On 4/25/19, David Wright <deb...@lionunicorn.co.uk> wrote:
> On Wed 24 Apr 2019 at 14:29:00 (-0400), Lee wrote:
>> On 4/24/19, David Wright <deb...@lionunicorn.co.uk> wrote:
>> > On Tue 23 Apr 2019 at 10:38:41 (-0400), Lee wrote:
>> >> On 4/22/19, David Wright <deb...@lionunicorn.co.uk> wrote:
>> >> > On Sun 21 Apr 2019 at 20:30:53 (-0700), pe...@easthope.ca wrote:
>> >> >> From: David Wright <deb...@lionunicorn.co.uk>
>> >> >> Date: Sun, 21 Apr 2019 16:13:11 -0500
>> >> >> > Does the behaviour reported in your OP cause you *great* concern?
>> >> >>
>> >> >> No. Just wastes time. Opening a simple local HTML home page
>> >> >> requires roughly a minute rather than roughly a second.
>> >> >
>> >> > I tend to forget that, because my /etc/hosts file has ~14000 lines,
>> >> > pages appear a lot faster here.
>> >>
>> >> Have you looked at bind's dns rpz?
>> >
>> > Just now.
>> >
>> >> http://zytrax.com/books/dns/ch7/rpz.html
>> >> It lets you do things like
>> >>   *.2o7.net CNAME .
>> >>   *.doubleclick.net CNAME .
>> >>
>> >> to block entire domains instead of having to list each and every
>> >> hostname in the domain.
>> >>
>> >> And you can log what is blocked/allowed to make troubleshooting easier
>> >
>> > It might be a good *mechanism* for the diversion itself, but AFAICT
>> > it's aimed at the *policy* implementers rather than the end-user.
>>
>> Just out of curiosity - do you think pi-hole is aimed at policy
>> implementers or end users?
>
> I don't know about their policies, or whether they have any. I've not
> found any description of how you would configure it, only how you
> install it. Do they provide blacklists?

It looks like they give you a default list of lists that you can modify:
https://github.com/pi-hole/pi-hole/blob/master/automated%20install/basic-install.sh#L1181

> It's also not clear to me where I should install it to. My router
> uses the Google nameservers, and all my machines have the router
> as their nameserver. The router is the only part of the network
> that's always up and running.

I have a server that I leave running all the time; reconfigure your
router to use your dns server instead of google, add a firewall rule to
block all outgoing tcp/udp traffic to port 53 except from the server &
you're done.

> But let me explain what I mean by those terms I used earlier:
>
> Mechanism: Any method of modifying the result of trying to resolve
> foo.bar to an IP address, irrespective of the specific domainnames
> which somebody has to give to it. My mechanism is resolving to
> localhost.
>
> Policy implementers: The people who make the decisions about which
> domainnames should have their resolution modified. If you look
> through the reference I gave for the source of my /etc/hosts, you
> can see their policies listed as comments bracketing the sections,
> and they are:
>
> #<shock-sites>
> #<shortcut-examples>
> #<hijack-sites>
> #<spyware-sites>
> #<maybe-spy>
> #<malware-sites>
> #<doubleclick-sites>
> #<intellitxt-sites>
> #<red-sheriff-sites>
> #<cydoor-sites>
> #<2o7-sites>
> #<oewabox-sites>
> #<ad-sites>
> #<maybe-ads>
> #<canvass-fingerprinting-sites>
> #<evercookies-sites>
> #<yahoo-ad-sites>
> #<hitbox-sites>
> #<extreme-dm-sites>
> #<realmedia-sites>
> #<fastclick-sites>
> #<belo-interactive-sites>
> #<popup-traps>
> #<ecard-scam-sites>
> #<IVW-sites>
> #<wiki-spam-sites>
> #<Windows10>
>
> End-users: The people whose browsing experience is improved by
> the policies selected, and implemented using the chosen mechanism.
>
>> > The value I get from Dan Pollock is the list of sites rather than the
>> > most elegant mechanism for handling that list. Looking at the comments
>> > in the list, and by comparing evolving versions, it does appear that
>> > Dan actively "opens holes" where people report interference or
>> > difficulties using certain legitimate sites.

But the holes get opened only after someone reports a problem. If you're
using a host file, how do you figure out which host name(s) being blocked
are causing the problem? I never figured out an easy way to troubleshoot
hostfiles & switched to something that logged what all was blocked and
allowed.

>> > Finally, I wouldn't know where to start to compile a list of sites
>> > like that.
>>
>> https://dnsrpz.info/
>> If you're a business, you can buy access to an rpz feed.
>
> I'm not, but I take it that different feeds have different policies on
> which sites to include, and come at different prices.
>
>> If you're a [home?] network admin it's simple enough to enable logging
>> & see what all is allowed that you'd rather have blocked. And/or grab
>> things like Dan Pollock's list and turn them into an rpz file.
>
> Frankly, I don't want to be bothered with processing the list.

That makes it easy then, stay with what you've got :)

Regards,
Lee
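The conversion Lee suggests, turning a hosts-style blocklist such as Dan Pollock's into RPZ "CNAME ." records while keeping its "#<section>" comment markers as selectable policies, as an added Python example that is not part of this thread. The "#<name>" / "#</name>" bracketing and the sample entries are assumed and constructed here; the output is only the record list, the SOA/NS header of the RPZ zone is left to the operator.

```python
import re

# Constructed sample in a hosts-file layout like Dan Pollock's: policy sections
# are bracketed by "#<name>" / "#</name>" comment lines (format assumed here).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
#<ad-sites>
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.doubleclick.net   # duplicate: must appear once in the zone
127.0.0.1 www.2o7.net
#</ad-sites>
#<maybe-ads>
127.0.0.1 metrics.example.net
#</maybe-ads>
"""

_SECTION_OPEN = re.compile(r"^#<([^/][^>]*)>$")
_SECTION_CLOSE = re.compile(r"^#</[^>]*>$")


def parse_hosts_sections(text: str) -> dict[str, list[str]]:
    """Map each #<section> name to its hostnames; unsectioned names go under ""."""
    sections: dict[str, list[str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        opened = _SECTION_OPEN.match(line)
        if opened:
            current = opened.group(1)
            continue
        if _SECTION_CLOSE.match(line):
            current = ""
            continue
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        for host in fields[1:]:                 # fields[0] is the address
            host = host.lower().rstrip(".")
            if host not in ("localhost", "localhost.localdomain"):
                sections.setdefault(current, []).append(host)
    return sections


def hosts_to_rpz(text: str, policies: set[str]) -> list[str]:
    """Emit RPZ records ("name CNAME ." answers NXDOMAIN) for the chosen sections."""
    # The caller picks which sections (policies) to enforce; the zone is only
    # the mechanism. Names are de-duplicated and sorted so output is reproducible.
    names = {h for sec, hosts in parse_hosts_sections(text).items()
             if sec in policies for h in hosts}
    return [f"{name} CNAME ." for name in sorted(names)]
```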