> Side note: for those wondering, Tailscale is Canadian and can't see the content of connections (although if you're worried about this it's also possible to self-host using Headscale).
However this is no longer the case. From Tailscale's Terms of service "Schedule A", "New customer accounts on or after September 3, 2024" are bound to "Tailscale US Inc., a Delaware corporation"
It can’t see the contents of connections but it records all the metadata. You know a lot about what the contents are going to be based on the ports. The default configuration of Tailscale will also collect all your DNS requests.
> I never want to send any fraction of information about my Internet browsing to Tailscale.
I'm slightly confused about this part of the ticket. If you're using Tailscale DNS, how do you avoid sending Tailscale information about your internet browsing?
This is completely unacceptable for a service like tailscale to not offer an easy way to opt out of all logs. Uninstalling it now from all my machines.
I do force all plain DNS on port 53 to my local dns (Adguard home + unbound on a gl-inet router). And I block common DoH addresses. There are many lists on Github. I collect them using github action to have one big list of their IP and addresses and block them.
This is not a bullet proof solution in case there is a semi known custom DoH an application use. But it is the best that I can do without Enterprise network gear and more complex setup that I would like to maintain.
You can also force the browser to behave in "corporate" mode, where DNS requests are analyzed by the corporation (you in this case) to determine which domains can and which cannot be accessed by employees (you and your family in this case).
"This article describes DNS over HTTPS and how to enable, edit settings, or disable this feature."
Notice the "or disable this feature".
You change the "trr" value (trusted recursive resolver) and DoH is not supposed to happen anymore.
Setting the browser to not use DoH and blocking known DoH servers is great.
What I wonder is if can then easily configure my DNS resolver (I run unbound) to itself use DoH: I don't have anything against DoH. What I have something against is not being able to blocklist based on domain names.
I don't know about GP's motivations in doing the blocking and redirections, but if they're anything like mine, Firefox is not one of them. The main issue is random "IoT" devices, think smart TVs and the like, phoning home for a fresh batch of ads and whatnot.
Neat! I set up something very similar a few years ago (just with raw dnsmasq); fun to see someone else hit upon the same solution.[0] For anyone running a similar setup: if you want to keep everything as-is, but also expose a single service to the Internet, you can use Tails ale's "Funnel" feature.[1] I use it to self-host Plausible on my home server (i.e. to allow hits to my blog to be counted by my home server, even though that server isn't "generally" available on the Internet).
Its a trick one. Traditional DNS runs over port 53/udp and fails over to 53/tcp for large queries/results. That's easy to deal with on a packet filter firewall.
Then in the name of ... something, something, security ... DNS over http(s) was invented. Now you can balkanize DNS by requiring certain SSL certificates be involved. To my knowledge this hasn't been abused large scale yet but it could.
Let's go easy on the tinfoil and simply redirect outbound traffic to 53/udp and tcp to a PiHole or other DNS server under your control.
If you insist on the tin foil, you will probably need to look into a MitM proxy such as Squid - look into "bump" and "spice".
This falls apart when you realize DoH can (and does) just go out to 443/TCP.
It looks like a web request, which was literally the point of the specification.
"DoH ensures that attackers cannot forge or alter DNS traffic. DoH uses port 443, which is the standard HTTPS traffic port, to wrap the DNS query in an HTTPS request. DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port."
Now if you get into that territory, as you have suggested with your proxy comment, now you are breaking the security model for not just DNS requests but much of the overall traffic on the network.
> Now if you get into that territory, as you have suggested with your proxy comment, now you are breaking the security model for not just DNS requests but much of the overall traffic on the network.
You may be breaking things altogether, actually, since many of the devices for which this song and dance needs to exist don't actually offer a way to alter certificates. I don't know that my smart tv actually uses DoH (it's not physically connected to the network), but I have no idea how I'd add a trusted certificate to its chain, even for other purposes.
My older Kindle Fire HD 10 flips over to DNS over HTTPS if it can't see Google on port 53.
I've tried to add a couple of rules in iptables on my Ubiquiti Dream Machine (UDM), but the out-of-box configuration on the UDM is pages and pages to iptables rules. I can modify that config via a shell interface (a shell script with four iptables command lines), but it doesn't play with the web based GUI, and I have yet to figure out how the UDM handles such traffic.
Yes, I've simply blocked all traffic for 8.8.8.8 and 8.8.4.4, via the UDM GUI, the rules are there. The Kindle still shows me ads.
It may be possible to delete the entries for Google DNS on the Kindle via adb commands during boot, but I haven't gotten that far.
Someday I will get around to setting up a homelab network enough to learn iptables etc without blacking out my home network. As any network outage bring immediate screams from the house, I have to treat the firewall configuration as critical infrastructure: brittle. Don't touch.
