29 comments

[ 3.3 ms ] story [ 58.2 ms ] thread
this kills my caching, but I'd love to integrate this in dnsmasq. right now I'm running a patched dnsmasq¹ that can handle blocking urls based on regex (e.g. kill anything with unicode in addition to whatever I have in my SteveBlack's /etc/hosts blocklist²). So having noise generation in dnsmasq which is ignored by caching would be an ideal solution for me.

__

¹https://github.com/lixingcong/dnsmasq-regex

²https://github.com/StevenBlack/hosts

> right now I'm running a patched dnsmasq¹

Are you the author of this? I've been wanting something like this for a long time! Hopefully the patch has been submitted upstream for inclusion in dnsmasq..

I'm not the author and I too would like to see it too. But I wouldn't hold my breath on it ever making it into upstream considering that DNS based filtering gets some bad rep (rightfully so): https://www.afnic.fr/medias/documents/conseilscientifique/SC...

But for my anti-phishing specific use-case it perfectly prevents unicode domains from resolving. It will discriminate against other languages where unicode is popular but I don't speak these languages so it is exactly what I want. And for those couple of sites that have legitimate reason for unicode domains I never encountered a site that I felt was interesting to me.

Nothing ever good -or even interesting- will come from Unicode domains.

When I took my first networking class a billion years ago (the 1990s) the kindly professor who had written most of the networking textbooks in use at the time started the first week off by teaching us how to use the ping command.

But first he warned us: make sure you always use the -c flag if you're pinging something on the internet. This is to specify the count of pings sent out. If you didn't it would ping forever and generate too much traffic, and this useless noise would make you a "bad netizen". He explained this and everything to us so kindly and with such sincerity it was like watching Fred Rodgers speak.

Now we have to randomly barf noise onto the network to maybe have a better chance at some privacy. And that's on top of the half dozen browser extensions and the vpn and whatever other tools you need to have a moderately good experience on the network.

How did we let the internet become this awful?

> How did we let the internet become this awful?

The innocence of anything is always lost when the MBAs show up.

> How did we let the internet become this awful?

It's not a "we let" situation. To assume something sufficiently large can remain trusted via gentlemen agreements is naive. This is the fate of everything open/large enough that's shared and/or leverages third party resources.

Is this intended to be a solution for people who are unable to do DNS-over-TLS (which seems like a much better solution to this problem).
Maybe a better solution to DNS lookups, but doesn't change the fact that your ISP may be profiling you based on the IPs you connect to for web traffic. VPN could be argued as a solution there, but even volume sans target is a profiling tool.
If you're worried about getting in trouble for some HTTPS or DNS traffic then why would you trust this? Someone snooping on your traffic could see you generating traffic that looks incriminating.

If you're not worried about getting in trouble for some HTTPS or DNS traffic then why would you use this?

In short I don't understand the use case for this script. Anyone analyzing your traffic looking for specific DNS requests or specific SNIs will still see them.

As the author mentions in the readme, one use case is to obfuscate your online advertising profile by flooding it with random data.
Without using a real headless browser running JavaScript AND accessing a browser cookie store to distribute the fake traffic on the event tracking of all gazillion tracking cookies you‘re already identified with, this approach is utterly useless for the purpose intended. Even for trackers using IP+Fingerprint (which nobody I know is seriously using these days anymore), you‘d have to spoof the user agent of the regular browser.

Sorry to say, but you‘ll be much better off with an adblocker.

I think this is intended to screw with tracking being done by your ISP.
Your ISP has more options to identify you than a random 3rd party advertisement/tracking partner...
Read up on China and VPNs. A lot of providers and individual are now using obfuscation techniques to circumvent the Great Firewall.
+1 they do protocol detection as well. If blocking is all they want,fingerprintig is cheaper than DPI.
A good way to be blacklisted.
From what? I think a better noise generator would do better than random, e.g. headless chrome, human-esque mouse movements, reasonable link traversal, etc. I also wonder how many of the big sites will blacklist by IP knowing many ISPs reassign and many botnets run on their customers' computers.
While I appreciate the intent of this and other "chaff" tools, I can't help but think ten years from now I'll be seated under a single 200W light bulb hanging from a string while some federal official with 100,000 printed out pages of logs sneers at me saying "and then on December 10th of 2023 you visited www.elderlydogswhosquirt.com. You disgust me." And then I try to explain how it was the bots in my computer, not me. The bots I tell ya!
(comment deleted)
Really ought to just use coreDNS as a local stub resolver and point it at cloudfare's TLS enabled DNS resolvers. That's what I do.
Security^W Privacy through obscurity. Not bulletproof but better than nothing.

Can't fail to remember the same trick used by megacorps outside Internet. Once Coca-Cola wanted to be certified as kosher. It of course did not want to uncover its secret recipe. They knew though that a mix of plant-based components is normally considered kosher is each component is also kosher. So they presented a huge list of such components and claimed that all components of Coca-Cola are listed there, among other, unrelated components. The list was considered kosher, and thus Coca-Cola the drink, too.

The difference is that they only had to do it once to keep their secret. This software needs to do it many times per real request.

Keep in mind that the data is still there, and motivated people will figure out the noise from the signal.

Use dnscrypt: https://dnscrypt.info/ which has an easy macOS integration too.