It are somewhat seperate problems. But let's begin with ad's, tracking and malware/bots/whatever uses a domainname. You have two different options SaaS and selfhosted. It's a matter of opinion but I would say PiHole (selfhosted) or NextDNS (SaaS) a no cost SaaS would be using the AdGuard DNS servers in your router instead of the ones of your ISP.
Personally I use NextDNS, it's robust and thanks to the options I can tweak it to my needs without having to upgrade / update stuff.
The second part, keeping my network secure is a bit more involved, it can mean anything from simply having different wireless networks for different purposes (IOT, video surveillance and guests are common) to packet inspection and intrusion detection. Mostly, use the seperate wireless network strategy and forget about the rest, the maintenance is too high and the gain too low for personal networks.
Regarding blocking ads, etc. - you might want to check out Pi-hole. It can run on a Raspberry Pi (hence the name) or just about anything. It’s pretty easy to set up. Works for blocking ads and trackers, and you can set up additional blocks as well (for Instagram, for example).
Apple isn't the end all for privacy at all. Use Linux devices in which you have 100% control over every aspect, not proprietary black boxes which still track you.
Does it really matter how private & secure your network is when the nsa can capture all traffic in the upstream?
They can't spy on any US citizens they say, that's the rule, & they have many oversight committees such as Congressional oversight committees to watchdog them.
Tricky nsa moved the Upstream & Downstreams to South Africa. So a US citizen's data is no longer in the USA_technically...& they can collect it.
Bulk collection, encryption breaking, data mining with algorithms & keywords....but they only keep it all for 72 hours then it gets securely deleted.
That's the way it is boys. And I'm not a hacker, at all & I found this.
I believe the thing to do is fly stealth under the radar at all times, as minimally as possible, and count the hours (72) between transmissions.
You aren't going to get detailed instructions on how to set these services up here. I would suggest reading the documentation at the parents link, to start.
The instructions on setting up PiHole are pretty straight forward. Myself I have a few Pis so it was not an issue.
Although I must say the nextdns people might be worth going towards, given the ability to use anywhere, not just at home. Yeah I can install it in the cloud but then you have to pay to maintain that.
You can use ethernet connections whenever possible so you aren't broadcasting as much info.
Not very helpful, but you can also reduce your wifi power and/or place to in the basement (if you have one) to limit the range (physical attack surface). You can also schedule the wifi to turn off during hours that you don't need it (11pm-6am?). This will reduce the amount of time someone could monitor/attack via wifi. It also reduces your exposure to RF, if you're into that.
Honestly, as a network engineer with 4 kids, we’re kinda just screwed.
The popular responses here are going to be about Pi-Hole and NextDNS (which I use today), but overall it’s a losing battle and all of it is easily circumvented.
With DNS-over-HTTPS becoming more and more prevalent in all things end-user devices, I suspect by this time next year using any kind of traditional DNS controls will be worthless.
We could go super heavy handed and deploy some home version of enterprise packet inspection, but that’s a whole bag of worms.
As for kiddos, I’ve gotten to the point where I combine good communication over obscurantism, device level traffic logging/monitoring, all mixed with a hard off switch for communications at and after certain times to be the winning ticket.
As far as tracking and ads... we’re all going to lose that battle fairly soon. The same tech we all praise as good for privacy is also great for data collection and advertising.
>As far as tracking and ads... we’re all going to lose that battle fairly soon. The same tech we all praise as good for privacy is also great for data collection and advertising.
Can you elaborate on this? I'd be interested to know more about how this could happen.
Well, traditional DNS is all unencrypted traffic over port 80 on a network firewall/router. Typically, what some people are doing is setting up their own DNS servers on the internal LAN that recognizes lookups that are unfavorable and just refuses to allow the resolve.
An example is a tracker DNS lookup might be something like: tracker.ad.amazon.com. My self controlled DNS sees that url lookup, compares it to a list of known tracking or advertising urls, finds it in that list and instead of responding with the server IP, it just says “not found”. I then block devices on my local LAN from circumventing my internal DNS (I.e manually changing device DNS servers that would typically be my internal server, to something public like google’s 8.8.8.8), by only allowing traffic out of port 80 that originates from my Self-made local dns server.
Client device -> local dns -> public server = ok.
Client device -> public dns -> = blocked.
So this same method is also used by almost every major ISP out there to track your browsing and usage history. Along with other security problems this poses, the tech community has been developing and pushing things like DNS-over-TLS and DNS-over-HTTPS. What this does is takes a DNS request and packages it into an HTTPS packet that acts and looks like any other encrypted web traffic over port 443. The server on the other end then unpacks it back to a DNS query and responds in the same way.
That effectively obscures DNS traffic as any ole web traffic that I can no longer detect and manipulate. An example is that your Alexas will eventually (I think they may already do it in some cases, I know my Samsung TV does) use that kind of DNS tech to pass tracking and ad data back to their home servers. I can no long really stop that and preserve the function intent of the device (I.e I could place them on a gapped VLAN, but it would render all connectivity inoperable and thereby make the device useless).