Iptables can be used to dump any traffic destined for port 53 to a dns server of your choosing, but I don't know if something like that exists in consumer routers. (Blocking a baked in doh client is a lot more complicated...)
Yeah it would depend on your equipment - but basically if stuff pins and IP instead of doing DNS you would have to block the IP's of all the common resolvers (or at least the ones it will try)
Why not forbid going outside on port 53 and (optionally) redirect to the local DNS servers:
(nftables syntax)
ip saddr != @lan_dns ip daddr != @lan_dns udp dport 53 counter dnat ip to numgen inc mod 2 map { 0 : 192.168.1.1, 1 : 192.168.1.2 } comment "Force all DNS traffic to go through local DNS servers"
It's the same reason why they reverted silently the options to disable referrer (the default since chrome took over is now to send full url even on xdomain, which was unthinkable during mozilla vs ie)
anything that impacts delivery of ads (dns on android/chromecast) or attribution (referrer) will be fought against by google.
I've run into some performance issues routing everything over a local wireguard link. I have a 10gig connection between my desktop and my NAS, though I only get ~1.1gbps over the wireguard link to the NAS. Without wireguard I can saturate the link.
I could probably tweak it, but I haven't had the bandwidth (ha) to troubleshoot it.
I think the attacker won't be able to complete a TCP handshake if spoofing an IP, because the return packets won't be routed to the attacker.
The attacker would have to be on the local network, in which case the attacker isn't really bypassing the allow rule, because the allow rule is intended to allow anyone on the local netowkr.
The post says:
> Side note: for those wondering, Tailscale is Canadian and can't see the content of connections (although if you're worried about this it's also possible to self-host using Headscale).
However this is no longer the case. From Tailscale's Terms of service "Schedule A", "New customer accounts on or after September 3, 2024" are bound to "Tailscale US Inc., a Delaware corporation"
I don't trust a VC backed company and neither should you. Headscale is extremely easy to configure and setup, go for it instead
It can’t see the contents of connections but it records all the metadata. You know a lot about what the contents are going to be based on the ports. The default configuration of Tailscale will also collect all your DNS requests.
https://github.com/tailscale/tailscale/issues/16165
From the issue:
> I never want to send any fraction of information about my Internet browsing to Tailscale.
I'm slightly confused about this part of the ticket. If you're using Tailscale DNS, how do you avoid sending Tailscale information about your internet browsing?
> If you're using Tailscale DNS, how do you avoid sending Tailscale information about your internet browsing?
You can't.
This is completely unacceptable for a service like tailscale to not offer an easy way to opt out of all logs. Uninstalling it now from all my machines.
So Tailscale is now a US company and you can't bind to Headscale? Enshittification.
I do force all plain DNS on port 53 to my local dns (Adguard home + unbound on a gl-inet router). And I block common DoH addresses. There are many lists on Github. I collect them using github action to have one big list of their IP and addresses and block them.
This is not a bullet proof solution in case there is a semi known custom DoH an application use. But it is the best that I can do without Enterprise network gear and more complex setup that I would like to maintain.
Would you be willing to share the list sources you use?
I don’t know about their list but I would start with https://github.com/StevenBlack/hosts
And perhaps automate pushing to a gist or repository?
Seconded
> And I block common DoH addresses.
You can also force the browser to behave in "corporate" mode, where DNS requests are analyzed by the corporation (you in this case) to determine which domains can and which cannot be accessed by employees (you and your family in this case).
Here for Firefox:
https://support.mozilla.org/en-US/kb/firefox-dns-over-https
"This article describes DNS over HTTPS and how to enable, edit settings, or disable this feature."
Notice the "or disable this feature".
You change the "trr" value (trusted recursive resolver) and DoH is not supposed to happen anymore.
Setting the browser to not use DoH and blocking known DoH servers is great.
What I wonder is if can then easily configure my DNS resolver (I run unbound) to itself use DoH: I don't have anything against DoH. What I have something against is not being able to blocklist based on domain names.
I don't know about GP's motivations in doing the blocking and redirections, but if they're anything like mine, Firefox is not one of them. The main issue is random "IoT" devices, think smart TVs and the like, phoning home for a fresh batch of ads and whatnot.
Neat! I set up something very similar a few years ago (just with raw dnsmasq); fun to see someone else hit upon the same solution.[0] For anyone running a similar setup: if you want to keep everything as-is, but also expose a single service to the Internet, you can use Tails ale's "Funnel" feature.[1] I use it to self-host Plausible on my home server (i.e. to allow hits to my blog to be counted by my home server, even though that server isn't "generally" available on the Internet).
[0]: https://simpsonian.ca/blog/securing-home-network-dnsmasq-tai...
[1]: https://simpsonian.ca/blog/selfhosting-plausible/
> Chromecasts ignore local DNS... grrr
Can’t you force traffic to 8.8.8.8 / 8.8.4.4 (especially port 53) to hit your PiHole instead?
