I wonder how this will affect PiHole setups in the future.

I recently installed PiHole on my home network and it's been a very eye-opening experience. The amount of requests all these smart devices and various apps put out is amazing.

I know it is very unpopular around here, and I've been raged-against on this forum, but I think having metered internet connections where we pay per GB or MB would really incentivize all smart device manufacturers and app developers to be as efficient as possible with data, and be best in the long run.

That's cute that you think smart device manufacturers will give a damn about metered connections.
 
I wonder how this will affect PiHole setups in the future.

I recently installed PiHole on my home network and it's been a very eye-opening experience. The amount of requests all these smart devices and various apps put out is amazing.

I know it is very unpopular around here, and I've been raged-against on this forum, but I think having metered internet connections where we pay per GB or MB would really incentivize all smart device manufacturers and app developers to be as efficient as possible with data, and be best in the long run.
It will render a PiHole useless. You can fight it though. Step one: you need a firewall that blocks all port 53 UDP requests to stop rogue traditional DNS servers. Create a rule that allows requests to your PiHole though. Second, you block traffic on port 853 to prevent DNS over TLS workarounds. Third, you need to block the DoH addresses in PiHole such as dns.google.com; I'm sure a blocklist exists somewhere. This will force devices on your network to resolve domains through your PiHole, but honestly it's a decent amount of work for the average person. I see the project losing some users.
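The three blocking steps above, turned into a check a network owner can run over flow logs to see which devices are already going around the Pi-hole before any firewall rule is written. This is an added example, not code from the thread or from the Pi-hole project; the log format, the 192.168.1.2 Pi-hole address, the short DoH host list and the sample flows are all constructed.

```python
"""Audit constructed flow-log lines for DNS traffic that bypasses a Pi-hole.
Added example, not from the thread: the post's three firewall steps applied as
a detection pass (plain DNS only to the Pi-hole, no tcp/853, no TLS to known
DoH hosts by SNI). Log format, addresses and hosts are constructed."""
import re
from collections import defaultdict

PIHOLE_IP = "192.168.1.2"   # assumed Pi-hole address
# dns.google.com is the endpoint the post names; the list is deliberately short
DOH_HOSTS = {"dns.google.com", "dns.google", "cloudflare-dns.com"}
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
                     r"dport=(?P<dport>\d+)(?: sni=(?P<sni>\S+))?")

def classify(flow):
    """Name the bypass a parsed flow represents, or None if it is fine."""
    if flow["src"] == PIHOLE_IP:   # the Pi-hole's own upstream lookups are expected
        return None
    port = int(flow["dport"])
    if port == 53 and flow["dst"] != PIHOLE_IP:
        return "plain DNS to a non-Pi-hole resolver"
    if port == 853:
        return "DNS over TLS"
    if port == 443 and flow["sni"] and flow["sni"].lower() in DOH_HOSTS:
        return "DNS over HTTPS to a known resolver"
    return None  # DoH to an unlisted resolver looks like any other HTTPS: a blind spot

def audit(lines):
    """Map each offending source IP to the set of bypass types seen for it."""
    findings = defaultdict(set)
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue           # skip lines in another format
        reason = classify(m.groupdict())
        if reason:
            findings[m["src"]].add(reason)
    return dict(findings)

# Constructed sample: a laptop using the Pi-hole, the Pi-hole forwarding upstream,
# a TV with a hard-coded resolver that falls back to DoT, a phone app using DoH.
SAMPLE_FLOWS = [
    "src=192.168.1.50 dst=192.168.1.2 proto=udp dport=53",
    "src=192.168.1.2 dst=203.0.113.10 proto=udp dport=53",
    "src=192.168.1.77 dst=203.0.113.10 proto=udp dport=53",
    "src=192.168.1.77 dst=203.0.113.10 proto=tcp dport=853",
    "src=192.168.1.91 dst=203.0.113.53 proto=tcp dport=443 sni=dns.google.com",
    "src=192.168.1.91 dst=203.0.113.99 proto=tcp dport=443 sni=www.example.com",
]
```

Running `audit(SAMPLE_FLOWS)` flags the TV (plain DNS and DoT) and the phone (DoH to a listed host) and leaves the laptop and the Pi-hole alone; the final comment in `classify` is the gap a later post in this thread points out, that unlisted DoH servers slip through.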
 
And I *just* started using CF's WARP+ on my phone and Mac yesterday! It's a user-space Wireguard VPN to CF's closest edge presence to you, with DNS resolved on their super-fast DNS 1.1.1.1. LOVE IT!
EDIT: WARP+ goes beyond what this article is about, btw, and is available today.
I've used it for a while too. Warp+ is worth it in my opinion if you visit a lot of foreign sites not hosted on a large CDN. Can't beat a free VPN though that's reputable.
 
I wonder how this will affect PiHole setups in the future.

I recently installed PiHole on my home network and it's been a very eye-opening experience. The amount of requests all these smart devices and various apps put out is amazing.

I know it is very unpopular around here, and I've been raged-against on this forum, but I think having metered internet connections where we pay per GB or MB would really incentivize all smart device manufacturers and app developers to be as efficient as possible with data, and be best in the long run.
Well, if I were to program a "phone home" device or app, I'd have it check if the DHCP-supplied DNS server, in this case your Pi-Hole or some filtering server of the ones that e.g. Cloudflare(!) offers ("dns for families"...) yields the "correct" response for my "phone home activities" I'm about to start. If not, I'd (O-)DoH or DoT to some server on the Internet to find out my "home" to deliver my data.

That can be countered by a few measures, but it's probably something not everyone would do. You can:

-Set up a man-in-the-middle HTTPS decrypting proxy. Advantage: you see ALL HTTPS connections in clear text (unless further end to end encrypted), and you can define rules that won't allow DoH, DoT or the like. Disadvantage: lots of work to do, AND the client needs to accept a certificate from your MITM box that allows the box to fake in turn all the HTTPS certificates in order to make your client think it communicates with a genuine server when in fact it's communicating with the MITM proxy. This is something businesses will do for DLP or compliance reasons. For home use IMHO a bad thing to do and too much effort, even though there are free solutions (e.g. Squid) available.

-Block all the known DoT/(O-)DoH servers. Probably easy to do on a Pi-Hole; if there aren't enough lists there at this time, there certainly will be in the future. Disadvantage here: not all the DoH DNS servers will be on well known block lists. That approach could be done by a few ambitious "home users", but it's not filtering all unwanted DoH traffic.

-Block devices on your router that don't "need" Internet access. I can't really see why my TV (Samsung -- LOTS OF DATA SENT HOME) would need to access the Internet. Firmware updates could be a reason, but I'm willing to unblock the TV manually before I do that; it's not happening more than once a year; normally I don't need to fix what's not broken. Disadvantage here: you can't do it to your smartphone (and the phone home apps there) but easily to the smart light bulb or the fridge or whatever other devices you may have that from your point of view don't need Internet access.

I've set up a Pi-Hole in the past and tried the MITM-proxy with Squid just out of interest. But when someone with a tablet comes around yours, having them accept your certificate is probably a bit over the top....

H.
 
Fantastic news, looking forward to seeing this being rolled out to Safari. It being on Cloudflare covers a good half of the internet.
This is not how DNS works. Cloudflare's DNS server can look up any domains for you, regardless of whether the domain uses Cloudflare's name servers or not.
 
That's cute that you think smart device manufacturers will give a damn about metered connections.

People pick dishwashers based on how many gallons of water and Wh of electricity they use per wash cycle. Dishwasher manufacturers work hard to keep these numbers as low as possible, or else lose buyers.

Of course the same thing would apply to smart TVs or whatever if suddenly the consumer had to pay for each GB downloaded.
 
Good chance it's needed for an app or website you have open. On a desktop you could use an extension like Decentraleyes to get rid of it, but it's probably required for your phone.

I don't have any apps open, I've quit them all, including Safari. I always use Private mode anyway. I've previously shut down and restarted the iPhone and the damn thing is still there.

If I "Remove All Website Data" I lose all my recently opened tabs too.

I only see it on my iPhone, never in Safari or Firefox on my MBP, unless I visit fastly.com, or fastly.net

I am not impressed.
 
I don't have any apps open, I've quit them all, including Safari. I always use Private mode anyway. I've previously shut down and restarted the iPhone and the damn thing is still there.

If I "Remove All Website Data" I lose all my recently opened tabs too.

I only see it on my iPhone, never in Safari or Firefox on my MBP, unless I visit fastly.com, or fastly.net

I am not impressed.
You could try blocking the fastly domains if your DNS provider supports it or you have a pihole and run through your normal apps and sites to see if anything breaks.
 
Am I the only one here? ODoH holding the door against bad ISP guys?
If I have the choice whether my local ISP sees my DNS queries or Google (or Cloudflare for that matter, or any DoH server or ODoH proxy (which technically should not be able to decrypt them)) sees my DNS queries, I'd prefer my local ISP any time. Your mileage may vary.

The problem here is that you just introduce one more instance you need to trust. And while I would also prefer to segregate my data traces as much as possible, the threat from my ISP is just not enough of a justification to choose yet another provider to rely on.

H.
 
But doesn’t the ISP still know what IP addresses you visit (and can just do a reverse lookup to know the name of the website)?
 
A privacy Apple twofer in the news today. Great stuff! I’ve liked 1.1.1.1 and would use it exclusively if I didn’t also have a VPN subscription.

I think having metered internet connections where we pay per GB or MB would really incentivize all smart device manufacturers and app developers to be as efficient as possible with data, and be best in the long run.
I strongly disagree, but I’m certainly not angry about it.
 
No, you will need the 1.1.1.1 app, but I recommend checking out nextdns.io as well; it's way more robust. Any DoH provider is a massive upgrade over traditional UDP DNS.
What does the app do that just changing your device or router DNS to 1.1.1.1 doesn't do?

Is the app just if you want to pay for their Warp+ service?
 
You could try blocking the fastly domains if your DNS provider supports it or you have a pihole and run through your normal apps and sites to see if anything breaks.

Why am I not surprised to learn this:


"Fastly was founded in 2011. In September 2015, Google partnered with Fastly and other content delivery network providers to offer services to its users."

Google! 🤬
 
But doesn’t the ISP still know what IP addresses you visit (and can just do a reverse lookup to know the name of the website)?
If you use your provider assigned DNS server, they can have a look at its log to see what you wanted to have resolved. That's the easiest setup for them. They know you wanted "www.helmlein.example" and the IP address the query came from, they match it with their subscriber IP table and then they've got your name.

If you use your own DNS server (like PiHole or Unbound or whatever you may have set up), OR if you use one of the publicly available DNS services, your ISP needs to sniff the outgoing DNS queries, and while that's entirely possible (just catch everything with destination port 53), it's much harder for them. Also, the forwarded queries from a resolver DNS server don't look the same as the original ones from clients, but it's a problem that can be solved.

If you use any of the DoT/DoH alternatives, your ISP sees an encrypted session to a known DoT/DoH server (possible on various ports). In turn, the DoH or DoT server needs to be trusted (e.g. Cloudflare says they keep no log at all).

If you use this new ODoH, many different users send their queries to an ODoH proxy which can't decrypt the queries but puts in its own IP, so not even Cloudflare ever sees the true IP the query came from. I have not yet read the respective papers, but the encryption is interesting in this one as the client needs to encrypt with something the target-server can decrypt, so will read up on that later. So in theory, you don't even need to trust either Cloudflare or the proxy.

H.
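The query path described in this post, as an added example (not Cloudflare's code and not the ODoH specification's) that records what the proxy and the target each get to see. Real ODoH encrypts the query to the target's public key with HPKE and carries a client-chosen key for the response; this stand-in uses one pre-shared key with an HMAC-SHA256 keystream and tag so it runs on the standard library alone. All addresses, the key and the `www.helmlein.example` zone entry are constructed.

```python
"""Model of the ODoH trust split described in the post: the proxy sees who asked
but not what, the target sees what was asked but not who. Added example, not
Cloudflare's code. Real ODoH encrypts to the target's public key with HPKE and
sends a client-chosen response key inside the query; this stdlib-only stand-in
uses a pre-shared key with an HMAC-SHA256 keystream and tag in both directions,
which is enough to show what each party can observe."""
import hashlib, hmac, os

def _sub(key, label):
    """Derive a separate encryption or MAC subkey from the shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(ek, nonce, n):
    """n bytes of HMAC-SHA256 counter-mode keystream under (ek, nonce)."""
    blocks = (hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC with a fresh nonce; returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_sub(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag in constant time, then decrypt; raises on any tampering."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tampered ODoH message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_sub(key, b"enc"), nonce, len(ct))))

def odoh_exchange(client_ip, name, zone, target_key, proxy_ip="198.51.100.7"):
    """Run client -> proxy -> target -> proxy -> client and return the answer plus
    the view each intermediary could log. Addresses are constructed."""
    # Client: encrypt the question so only the target can read it, send it to the proxy.
    to_proxy = {"src": client_ip, "target": "odoh.target.example", "body": seal(target_key, name.encode())}
    # Proxy: learns the client IP and which target, forwards the opaque body under its own IP.
    proxy_log = {"client_ip": to_proxy["src"], "target": to_proxy["target"], "query": None}
    to_target = {"src": proxy_ip, "body": to_proxy["body"]}
    # Target: decrypts and resolves, but the only address it ever sees is the proxy's.
    question = unseal(target_key, to_target["body"]).decode()
    target_log = {"client_ip": to_target["src"], "query": question}
    encrypted_answer = seal(target_key, zone.get(question, "NXDOMAIN").encode())
    # The answer travels back through the proxy, still opaque to it, and the client decrypts.
    return unseal(target_key, encrypted_answer).decode(), proxy_log, target_log

ZONE = {"www.helmlein.example": "203.0.113.42"}            # constructed; name from the post
TARGET_KEY = hashlib.sha256(b"constructed demo key").digest()  # stand-in for the target's HPKE key
```

Only a party holding both logs (or running both the proxy and the target) can join the client IP to the query name, which is the "dual trust authority" point made later in the thread.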
 
I know it is very unpopular around here, and I've been raged-against on this forum, but I think having metered internet connections where we pay per GB or MB would really incentivize all smart device manufacturers and app developers to be as efficient as possible with data, and be best in the long run.

I agree with your end goal but the problem is, it won't be achieved by metered internet. The real incentive is when technology surpasses bandwidth therefore pushing more innovation into heavy compression to be able to deliver. 4K is picking up popularity especially with theaters being shut down, we need better compression to deliver it faster and more efficiently to customers rather than charging them more. The show Silicon Valley talked a lot about this, highly recommend watching it along with the added comedy.
 
If you use your provider assigned DNS server, they can have a look at its log to see what you wanted to have resolved. That's the easiest setup for them. They know you wanted "www.helmlein.example" and the IP address the query came from, they match it with their subscriber IP table and then they've got your name.

If you use your own DNS server (like PiHole or Unbound or whatever you may have set up), OR if you use one of the publicly available DNS services, your ISP needs to sniff the outgoing DNS queries, and while that's entirely possible (just catch everything with destination port 53), it's much harder for them. Also, the forwarded queries from a resolver DNS server don't look the same as the original ones from clients, but it's a problem that can be solved.

If you use any of the DoT/DoH alternatives, your ISP sees an encrypted session to a known DoT/DoH server (possible on various ports). In turn, the DoH or DoT server needs to be trusted (e.g. Cloudflare says they keep no log at all).

If you use this new ODoH, many different users send their queries to an ODoH proxy which can't decrypt the queries but puts in its own IP, so not even Cloudflare ever sees the true IP the query came from. I have not yet read the respective papers, but the encryption is interesting in this one as the client needs to encrypt with something the target-server can decrypt, so will read up on that later. So in theory, you don't even need to trust either Cloudflare or the proxy.

H.
Good write up. 👍 Thanks.

In continuation to your post...

Essentially, ODoH is like a dual trust authority. Both need to be compromised at the same time to get access to user data (although not impossible; it is just harder and more difficult).

There is no perfect security; it is all a matter of how much effort any rogue party is willing to put in to grab our data. The principle of diminishing returns...

This is similar to someone stealing a car or robbing a house.
If someone is determined (or paid specifically to) steal your 'particular' car, then nothing really is going to stop them. But an average car thief is going to try and go after the easiest car to steal, and the more protection/security one can put in, the harder it becomes.

Great news though... every bit towards a more secure, user-privacy focussed step is always welcome.
 
When I read ODoH....all I can picture is
Odo.jpg

Which I guess is good since he was the head of security
 
I agree with your end goal but the problem is, it won't be achieved by metered internet. The real incentive is when technology surpasses bandwidth therefore pushing more innovation into heavy compression to be able to deliver. 4K is picking up popularity especially with theaters being shut down, we need better compression to deliver it faster and more efficiently to customers rather than charging them more. The show Silicon Valley talked a lot about this, highly recommend watching it along with the added comedy.

Yea, I've watched through Silicon Valley. Agreed it's a great show.

These types of problems always have two major pillars. First pillar is technology. Second pillar is economics. You need both in order for a solution to arise.

My comment is more about the economics. If you give people unlimited or nearly unlimited data, they will not be incentivized to be efficient. On most ISPs right now, data is limited by speed. Setting aside the Xfinity data caps, the limiting factor is speed of data but not the amount of data. As you said, with 4k the issue is "delivering it faster." It's all about speed.

But I think speed is the wrong thing to prioritize from an economics standpoint. It drives the wrong incentives. Imagine a hypothetical country where the ISPs gave everyone maximum reasonably possible speed, but charged by the GB. The incentives are all different. Now instead of speed, you start to care about being efficient with data. Maybe a customer might choose to watch the 1080p version instead of the 4k version to save some money. Customers might start really caring about caching movies or tv shows for offline viewing by multiple family members. Maybe like electric companies, ISPs might introduce lower rates during off-peak hours so that Netflix will be incentivized to program their app to download and cache content onto your device at night when the rates are lower. If a consumer discovers their smart tv downloaded a GB of ads and other useless stuff last month, they'd throw that TV out and replace it with a more data-efficient TV. If a consumer sees that a freemium app on their phone downloaded many GB of ads, they would delete the game and maybe be incentivized to pay for an ad-free game in the future. Indeed, the entire ad industry would be turned on its head as social media companies are forced to get as efficient as possible with their ads.

The technology pillar is equally important. Compression and technical efficiency. But without the economic pillar also supporting the same goals, it doesn't matter.
 
How does using a VPN fit into this? My understanding is that by using a VPN, whilst you are preventing your ISP from seeing which websites you visit, you are entrusting that information to your VPN provider. Does this announcement have a bearing on using a VPN? TIA
 