
I'd prefer a solution that does not just work for a specific browser, but instead blocks all traffic regardless of browser, application, virtual machine, ...

That's just putting rules into /etc/hosts ?

edit - answered my own question :) Yes it will.



Consider something like Pi Hole (https://pi-hole.net/) as the DNS on your network, where it will affect all devices on the network.


My problem with Pi Hole is that I'd rather have it return NXDOMAIN, instead of redirecting to some other IP.


If you want NXDOMAIN on Pi-Hole, upvote this feature request: https://discourse.pi-hole.net/t/implement-response-zone-poli...


This will only protect you while you're on your own network. A lot of the juiciest data is about your public location; for that you need something device/browser specific.


There's nothing (except possibly your ISP) stopping you from opening your firewall and using it remotely. I personally run dnsmasq (manually configured, but otherwise similar to pihole) on a VPS.


> There's nothing (except possibly your ISP) stopping you from opening your firewall and using it remotely.

My ISP won't but there are ways around that. The biggest problem I've faced is on the modem side of things, finding something I'd trust to be open to the internet, ideally something I can install openWRT or similar on and something I know will work in my market. It's an options minefield.


Just run a local caching resolver, on Linux that is super easy and uses little resources.


I've got a RaspberryPi Zero (WiFi via USB..ugh). Would that be too slow for DNS, or would having my DNS server be local vs remote negate that slow interface?


It's running fine for me on a Pi Zero W. There's honestly like no slowdown at all


I don't have a Pi0, but I've had no problems running it on a single-core CHIP.


Doesn't support OS X though.


How wouldn't it support OSX? You just set it up as the device that provides a Mac with its network. It doesn't have anything to do with OSes.


Wait, do you mean you want to run it on OSX, or that the DNS in OSX is somehow different and won't work with pihole as its server?


The idea is you use some inexpensive hardware (like a Raspberry Pi) and simply set all your devices to use it as a DNS server.


I use Little Snitch[1] (and its sibling Micro Snitch[2]) for filtering connections at the system level. I don't interact with it too often though, because I rarely install new apps.

Not to say /etc/hosts doesn't work, these days I just find I prefer things with better UX.

---

[1] https://www.obdev.at/products/littlesnitch/index.html

[2] https://www.obdev.at/products/microsnitch/index.html


Using Little Snitch to block all Facebook connections is like using a goat to land on the moon...


That made me laugh out a boogie.


To clarify, I whitelist my browser entirely in Little Snitch and delegate to uMatrix and other extensions.

I also don't pre-emptively load rules into Little Snitch - I have it running in active/interrupt mode, so it prompts me whenever an app tries to make a new connection I haven't signed off on before. Unsurprisingly, not very many apps try to connect to Facebook.


What a funny example, why is that?


Because it is completely impractical. I used LS, but it's a waste of time to check and block ad servers or malicious domains, which is why most garbage should be blocked from hosts or dnsmasq.


The maintenance aspect of LS is definitely on the high side and only really dedicated folks will stick to it; if it were to come with auto-updated maintained lists it would most likely be used more.


Little Snitch is for MacOS. As a Linux user I desperately looked for an equivalent and found none. Douane was suggested. It's no good. What a sorry state of affairs. We need a simple app-level filtering solution.


There's OpenSnitch[1], though it hasn't been touched in a while. Someone needs to step up and maintain it (maybe I should do that...).

[1]: https://github.com/evilsocket/opensnitch


Same story. I have always been dreaming of a Linux equivalent for LittleSnitch. More than a decade has passed since I switched to Linux, still nothing...


Even better would be doing it on a device. It's a reason to have an intelligent router on your network where you run a custom dnsmasq or whatever, then you cover your phones and all the hootenanny that comes with a digital life. Like your fridge.


Does /etc/hosts support wildcarding subdomains?


No. It supports no wildcards at all.
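An added example (not from any commenter in this thread) that makes the difference concrete: /etc/hosts matches exact hostnames only, whereas a dnsmasq-style domain rule covers the domain and every subdomain and can answer NXDOMAIN instead of redirecting to an address. The hosts-file content and the domain names below are constructed, and the resolver logic is a simplified simulation, not dnsmasq's own code.

```python
from typing import Optional

# Constructed sample /etc/hosts content (not taken from any real system).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# "block" a tracker by pointing it at an unroutable address
0.0.0.0     tracker.example.com www.tracker.example.com
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Map every hostname in hosts-file text to its address.

    Follows the file format: an address, then one or more names;
    anything after '#' is a comment. First entry for a name wins.
    """
    table: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def hosts_lookup(table: dict[str, str], name: str) -> Optional[str]:
    """/etc/hosts semantics: exact hostname match only, no wildcards."""
    return table.get(name.lower().rstrip("."))


def domain_blocked(blocked_domains: set[str], name: str) -> bool:
    """dnsmasq-style rule: the listed domain and all of its subdomains match."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked_domains for i in range(len(labels)))


def resolve(table: dict[str, str], blocked: set[str], name: str) -> tuple[str, Optional[str]]:
    """Return ('answer', ip) for a hosts hit, ('NXDOMAIN', None) for a blocked
    domain, or ('forward', name) when the query would go to an upstream resolver."""
    addr = hosts_lookup(table, name)
    if addr is not None:
        return "answer", addr          # redirect-style block (what /etc/hosts gives you)
    if domain_blocked(blocked, name):
        return "NXDOMAIN", None        # NXDOMAIN-style block, covers subdomains too
    return "forward", name
```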


Is there a way to export the list for a /etc/hosts.allow?


/etc/hosts won't work for your VM, probably


It will work if you set the /etc/hosts inside the VM.


Aye, that it will


I see no reason why not actually.


Your VM uses its own network stack and handles its own DNS resolution. /etc/hosts isn't a firewall, it's a zone file.



