Pi-hole has helped improve my “relationship” with Firefox, or better phrased, with Firefox forks like LibreWolf and Tor Browser. A cool thing with Pi-hole is that you can watch the query log and see what happened in the background while you were surfing the Internet. I learned that:

  • After removing the sponsored shortcuts in Firefox and putting your own shortcuts there, Firefox will make connections each time you start the browser. So, if you had icons on your quick start page in Firefox for, let’s say, EFF, Lemmy, Mastodon, HackerNews, with each Firefox start-up it would query these sites, which I didn’t like so much. Since then I’ve gone back to a completely blank start page, removing search and all those quick start icons, using just toolbar folders with bookmarks.

  • Pi-hole defaults to blocking telemetry for Firefox and Thunderbird.

  • Signal uses Google servers, as I saw via Pi-hole. I thought that they were using Amazon servers, but looking at Wikipedia for the history of Signal hosting I learned that Signal went back to Google for hosting.

  • Firefox push notification services are hosted on Google servers. LibreWolf removes a lot of Google things that Firefox has by default, but not the push parts. With Pi-hole it is very easy to block that.
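As an added example (not part of the original post), this is the kind of per-client summary you can pull out of the Pi-hole query log the post refers to. It is a POSIX shell/awk one-off written for this page, not Pi-hole's own tooling; the log lines are constructed in the dnsmasq format Pi-hole writes (`query[TYPE]`, `forwarded`, `reply`, `gravity blocked`), and the domains and addresses in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: summarise what a Pi-hole query log shows
# per client. The log lines below are constructed in the dnsmasq format that
# Pi-hole writes; the domains and addresses are placeholders.

SAMPLE_LOG="${TMPDIR:-/tmp}/pihole-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 08:00:01 dnsmasq[512]: query[A] eff.org from 192.168.1.20
Mar  3 08:00:01 dnsmasq[512]: forwarded eff.org to 198.51.100.1
Mar  3 08:00:01 dnsmasq[512]: reply eff.org is 203.0.113.5
Mar  3 08:00:02 dnsmasq[512]: query[A] telemetry.example from 192.168.1.20
Mar  3 08:00:02 dnsmasq[512]: gravity blocked telemetry.example is 0.0.0.0
Mar  3 08:00:02 dnsmasq[512]: query[A] lemmy.world from 192.168.1.20
Mar  3 08:00:02 dnsmasq[512]: forwarded lemmy.world to 198.51.100.1
Mar  3 08:00:03 dnsmasq[512]: query[A] push.example from 192.168.1.20
Mar  3 08:00:03 dnsmasq[512]: gravity blocked push.example is 0.0.0.0
Mar  3 08:01:10 dnsmasq[512]: query[A] tracker.example from 192.168.1.30
Mar  3 08:01:10 dnsmasq[512]: gravity blocked tracker.example is 0.0.0.0
Mar  3 08:01:11 dnsmasq[512]: query[AAAA] video.example from 192.168.1.30
Mar  3 08:01:11 dnsmasq[512]: forwarded video.example to 198.51.100.1
EOF

# Per-client query and block counts, plus which domains were blocked.
# A "gravity blocked" line carries no client address, so it is attributed to
# the client that most recently queried that domain (the preceding query line).
# Fields after default awk splitting: $5 = "query[A]" / "gravity",
# $6 = domain / "blocked", $8 = client address on query lines.
dns_report() {
    awk '
        $5 ~ /^query\[/ { queries[$8]++; last_client[$6] = $8; next }
        $5 == "gravity" && $6 == "blocked" {
            blocked[last_client[$7]]++; blocked_dom[$7]++; next
        }
        END {
            for (c in queries)
                printf "%s queries=%d blocked=%d\n", c, queries[c], blocked[c] + 0
            for (d in blocked_dom)
                printf "blocked-domain %s x%d\n", d, blocked_dom[d]
        }
    ' "$1" | LC_ALL=C sort
}

# Distinct domains one client asked for, in first-seen order; handy for
# seeing what a browser contacts right after start-up.
client_domains() {
    awk -v ip="$2" '$5 ~ /^query\[/ && $8 == ip && !seen[$6]++ { print $6 }' "$1"
}

dns_report "$SAMPLE_LOG"
client_domains "$SAMPLE_LOG" 192.168.1.20
```

Point `dns_report` at `/var/log/pihole.log` on a real install (the path is Pi-hole's default log location) and filter with `client_domains` for the laptop's address immediately after opening the browser to reproduce the observation in the post.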

  • ZeDoTelhado@lemmy.world · 32 upvotes · 7 months ago

    Pi-hole is an amazing tool and gives a lot of insight on what is being queried and blocked against the block lists. Also, it makes it completely transparent on the entire network to have nasty things blocked. One thing I will mention to make the setup better: make sure that at the firewall level you have a rule that makes every DNS request go through Pi-hole. Some devices will use a hard-coded DNS instead of respecting the one on the network.

      • lemmyvore@feddit.nl · 4 upvotes · 7 months ago

        Yes, but I think OP is referring to plain DNS requests to a preferred server.

        You can hijack port 53 and redirect them to your preferred server. Also acts as a method of hardening DNS for devices and apps that do not support encrypted DNS.

        • ZeDoTelhado@lemmy.world · 3 upvotes · 7 months ago

          Forgot to mention the port, but that’s it. Notorious devices like smart TVs and consoles like to use the hard-coded DNS method.

        • Turun@feddit.de · 1 upvote · 7 months ago (edited)

          Some devices will use a hard coded DNS instead of respecting the one on the network

          Right, and I am pointing out that non-cooperative devices still won’t be blocked by pihole if they so desire.

          • lemmyvore@feddit.nl · 2 upvotes · 7 months ago

            Only if they do encrypted DNS, and you can still block them; you just can’t force them to use the DNS you want. Embedded devices tend to avoid encryption to cut down on hardware requirements; they typically even pull their updates over unencrypted connections. IoT is a crazy world. 😃

            And may I point out that if you have embedded devices freely connecting to the Internet you have a lot bigger problems than the fact they use encrypted DNS. Hell, you should be so lucky for them to use encrypted DNS; at least it would be secure.

              • lemmyvore@feddit.nl · 2 upvotes · 7 months ago

                Media players, TVs, IP cameras, lightbulbs… anything with wifi capability really.

                • Chiro@lemm.ee · 1 upvote · 7 months ago

                  Is there a safe way to use these devices? I’m moderately tech savvy at best, and I do worry a lot about my tv. I also use some smart plugs to manage equipment on my aquarium, but that’s it. I’ve considered the implications of these devices, but didn’t know if there was anything I could do about it.

      • youmaynotknow@lemmy.ml · 3 upvotes · 7 months ago

        Who do you think developed DoH? Google has its paws on everything. It may be private, but as soon as I see Google, I’m out of there.

      • ZeDoTelhado@lemmy.world · 3 upvotes · 7 months ago (edited)

        I was making a quick check, and yes, the DoH situation is a bit more dicey. From how I see it, the best way to make this work is to, at the firewall level, either block as much as possible any requests that look like DoH (and hope whatever was using that falls back to regular DNS calls) or set up a local DoH server to resolve those queries (although I am not sure if it is possible to fully redirect those). In that sense, Pi-hole can’t really do much against DoH on its own.

        EDIT: decided to look a bit further on the router level, and for pfSense at least this is one way to do this: recipe for DNS block and redirect.

        • Turun@feddit.de · 5 upvotes · 7 months ago (edited)

          Right, so following that link there are three ways for DNS:

          Classic on port 53,

          DNS over TLS on port 853,

          DNS over HTTPS.

          The first two can be blocked, because they have specific ports exclusively assigned to them. DoH can’t be blocked reliably, because it is encrypted and on a common port. Though blocking 443 on common DNS resolvers can force some clients to fall back to one of the variants that can be blocked/redirected.

      • Pete90@feddit.de · 1 upvote · 7 months ago

        With most firewalls, there is an option to download IP lists for blocking. There are several lists I don’t recall right now that aggregate DoH services. It’s not perfect, but better than nothing.

    • aStonedSanta@lemm.ee · 2 upvotes · 7 months ago

      What does something like this look like? I have an Orbi Pro but have never really messed with firewall settings.

      • ZeDoTelhado@lemmy.world · 3 upvotes · 7 months ago

        Hm… I am not familiar with that device myself, and since I have been using OPNsense for a while I forget most people do not use routers other than the provided one.

        But in a theoretical sense, this firewall rule should look something like this:

        • origin of traffic is any IP that goes to port 53
        • outgoing traffic has to go to Pi-hole on port 53
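One concrete shape for the rule sketched in this sub-thread (any LAN client sending to port 53 is redirected to the Pi-hole, DoT on 853 is refused, and known DoH resolver addresses are refused on 443, as the earlier replies about DoT/DoH and IP lists discuss): an added example written for this page, not code from the thread, from Pi-hole, or from pfSense/OPNsense. It emits an nftables ruleset for a Linux router; the interface name eth1, the Pi-hole address 192.168.1.2 and the DoH resolver addresses in the set are assumptions to adjust for your own network.

```shell
#!/bin/sh
# Added example, not from the thread: emit an nftables ruleset that forces
# plain DNS through a Pi-hole and refuses the encrypted variants that cannot
# be redirected. Interface name, Pi-hole address and the DoH resolver IPs
# are assumptions for illustration; adjust them to your own network.

pihole_dns_ruleset() {
    lan_if="$1"      # LAN-side interface of the router, e.g. eth1
    pihole="$2"      # the Pi-hole's IPv4 address on that LAN
    cat <<EOF
table ip dns_enforce {
    # Public resolvers that answer DoH on 443 (Cloudflare, Google). Extend
    # the set from a maintained list for broader coverage; unknown DoH
    # endpoints look like any other HTTPS and cannot be told apart here.
    set doh_resolvers {
        type ipv4_addr
        elements = { 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4 }
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Any LAN client talking plain DNS to any server is rewritten to the
        # Pi-hole. The Pi-hole itself is excluded so its own upstream
        # queries are not looped back onto itself.
        iifname "$lan_if" ip saddr != $pihole udp dport 53 dnat to $pihole:53
        iifname "$lan_if" ip saddr != $pihole tcp dport 53 dnat to $pihole:53
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hairpin case: client and Pi-hole share a subnet, so the Pi-hole
        # would answer the client directly from an address the client never
        # asked, and the client would discard the reply. Masquerading only
        # the redirected (dnat) flows sends the reply back via the router.
        oifname "$lan_if" ct status dnat ip daddr $pihole masquerade
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # DoT has its own port, so it can simply be refused; clients that
        # honour the refusal fall back to port 53 and hit the DNAT above.
        iifname "$lan_if" tcp dport 853 reject with tcp reset
        # DoH shares 443 with ordinary HTTPS, so only known resolver IPs
        # can be refused.
        iifname "$lan_if" ip daddr @doh_resolvers tcp dport 443 reject with tcp reset
    }
}
EOF
}

# Stand-alone run prints the ruleset. Load it on the router (as root) with:
#   pihole_dns_ruleset eth1 192.168.1.2 | nft -f -
pihole_dns_ruleset eth1 192.168.1.2
```

Two things to expect once this is loaded: the Pi-hole's query log attributes the redirected queries to the router's address rather than to the TV or console that sent them, because of the masquerade (the `ct status dnat` match keeps that to redirected flows only, so clients already pointed at the Pi-hole keep their real address in the log); and a device that only does DoH to an endpoint outside the set still resolves on its own, which is the limit the thread describes.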
        • aStonedSanta@lemm.ee · 3 upvotes · 7 months ago

          Perfect, thank you. My brain gets that. Had a long day of work working on IP Centrex phones remotely with dumb end users.

  • ivy@lemmy.ml · 9 upvotes · 7 months ago

    Oh man, glad you have learned about the favicons issue; it’s insane that we just accept such an easily fingerprintable method of getting TINY IMAGES. Is there a way to cache all of it? I just disable everything lol

  • LWD@lemm.ee · 6 upvotes · 7 months ago

    After removing the sponsored shortcuts in Firefox…

    with each Firefox start up, it would query these sites.

    I don’t like that. Sponsored sites get a free ping from FF?! I thought those icons would be preloaded.

    • sixtyfourK@scribe.disroot.org (OP) · 5 upvotes · 7 months ago

      Yeah. I thought about that. When you add an icon to your rows of shortcuts in Firefox and it fails to fetch the correct icon and gives it a generic letter instead, and you want to add an icon yourself, you cannot just upload or insert an icon into your Firefox; you will need to point it to some web link where the remote icon is. I can imagine Firefox wants to check at each startup whether the remote icon has changed or not (not completely unreasonable; think about Twitter changing to X).

      • lemmyvore@feddit.nl · 3 upvotes · 7 months ago

        Come on, who are we kidding. 😄 It’s done for pings. The privacy implication is so in-your-face there’s no way they missed it. 🙂

        • bloodfart@lemmy.ml · 4 upvotes · 7 months ago

          Favicons are from ’99. The technology and handling of them wasn’t developed to invade your privacy.

          • lemmyvore@feddit.nl · 2 upvotes · 7 months ago

            We’re talking about images on your homepage, which phone home every time you open the browser, and even each time you open a new tab.

            You can’t possibly believe that an organization that has been making a browser for a living for decades missed the implications of that.

            • bloodfart@lemmy.ml · 3 upvotes · 7 months ago

              On my Firefox those are all favicons. When you say that “they” phone home, what’s happening is that the browser is requesting the favicon for the sponsored links so it shows the right mini logo above the name of the website. If you want to disable this behavior, you can simply disable sponsored links with the gear menu in the top right corner.

              If you want to disable all favicons, disable browser.chrome.favicons (old?) and/or browser.chrome.site_icons and browser.shell.shortcutFavicons in about:config, clear your cache and restart.

              I’m pretty sure that Firefox pulls favicons from cache for favorites or recents or whatever, but I haven’t checked.

              • ReversalHatchery@beehaw.org · 1 upvote · 7 months ago

                The OP has clearly said that the problem was not with the sponsored links, but with the links they added themselves. Also, with your response to disable favicons you dismiss the problem itself. The problem is that there are favicons; the problem is that they are reloaded/rechecked every single time unnecessarily. The solution would be for Firefox to cache these icons if it doesn’t do that already, to use this cache for loading the icons, and to heavily limit how often these icons are refreshed, with an option to never refresh them and maybe only refresh a single icon when refresh is pressed for it.
                It would also be perfectly fine if refreshing only happened the next time the page is visited.

                Sorry, but your response reads like “your issue is silly, but if you really don’t like how it works you can disable it in its entirety”.

                • bloodfart@lemmy.ml · 1 upvote · 7 months ago

                  That’s not a well thought out solution.

                  The problem you’re describing is that the sponsored links get resolved every time the new tab page is opened (ostensibly).

                  There’s a couple of ways this could be a problem: the most obvious way is if you, the user, use favicons to determine what underlying software is actually providing a service. Last time I used it, it was called favicon hashing because you wouldn’t even physically look at the icon itself, just compare its hash to a list of other hashes to immediately know the attack surface you were looking at.

                  But that’s tangential and not really related to the new tab page.

                  The other way it’s a problem is for users, applies to cached favicons and was reported in 2021: websites would compare their locally cached favicons and know that you’d visited before, or if you had been logged in before, and a bunch of other information. It was a big deal because even the then relatively new Privacy Badger couldn’t stop it. The “fix” was just to resolve favicons as needed every time instead of caching. The impact was minimal, they’re just little icons after all, and that’s where we are today!

                  So the “phone home” behavior was actually a fix for real in the wild privacy exploitation.

                  If my response came across as seeing the issue as silly (I read it again, and can’t see it, perfect lemmy post!), it’s possible that understanding leaked through. If you’re determined to view it in a negative light, consider though that I took the person at their word that it was a problem instead of explaining that it’s a fix for another problem that was widely reported and provided detailed instructions for how to disrupt that process.

          • ReversalHatchery@beehaw.org · 1 upvote · 7 months ago

            The new tab page is not from ’99, however. And even for generic favicon handling, my experience in the case of bookmarks is that the bookmark won’t have the favicon of the website if it couldn’t obtain it at the moment the bookmark was created. So no, it does not seem to be an issue with the favicon system itself, but rather the new tab page.

            • bloodfart@lemmy.ml · 1 upvote · 7 months ago

              I’m almost 100% sure that if sponsored links are enabled, then the new tab page calls Mozilla or whoever to figure out what they are and then resolves the sponsored link pages to pull their favicon.

              I’ll verify when I get home and have control over both the computer and the gateway, but it really doesn’t seem malicious or dangerous to me…

              • ReversalHatchery@beehaw.org · 1 upvote · 7 months ago

                Yeah, it really depends on where those requests go to. If they go to Mozilla, that’s not that much of a problem, because for addon updates and profile sync it is happening anyway. But if they go to the websites themselves, now that is a problem.

                It may be easier for you to test it using the browser toolbox. Its diagnostic tools are not limited to a single tab; it shows everything in the browser.

  • ichbinjasokreativ@lemmy.world · 5 upvotes · 7 months ago

    The icon thing can be worked around with something like Heimdall. I host my own Docker container of it and just set that as my startup page in my browser. Looks much nicer than a blank page and everything happens in my own network.

    • BearOfaTime@lemm.ee · 18 upvotes · 7 months ago

      That’s for one device.

      Where does a smart TV keep its hosts file? iPhone? Android?

      DNS (Pi-hole) works for all devices on your network, which I’d argue is better than a hosts file.

        • null@slrpnk.net · 11 upvotes · 7 months ago

          Why maintain the same thing in multiple places? If the pi-hole is blocking it, the pi-hole is blocking it. What added value is there in also maintaining the hosts file?

          • retrogirl@lemmings.world · 4 upvotes · 7 months ago

            The number of times I’ve seen people request help because Pi-hole was not blocking/functioning properly… well, a hosts file just ensures nothing leaves that you want blocked. Besides, you may have different machines set up to be strict or permissive depending on their use case.

            • Scott@lem.free.as · 5 upvotes · 7 months ago

              With Pi-hole you can restrict or be permissive with different devices, based on MAC or IP address.

          • ReversalHatchery@beehaw.org · 2 upvotes · 7 months ago

            On mobile or on networks with a bigger load on the DNS server it could make sense to make things faster, but otherwise a Pi-hole is fine, I think. If the Pi-hole is not working as it should, that should be found out and fixed ASAP.

      • suction@lemmy.world · 2 upvotes · 7 months ago

        That’s for one network. That’s why I switched to NextDNS and have protection at home and everywhere else.

        • Swarfega@lemm.ee · 4 upvotes · 7 months ago

          I ran Pi-hole for years. It started as a way to block ads but then also became a way to block games and YouTube for my kids so they get a break. I had to manually control this, though. I switched to NextDNS last year because this can be done on a schedule and they can’t get around it, such as by swapping to mobile data on their phones.

          In the house, though, I run AdGuard because there’s no way to differentiate traffic for each of my kids’ NextDNS profiles. With AdGuard it can proxy DNS requests to take traffic from the TV in their bedroom and convert it to DNS over TLS so the traffic hits the correct profile. I don’t use AdGuard for anything else. It does not filter anything. It’s purely to make sure traffic hits the correct NextDNS profile.

    • oxomoxo@lemmy.world · 6 upvotes · 7 months ago

      DNS services with block lists such as Pi-hole, AdGuard, NextDNS, etc., provide a centralized config for all devices on a network, so you only configure once, collect statistics, have built-in block lists that can be easily modified and updated either automatically or manually, and are fast.

      Using large lists in a hosts file will slow local resolution. It wasn’t designed for this use case, as it’s acting as a flat-file database with a limited amount of RAM allocated for the process, and it will get slower the longer the list. While this latency won’t be noticeable in the thousands of lines, once you start hitting hundreds of thousands or millions of entries it will start to crawl.

      Hosts files are also unable to handle regex or wildcard entries, which means you would have to duplicate lots of variations of domains…

      I mean, I can also statically assign IPs to every client and keep a spreadsheet, but why don’t I just use DHCP?

      • retrogirl@lemmings.world · 1 upvote · 7 months ago

        Absolutely. These lists are created by server admins who collect what the firewall rejects, much like you see with the Pi-hole. They’ll automatically block some ads and many threats too. Another tip if you’re using LibreWolf, Mullvad Browser or Firefox with uBlock: enable more of the filter lists.

  • barbara@lemmy.ml · 2 upvotes · 7 months ago

    Ever since using computers I have wondered why it is not built in to monitor your queries.