Re: [SOLVED] Re: Firefox: Warning: Potential Security Risk Ahead for the USPS.com
David Wright wrote:
> On Tue 04 Jan 2022 at 19:37:34 (+0100), tomas@tuxteam.de wrote:
> > On Tue, Jan 04, 2022 at 01:19:37PM -0500, Michael Stone wrote:
> >
> > [...]
> >
> > > And this is why putting stuff into /etc/hosts is basically never the right
> > > answer. :)
> >
> > Eye, beholder and things. I've got a couple of them like so:
> >
> > # Pest:
> > 127.0.0.1 www.google-analytics.com
> > 127.0.0.1 ajax.google.com
> > 127.0.0.1 ad.doublecklick.net
> > 127.0.0.1 www.gstatic.com
> > ...
> >
> > Yeah, some things stop working then. I want them to :)
>
> Agreed. I append a list of close to 14,000 addresses (including
> comments) to the end of my own local /etc/hosts. I see very
> few adverts. In fact, I was quite shocked when I just tried
> DNS over HTTPS for a couple of minutes. The 10-day weather
> profile that I screenshot every day was plastered in popups.
>
> Anyone know how to combine DoH with resolving 14,000 addresses
> to 127.0.0.1? Also, does that mean that DoH attempts to resolve
> my local hosts before consulting /etc/hosts? I didn't stick
> around DoH long enough to find out.
Here's what I do:
My local DNS resolver offers DNS, DNS over TLS, and DNS over
HTTPS.
I supply a use-application-dns.net zone that returns NXDOMAIN.
That tells browsers to not use DoH.
I build an adblocker zone via a script that grabs several public
lists, and those all return an address that is answered by a web
server that always answers with a 204 (No Content, success).
That's where you get to put your 14,000 addresses.
The adblocker zone gets rebuilt when I feel like it; otherwise,
I could put in a cron job to update it once a month or so.
-dsr-
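The zone-building step dsr describes above, as an added example that is not code from the thread: it turns hosts-format or bare-domain blocklists into a resolver config fragment and prepends the use-application-dns.net canary zone. Unbound's local-zone syntax, the 192.0.2.1 sink address and the sample list are my assumptions, since the post names neither the resolver nor the lists.

```python
import re

# Addresses that hosts-format blocklists use to mean "sink this name".
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that describe the host itself in such lists and must never be redirected.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}
# Hostname with at least one dot and an alphabetic top-level label (rejects bare IPs).
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9_-]+(\.[a-z0-9_-]+)*\.[a-z][a-z0-9-]*$")

def blocked_names(lines) -> set:
    """Collect blocked hostnames from hosts-format or bare-domain list lines."""
    names = set()
    for raw in lines:
        fields = raw.split("#", 1)[0].split()        # strip comments, tokenise
        if fields and fields[0] in SINK_ADDRS:
            candidates = fields[1:]                   # "0.0.0.0 name [name ...]"
        elif len(fields) == 1:
            candidates = fields                       # bare "name" per line
        else:
            continue                                  # blank, or e.g. "192.168.1.5 fileserver"
        for name in candidates:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES and HOSTNAME_RE.match(name):
                names.add(name)
    return names

def unbound_adblock_zone(names: set, sink_ip: str) -> str:
    """Unbound lines sending each name (and subdomains, per 'redirect') to the 204 sink host."""
    out = []
    for name in sorted(names):
        out.append(f'local-zone: "{name}." redirect')
        out.append(f'local-data: "{name}. A {sink_ip}"')
    return "\n".join(out) + "\n"

# Canary domain: NXDOMAIN here tells Firefox to stay on the system resolver (no DoH).
DOH_CANARY = 'local-zone: "use-application-dns.net." always_nxdomain\n'

def build_config(list_texts, sink_ip: str = "192.0.2.1") -> str:
    names = set().union(*(blocked_names(t.splitlines()) for t in list_texts))
    return DOH_CANARY + unbound_adblock_zone(names, sink_ip)

SAMPLE_LIST = """127.0.0.1 localhost  # constructed sample, stands in for a downloaded list
0.0.0.0 www.google-analytics.com
0.0.0.0 ad.doubleclick.net   # trailing comment
127.0.0.1 www.gstatic.com WWW.GSTATIC.COM.
ads.example.net
192.168.1.5 fileserver
"""
```

Write `build_config([...])` to a file under Unbound's include directory and reload; the sink address must answer HTTP with 204 as the post describes.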