Its a trick one. Traditional DNS runs over port 53/udp and fails over to 53/tcp for large queries/results. That's easy to deal with on a packet filter firewall.
Then in the name of ... something, something, security ... DNS over http(s) was invented. Now you can balkanize DNS by requiring certain SSL certificates be involved. To my knowledge this hasn't been abused large scale yet but it could.
Let's go easy on the tinfoil and simply redirect outbound traffic to 53/udp and tcp to a PiHole or other DNS server under your control.
If you insist on the tin foil, you will probably need to look into a MitM proxy such as Squid - look into "bump" and "spice".
This falls apart when you realize DoH can (and does) just go out to 443/TCP.
It looks like a web request, which was literally the point of the specification.
"DoH ensures that attackers cannot forge or alter DNS traffic. DoH uses port 443, which is the standard HTTPS traffic port, to wrap the DNS query in an HTTPS request. DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port."
Now if you get into that territory, as you have suggested with your proxy comment, now you are breaking the security model for not just DNS requests but much of the overall traffic on the network.
> Now if you get into that territory, as you have suggested with your proxy comment, now you are breaking the security model for not just DNS requests but much of the overall traffic on the network.
You may be breaking things altogether, actually, since many of the devices for which this song and dance needs to exist don't actually offer a way to alter certificates. I don't know that my smart tv actually uses DoH (it's not physically connected to the network), but I have no idea how I'd add a trusted certificate to its chain, even for other purposes.
My older Kindle Fire HD 10 flips over to DNS over HTTPS if it can't see Google on port 53.
I've tried to add a couple of rules in iptables on my Ubiquiti Dream Machine (UDM), but the out-of-box configuration on the UDM is pages and pages to iptables rules. I can modify that config via a shell interface (a shell script with four iptables command lines), but it doesn't play with the web based GUI, and I have yet to figure out how the UDM handles such traffic.
Yes, I've simply blocked all traffic for 8.8.8.8 and 8.8.4.4, via the UDM GUI, the rules are there. The Kindle still shows me ads.
It may be possible to delete the entries for Google DNS on the Kindle via adb commands during boot, but I haven't gotten that far.
Someday I will get around to setting up a homelab network enough to learn iptables etc without blacking out my home network. As any network outage bring immediate screams from the house, I have to treat the firewall configuration as critical infrastructure: brittle. Don't touch.
With the UDM you can do DNS masquarade to redirect traffic destined for 8.8.8.8:53 to your local pihole / AdGuard instance.
Hagezi and others provide reasonable DoH block lists.
I think you can just block Google's servers and it'll use the DHCP-configured DNS server.
Iptables can be used to dump any traffic destined for port 53 to a dns server of your choosing, but I don't know if something like that exists in consumer routers. (Blocking a baked in doh client is a lot more complicated...)
Yeah it would depend on your equipment - but basically if stuff pins and IP instead of doing DNS you would have to block the IP's of all the common resolvers (or at least the ones it will try)
Why not forbid going outside on port 53 and (optionally) redirect to the local DNS servers:
(nftables syntax)
ip saddr != @lan_dns ip daddr != @lan_dns udp dport 53 counter dnat ip to numgen inc mod 2 map { 0 : 192.168.1.1, 1 : 192.168.1.2 } comment "Force all DNS traffic to go through local DNS servers"
On my LAN I send all DNS traffic to pi.hole with iptables. Won’t help if they DoH tunnel it though.
of course. ads are the life blood of google.
It's the same reason why they reverted silently the options to disable referrer (the default since chrome took over is now to send full url even on xdomain, which was unthinkable during mozilla vs ie)
anything that impacts delivery of ads (dns on android/chromecast) or attribution (referrer) will be fought against by google.
I use headscale and took the high road: Tailscale IPs all the time.
Why trust the wires at all. Just run all traffic through VPN, even if it's in the same LAN.
This way, I know all traffic is encrypted. I don't have to worry about SMB or the like being plaintext.
I've run into some performance issues routing everything over a local wireguard link. I have a 10gig connection between my desktop and my NAS, though I only get ~1.1gbps over the wireguard link to the NAS. Without wireguard I can saturate the link.
I could probably tweak it, but I haven't had the bandwidth (ha) to troubleshoot it.
SMB can be encrypted aswell.
I love how wireguard has made encrypted network connections so easy, fast and extremely convenient
> allow 192.168.3.0/24;
Can't an attacker spoof an IP and do SSRF? Or is nginx too good at detecting those kinds of attacks?
I think the attacker won't be able to complete a TCP handshake if spoofing an IP, because the return packets won't be routed to the attacker.
The attacker would have to be on the local network, in which case the attacker isn't really bypassing the allow rule, because the allow rule is intended to allow anyone on the local netowkr.
[dead]