this kills my caching, but I'd love to integrate this in dnsmasq. right now I'm running a patched dnsmasq¹ that can handle blocking urls based on regex (e.g. kill anything with unicode in addition to whatever I have in my SteveBlack's /etc/hosts blocklist²). So having noise generation in dnsmasq which is ignored by caching would be an ideal solution for me.
Are you the author of this? I've been wanting something like this for a long time! Hopefully the patch has been submitted upstream for inclusion in dnsmasq..
I'm not the author and I too would like to see it too. But I wouldn't hold my breath on it ever making it into upstream considering that DNS based filtering gets some bad rep (rightfully so): https://www.afnic.fr/medias/documents/conseilscientifique/SC...
But for my anti-phishing specific use-case it perfectly prevents unicode domains from resolving. It will discriminate against other languages where unicode is popular but I don't speak these languages so it is exactly what I want. And for those couple of sites that have legitimate reason for unicode domains I never encountered a site that I felt was interesting to me.
Nothing ever good -or even interesting- will come from Unicode domains.
dnscrypt-proxy supports regex-based rules, can block responses including specific IP addresses, can provide nice logs, does caching, supports time-based rules, and more: https://github.com/jedisct1/dnscrypt-proxy/wiki/Filters
When I took my first networking class a billion years ago (the 1990s) the kindly professor who had written most of the networking textbooks in use at the time started the first week off by teaching us how to use the ping command.
But first he warned us: make sure you always use the -c flag if you're pinging something on the internet. This is to specify the count of pings sent out. If you didn't it would ping forever and generate too much traffic, and this useless noise would make you a "bad netizen". He explained this and everything to us so kindly and with such sincerity it was like watching Fred Rodgers speak.
Now we have to randomly barf noise onto the network to maybe have a better chance at some privacy. And that's on top of the half dozen browser extensions and the vpn and whatever other tools you need to have a moderately good experience on the network.
It's not a "we let" situation. To assume something sufficiently large can remain trusted via gentlemen agreements is naive. This is the fate of everything open/large enough that's shared and/or leverages third party resources.
Oh man, I had similar instructor that preached the same thing. He made us watch a movie called Warriors of the Net which talked about the ping.... OF DEATH!
Maybe a better solution to DNS lookups, but doesn't change the fact that your ISP may be profiling you based on the IPs you connect to for web traffic. VPN could be argued as a solution there, but even volume sans target is a profiling tool.
If you're worried about getting in trouble for some HTTPS or DNS traffic then why would you trust this? Someone snooping on your traffic could see you generating traffic that looks incriminating.
If you're not worried about getting in trouble for some HTTPS or DNS traffic then why would you use this?
In short I don't understand the use case for this script. Anyone analyzing your traffic looking for specific DNS requests or specific SNIs will still see them.
Without using a real headless browser running JavaScript AND accessing a browser cookie store to distribute the fake traffic on the event tracking of all gazillion tracking cookies you‘re already identified with, this approach is utterly useless for the purpose intended. Even for trackers using IP+Fingerprint (which nobody I know is seriously using these days anymore), you‘d have to spoof the user agent of the regular browser.
Sorry to say, but you‘ll be much better off with an adblocker.
there are interesting application scenarios for noise-generation¹ and can be a valid OpSec strategy depending on the purpose of the operation. It isn't a catch-all or even substitute for any other mechanism (adblockers, pi-hole etc) and can have side-effects.
From what? I think a better noise generator would do better than random, e.g. headless chrome, human-esque mouse movements, reasonable link traversal, etc. I also wonder how many of the big sites will blacklist by IP knowing many ISPs reassign and many botnets run on their customers' computers.
While I appreciate the intent of this and other "chaff" tools, I can't help but think ten years from now I'll be seated under a single 200W light bulb hanging from a string while some federal official with 100,000 printed out pages of logs sneers at me saying "and then on December 10th of 2023 you visited www.elderlydogswhosquirt.com. You disgust me." And then I try to explain how it was the bots in my computer, not me. The bots I tell ya!
Security^W Privacy through obscurity. Not bulletproof but better than nothing.
Can't fail to remember the same trick used by megacorps outside Internet. Once Coca-Cola wanted to be certified as kosher. It of course did not want to uncover its secret recipe. They knew though that a mix of plant-based components is normally considered kosher is each component is also kosher. So they presented a huge list of such components and claimed that all components of Coca-Cola are listed there, among other, unrelated components. The list was considered kosher, and thus Coca-Cola the drink, too.
The difference is that they only had to do it once to keep their secret. This software needs to do it many times per real request.
29 comments
[ 3.3 ms ] story [ 58.2 ms ] thread__
¹https://github.com/lixingcong/dnsmasq-regex
²https://github.com/StevenBlack/hosts
Are you the author of this? I've been wanting something like this for a long time! Hopefully the patch has been submitted upstream for inclusion in dnsmasq..
But for my anti-phishing specific use-case it perfectly prevents unicode domains from resolving. It will discriminate against other languages where unicode is popular but I don't speak these languages so it is exactly what I want. And for those couple of sites that have legitimate reason for unicode domains I never encountered a site that I felt was interesting to me.
Nothing ever good -or even interesting- will come from Unicode domains.
But first he warned us: make sure you always use the -c flag if you're pinging something on the internet. This is to specify the count of pings sent out. If you didn't it would ping forever and generate too much traffic, and this useless noise would make you a "bad netizen". He explained this and everything to us so kindly and with such sincerity it was like watching Fred Rodgers speak.
Now we have to randomly barf noise onto the network to maybe have a better chance at some privacy. And that's on top of the half dozen browser extensions and the vpn and whatever other tools you need to have a moderately good experience on the network.
How did we let the internet become this awful?
The innocence of anything is always lost when the MBAs show up.
It's not a "we let" situation. To assume something sufficiently large can remain trusted via gentlemen agreements is naive. This is the fate of everything open/large enough that's shared and/or leverages third party resources.
https://www.youtube.com/watch?v=PBWhzz_Gn10
If you're not worried about getting in trouble for some HTTPS or DNS traffic then why would you use this?
In short I don't understand the use case for this script. Anyone analyzing your traffic looking for specific DNS requests or specific SNIs will still see them.
Sorry to say, but you‘ll be much better off with an adblocker.
__
¹https://iotdarwinaward.com/post/improve-your-privacy-in-age-...
https://fortune.com/2018/03/07/best-buy-geek-squad-fbi-infor...
https://www.newsweek.com/best-buy-geek-squad-fbi-informants-...
https://slate.com/technology/2018/03/fbi-geek-squad-best-buy...
https://www.huffingtonpost.com/entry/fbi-geek-squad-customer...
https://www.npr.org/sections/thetwo-way/2018/03/07/591698708...
https://www.eff.org/deeplinks/2018/03/geek-squads-relationsh...
https://www.washingtonpost.com/news/true-crime/wp/2017/04/03...
Can't fail to remember the same trick used by megacorps outside Internet. Once Coca-Cola wanted to be certified as kosher. It of course did not want to uncover its secret recipe. They knew though that a mix of plant-based components is normally considered kosher is each component is also kosher. So they presented a huge list of such components and claimed that all components of Coca-Cola are listed there, among other, unrelated components. The list was considered kosher, and thus Coca-Cola the drink, too.
The difference is that they only had to do it once to keep their secret. This software needs to do it many times per real request.
Use dnscrypt: https://dnscrypt.info/ which has an easy macOS integration too.