Why did nobody do this? (DNS blocking might be useless)

I realized that most DNS-Blocking is just straight up useless. Big corporations have hard coded lists of ip addresses which they can access at any time without using a DNS-Server. So I had this idea in my mind. I don’t know why nobody thought about this before but maybe I’m overlooking something. So this is the idea:

  1. DNS Server with Domain-Based Blocking: This server blocks access to websites using a list of specific domains and patterns (regexes), ensuring a broad range of unwanted sites are denied.

  2. Custom VPN/Hardware with Dynamic IP Whitelisting: A setup (VPN or device) between your network and the internet allows only IP addresses that the DNS server recently resolved. This creates a temporary, constantly-updated whitelist of safe IPs.

  3. Temporary Permission for Approved IPs: An IP address is allowed network access for a short period (like 5 minutes) after DNS approval. For continued access, it must be re-approved, maintaining a secure and constantly verified network.

(edit) Another very important point I forgot to add:
Currently, many applications are avoiding the system’s DNS resolvers (to avoid people like us with custom DNS servers blocking their tracking attempts). They do this by getting the IP addresses directly from their own DNS servers using HTTPS (port 443) or other protocols. The method I proposed above would also block malicious attempts like these.

I mean sure, DNS-based blocking is not a panacea, but it can deal with known bad things decently. If you’re hitting the point where you’re worried about hardcoded IP addresses still doing things you don’t want, you probably would want to have a whitelist for “trusted” devices, or even just not connecting the most trusted devices to the internet at all. Anything else is just badness enumeration because you won’t ever figure out every single “bad” IP address to block for a blacklist.

The other angle is that “hardcoded IPs” would only be an issue with big tech (if that), which it seems are part of your threat model and thus you should be avoiding their software anyway.

1 Like

This is DNS level blocking? See PiHole and other solutions.

Don’t think I follow. Isn’t this just saying to point your devices to your DNS server? If you have a DNS server not on your LAN, you could setup a VPN to the DNS Server. But most people have their DNS Server (if they have set it up like using Unbound) on their LAN and a VPN to route in your own LAN to your LAN has no purpose.

Manually approving IPs is possible if you want to block everything and allow list as you go. This is going to be annoyingly cumbersome to maintain. Most people therefore use block lists maintained by people who have done most of the work.

If you are worried about cache time, just configure your own DNS server to have a shorter cache. Otherwise, every device caches DNS entries after the DNS server, regardless how you configured the DNS Server.

I typically am not paranoid about DNS cache poisoning. This is cutting teeth on security for me, and existing solutions are good enough for privacy.

Well, of course, I agree with you. We should shun the privacy-avoiding services and use custom ROMs, Linux, etc. But I myself just can’t keep up with this all the time. I have a life, and following all these small things is just unbearable for me. Also there are some apps/services I want to continue using but don’t want them invading my privacy. The solution I am proposing, if done right, would solve all of this (mostly…) without even requiring a ton of time to setup.

You would still be able to use all the services that you want to. Yeah, one can’t control what exactly is going through if a domain went through your blacklist. For example, with videos.test.com you would expect that it fetches some video. But of course, it could also be sending voice recordings from your device. But I think most services really bind something to a domain name. For example, if they want to track you, the domain is something like track.test.com.

But sometimes they also hard-code IPs if track.test.com doesn’t work. But if we now block both the ‘IP addresses from track.test.com’ and also the hardcoded IPs, only the data from videos.test.com would go through. A couple of applications also make DNS requests routinely, every few seconds. And if they get the IP address at some point, say in 1 split second, all your DNS blocking is useless because that IP address most likely will be a corporate static IP address which won’t time out.

But if you would create a whitelist of IP addresses like I explained, and every IP address resolved by your custom DNS server (with a blocking list) is allowed for only a few minutes and then has to “get to the whitelist again”, then you’ll have much better protection than current DNS blocking methods. I mean, it’s still not perfect. A domain with the name videos.test.com could still be sending your data to a corporation and also fetch the video you’re watching at the same time. But I think this would be so much more secure than the previous methods of ‘just DNS blocking’ and would open a new wave of ideas and methods to secure privacy.
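A small simulation of the resolver-gated allowlist described in the opening post and elaborated above, written as an added example rather than anything from the thread. The blocklist patterns, the stubbed upstream answers, the TEST-NET-3 addresses and the 300-second lease are all constructed; the point is to show why a hardcoded IP (or one fetched over an app’s own DNS-over-HTTPS) is dropped and why a lease has to be refreshed by a fresh resolution.

```python
import re

# Constructed sample blocklist patterns and a stubbed upstream resolver;
# neither comes from the thread, both stand in for a real list/upstream.
BLOCK_PATTERNS = [re.compile(p) for p in (r"^track\.", r"\.ads\.")]
UPSTREAM = {  # domain -> IPs (TEST-NET-3 addresses, constructed)
    "videos.test.com": ["203.0.113.10"],
    "track.test.com": ["203.0.113.20"],
}

class ResolverGate:
    """Blocking DNS front-end plus a time-limited IP allowlist.

    resolve() answers like a filtering DNS server and records each IP it
    hands out with an expiry; permit() is the check the packet filter asks
    for every outbound flow. 'now' is passed explicitly so the logic is
    deterministic (a real deployment would use a monotonic clock)."""

    def __init__(self, upstream, block_patterns, ttl=300):
        self.upstream = upstream
        self.block_patterns = block_patterns
        self.ttl = ttl            # seconds an IP stays allowed after resolution
        self.allow = {}           # ip -> expiry timestamp

    def resolve(self, domain, now):
        # Domain-based blocking: matching names get an empty answer and
        # their IPs never enter the allowlist.
        if any(p.search(domain) for p in self.block_patterns):
            return []
        ips = self.upstream.get(domain, [])
        for ip in ips:
            self.allow[ip] = now + self.ttl   # re-resolution refreshes the lease
        return ips

    def permit(self, ip, now):
        # Default deny: an IP the resolver never handed out (hardcoded by an
        # app, or fetched over the app's own DNS-over-HTTPS) is dropped.
        expiry = self.allow.get(ip)
        if expiry is None or now >= expiry:
            self.allow.pop(ip, None)          # lease expired, re-approval needed
            return False
        return True

if __name__ == "__main__":
    gate = ResolverGate(UPSTREAM, BLOCK_PATTERNS)
    print(gate.resolve("videos.test.com", now=0))     # ['203.0.113.10']
    print(gate.resolve("track.test.com", now=0))      # [] (blocked)
    print(gate.permit("203.0.113.10", now=60))        # True, within lease
    print(gate.permit("203.0.113.20", now=60))        # False, hardcoded IP
    print(gate.permit("203.0.113.10", now=301))       # False, lease expired
```

The enforcement side (permit) would sit in the packet filter on the router or on the device itself, which is also why a cached DNS entry on the client does not help an app once its lease has expired.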

This is DNS level blocking? See PiHole and other solutions.

No, what I’m proposing is a bit different. Please read the other comment I made to @pinkandwhite.

Don’t think I follow. Isn’t this just saying to point your devices to your DNS server? If you have a DNS server not on your LAN, you could setup a VPN to the DNS Server. But most people have their DNS Server (if they have set it up like using Unbound) on their LAN and a VPN to route in your own LAN to your LAN has no purpose.

No, a DNS server is only responding to your DNS requests. If you don’t have anything else configured, the rest of your internet traffic just goes through the usual routes. My proposal is to block internet connection for all IP addresses which weren’t resolved by your DNS server and also time them out every few minutes.

Manually approving IPs is possible if you want to block everything and allow list as you go. This is going to be annoyingly cumbersome to maintain. Most people therefore use block lists maintained by people who have done most of the work.

Yes, I’m aware of this. The custom DNS server would still use publicly available blacklists. This method would be like DNS blocking on steroids. You still have everything you had in DNS blocking but you’re also blocking all IP addresses which didn’t go through your DNS blacklist.

If you are worried about cache time, just configure your own DNS server to have a shorter cache. Otherwise, every device caches DNS entries after the DNS server, regardless how you configured the DNS Server.

If we block IPs with a device in the middle, a VPN or directly from the kernel, even cached DNS entries won’t be able to access the internet if not allowed, like I explained before.

I think what the rest of what you are describing is more of a circuit breaker logic. Concisely: a connection to D is allowed for X time if D was resolved by DNS server S before the connection; otherwise D gets blocked for a given device. This concept technically can be decoupled from the DNS server; it seems more like a middleware DNS service or IP. Also this would likely need to live on a per device basis OR on the router itself.

How common is this? I feel like this only matters if running untrusted devices, and you are paranoid your block list isn’t doing a good enough job.

I also feel like this could accidentally block VPNs or compromise privacy. VPNs use their own DNS sometimes, and so I have to override the VPN DNS with a possible local one, and now I risk DNS leaks. Not an ideal scenario.

What’s the threat model here? This is a different goal than the above: have 0 cache on a local device, and don’t trust the upstream DNS resolver, so use a VPN to handle the caching? I’m not so paranoid that someone is going to steal my DNS cache on my local machine. Plus if I don’t trust the upstream DNS, I already have paid VPNs which do that.

Also cached DNS entries are just data, they can’t do anything. The device just sends a network request, using the IP from DNS.

1 Like

Just thought of a way to do this half-assed - simply add all the best-known DNS servers to your block list lol. Then bam, untrusted devices have to have their own custom DNS server running and resolve that. If you see an untrusted device continues resolving, then start a TCP Dump / Wireshark analysis and start digging in.

This solves this problem. Doesn’t do the intense connection drop, but that’s a higher threat model.

So basically instead of just having VMs or some other method to do trusted/secure and untrusted/insecure devices you want to babysit a DNS whitelist? Seems like just a tonne of extra work to reinvent the wheel really.

1 Like

A list of allowed domains would seem to be impossible to maintain tbh.

1 Like

It’s not good to just completely shut down people’s ideas, maybe he/she/they has some ideas in their post some of which might change things for the better. Idk myself tho.