Pi(e) Holing Facebook

It all started with a click. While reading the newspaper I clicked on a link to Facebook and was shocked when it opened.

The reason for my surprise was that my /etc/hosts contained the following entries:

# Block Facebook
127.0.0.1   www.facebook.com
127.0.0.1   facebook.com

a rather blunt instrument, but one that until now had been effective at shitcanning any such links. So why had it stopped working? After some confused poking around it became obvious that my new ISP provided far more IPv6 routing than the old one, and macOS was now favouring IPv6: the hosts file overrode the A record but not the AAAA record, so the IPv6 lookup went upstream anyway. As a consequence the hack in my /etc/hosts grew to include entries for IPv6:

fe80::1%lo0 www.facebook.com
fe80::1%lo0 facebook.com

And once more Facebook was back in the shitcan.

Note: adding hosts to /etc/hosts is obviously tedious – you can’t wildcard, and blocking the root domain doesn’t block sub-domains. Getting rid of all Facebook servers (just the obvious ones) takes over ten entries, all of which now need to be repeated for IPv6.

At this point any rational person would conclude that this is not a sane thing to be doing. Obviously it’s time to run my own DNS server and sinkhole, and shitcan domains with wildcards!

Fortunately there are still plenty of people on the internet who haven’t given up, for example Pi-hole. By installing Pi-hole on a Raspberry Pi hanging off the back of my router, and pointing clients at it as their DNS server, I have a place where it is possible to wildcard-block entire domains.
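The two failure modes described above (an IPv4-only hosts entry that lets AAAA lookups through, and an exact-match hosts file that never catches sub-domains) can be checked rather than discovered by clicking. This is an added example, not code from the original post or from Pi-hole: it parses hosts-file text, reports per name which address families are sinkholed, and contrasts that with a Pi-hole-style wildcard match. The hosts contents below are constructed from the entries in the post; `fe80::1%lo0` is kept as the post has it, with the `%lo0` scope id stripped before parsing.

```python
import ipaddress

# Constructed sample: the IPv4-only entries from the post, before the IPv6 fix.
HOSTS_V4_ONLY = """
# Block Facebook
127.0.0.1   www.facebook.com
127.0.0.1   facebook.com
"""

# Constructed sample: the same file after the IPv6 entries were added.
HOSTS_WITH_V6 = HOSTS_V4_ONLY + """
fe80::1%lo0 www.facebook.com
fe80::1%lo0 facebook.com
"""

def parse_hosts(text):
    """Map each hostname to the set of address families ('v4'/'v6') it overrides."""
    overrides = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        addr = addr.split("%", 1)[0]                # strip a scope id such as %lo0
        family = "v6" if ipaddress.ip_address(addr).version == 6 else "v4"
        for name in names:
            overrides.setdefault(name.lower(), set()).add(family)
    return overrides

def audit_hosts(text, targets):
    """Report, per target name, whether the hosts file sinkholes A, AAAA, both or neither.
    /etc/hosts matches exact names only, so an unlisted sub-domain comes back 'unblocked'."""
    overrides = parse_hosts(text)
    labels = {frozenset(): "unblocked", frozenset({"v4"}): "ipv4-only",
              frozenset({"v6"}): "ipv6-only", frozenset({"v4", "v6"}): "blocked"}
    return {t: labels[frozenset(overrides.get(t.lower(), ()))] for t in targets}

def wildcard_blocked(name, blocked_domains):
    """Pi-hole style wildcard match: a listed domain and every sub-domain of it are blocked."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocked_domains)

if __name__ == "__main__":
    targets = ["www.facebook.com", "facebook.com", "m.facebook.com"]
    print(audit_hosts(HOSTS_V4_ONLY, targets))    # www/facebook.com ipv4-only, m. unblocked
    print(audit_hosts(HOSTS_WITH_V6, targets))    # www/facebook.com blocked, m. still unblocked
    print({t: wildcard_blocked(t, ["facebook.com"]) for t in targets})  # all True
```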

As well as providing DNS, Pi-hole also maintains a (partial) list of domains that serve ads. This means that devices on your home network that aren’t running ad blocking now have a good chance of not being served ads. This was already a partially solved problem, as the Raspberry Pi also runs Privoxy, which blocks a good percentage of ads.

As an aside, the war between ad blockers and ad pushers has been quietly escalating, and I’ve started to notice a few news sites managing to execute JavaScript that blocks uBlock Origin. Sites that employ such measures are still prevented from displaying ads by Pi-hole and / or Privoxy.

While installing Pi-hole it was necessary to decide what to use as the upstream DNS resolver. There are some obvious answers like 8.8.8.8 (Google), 9.9.9.9 (IBM and some shady law enforcement types), OpenDNS, OpenNIC, etc., none of which seem ideal.

You probably won’t be surprised to hear that all your DNS queries are sent, unencrypted, over port 53, which initially sounds like a really bad thing: it would give your ISP an easy way to know every site that you look up. However, in all likelihood they aren’t doing that… mostly because they have stronger, government-mandated requirements to meet, such as tracking every site that you actually visit and when you visited it, not just the ones that you happen to look up and then subsequently visit via a cached lookup. If all you had to do to avoid tracking was run your own DNS… yeah, not going to happen.

Despite the above rationale, there exists a parallel DNS infrastructure called DNSCrypt, mostly volunteer-run, that proxies encrypted access to DNS. Assuming you can trust that they aren’t logging (something you’re already doing with the DNS providers listed above…) then you can effectively block any visibility of your DNS activity to your ISP… not that they’ll care. If your traffic isn’t leaving your machine via an encrypted tunnel (think VPN, Tor, etc.) then you can assume that it is being inspected and logged at the packet level.

In terms of increasing privacy DNSCrypt doesn’t seem to offer very much. It does offer some other protections against DNS spoofing attacks, but I’m not sure how widespread those are in the wild. I’d also guess that the other major DNS providers are taking countermeasures as they are needed… and are maybe more effective than the volunteer force behind DNSCrypt.

I’ll probably end up installing dnscrypt-proxy on the Raspberry Pi and using it as the upstream resolver for Pi-hole. In the end it’s just going to be an encrypted proxy for OpenNIC, which, given the choice, is where I’d want my DNS resolved.

I’d recommend looking into Pi-hole; it’s a really nice set of tools for getting a better understanding of, and control over, what devices on your network are actually doing. Oh, and keep in mind that IPv6 is now a thing, running in parallel to the IPv4 internet for which you probably had some reasonable mental model… learning about RA, SLAAC (and its Privacy Extensions), DAD, etc. was an eye opener for me!


8 thoughts on “Pi(e) Holing Facebook”

  1. You should try uMatrix and be shocked how every web page stops working if you forbid loading stuff outside the primary domain. Even facebook can’t open unless you allow gazillions of facebook.net and other domains.

    So blocking just *.facebook.com is pretty much useless. You would actually have to do a whitelist DNS setting where you only allow DNS lookups to domains you want to.

    Anyway, uMatrix is something to look at, can be a pain to get some pages working (which of the gazillion sub pages do I need to allow to actually SEE content), but it was eye opening and so I continue to use it (private)

  2. Yep, I’ve looked at uMatrix and just don’t have time for that level of fuckery.

    Facebook not loading is a benefit to me. Have no intention of ever logging in there, using any of their services, loading anything from their domains. Consequently there are quite a few wildcard blocks for their various domains 🙂

    The nice thing about uMatrix is that it makes it obvious how deeply fucked up the ad driven web has become. Toxic doesn’t even begin to cover it. It’s genuinely creepy out there. It has got to the point where I’d consider a parallel system that mandates a code of ethical operation.

    As usual the libertarian dreamers have built another Sierra Leone.

  3. I use uMatrix private, but there are moments where I just got “oh, fuckit, I just want to watch that video embedded into this page and don’t have time to reload three times so all scripts load everything so I can unblock it”

    Or when a page throws a hard error because it can’t load some JS from some third party server (some CC billing login in Japan).

    It is just a true eye opener how truly screwed the whole internet is.

    We are fucked.

  4. Excellent weblog right here! Also your site rather a lot up fast! What host are you using? Can I am getting your associate hyperlink for your host? I want my site loaded up as fast as yours lol

  5. You actually make it seem so easy along with your presentation however I to find this topic to be actually one thing which I think I might never understand. It kind of feels too complex and very wide for me. I’m having a look ahead in your next publish, I will try to get the hold of it!

  6. whoah this blog is fantastic i really like reading your posts. Stay up the good work! You understand, a lot of persons are hunting round for this information, you can aid them greatly.

  7. hi!,I love your writing so so much! percentage we be in contact more about your post on AOL? I need a specialist in this space to unravel my problem. May be that is you! Having a look ahead to look you.

  8. hi!,I love your writing so much! proportion we communicate extra approximately your post on AOL? I require a specialist on this space to resolve my problem. May be that’s you! Having a look ahead to look you.
