| ▲ | efitz 6 days ago |
| Two thoughts: 1. Try using pi-hole to block those particular endpoints via making DNS resolution fail; see if it still works if it can’t access the telemetry endpoints. 2. Their ridiculous tracking, disregard of the user preference to not send telemetry, and behavior on the Discord when you mentioned tracking says everything you need to know about the company. You cannot change them. If you don’t want to be tracked, then stay away from Bytedance. |
|
| ▲ | nosrepa 6 days ago | parent | next [-] |
| Why use pihole? Most OSes have a hosts file you can edit if you're just blocking one domain. |
| ▲ | meindnoch 6 days ago | parent | next [-] |
| Hate to break it to you, but /etc/hosts only works for apps that use getaddrinfo or similar APIs. Anything that does its own DNS resolution, which coincidentally includes anything Chromium-based, is free to ignore your hosts file. |
| ▲ | gruez 6 days ago | parent | next [-] |
| But pi-hole seems equally susceptible to the same issue? If you're really serious about blocking you'd need some sort of firewall that can intercept TLS connections and parse SNI headers, which typically requires specialized hardware and/or a beefy processor if you want reasonable throughput speeds. |
| ▲ | neurostimulant 6 days ago | parent | next [-] |
| I configured my router to redirect all outbound port 53 UDP traffic to AdGuard Home running on a Raspberry Pi. From the log, it seems to be working reasonably enough, especially for apps that do their own DNS resolution like the Netflix app on my Chromecast. Hopefully they don't switch to DNS over HTTPS any time soon to circumvent it. |
| ▲ | efitz 6 days ago | parent [-] |
| DNS over HTTPS depends on the ability to resolve the DoH hostname via DNS, which is blockable via Pi-hole, or depends on a set of static IPs, which can be blocked by your favorite firewall. |
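The thread above talks about what a local resolver sees when a router redirects every outbound port-53 packet to it (neurostimulant's setup), why that catches apps that bypass /etc/hosts by doing their own resolution (meindnoch's point), and why a DoH bootstrap lookup is blockable at that same point (efitz). The following is an added example, not code from any poster or from Pi-hole or AdGuard Home: it parses a DNS query in wire format and, for a name on a blocklist, builds the null-address reply that a sinkhole resolver hands back. The packet and the blocklist entries are constructed for the example; `doh.resolver.example` stands in for whatever DoH hostname an app would bootstrap from.

```python
import struct

# --- DNS wire-format helpers (RFC 1035 message layout) ---------------------

def encode_name(name: str) -> bytes:
    """Encode 'a.b.c' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt: bytes, pos: int):
    """Decode a possibly compressed name at pos; return (name, position after it)."""
    labels, jumped, end, hops = [], False, pos, 0
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[pos]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if pos + 2 > len(pkt):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", pkt[pos:pos + 2])[0] & 0x3FFF
            if not jumped:
                end = pos + 2                      # caller resumes after the pointer
            jumped, pos, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        pos += 1
        if length == 0:
            if not jumped:
                end = pos
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), end


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed client query: one question, RD set, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes) -> dict:
    """Extract txid, question name and type from a redirected port-53 datagram."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("not a query")
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, pos = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {"txid": txid, "name": name.lower(), "qtype": qtype,
            "qclass": qclass, "question_end": pos + 4}


# --- sinkhole policy -------------------------------------------------------

def is_blocked(name: str, blocklist) -> bool:
    """Match the name itself or any subdomain of a blocklisted zone."""
    return any(name == b or name.endswith("." + b) for b in blocklist)


def sinkhole_response(query_pkt: bytes, blocklist):
    """Return None to let the query through, or a reply answering 0.0.0.0.

    Answering with the null address (rather than dropping the packet) is the
    sinkhole behaviour shown here; a non-A query gets an empty answer section.
    """
    q = parse_query(query_pkt)
    if not is_blocked(q["name"], blocklist):
        return None
    question = query_pkt[12:q["question_end"]]
    ancount = 1 if q["qtype"] == 1 else 0
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, ancount, 0, 0)  # QR, RD, RA
    answer = b""
    if q["qtype"] == 1:
        # name pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4, 0.0.0.0
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + b"\x00\x00\x00\x00"
    return header + question + answer


# Constructed blocklist: a telemetry zone plus the DoH bootstrap hostname an app
# would need to resolve before it can switch to DNS over HTTPS.
BLOCKLIST = {"telemetry.example.com", "doh.resolver.example"}

if __name__ == "__main__":
    for qname in ("api.telemetry.example.com", "doh.resolver.example", "www.example.org"):
        reply = sinkhole_response(build_query(qname), BLOCKLIST)
        print(qname, "->", "sinkholed" if reply else "forwarded")
```

Because the router redirects the datagram regardless of which resolver the app asked for, the policy runs on the query name alone; the reply reuses the client's transaction id and question so the app accepts it as a normal answer.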
| ▲ | gruez 6 days ago | parent [-] |
| A sufficiently spiteful app could host a DoH resolver/proxy on the same server as its API server (e.g. api.example.com/dns-query), which would make it impossible for you to override DNS settings for the app without breaking the app itself. |
| ▲ | dishsoap 6 days ago | parent [-] |
| Or it wouldn't even need to use any sort of DNS. Bit of a silly discussion. |
|
|
| ▲ | ses1984 6 days ago | parent | prev [-] |
| You can't just intercept TLS, unless you can control the certificate store on the device. |
| ▲ | Andoryuuta 6 days ago | parent [-] |
| In the context of snooping on the SNI extension, you definitely can. The SNI extension is sent unencrypted as part of the ClientHello (first part of the TLS handshake). Any router along the way sees the hostname that the client provides in the SNI data, and can/could drop the packet if they so choose. |
|
| ▲ | lowwave 6 days ago | parent | prev [-] |
| Would it also be true for DNS over HTTPS, right? |
| ▲ | 3eb7988a1663 6 days ago | parent | prev | next [-] |
| When the nefarious actor is already inside the house, who knows to what lengths they will go to circumvent the protections? An external network blocker is more straightforward (packets go in, packets go out), so it is easier to ensure that there is nothing funny happening. On Apple devices, first-party applications get to circumvent LittleSnitch-like filtering. Presumably harder to hide this kind of activity on Linux, but then you need to have the expertise to be aware of the gaps. Docker still punches through your firewall configuration. |
| ▲ | cluckindan 6 days ago | parent | prev | next [-] |
| Set up your router to offer DNS through Pi-hole and everything in your network now has tracking and ads blocked, even the wifi dishwasher. |
| ▲ | bangaladore 6 days ago | parent | next [-] |
| Until everything starts using DoH (DNS over HTTPS). There is pretty much no reason to use anything else as a consumer nowadays. In fact, most web browsers are using DoH, so Pi-hole is useless in that regard. |
| ▲ | godelski 6 days ago | parent | prev [-] |
| Even the dishwasher that has Wifi that you don't know has Wifi and will happily jump onto open networks or has a deal with Xfinity. |
| ▲ | rs186 6 days ago | parent | prev | next [-] |
| So that these domains are automatically blocked on all devices on a local network. Also, you can't really edit the hosts file on Android or iOS, but I guess mobile OSes are not part of the discussion here. Although there are caveats -- if an app decides to use its own DNS server, sometimes secure DNS, you are still out of luck. I just recently discovered that Android WebView may bypass whatever DNS your Wi-Fi points to. |
| ▲ | charcircuit 6 days ago | parent | prev | next [-] |
| The hosts file doesn't let you properly block domains. It only lets you resolve them to something else. It's the wrong tool for the job. |
| ▲ | Zolomon 6 days ago | parent | prev [-] |
| If you have multiple devices on the same LAN, all of them will use the Pi-hole. |
|
|
| ▲ | genghisjahn 6 days ago | parent | prev | next [-] |
| Are there any other companies I should worry about for tracking? |
| ▲ | dotancohen 6 days ago | parent | next [-] |
| Meta is pretty much number one, Google is pretty much number two. Whoever number three is, they are very far behind. For what it's worth, I do use Google products personally. But I won't go near Facebook, WhatsApp, or Instagram. |
| ▲ | orbital-decay 6 days ago | parent [-] |
| Microsoft is definitely not that far behind in scale. They own a ton of software and services that are used by basically everyone. |
| ▲ | randallsquared 6 days ago | parent | prev [-] |
| Yes. |
| ▲ | genghisjahn 6 days ago | parent [-] |
| Yeah, that was my point. I'm not sure what's so breathtaking about what ByteDance is doing. I'm not a fan. But, with Meta, Google, Microsoft and I'll throw on Amazon, a huge chunk of the general public's web activity is tracked. Everywhere. All the time. The people have spoken, they are okay with being tracked. I've yet to talk with a non-technical person who was shocked that their online activity was tracked. They know it is. They assume it is. ByteDance's range of telemetry does not matter to them. Just wanna keep on tiktok'ing. Why does telemetry sent to ByteDance matter? Is it a China thing? I'm not concerned about a data profile on me in China. I'm concerned about the ones here in the US. I'll stop. I'm not sure I have a coherent point. |
|
|
|
| ▲ | ethan1990 4 days ago | parent | prev | next [-] |
| I can't really speak to the DNS blocking approach you mentioned, but as a regular user in the Trae community, I do want to clarify one thing: the Discord timeout occurred because the anti-ads automod was triggered by crypto-related keywords. I saw that the community moderator already explained this. I hope you can know the truth rather than be misled. |
|
| ▲ | tojumpship 6 days ago | parent | prev [-] |
| I can also suggest OpenSnitch or Portmaster to anyone who's conscious about these network connections. I couldn't live without them; never trust opt-outs. |