In aus.legal keithr0 <us...@account.invalid> wrote:
> On 3/28/2019 8:14 AM, Computer Nerd Kev wrote:
>> In aus.computers keithr0 <us...@account.invalid> wrote:
>>> If they're blocking the DNS request, simply use another DNS server.
>>
>> Yes I know, but in my case that requires a bit of documentation
>> reading, configuration file editing, and rebooting. Anyway, I had
>> time for that this morning so I tried with another DNS server and
>> I can access the sites. So Telstra aren't blocking the IP addresses,
>> just not resolving the DNS queries for blocked domains.
>>
>> This might be enough for me to switch to an alternative DNS server
>> permanently. In the past blocks haven't affected any sites that I
>> actually use, but I have used archive.is before (although I usually
>> find what I need with web.archive.org) and it could have been a real
>> inconvenience. I'll have to look into the DNS services better and
>> compare performance first though. What's the bet that after all that
>> Telstra wake up and start blocking the IP addresses too?
>>
> I use a Raspberry Pi running PiHole as a DNS forwarder, it has a
> blacklist that filters adverts and trackers. It's the most effective way
> of doing it as it works across all the machines in the house, and all
> browsers.

I don't really see the need for that with my own use. Easier to have
NoScript installed on each browser and blocking everything except
what is explicitly allowed. A "block all except:" approach is safer
than "block these:", and is more easily tailored to minimise the
scripts running on a specific website to only the ones required for
it to do what you want, thereby improving performance as well as
security.

I only regularly use Dillo (can't run scripts in the first place) and
Firefox on my home PCs/Laptop, and don't use any "smart" gizmos, so
I'm assuming that there's some case for a PiHole once they're brought
into the mix (probably all the "apps" that call to things you don't
ask them to, but I'm blissfully ignorant about all that - except
Firefox does a bit of it, which I've tried to reduce by editing
about:config).

I connect to the internet via a router running OpenWRT with a 3G
mobile broadband modem plugged in. Now that I've found the right
commands to put in /etc/config/network, changing the DNS server
should be quicker next time (and I probably didn't need to reboot,
but I couldn't remember which process to restart (and the modem
takes about as long to reboot as the router anyway)).

One thing I am considering is using a Raspberry Pi as a proxy to
forward HTTPS connections to my local network via HTTP. This is
because an ever increasing amount of software (including some that
still receives security updates) seems to be having problems with
specific sites using specific encryption options. 90% are sites that
I don't need to use HTTPS with in the first place because I don't
want to submit any information to them besides the URL, but the
stupid webmasters force it upon their users. The router didn't prove
powerful enough to run the software required to do this, so a Pi is
a backup option - though I hate adding another computer to the mix.

> It is set up to use Cloudflare, I used to use IBM but
> Cloudflare support DNS requests over TLS which is my next step, it means
> that my ISP cannot even see what DNS requests that I am making.

But they can see the IP address, which in many/most cases will tell
them exactly what site you're viewing just as the DNS request would
have. Bringing Cloudflare into the mix just exposes you to the US
government's policies as well as the Aus gov's. Plus you can't trust
them as a company any more than your ISP anyway.

If I switch DNS server it would preferably be to one run by an
Australian company (which will probably rule it out as an option,
but I haven't looked yet (think I did once before though, and I
clearly didn't change)).

> If they
> want to block anything, they'll have to do deep packet inspection, and I
> can't see them putting that level of effort in.

No, they'll do what Optus already did and block the IP address.

> A crude check (using ping) shows Cloudflare the quickest by a fair
> margin, Google and IBM fairly similar.

That's cruder than I'd like, I'll have to find a tool that shows the
actual DNS resolution times.

> Bypassing your ISP should improve performance as it cuts out the
> middleman.

I don't see why that would be.
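
The thread contrasts ping times with actual DNS resolution times; the following is an added example, not part of the original post, that times real A-record queries over UDP and reports each resolver's response code. The resolver addresses and the test domain are assumptions chosen for illustration.

```python
import socket, struct, statistics, time

# Assumed resolver addresses (not from the post): Cloudflare, Google, Quad9.
RESOLVERS = {"Cloudflare": "1.1.1.1", "Google": "8.8.8.8", "Quad9": "9.9.9.9"}
TXID = 0x1234

def build_query(name, txid=TXID):
    """Encode a minimal DNS query for one A record, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(data):
    """Return (txid, rcode, answer_count) from a DNS response header."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, flags & 0x000F, ancount

def time_query(server, name, port=53, timeout=2.0):
    """Return (milliseconds, rcode, answer_count), or None if no valid reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        try:
            s.sendto(build_query(name), (server, port))
            data, _ = s.recvfrom(4096)
        except OSError:  # timeout, unreachable network, refused port
            return None
        elapsed = (time.perf_counter() - start) * 1000
    try:
        txid, rcode, ancount = parse_header(data)
    except ValueError:
        return None
    return (elapsed, rcode, ancount) if txid == TXID else None

if __name__ == "__main__":
    name = "example.com"  # placeholder test domain
    for label, ip in RESOLVERS.items():
        # Repeats after the first are usually served from the resolver's cache.
        runs = [r for r in (time_query(ip, name) for _ in range(5)) if r]
        if not runs:
            print(f"{label:10} {ip:8} no reply")
            continue
        median = statistics.median(r[0] for r in runs)
        print(f"{label:10} {ip:8} median {median:6.1f} ms  rcode={runs[-1][1]} answers={runs[-1][2]}")
```

A resolver that returns rcode 3 (NXDOMAIN) or zero answers for a name the others resolve is consistent with filtering at the DNS level rather than at the IP level.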