this post was submitted on 08 Aug 2024
80 points (98.8% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54500 readers
685 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
top 10 comments
sorted by: hot top controversial new old
[–] lemmyvore@feddit.nl 56 points 3 months ago (1 children)

Everybody should be using DNS over HTTPS (DoH) or over TLS (DoT) nowadays. Clear DNS is way too easy to subvert and even when it's not being tampered with most ISP snoop on it to compile statistics about what their customers visit.

DoH and DoT aren't a full-proof solution though. HTTPS connections still leak domain names when the target server doesn't use Encrypted Hello (ECH) and you need to be using DoH for ECH to work.

Even if all that is in place, a determined ISP, workplace or state actor can identify DoH/DoT servers and compile block lists, perform deep packet inspection to detect such connections regardless of server, or set up their own honey trap servers.

There's also the negative side of DoH/DoT, when appliances and IoT devices on your network use it to bypass your control over your LAN.

[–] Findmysec@infosec.pub 5 points 3 months ago

How would they do DPI on DNS packets routed using DoH? It looks like HTTPS traffic, it's encrypted, and other than size and frequency I don't see how they can gey anything out of it. Yeah they'll get the SNI with eCH but that's supported by FF and by a lot of providers using DoH

[–] ironsoap@lemmy.one 31 points 3 months ago

A brief technical summary from iMAP reveals what happens when users attempt to access sites using Cloudflare and Google DNS.

• On Maxis, DNS queries to Google Public DNS (8.8.8.8) servers are being automatically redirected to Maxis ISP DNS Servers;

**

• On Time, DNS queries to both Google Public DNS (8.8.8.8) and Cloudflare Public DNS (1.1.1.1) are being automatically redirected to Time ISP DNS servers.

“Instead of the intended Google and Cloudflare servers, users are being served results from ISP DNS servers. In addition to MCMC blocked websites, other addresses returned from ISP DNS servers can also differ from those returned by Google and Cloudflare,” iMAP warns.

...

"Users that are affected, can configure their browser settings to enable DNS over HTTPS to secure their DNS lookups by using direct encrypted connection to private or public trusted DNS servers. This will also bypass transparent DNS proxy interference and provide warning of interference,” iMAP concludes.

Essentially Malaysia law required ISP to drop DNS entries for some sites, local users started using public DNS. ISP started redirecting public DNS requests, and local users started using DNS over HTTPS.

The pirate wars continue in their arms races.

[–] Melody@lemmy.one 23 points 3 months ago

This is why technologies like DoH and DoT are needed. To prevent this kind of tampering.

[–] jherazob@beehaw.org 7 points 3 months ago (2 children)

What's the "best practices" for DNS these days besides running your own local service?

[–] kbal@fedia.io 5 points 3 months ago

Just use your VPN provider's DNS.

[–] sabreW4K3@lazysoci.al 3 points 3 months ago (1 children)
[–] ReversalHatchery@beehaw.org 10 points 3 months ago* (last edited 3 months ago) (1 children)

Will be blocked just as well. These users need encrypted DNS, and honestly, not just them but everyone else too because of ISP tracking. dnscrypt or DoH is the solution.

[–] YourPrivatHater@ani.social 2 points 3 months ago (1 children)

Wouldn't a VPN still work? VPN+NextDNS would do the job.

Hope Proton comes up with a good encrypted DNS service however.

[–] ReversalHatchery@beehaw.org 1 points 3 months ago

Yes, that should work too