in your browser's Private/Secure DNS settings. It's also able to generate .mobileconfig profiles for Apple devices.

Blocking is decent (if you know your filterlists) and it passes all the DNSSEC tests:
[screenshot: dnscheck.tools showing Mullvad+AhaDNS]
[screenshot: d3ward ad blocker test result]

Re: /dev/null

Post by GekkoP » Tue Jun 07, 2022 4:52 pm

^ Nice one, I'll give it a try thanks.

Re: /dev/null

Post by GekkoP » Wed Jun 08, 2022 5:18 pm

I also forgot to update here. I did give NextDNS a try, setting it directly on my router to check how things like my TV behave. I found out I blocked 15 bloody things just by turning it on. Damn.

Re: /dev/null

Post by gutterslob » Wed Jun 08, 2022 8:47 pm

^ If you take the time to go through your router logs (or use something like Wireshark), and cross-ref the connections with timestamps (helps if your router supports VLANs and you segregate your devices with them) and NextDNS logs, you'll likely notice some connections not picked up by NextDNS.

Some apps call home straight to IP addresses, meaning no DNS resolution is required, so they bypass the usual UDP or HTTPS queries made to DNS resolvers. Streaming apps for AndroidTV and other IoT devices are notorious for this.

Sure, you could block any suspicious IP addresses you find, but that's a never ending battle since half the time you'd break the related application, and the other half of the time will be spent tracking new IP addresses that get added each time the application gets updated. Depressing.

Re: /dev/null

Post by GekkoP » Thu Jun 09, 2022 10:56 am

Nice one, yes. I've been meaning to put some effort into learning Wireshark for a while now and it's about time.

Re: /dev/null

Post by gutterslob » Thu Jun 09, 2022 12:29 pm

Seems like the dnscheck.tools dev added more DNSSEC tests. Even checks for ED25519 now, the supposed "future recommended default" or whatever. Big guns like Cloudflare, NextDNS or Quad9 support it already obviously, but I'm surprised AhaDNS supports it as well. Colour me impressed.

Re: /dev/null

Post by GekkoP » Sat Jun 11, 2022 8:59 am

GekkoP wrote (Wed Jun 08, 2022 5:18 pm):
    I also forgot to update here. I did give NextDNS a try, setting it directly on my router to check how things like my TV behave. I found out I blocked 15 bloody things just by turning it on. Damn.

Apple devices are doing something fishy as well:

    app.adjust.world

Are you kidding me?

Re: /dev/null

Post by gutterslob » Sat Jun 11, 2022 1:53 pm

^ Cannot find that particular domain on any of the Apple-specific filterlists I know of*, but app.adjust.world/com/io/net/etc variations are blocked by most of the stricter filterlists** like OISD-full and 1Hosts(Pro), so it's more of a general-purpose domain not exclusive to the Fruit Company. I don't think you need to put the domain in your NextDNS Denylist if you have a decent set of filters selected already, though.

Is your Apple device an iPhone/iPad or Mac? For the former, you've got an "App Privacy Report" section in Settings > Privacy which you can use to find out what domains are contacted by specific apps.

Could literally be anything. The app.adjust.xxx domains have been employed in everything from legitimate (though still tracking related) endpoints for MS Office and music streaming apps, to redirect links in emails (usually from shopping/travel services), but are also famous for pop-up malware type ads in years past.

* Sources:
https://github.com/adversarialtools/app ... blacklist/ (possibly outdated)
https://teddit.net/r/blokada/comments/l ... justnetin/
https://reports.exodus-privacy.eu.org/en/trackers/52/

** Sources:
https://badmojr.gitlab.io/1hosts/Pro/domains.txt
https://oisd.nl/downloads
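The practical question in the post above (is app.adjust.world already covered by the lists I run, or does it need a Denylist entry?) is answered by loading the list and walking the domain's parent labels. The script below is an added example for this thread, not code from NextDNS, OISD or 1Hosts; its list text is constructed to mimic the common line forms (plain domain, `0.0.0.0 host`, adblock `||domain^`), and the entries in it are illustrative, not copied from any real list.

```python
"""Check whether a domain seen in your resolver log is already covered by a
filterlist, before adding it to a Denylist by hand.

Added example for this thread, not code from NextDNS, OISD or 1Hosts. The
list text below is constructed to mimic three common line forms (plain
domain lines, `0.0.0.0 host` lines, adblock `||domain^` rules); the entries
are illustrative, not copied from any real list."""

# Constructed sample mixing the formats the post's sources are published in.
SAMPLE_LIST = """\
# plain domains, one per line (1Hosts-style domains.txt)
adjust.com
adjust.world
app.adjust.io
# hosts-file style
0.0.0.0 adjust.net
# adblock style
||adjust.io^
||tracking.example^
"""


def parse_blocklist(text):
    """Normalise every supported line form to a bare lowercase domain."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("||") and line.endswith("^"):
            line = line[2:-1]                      # ||domain^    -> domain
        elif line.startswith(("0.0.0.0 ", "127.0.0.1 ")):
            line = line.split(None, 1)[1]          # 0.0.0.0 host -> host
        blocked.add(line.lower().rstrip("."))
    return blocked


def matching_entry(domain, blocked):
    """Return the list entry that blocks `domain`, walking up its parents.

    Label-aware: app.adjust.world matches adjust.world, but notadjust.com does
    not match adjust.com, because DNS filters block a name and everything
    under it, not a string suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def denylist_gaps(candidates, blocked):
    """Of the domains you are tempted to deny by hand, which are not yet covered?"""
    return [d for d in candidates if matching_entry(d, blocked) is None]


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_LIST)
    for d in ("app.adjust.world", "api.adjust.net", "dit.whatsapp.net", "notadjust.com"):
        print(f"{d:20} -> {matching_entry(d, blocked) or 'not covered'}")
```

Feed it the real domains.txt instead of SAMPLE_LIST plus the names from your NextDNS log: whatever denylist_gaps() returns is genuinely uncovered, and everything else would be a duplicate Denylist entry.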

Re: /dev/null

Post by GekkoP » Sat Jun 11, 2022 3:55 pm

I blamed Apple because I noticed it appeared when the missus turned on her laptop. It could very well be the TV again, though. I am using 1Hosts Pro on my laptop and my phone, so it should not be one of my devices at least.

Re: /dev/null

Post by gutterslob » Sat Jun 11, 2022 5:01 pm

GekkoP wrote (Sat Jun 11, 2022 3:55 pm):
    I blamed Apple because I noticed it appeared when the missus turned on her laptop.

Ah, it's a MacBook then. Well, it's a desktop OS so you're not as restricted as on mobile. Little Snitch is probably overkill (and too expensive) for her needs though.

I'm not up-to-date on macOS OpSec (work software is different), but you can check out LuLu: https://objective-see.org/tools.html

Re: /dev/null

Post by GekkoP » Sat Jun 11, 2022 5:14 pm

^ Oh great, thanks.
I'll see if I can convince her with a nice dinner. ;)

Re: /dev/null

Post by GekkoP » Tue Jun 14, 2022 8:09 am

I know I am a total newbie at this, but inspecting NextDNS analytics and logs is addictive and it's making me more paranoid day after day. Look at me testing block lists, split tunneling, and worrying about dit.whatsapp.net like a 2022 version of Dade Murphy. It's all your fault, gutterslob!

Re: /dev/null

Post by gutterslob » Tue Jun 14, 2022 11:07 am

^ WhatsApp tracking is practically impossible to block via DNS. You can filter out dit.whatsapp.net without issue, but blocking some other domains might cause delayed notifications and whatnot. The main issue is that WhatsApp (and many other messenger apps) queries IP addresses directly for a lot of its functionality (tracking included), bypassing DNS resolution entirely. There's a list of IP pools somewhere in the WhatsApp developer site, which gets updated regularly.
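The earlier suggestion to cross-reference router or Wireshark connections with the NextDNS log, and the point above about WhatsApp talking straight to IP pools, come down to one check: for each outbound connection, was there a DNS answer for that destination from the same device shortly before it? The script below is an added example for this thread, not NextDNS, Mullvad or WhatsApp code. Both log formats are made up and every line is constructed; DIRECT_IP_POOLS holds placeholder documentation ranges standing in for a vendor's published pool list, not real WhatsApp addresses.

```python
"""Cross-reference a connection log with a DNS resolver log to find
traffic that never went through DNS (direct-to-IP "call home").

Added example for this thread, not NextDNS, Mullvad or WhatsApp code. All
log lines are constructed in a made-up format; DIRECT_IP_POOLS holds
placeholder documentation ranges, not any vendor's published pools."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed resolver log: timestamp, client, qtype, name, answer (or BLOCKED).
DNS_LOG = """\
2022-06-08T20:01:02Z tv.local A plex.tv 192.0.2.5
2022-06-08T20:01:05Z tv.local A rai.it 192.0.2.10
2022-06-08T20:02:00Z tv.local A app.adjust.world BLOCKED
"""

# Constructed router/Wireshark connection log: timestamp, client -> dst:port.
CONN_LOG = """\
2022-06-08T20:01:03Z tv.local -> 192.0.2.5:443
2022-06-08T20:01:30Z tv.local -> 203.0.113.9:443
2022-06-08T20:05:00Z tv.local -> 198.51.100.7:5222
"""

# Placeholder CIDR pools (assumed); fill from a vendor's published ranges.
DIRECT_IP_POOLS = {"messenger-pool (placeholder)": ["203.0.113.0/24"]}

# A DNS answer must precede the connection by at most this much. Set it
# above the largest TTL you see, or cached answers show up as "direct".
WINDOW = timedelta(minutes=5)

_CONN_RE = re.compile(r"(\S+) (\S+) -> (\S+):(\d+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_dns_log(text):
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed line
        ts, client, _qtype, name, answer = parts
        entries.append({"ts": _ts(ts), "client": client, "name": name, "answer": answer})
    return entries


def parse_conn_log(text):
    entries = []
    for line in text.splitlines():
        m = _CONN_RE.match(line.strip())
        if m:
            ts, client, ip, port = m.groups()
            entries.append({"ts": _ts(ts), "client": client, "ip": ip, "port": int(port)})
    return entries


def audit(dns_entries, conn_entries, pools=DIRECT_IP_POOLS, window=WINDOW):
    """Label each connection: resolved, known direct-IP pool, or unknown direct IP."""
    nets = [(label, ipaddress.ip_network(cidr))
            for label, cidrs in pools.items() for cidr in cidrs]
    findings = []
    for c in conn_entries:
        # Same client, answer equals the destination, answered shortly before.
        names = [d["name"] for d in dns_entries
                 if d["client"] == c["client"] and d["answer"] == c["ip"]
                 and timedelta(0) <= c["ts"] - d["ts"] <= window]
        if names:
            verdict, detail = "resolved", names[-1]
        else:
            addr = ipaddress.ip_address(c["ip"])
            pool = next((label for label, net in nets if addr in net), None)
            verdict = "direct-ip:known-pool" if pool else "direct-ip:unknown"
            detail = pool or "no DNS answer in window"
        findings.append({**c, "verdict": verdict, "detail": detail})
    return findings


def direct_ip_connections(dns_text=DNS_LOG, conn_text=CONN_LOG):
    """Only the connections a DNS-based blocker could never have seen."""
    return [f for f in audit(parse_dns_log(dns_text), parse_conn_log(conn_text))
            if f["verdict"] != "resolved"]


if __name__ == "__main__":
    for f in audit(parse_dns_log(DNS_LOG), parse_conn_log(CONN_LOG)):
        print(f"{f['ts']:%H:%M:%S} {f['client']} -> {f['ip']}:{f['port']}  "
              f"{f['verdict']}  ({f['detail']})")
```

Two caveats when running this on real logs. The window matters: an app that cached an answer keeps connecting for the TTL, so set WINDOW above the largest TTL in your log or cached traffic is misreported as direct. And the per-client match only works if your resolver log attributes queries to devices; if it only sees the router, drop the client comparison and accept the extra noise.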

Re: /dev/null

Post by GekkoP » Wed Jun 15, 2022 3:13 pm

^ Oh yes, you mentioned before that messenger apps are the devil.

For now I think I managed a good compromise:
- NextDNS is doing its magic on the router with some block lists besides the default one: basic apps like the Plex client or RaiPlay are working as expected.
- Laptops, server, and phone are pretty much always behind Mullvad VPN. When I need to browse the web, LibreWolf and Mull with a stronger block list in uBlock (configured as recommended in the LibreWolf FAQ) are ready to go.

Still learning, of course, and I am sure I am far from good privacy measures or even a robust setup but if anything discussing concerns and tools here pushed me to do something about it.

Re: /dev/null

Post by gutterslob » Wed Jun 15, 2022 7:57 pm

^ You're already better than 99% of the population who don't even question why Candy Crush wants access to their call logs and contacts.

Re: /dev/null

Post by GekkoP » Sat Jun 25, 2022 8:06 am

@gslob

What's your opinion on WireGuard multi-hopping? I see Mullvad provides an option for it, but from reading their website the average user (me) should be fine without enabling it.

Re: /dev/null

Post by gutterslob » Sat Jun 25, 2022 9:27 am

^ Most wouldn't need it, but it's useful for a couple of things like:

1. Datacenter integrity
Even if a VPN doesn't log anything, the datacenters they rent from most likely log traffic at the hypervisor or router level. Let's say you use Mullvad's Milan servers. The provider knows there's incoming encrypted traffic from your IP. It won't know what your destinations are since you're being mixed in with other Mullvad users on that server instance before DNS queries are made, but correlation is still possible if someone bothers to analyse patterns and timestamps. You'd have to be a big-ass profile target if someone really gave a fuck about that though. Even most criminal cases don't involve that. Anyhooz, if you multi-hop, say with the first hop being Mullvad's owned server in Sweden or Norway, then the Italy datacenter only sees encrypted traffic coming from those datacenter IPs.

2. ISP peering/routing issues
Sometimes ISP peering with other ISPs is poor (they have more customers than their infrastructure is meant for), or compromised for whatever reason (undersea cable faults, conflict zones, etc), so multi-hopping can, on those occasions, mitigate issues like high packet loss or high latency/jitter. For example, here in Southeast Asia there's the dreaded Ring of Fire where undersea quakes occur all the time across Indonesian waters, leading to undersea cable faults where the data "pipe" from SG to the HK/JP regions ends up compromised, making many ISPs seek temporary/backup peering partners and routes to compensate. Easy to know because a traceroute to Mullvad's SG server will show 14 hops instead of the usual 7, with one (or more) of the hops suffering >10% packet loss. In that instance, I make Sydney my first hop and Singapore my second, which regains stable packet flow and bearable latency levels.
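The traceroute heuristic in point 2 (twice the usual hop count, one or more hops above 10% loss) can be scripted so the decision to add a first hop is repeatable rather than eyeballed. The parser below is an added example for this thread, not a Mullvad tool. Both reports are constructed in the `mtr --report` column layout with placeholder addresses; the 7-hop baseline and the 10% loss threshold are the figures from the post.

```python
"""Decide from an `mtr --report` run whether the path to a VPN endpoint is
degraded enough to justify a different first hop.

Added example for this thread, not a Mullvad tool. Both reports below are
constructed in mtr's report layout with placeholder addresses; the 7-hop
baseline and the 10% loss threshold are the figures from the post above."""
import re

# Constructed: the "bad day" path, 14 hops, loss that persists to the endpoint.
DEGRADED_REPORT = """\
HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    10    0.4   0.5   0.4   0.7   0.1
  2.|-- 10.0.0.1                   0.0%    10    2.1   2.3   1.9   3.0   0.3
  3.|-- 198.51.100.1               0.0%    10    4.0   4.2   3.8   5.1   0.4
  4.|-- 198.51.100.2               0.0%    10    6.3   6.5   6.0   7.4   0.4
  5.|-- 198.51.100.3               0.0%    10   31.0  32.1  30.2  35.0   1.5
  6.|-- 198.51.100.4               0.0%    10   33.2  34.0  32.1  37.9   1.7
  7.|-- 198.51.100.5               0.0%    10   80.1  82.4  78.0  90.3   4.1
  8.|-- 198.51.100.6              30.0%    10   85.0  86.9  81.2  95.7   5.2
  9.|-- 198.51.100.7              20.0%    10   88.3  90.0  84.0  99.1   5.0
 10.|-- 198.51.100.8              20.0%    10   90.2  91.5  86.3 101.0   4.8
 11.|-- 198.51.100.9              20.0%    10   92.0  93.1  88.1 103.2   4.9
 12.|-- 198.51.100.10             20.0%    10   94.4  95.0  90.0 105.5   5.1
 13.|-- 198.51.100.11             20.0%    10   95.1  96.2  91.0 106.0   5.0
 14.|-- 203.0.113.77              20.0%    10   96.0  97.3  92.2 108.4   5.3
"""

# Constructed: a normal 7-hop path where one router drops or rate-limits ICMP.
HEALTHY_REPORT = """\
HOST: laptop                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1                0.0%    10    0.4   0.5   0.4   0.7   0.1
  2.|-- 10.0.0.1                   0.0%    10    2.0   2.2   1.9   2.8   0.3
  3.|-- 198.51.100.1               0.0%    10    3.9   4.1   3.7   4.9   0.4
  4.|-- ???                      100.0%    10    0.0   0.0   0.0   0.0   0.0
  5.|-- 198.51.100.3              60.0%    10    5.8   6.0   5.5   6.9   0.5
  6.|-- 198.51.100.4               0.0%    10    7.1   7.4   6.9   8.3   0.4
  7.|-- 203.0.113.77               0.0%    10    8.0   8.2   7.7   9.0   0.4
"""

_HOP_RE = re.compile(
    r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%\s+(\d+)\s+([\d.]+)\s+([\d.]+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)")


def parse_mtr_report(text):
    hops = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if m:
            n, host, loss, snt, _last, avg, _best, wrst, _stdev = m.groups()
            hops.append({"hop": int(n), "host": host, "loss": float(loss),
                         "sent": int(snt), "avg": float(avg), "worst": float(wrst)})
    return hops


def assess_path(hops, baseline_hops=7, loss_threshold=10.0, extra_hops=2):
    """Flag a path as degraded on hop-count blow-up or loss that reaches the endpoint."""
    if not hops:
        return {"degraded": False, "hops": 0, "lossy_hops": [], "reason": "no hops parsed"}
    end = hops[-1]
    lossy = [h["hop"] for h in hops if h["loss"] > loss_threshold]
    # Only loss visible at the endpoint is end-to-end loss. A middle hop at 60%
    # (or ???) with a clean endpoint is ICMP de-prioritisation, not a bad link.
    reasons = []
    if end["loss"] > loss_threshold:
        first_bad = next(h["hop"] for h in hops if h["loss"] > loss_threshold)
        reasons.append(f"{end['loss']:.0f}% loss at endpoint, starting at hop {first_bad}")
    if len(hops) > baseline_hops + extra_hops:
        reasons.append(f"{len(hops)} hops vs usual {baseline_hops} (rerouted)")
    return {"degraded": bool(reasons), "hops": len(hops), "lossy_hops": lossy,
            "endpoint_avg_ms": end["avg"],
            "reason": "; ".join(reasons) or "path looks normal"}


def should_rehop(report_text, **kw):
    """True when the report says to put a different server in front."""
    return assess_path(parse_mtr_report(report_text), **kw)["degraded"]


if __name__ == "__main__":
    for name, rep in (("degraded", DEGRADED_REPORT), ("healthy", HEALTHY_REPORT)):
        print(name, assess_path(parse_mtr_report(rep)))
```

Run `mtr --report -c 10 <endpoint>` and pass the output in. The one refinement over reading the table by eye is in the healthy sample: the ??? and 60% hops look alarming, but loss that does not persist to the endpoint is a router de-prioritising ICMP, not a faulty link, so only endpoint loss or a hop-count blow-up triggers a re-hop.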
