Perhaps one of the most pressing issues of our days is the (lack of) control we have over our online presence. Being spied on has become the default expectation, and the lengths this has gone to are sometimes hard to believe. Only a few months ago, it was revealed that Meta’s Android applications (Facebook and Instagram), as well as Yandex’s, were using a novel tracking method: abusing the loopback interface to track your habits - it looks like there are no boundaries, physical or moral, that these companies won’t overstep. I’m focusing on this particular incident not only because it’s relatively recent, but also because it shows that this is a veritable game of whack-a-mole; we were supposed to have dealt with the correlation between web browsing and app activity, but the tech giants found yet another way around it.

When confronted with this, the most natural reaction is to do a proper ¯\_(ツ)_/¯ and carry on with one’s life. After all, there’s only so much energy you can dedicate to trying to whack them. But I like to believe that besides the moral failings on display, there are also technical failings here. What I mean by this is that, because the digital space has become more and more adversarial, we need to change the way we interact with these technologies. This post will explore what is, in my opinion, the most effective way to try and claw back some sovereignty over one’s online presence. Introducing: DNS sinkholes and content filtering.

DNS sinkhole

For those who don’t know, DNS is one of the most important pieces of the puzzle that makes up the web. To put it simply, it is the technology that lets your computer know that “www.google.com” is hosted at the IP address 142.250.130.103. This association between domain name and IP address is so fundamental that, without it, most of the web as we know it wouldn’t exist.

The thing is, someone is responsible for keeping these associations between names and addresses. And when you ask about a given address by typing it in the address bar of your browser, what’s happening is that you’re asking that someone where you should go next. Once you get your answer, your browser finally knows where to fetch all those sweet, sweet cat pics you needed for research purposes.

So, what’s a DNS sinkhole, and why should you have one? The idea is straightforward: some of the questions your browser asks are about third parties that are adversarial. This includes ads, malware, spyware, tracking, and so on. By keeping a list of these parties that are known to be malicious, a DNS sinkhole eats up the DNS request and makes your device believe that there’s actually nothing at the other end of the request it just made.

And how does the sinkhole know which records to ignore and which to resolve? This is where the beauty of community effort comes in: there are plenty of lists that are constantly updated to keep most of the unwanted side of the internet at bay. I can personally recommend oisd’s big list, which should cover most cases for most people. Another option is to have a look at firebog’s collection of lists.
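To make the mechanism concrete, here is an added example (not code from the post or from Pi-hole) of the decision a sinkhole makes: it loads a blocklist in the two formats community lists are commonly published in (hosts-style exact names and AdBlock-style "||domain^" entries, which also cover subdomains), and for a raw DNS query either forges a 0.0.0.0 answer, the same answer Pi-hole’s default blocking mode gives, or hands the query on to a real resolver. The list entries and query names are constructed for the example.

```python
import struct

# Constructed sample blocklist in the two formats community lists ship in: hosts-style
# "0.0.0.0 host" (exact match) and AdBlock-style "||domain^" (domain plus all subdomains).
SAMPLE_LIST = """
# a comment line
0.0.0.0 tracker.example-ads.test
||telemetry.example.test^
"""
SINKHOLE_IP = "0.0.0.0"  # what Pi-hole's default "NULL" blocking mode answers with

def load_blocklist(text):
    exact, suffixes = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        if line.startswith("||") and line.endswith("^"):
            suffixes.add(line[2:-1].lower())
        else:
            exact.add(line.split()[-1].lower())  # last field: "0.0.0.0 host" or a bare host
    return exact, suffixes

BLOCKLIST = load_blocklist(SAMPLE_LIST)

def is_blocked(name, exact, suffixes):
    name = name.rstrip(".").lower()
    return name in exact or any(name == s or name.endswith("." + s) for s in suffixes)

def build_query(name, txid=0x1234):
    # Minimal RFC 1035 A-record query: header, QNAME labels, QTYPE=A, QCLASS=IN.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def qname_from_query(pkt):
    # Walk the length-prefixed labels after the 12-byte header; return the name and question end.
    labels, pos = [], 12
    while pkt[pos]:
        labels.append(pkt[pos + 1:pos + 1 + pkt[pos]].decode())
        pos += 1 + pkt[pos]
    return ".".join(labels), pos + 5  # skip the root byte, QTYPE and QCLASS

def sinkhole_response(pkt):
    # Return a forged 0.0.0.0 answer for blocked names, or None to forward upstream.
    name, qend = qname_from_query(pkt)
    if not is_blocked(name, *BLOCKLIST):
        return None
    header = pkt[:2] + b"\x81\x80" + struct.pack(">HHHH", 1, 1, 0, 0)  # QR|RD|RA, 1 question, 1 answer
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes(int(o) for o in SINKHOLE_IP.split("."))
    return header + pkt[12:qend] + answer
```

A real deployment would sit behind a UDP socket on port 53, feed each datagram to sinkhole_response and, for None, relay it to the upstream resolver (unbound, in the setup described below).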

So the remaining question is: what do you need to do to use a DNS sinkhole? There are several ways to implement this, but my recommendation would be to have a Pi-hole running somewhere on your internal network, as this is the type of deployment that guarantees all your devices are going to use it. The official documentation is pretty good, so I won’t go over how to set it up. My recommendation of Pi-hole also has to do with the fact that it’s very easy to integrate with unbound and WireGuard. Not that you can’t do it with other solutions, but here you can be sure that it’s all pretty much bound to work together.

Content filtering

This is the second part of the puzzle. While I reckon it’s not as important as the first part, the truth of the matter is that the synergy with a DNS sinkhole, plus the added bonus of a much snappier web experience without much effort, really makes this a no-brainer. To be honest, you’re probably already doing some sort of content filtering if you’ve ever used an ad-blocker, but doing it correctly makes it so much better.

You’ve probably heard of AdBlock, and the idea is simple: again, there are maintained lists containing a bunch of domains that are considered harmful. If, while you browse, something in the page you’re visiting makes a request to one of the domains on those lists, that request gets filtered. While the process through which those requests are handled is different from a DNS sinkhole’s, the principle is roughly the same.

Here, the way to do it is simply to install uBlock Origin (and be careful that it’s actually this extension, and not some nasty copycat). By default, it already comes pre-configured to handle a lot of content that you shouldn’t be seeing, without any noticeable drawback to your browsing experience. I’d recommend going through the filter lists and enabling a few more of them (the cookie notices and annoyances ones are particularly nice), and you’re pretty much set.

The caveat here is that, as it stands, uBO works best with Firefox. Now, Firefox should already be the browser you’re using regardless, and there are several reasons for that, but I realize that this is unfortunately not as common as it used to be, with most people using Chrome or one of its derivatives. With the advent of Manifest v3, uBO only works in a very limited fashion on Google Chrome - I know, it’s completely unexpected that a browser developed by the biggest seller of ads would cap your ability to filter them.

Closing thoughts

While this might seem like a drop in a (huge) bucket, it’s actually a big boost to your privacy. On a normal day, I’d say that Pi-hole blocks between 2 and 10% of the total DNS queries made on my network, and uBO reports that half a million (!!) domains have been blocked since I installed it. And while I don’t expect this to stop all the aggressions against your digital life, it does help fight them. And every little bit counts.

I haven’t gone too far into the weeds on how to actually make all of this run. But if you’re interested and not sure how to proceed, then why not schedule a call with me? It’s free and I’d be really happy to help!