So fundamentally, the same stuff we’re putting together to maintain personal privacy and security, is also going to be used to maintain the same features for Amazon’s, Google’s, any other data house’s data that it collects about you.
Further, as this become normal protocol in browsers, things like content blocking and parental controls become very difficult to do without end device sudo rights or the manufacturer building parental controls into the OS (like Apple is keen to do).
A little elementary explaining there, but hopefully you get the idea.
I just bought a firewalla blue device that handles this. It's a bit expensive but it really is a no hassle solution. So far I don't regret the purchase.
20 comments
[ 3.1 ms ] story [ 62.4 ms ] thread- Use privacy-respecting mobile devices, such as Apple.
- Use an anti-tracking measures as mentioned like pi-hole and/or hostfile service.
- Forbid social media apps, they are a scourge.
- Use privacy-respecting browsers like Firefox and Safari. Set protection higher than standard.
- Consider browser extensions like ghostery, etc.
Tricky nsa moved the Upstream & Downstreams to South Africa. So a US citizen's data is no longer in the USA_technically...& they can collect it. Bulk collection, encryption breaking, data mining with algorithms & keywords....but they only keep it all for 72 hours then it gets securely deleted. That's the way it is boys. And I'm not a hacker, at all & I found this. I believe the thing to do is fly stealth under the radar at all times, as minimally as possible, and count the hours (72) between transmissions.
But I suspect NSA can decyrpt their stuff.
I suspect the question breaks down to: 1) are you important or rich enough for someone to target? 2) Who are you protecting against?
https://pi-hole.net/
Blocklists are all over the place, do some googling. I like https://firebog.net as a jump off point.
The instructions on setting up PiHole are pretty straight forward. Myself I have a few Pis so it was not an issue.
Although I must say the nextdns people might be worth going towards, given the ability to use anywhere, not just at home. Yeah I can install it in the cloud but then you have to pay to maintain that.
Not very helpful, but you can also reduce your wifi power and/or place to in the basement (if you have one) to limit the range (physical attack surface). You can also schedule the wifi to turn off during hours that you don't need it (11pm-6am?). This will reduce the amount of time someone could monitor/attack via wifi. It also reduces your exposure to RF, if you're into that.
The popular responses here are going to be about Pi-Hole and NextDNS (which I use today), but overall it’s a losing battle and all of it is easily circumvented.
With DNS-over-HTTPS becoming more and more prevalent in all things end-user devices, I suspect by this time next year using any kind of traditional DNS controls will be worthless.
We could go super heavy handed and deploy some home version of enterprise packet inspection, but that’s a whole bag of worms.
As for kiddos, I’ve gotten to the point where I combine good communication over obscurantism, device level traffic logging/monitoring, all mixed with a hard off switch for communications at and after certain times to be the winning ticket.
As far as tracking and ads... we’re all going to lose that battle fairly soon. The same tech we all praise as good for privacy is also great for data collection and advertising.
Can you elaborate on this? I'd be interested to know more about how this could happen.
An example is a tracker DNS lookup might be something like: tracker.ad.amazon.com. My self controlled DNS sees that url lookup, compares it to a list of known tracking or advertising urls, finds it in that list and instead of responding with the server IP, it just says “not found”. I then block devices on my local LAN from circumventing my internal DNS (I.e manually changing device DNS servers that would typically be my internal server, to something public like google’s 8.8.8.8), by only allowing traffic out of port 80 that originates from my Self-made local dns server.
Client device -> local dns -> public server = ok. Client device -> public dns -> = blocked.
So this same method is also used by almost every major ISP out there to track your browsing and usage history. Along with other security problems this poses, the tech community has been developing and pushing things like DNS-over-TLS and DNS-over-HTTPS. What this does is takes a DNS request and packages it into an HTTPS packet that acts and looks like any other encrypted web traffic over port 443. The server on the other end then unpacks it back to a DNS query and responds in the same way.
That effectively obscures DNS traffic as any ole web traffic that I can no longer detect and manipulate. An example is that your Alexas will eventually (I think they may already do it in some cases, I know my Samsung TV does) use that kind of DNS tech to pass tracking and ad data back to their home servers. I can no long really stop that and preserve the function intent of the device (I.e I could place them on a gapped VLAN, but it would render all connectivity inoperable and thereby make the device useless).
So fundamentally, the same stuff we’re putting together to maintain personal privacy and security, is also going to be used to maintain the same features for Amazon’s, Google’s, any other data house’s data that it collects about you.
Further, as this become normal protocol in browsers, things like content blocking and parental controls become very difficult to do without end device sudo rights or the manufacturer building parental controls into the OS (like Apple is keen to do).
A little elementary explaining there, but hopefully you get the idea.