You, and the other commentator, are forgetting that the DNS Server handles all connections, not just those from your browser. Are you confident all the self updating software you use has no vulnerabilities? How about the video games that you play?
Even assuming the use of HTTPS, there are other threats. For example, PiHole redirecting you to a MiTM, who simply observes your connection and can learn sensitive information from the timing and length of your sessions.
I am not arguing browser extensions have strictly less access, just that both PiHole and your extensions have a fairly catastrophic level of access...
You don't have to be confident it has "no vulnerabilities" (an absurd standard) to understand that the worst possible vuln in the DNS server (say CSRFable RCE in dnsmasq) still puts an attacker in a less privileged position than what they get if they control uBlock Origin: UXSS. Now that browsers are serious about mixed content, DNS poisoning just isn't as interesting as it used to be.
Also, odds are a lot of you are running dnsmasq on home routers already without knowing it, and those are worse from several perspectives, including patching (consider CVE-2017-14491), overall appsec vulns (CSRFable RCE: a thing in home routers!), and exploitability of network position (e.g. HTTPS stripping on any non-HSTS website).
I absolutely agree with you about users already running dnsmasq, but the context here is a malicious developer abusing their position. The actual quality of the software is orthogonal.
I still think you are understating the risk of a malicious DNS server. As you note, many users will have unpatched IOT or network facing devices (e.g. cameras, baby monitors or other smart gadgets). With DNS spoofing they all become vulnerable to a remote attacker...
Maybe we can agree if we consider different types of users? Technically skilled users are likely to stick to secure hardware and have an awareness of their general software vulnerability. They choose their passwords carefully and are concerned about compromise. Less savvy users are more likely to own insecure devices, use the same password everywhere and be less concerned by account compromise.
High skill users have more to fear from a Web Extension: its impact is undetectable and it can siphon passwords. Low skill users have more to fear from a malicious DNS server: they won't notice the lack of HTTPS on non-HSTS sites and their hardware will get compromised remotely.
I did not say "a compromised DNS server is completely inconsequential", I said that a compromised WebExtension with *://*/* and tabs permissions has UXSS (obviously true) and UXSS is worse than compromising DNS resolution.
Which one of these is worse:
a) I might be able to convince a bad IOT device to connect to an IP I control which may or may not let me do something interesting,
-- or --
b) I can just use your session cookie for GMail and reset all of your passwords for your IOT services and also everything else? And since I get UXSS, I can scan your internal network and get XSS on that IP/origin too. Or, I dunno: try to use UXSS to log in to your home router and change the DNS server to a machine I control?
The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not. If anything, it's worse for non-technical users, because they by-and-large don't have 2FA, making e-mail compromise far worse.
I only use the quality of the software in one sense: to bound how bad DNS resolution could possibly be. dnsmasq has had more than one of that style of game-over vulns. A malicious WebExtension or DNS server is indistinguishable from one with a bad enough vuln.
> The crux of your argument seems to be "it is more valuable to be able to point an IOT device at the wrong IP than it is to get UXSS on a machine on that network". That seems obviously wrong to me for any user, technical or not.
If PiHole is malicious, there is already an attacker on your network, DNS Spoofing is just one example of the possible consequences. The PiHole can also port scan, connect to services etc. I don't think mounting an effective phishing attack on a user would be very hard.
My point is that both scenarios are catastrophic, and it's hard to justify choosing one over the other on the grounds "the developer might be malicious". Telling people "don't worry a DNS server can't do much" is massively understating the problem, considering all the local network devices directly exposed to the PiHole device and the fact it is the DNS server.
As I said, I use both and cross my fingers that Mozilla / Open Source code review / the GDPR mitigates the risk of a bad developer.
OK, so there's an attacker on the network in both cases (UXSS and the worst-case-dnsmasq-vuln). So, to compare the two, you look at what else you can do -- and UXSS clearly wins there. "It wouldn't be hard to mount a phishing attack" -- maybe? Except on the most valuable phishing domains, which already have HSTS -- and the UXSS alternative is that I literally control your browser which is clearly worse since I have almost definitionally attained the goal of the phishing attack! And if I really want to just steal your password instead of just using your session, I'm guessing "full control of the DOM everywhere" will help with that.
I have also already argued that an extension does not need to be malicious -- just buggy -- to get UXSS.
>If PiHole is malicious, there is already an attacker on your network
In contrast, UXSS provides an attacker on your network that already has access to everything inside your browser. That's banking, email, keylogging credit card numbers, etc. That's the end game right there.
A malicious rPi on your network is quite a few steps away from there, you'd still have to phish and deal with HTTPS/browser security and unlike UXSS that only gets you one set of credentials.
This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.
You can also inspect the block lists to ensure they all go to 0.0.0.0 if you’re worried about mitm attacks.
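The blocklist check the comment above describes, as an added example that is not part of the original thread: it parses hosts-format lists (and tolerates plain-domain lists) and flags any entry whose target is not a local sinkhole address. It goes slightly beyond the comment by accepting 127.0.0.1 and the IPv6 loopback/unspecified addresses as sinkholes too; the blocklist text is constructed for the example.

```python
import ipaddress

# Targets that sink traffic locally rather than redirecting it somewhere reachable.
# (The comment above mentions only 0.0.0.0; loopback/unspecified v4 and v6 are added here.)
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

def parse_blocklist_line(line):
    """Return (target, domains) for one list line, or None for blank/comment lines.

    target is a normalized IP string for hosts-format lines, or None for a
    plain-domain line (Pi-hole itself decides where those resolve).
    """
    body = line.split("#", 1)[0].strip()  # drop trailing comments
    if not body:
        return None
    fields = body.split()
    try:
        target = str(ipaddress.ip_address(fields[0]))  # normalizes e.g. ::0 -> ::
    except ValueError:
        return (None, fields)  # no address column: plain domain list
    return (target, fields[1:])

def audit_blocklist(text):
    """Return (line_no, target, domain) for every entry not pointed at a sinkhole."""
    suspicious = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_blocklist_line(line)
        if parsed is None:
            continue
        target, domains = parsed
        if target is None or target in SINKHOLE_ADDRESSES:
            continue
        for domain in domains:
            suspicious.append((line_no, target, domain))
    return suspicious

# Constructed sample list (not a real blocklist); the last line is the kind of
# entry a MITM-minded list maintainer would slip in: a real host redirected elsewhere.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist, mixed formats
0.0.0.0 ads.example.invalid
127.0.0.1 tracker.example.invalid  # trailing comment
::1 v6tracker.example.invalid
bare-domain.example.invalid
203.0.113.7 login.bank.example.invalid
"""

if __name__ == "__main__":
    for line_no, target, domain in audit_blocklist(SAMPLE_BLOCKLIST):
        print(f"line {line_no}: {domain} -> {target} is not a sinkhole")
```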
Not on a network-wide basis, and not on non-browsers. I don’t think anyone here is saying don’t use a browser-based blocker too. I use both a browser plugin on the client and dnsmasq on my network.
I think the blog post is saying that, especially in the quote that started this thread. The post portrays ad-blocking browser extensions as not worth the risk, discussing both the questionable value of blocking all ads and also the possible risk of the extension being sold to a malware creator. It then presents Pi-hole as a safe alternative to browser-based blockers.
>This should just be dnsmasq, for which source code is readily available and inspectable. You can (and should) compile it yourself if you don’t trust someone else’s binary.