I have been running pihole for quite some time (coupled with wireguard, that's a great way to stay ad-free on the go as well), but a question is nagging at my brain the whole time: What's stopping the bad guys from circumventing DNS entirely by calling their ad/data collection/malware C&C by IP rather than FQDN? Provided it's a public IP, that should slip through all the DNS based filtering, wouldn't it?
The bigger concern for PiHole circumvention is DNS-over-HTTPS or apps that ignore your device's DNS settings and use their own stack. In those cases, the DNS traffic isn't even going to hit your PiHole.
I happen to run a public DoH/DoT content-blocking resolver, and we do see some apps / services bypassing user-set /network-set DNS with regularity these days. But that's not even the bigger problem for DNS-based content blockers. These trackers can and do run under first-party domains these days:
Sure, and you can do BYOIP with cloud providers or CDNs. But then those IPs are trivial to block, and although I've never tried it, I suspect AWS GA isn't set up to constantly rotate IP addresses.
I’ve wondered about the fourth thing. I imagine it is the marketing/sales/business people who love ads, while the techies don’t particularly like ads, so the techies, who probably are aware of ad blockers and pi hole and the such, avoid telling their business overlords about them.
We certainly wouldn't want them to know that if they just replace their main app web server ("www" for example) with a reverse proxy such that some paths ("/ads/" for example) are proxied to the ad server while all other paths are proxied to the app server, ads would make it through to users with no way to use DNS nor IP filtering, leaving only browser extensions! Oops, did I spill the beans?
It would let advertisements reach the segment of pihole users who (don't MITM and (use a browser that doesn't offer extensions such as many default mobile browsers, or use native apps more than web browsers)). I guess that's not huge.
You would need to hardcode the IP address everywhere it's needed and you would need to release an update every time you want to make changes to it, right? That doesn't sound like a thing anybody would do. Also, people using DNS level ad-blocking are rare and losing that kind of flexibility just to make life harder for such a small amount of people doesn't really make sense.
Would a viable solution to this be to block all requests to IPs that have not been resolved via DNS?
E.g. I set up my router as a linux box that has Adblock DNS software package. Extend said package to write all resolved IPs such that its firewall checks the list before allowing traffic?
How else are people solving these rogue systems that ignore the network settings?
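The "only allow IPs the resolver actually handed out" idea from the post above, as an added example (not code from this thread or from Pi-hole): it ingests resolver reply lines in a dnsmasq-style `reply <name> is <answer>` format (sample lines constructed here), keeps each answered IP for a TTL window, drops blocklist answers (`0.0.0.0`) and non-address answers, and then reports which outbound destinations were never learned through DNS. `ResolvedAllowlist`, `LAN_NETS` and the log format are assumptions for the demo.

```python
import ipaddress
import re

# Constructed sample lines in the dnsmasq/Pi-hole "reply <name> is <answer>" style (assumed format).
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[512]: reply example.com is 93.184.216.34
Jan 10 12:00:02 dnsmasq[512]: reply cdn.example.net is 203.0.113.7
Jan 10 12:00:02 dnsmasq[512]: reply www.example.net is <CNAME>
Jan 10 12:00:03 dnsmasq[512]: reply ads.example.org is 0.0.0.0
"""
REPLY_RE = re.compile(r"reply (\S+) is (\S+)$")
# Hypothetical LAN prefixes exempt from the rule (local traffic is never DNS-resolved).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class ResolvedAllowlist:
    """Maps IPs handed out by the resolver to the name and the expiry of that answer."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.entries = {}  # ip string -> (fqdn, expiry timestamp)

    def ingest(self, line, now):
        """Record the answer in one log line; return the IP admitted, or None."""
        m = REPLY_RE.search(line)
        if not m:
            return None
        fqdn, answer = m.groups()
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:  # CNAME / NXDOMAIN style answers carry no address
            return None
        if ip.is_unspecified:  # 0.0.0.0 / :: is what a blocklist hit returns; never admit it
            return None
        self.entries[str(ip)] = (fqdn, now + self.ttl)
        return str(ip)

    def allowed(self, dst, now):
        """True if dst is LAN/loopback, or was resolved via DNS and the answer has not expired."""
        ip = ipaddress.ip_address(dst)
        if ip.is_loopback or any(ip in net for net in LAN_NETS):
            return True
        entry = self.entries.get(str(ip))
        return entry is not None and entry[1] > now


def unresolved_destinations(log_text, connections, now, ttl_seconds=300):
    """Return the destinations in `connections` that no resolver answer explains."""
    al = ResolvedAllowlist(ttl_seconds)
    for line in log_text.splitlines():
        al.ingest(line, now)
    return [dst for dst in connections if not al.allowed(dst, now)]
```

A real deployment would feed the admitted IPs into a firewall set with the same TTL rather than checking in Python, and apps that use their own DoH stack would still show up here as unresolved destinations, which is exactly the signal the post is after.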
Bothered me as well, so I installed Little Snitch and subscribed to a well maintained list of rules. I’m sure there are some edge cases I’m missing, but now I’m positive Adobe isn’t phoning home.
True, but that's a pain to manage since it is fairly rigid. Even bad actors prefer flexibility in hosting that DNS provides. It's easier to burn a domain name than an IP address.