11 votes

I just installed a DNS based firewall (I think) for the first time in my life. Help me understand which addresses to block.

For context: I'm a tech noob when it comes to cyber-security stuff in particular, and anything network related in general. My devices are a MacBook Pro and an iPhone. Before anyone cringes at this, I buy all my Apple stuff second hand to dodge the brand premium. There, I hope that gives me some credibility in the eyes of all the techies around here. :D

For years I was more or less relying on Apple to do a decent job automatically when it comes to security, and granted, I haven't had any serious issues (that I know of). Some time ago it was brought to my attention that I'm most likely getting tracked even if I tick all the opt-out boxes on my device and browser settings. I hastily installed an open source app on my phone that prevents trackers and ad servers from connecting to it based on a list of addresses that the app provides. There was a long log of blocked domains already the next day. I made a mental note that I should probably look for something to do the same for my laptop, and then forgot about it, until last night.

When I went to check that log again on my phone, I found out that the app hadn't been functional in a while. A quick online search revealed that they aren't as open source as they claim to be, nor very reliable, so I embarked on a quest to find something else to do the job - this time for both devices.

I have managed to install and configure something called NextDNS on both of my devices and most browsers, even though the documentation seems to be made with more tech-savvy people in mind. So far so good. I turned on all the available blocklists, but a lot of strange looking (to me) traffic is still getting through. I'm assuming some of it is benign, but how do I evaluate which addresses I should block or not? I'll list some examples below.

init.ess.apple.com
init-p01md.apple.com
bag.itunes.apple.com
gsp-ssl.ls.apple.com
gspe35-ssl.ls.apple.com
pki-goog.l.google.com
For these, the service offers the following information: 'Provides advertising or advertising-related services such as data collection, behavioral analysis or retargeting.' Sounds like something I wouldn't want to enable. When it comes to the iTunes one, I don't use iTunes and don't even have it installed (don't ask how I managed to get rid of it - it took several days' worth of trial and error...). One of these, pki-goog.l.google.com is listed as 'dangerously prevalent (tracks 21.23% of web traffic)'.

Then again, the same general description is sometimes given to addresses that seem legit, such as:
time.apple.com
weather-data.apple.com

Some are indecipherable to me and don't come with any sort of description:
fp2e7a.wpc.phicdn.net
init.ess.g.aaplimg.com
get-bx.g.aaplimg.com
ocsp2.g.aaplimg.com
ocsp.pki.goog

Some descriptions are kind of vague:
a2047.dscapi9.akamai.net
apis.apple.map.fastly.net
'Content delivery network that delivers resources for different site utilities and usually for many different customers.'

Some seem to be doing tasks that are definitely wanted:
ocsp.digicert.com
'Digicert Trust Seal - Includes tag managers, privacy notices, and technologies that are critical to the functionality of a website.'

Then there's an Amazon Web Service, go-updater-1830831421.us-west-2.elb.amazonaws.com, listed as very prevalent (tracks 5.5% of web traffic) that has been contacting my phone even though I haven't done any shopping or product related searches. What is this and should I block it?

And so on and so on. Is there any logic to these that I can follow? I tried Google searching some to no avail.

18 comments

  1. shrike

    Just because the domain says "amazon", it doesn't mean it has anything to do with shopping. AWS (an Amazon product) is THE biggest cloud computing platform in the world. That amazonaws.com url is most likely some non-Amazon application contacting its cloud service. Could be Keybase based on a quick search.

    Your plan of blocking DNS addresses by ✨feel✨ is the same as my grandpa (RIP) making more space on his Windows computer by just deleting random files he didn't deem necessary inside C:\Windows. Please don't do that.

    Just keep the default Next DNS blocklists, there are actual people with actual skills keeping those lists updated. It's what I use too. (5.3 million queries, 253k blocked - 4.77% blocked). The only thing "broken" are mobile game ads with rewards, but I consider that a feature.

    If your goal is more privacy, you can look into Tor and maybe Mullvad VPN. But they won't help either unless you de-Google yourself, get off all Meta platforms and reduce your digital footprint. No VPN or DNS block will do anything if you willingly give away your data.

    24 votes
    1. TheBeardedSingleMalt

      The only thing "broken" are mobile game ads with rewards, but I consider that a feature

      I first figured this out when I deployed pihole years ago. I don't use many apps/games that have these ad-based bonuses but if I'm at home and need to spin that wheel it's just as easy as turning off wifi, run the ad, then turn it back on. It's worth the minor inconvenience

      4 votes
    2. Lia

      AWS (an Amazon product) is THE biggest cloud computing platform in the world. That amazonaws.com url is most likely some non-Amazon application contacting its cloud service. Could be Keybase based on a quick search.

      Thank you for the information.

      Your grandpa was a smart man. I've been doing the same for as long as I can remember. Not removing system files, obviously, but folders that dictate how they should be used and other gimmicks that I have no use for. They seriously mess up my productivity and it's a shame that visually pleasing (also a requirement for me) operating systems always come with stuff like that - all of which can't be removed.

      1 vote
  2. winther

    I also use NextDNS and I stick to their default blocklists. I have tried manually blocking some of these weird domains like you list, but it often seems to break some wanted functionality. I put my trust in the open source nature of the big blocklists I can automatically subscribe to; they are already doing the work of filtering out which domains break functionality and which can safely be blocked. It is simply too time consuming doing the whack-a-mole yourself, but then we have to accept that we probably can't block all tracking, because these companies are likely also getting better at putting tracking and advertisement on the same domains as the real services.

    7 votes
    1. Lia

      these companies are likely also getting better at putting tracking and advertisement on the same domains as the real services.

      I'm sure you are right. I've selected an aggressive combination of lists to start with, as I can always just revert back to the basics if I get fed up.

      Thanks for your kind reply.

  3. frozenbergman

    I use a pihole instead and route traffic through there. You have to be careful with amazon as sometimes it is legit traffic.

    Check firebog.net for composable blocklists of what you want to block, you can source the best lists from there

    5 votes
    1. Lia

      Thanks for the link! Pi-hole seems more fully featured than my current choice. I might end up switching at a later time if I find myself growing more enthusiastic about this topic.

      NextDNS's browser based UI is displaying the last updated times for all lists, which made it a lot easier to edit down my choices.

      1 vote
  4. Areldyb

    I use the big blocklist from https://oisd.nl/ on my pi-hole at home. I'm more interested in blocking ads than specifically trackers, but that list handles both and more, it's kept up to date, and I don't need to worry about it.

    I want to second the advice here about not blocking domains based solely on guesswork (unless you enjoy tinkering with it and also enjoy having websites and apps break often). I have seen and blocked things before that way, but it's rarely worthwhile, and I'm much more likely to break something I want along the way.

    5 votes
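The advice from frozenbergman and Areldyb above (compose lists from firebog.net or subscribe to oisd, and do not hand-block by feel) can be made concrete. What follows is an added example written for this page; it is not code from the thread, from NextDNS, Pi-hole, oisd or HaGeZi. It is a small Go program that does what a subscribed list does for you: it merges rules from the three formats those lists are published in (hosts `0.0.0.0 domain`, adblock `||domain^` with `@@||domain^` exceptions, and plain one-domain-per-line) into one matcher, then answers the question the original post asks for any name in a query log: would this name be blocked, and by which rule from which list? Only plain domain rules are understood; adblock rules with paths, options or wildcards are skipped. The list contents and list names are constructed sample data under `.example`, not entries from any real list.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Blocklist merges domain rules from several lists with an allowlist. A query is blocked when
// it or a parent label is listed, unless it or a parent label is allowlisted (allow wins).
type Blocklist struct {
	blocked map[string]string // domain -> name of the list that first listed it
	allowed map[string]bool
}

// Entries every hosts file carries that must never become rules.
var hostsLocal = map[string]bool{"localhost": true, "localhost.localdomain": true,
	"broadcasthost": true, "ip6-localhost": true, "ip6-loopback": true, "0.0.0.0": true}

func validDomain(d string) bool {
	return d != "" && !strings.HasPrefix(d, ".") && !strings.Contains(d, "..") &&
		strings.Trim(d, "abcdefghijklmnopqrstuvwxyz0123456789-_.") == ""
}

// parseLine extracts one domain rule from a line in hosts ("0.0.0.0 dom"), adblock ("||dom^",
// or "@@||dom^" for an exception) or plain-domain format; anything else yields ok=false.
func parseLine(line string) (domain string, exception, ok bool) {
	line = strings.TrimSpace(line)
	if line == "" || line[0] == '#' || line[0] == '!' {
		return "", false, false
	}
	if strings.HasPrefix(line, "@@||") {
		exception, line = true, line[4:]
	} else if strings.HasPrefix(line, "||") {
		line = line[2:]
	}
	if strings.ContainsAny(line, "/$*|@") { // paths, options, wildcards: not a domain rule
		return "", false, false
	}
	fields := strings.Fields(strings.TrimSuffix(line, "^") + " .") // "." sentinel: never empty
	if fields[0] == "0.0.0.0" || fields[0] == "127.0.0.1" || fields[0] == "::1" {
		fields = fields[1:] // hosts format: address first, hostname second
	}
	domain = strings.TrimSuffix(strings.ToLower(fields[0]), ".")
	if hostsLocal[domain] || !validDomain(domain) {
		return "", false, false
	}
	return domain, exception, true
}

// Load merges one list (given as text) into b; the first list to name a domain is recorded.
func (b *Blocklist) Load(source, text string) error {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		switch d, exc, ok := parseLine(sc.Text()); {
		case !ok:
		case exc:
			b.allowed[d] = true
		case b.blocked[d] == "":
			b.blocked[d] = source
		}
	}
	return sc.Err()
}

// IsBlocked walks from the full name up to the TLD, so a rule for
// "tracker.example" also covers "pixel.tracker.example".
func (b *Blocklist) IsBlocked(name string) (bool, string) {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), "."), ".")
	for i := range labels {
		if c := strings.Join(labels[i:], "."); b.allowed[c] {
			return false, "allowlisted by " + c
		}
	}
	for i := range labels {
		if c := strings.Join(labels[i:], "."); b.blocked[c] != "" {
			return true, c + " from " + b.blocked[c]
		}
	}
	return false, ""
}

// Constructed sample lists (not real oisd or HaGeZi content), one per format.
const sampleHosts = "# hosts-style list\n127.0.0.1 localhost\n0.0.0.0 tracker.example\n0.0.0.0 metrics.cdn-vendor.example   # analytics beacon\n"
const sampleAdblock = "! adblock-style list\n||ads.example^\n||beacon.shop.example^\n||banner.example^$third-party\n@@||shop.example^\n"
const samplePlain = "telemetry.example\ntracker.example\n"

func LoadSample() *Blocklist {
	b := &Blocklist{blocked: map[string]string{}, allowed: map[string]bool{}}
	b.Load("hosts-list", sampleHosts)
	b.Load("adblock-list", sampleAdblock)
	b.Load("plain-list", samplePlain)
	return b
}

func main() {
	b := LoadSample()
	for _, q := range []string{"pixel.tracker.example", "beacon.shop.example", "banner.example", "init.ess.apple.com"} {
		blocked, why := b.IsBlocked(q)
		fmt.Printf("%-22s blocked=%-5v %s\n", q, blocked, why)
	}
}
```

Running a name from your log through the lists you already subscribe to, before adding a manual rule for it, tells you whether the maintainers have deliberately left it alone. The matcher also shows why a hand-written rule is riskier than it looks: it walks up the labels, so a rule for the registrable domain (say `aaplimg.com`) would also block every name under it, including the `ocsp2.g.aaplimg.com` revocation endpoint, which is exactly the kind of silent breakage the replies warn about.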
    1. Lia

      I want to second the advice here about not blocking domains based solely on guesswork (unless you enjoy tinkering with it...

      I do, actually. I'm a bit weird that way. Of course I'm not going to do anything "based solely on guesswork", which is why I've posted to ask for info.

      Thanks for the link and sharing your experience. I ended up with the OISD list plus the most aggressive HaGeZi one and a few others as a starting point. Adding some tinkering on top of that should keep me happy for a while. :)

      2 votes
  5. dreamless_patio

    https://github.com/yokoffing/NextDNS-Config

    Here is a guide explaining options and blocklist setup - I followed their recommendation for HaGeZi's lists. On mobile now, sorry for short response, but I'll check back later!

    3 votes
    1. Lia

      Thank you for that link. Not sure how I missed it! Something to do with the enshittification of Google search, I'm sure.

      This answered most of my remaining n00b questions as well as gave me ideas on what to add to my personal block list. For example, there's a mention that xp.apple.com needs to be unblocked to receive device updates. Could this mean that as long as I'm blocking it, they can't force an OS update on me like they sometimes do out of the blue? Remains to be seen.

      1 vote
  6. Khue

    "OCSP" stands for Online Certificate Status Protocol typically. When you see destinations referencing this, know that most likely it's used to check validity of certificates. Your browser does a ton of different things checking certs and one of them is to reach out and reference the certificate's revocation servers and see if the cert presented by the website has been revoked. Why would a cert be revoked? Many reasons but these lists are typically maintained by the CA (Certificate Authorities) themselves. If a certificate is revoked, typically modern browsers bail and disallow the connection from occurring. Depending on the configuration of the browser, if it cannot reach the OCSP/Revocation server, it may also kill the connection.

    The relevant part that you want to question is typically the root domain of the OCSP DNS name. Common ones like:

    • DigiCert
    • Apple
    • Microsoft
    • Amazon
    • Etc

    These examples are all pretty obvious and allowing them is probably a good idea.

    Also... I am not super familiar with the product that you are mentioning but to me it doesn't actually sound like a Firewall, it sounds more like a CASB/Web Content filter, kinda like OpenDNS. Source: IT Security guy.

    3 votes
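Khue's comment above explains what the ocsp.* names are for. As an added example, not part of that comment or of any project mentioned in the thread, here is a Go program (standard library only) that shows where those names come from. A certificate carries, in its Authority Information Access and CRL Distribution Points extensions, the URLs of the issuing CA's revocation services; a client that wants revocation status resolves those hostnames. So the names are chosen by the CA and appear in your DNS log whether or not you ever typed them. The program builds a throwaway CA and leaf certificate offline, with hypothetical hosts under `ca.example.test` (constructed for the example; not a real CA), verifies the chain the way a client does, and extracts the hostnames a revocation check would have to resolve.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// RevocationEndpoints returns the hostnames a client must resolve to learn whether cert has
// been revoked: OCSP responders from the Authority Information Access extension and CRL
// distribution points. The CA bakes these names into every certificate it issues.
func RevocationEndpoints(cert *x509.Certificate) (ocspHosts, crlHosts []string, err error) {
	if ocspHosts, err = hostsOf(cert.OCSPServer); err != nil {
		return nil, nil, err
	}
	if crlHosts, err = hostsOf(cert.CRLDistributionPoints); err != nil {
		return nil, nil, err
	}
	return ocspHosts, crlHosts, nil
}

func hostsOf(urls []string) ([]string, error) {
	var hosts []string
	for _, raw := range urls {
		u, err := url.Parse(raw)
		if err != nil || u.Hostname() == "" {
			return nil, fmt.Errorf("no usable host in %q", raw)
		}
		hosts = append(hosts, u.Hostname())
	}
	return hosts, nil
}

// MakeTestChain generates a throwaway CA and a leaf whose AIA and CRL extensions point at
// hypothetical hosts under ca.example.test, so the example runs offline (constructed names).
func MakeTestChain() (leaf, ca *x509.Certificate, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "www.example.test"},
		DNSNames:              []string{"www.example.test"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		OCSPServer:            []string{"http://ocsp.ca.example.test"},
		IssuingCertificateURL: []string{"http://cacerts.ca.example.test/root.crt"},
		CRLDistributionPoints: []string{"http://crl.ca.example.test/root.crl"},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return leaf, ca, err
}

func main() {
	leaf, ca, err := MakeTestChain()
	if err != nil {
		panic(err)
	}
	// Verify checks signatures, validity and name, NOT revocation; that lookup is the client's job.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "www.example.test"}); err != nil {
		panic(err)
	}
	ocspHosts, crlHosts, err := RevocationEndpoints(leaf)
	if err != nil {
		panic(err)
	}
	fmt.Println("OCSP responder hosts:", ocspHosts, " CRL hosts:", crlHosts)
}
```

Two caveats before deciding whether blocking a responder is harmless. First, whether an unreachable responder is fatal depends on the client: Firefox, for example, soft-fails by default and only refuses the connection when `security.OCSP.require` is set. Second, many servers staple the OCSP response into the TLS handshake, in which case the client never looks the responder up at all, so a blocked ocsp.* name can appear to cause no breakage until you hit a site that does not staple.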
    1. Lia

      Thanks, IT Security Guy. I was unsure about the term firewall and I'm sure your definition is correct. I would edit the header but I don't think I can.

      It was helpful to learn a little about OCSP.

      I wish you a fun day - go secure yourself some IT!

      1 vote
  7. tauon (edited)

    As was already mentioned plenty above, please don’t try to brick anything by hand :D.

    I wanted to give insight into a potential use “similar” to the AWS – seemingly there for nefarious purposes, but probably actually harmless.

    I’ll try to break down the domain by the part(s) that caught my eye:

    fp2e7a.wpc.phicdn.net

    Not sure about “phi” without looking it up, but CDN stands for Content Delivery Network… and most often, but not always of course, the “content” really is content (and not e.g. advertisement). Spotify uses a scheme containing “cdn” for example, IIRC.

    (Edit; looked it up and this seems to be the case, one source mentioned i.scdn.co as part of Spotify’s image CDN – if you’re not paying attention it’s very easy to dismiss this as something unknown that shouldn’t be there…)

    apis.apple.map.fastly.net

    Fastly is again a sort of delivery network for developers to ensure that code, data or whatever else they need to load in arrives at a user’s device from “the cloud”, well, fastly. I didn’t know Apple were using them, but for something potentially time-critical like in Apple Maps, it doesn’t seem out of place.

    init.ess.g.aaplimg.com

    get-bx.g.aaplimg.com

    ocsp2.g.aaplimg.com

    “img” is images, and “aapl” is Apple’s stock ticker abbreviation (yeah, sometimes they have to get creative with the domain names…). So this probably loads up some icons that might or might not change over time – perhaps App Store app logos?

    Of course this is just speculation, but based on just the association with Apple in the second example, I wouldn’t remove it without knowing it does purely tracking stuff and that there won’t be breakage by cutting off contact with these addresses.

    Second edit: Looked up that first domain a bit more, and it actually seems to be related to the legitimate ocsp.digicert.com again, not quite a typical CDN use case, but revealing nonetheless!

    2 votes
      1. Lia

      Yay! Thank you so much for typing the response I was hoping to see. :) This got me started when it comes to deciphering some of those seemingly garbled names.

      If you don't mind my asking: why are people acting like my HD will catch fire if I happen to accidentally block something important? Is this an appropriately measured response / what would be an example of a worst case scenario? Would you say that it's easy to cause damage that can't be reversed simply by removing the block?

      1 vote
        1. Weldawadyathink (edited)

        I’m not the person you asked, but here is my take.

        1. You are asking for a ton of extra work for absolutely 0 benefit. Publicly available blocklists will basically always work better than what you can come up with. (If they don’t, you should probably identify the issue in the public lists and contribute your fixes to help other people instead of rolling your own list.)

        2. Poorly setup Adblock can break websites in very unexpected ways. You often get no useful error messages, and it is very difficult to diagnose.

        3. When you run into issues, most people don’t think to disable their adblocker. Most web developers have to deal with people thinking their website is broken even though their Adblock is breaking the website.

        If it’s a project you want to take on, go for it. But I would suggest your time and effort might be better utilized on a different project. The public blocklists are really good, and reinventing the wheel isn’t going to make them better.

        5 votes
        2. overbyte

        Damage, no. It's the tech equivalent of doing no harm and minimizing risk by not introducing unnecessary changes to systems, especially if you don't have enough background knowledge of what those changes are and what they will do.

        You're essentially asking the Tildes community to perform very specific free support work for you that will only benefit your use case. If something went wrong and broke something important like a banking site or software updates, you'd be right and natural to ask back why something didn't work. It could be a lot of fumbling in the dark and lots of back and forth discussions. Essentially a lot of effort for minimal gain. In the meantime your systems have reduced or broken functionality compared to if you hadn't applied the changes in the first place.

        And with the existence of multiple open source projects that are already collaborative efforts specifically made for this purpose, stored in a repo like Github where you can see full audit trails and heaps of technical discussions on why a domain is part of the list in the first place, being cautious with personal advice (similar to medical and legal) and referring to better channels to minimize liability, breakage and not reinvent the wheel is the correct way.

        3 votes
          1. Lia

          If something went wrong and broke something important like a banking site or software updates, you'd be right and natural to ask back why something didn't work.

          It would really not be "right" for me to foist my IT systems management on some online strangers (and let's be honest: you don't seem to think so either).

          I don't see why anyone would assume asking for information means I'd be doing that, but this does make some responses easier to understand. Thanks for the explanation.