Question Question on DNS numbers

[Lost_in_the_HTTP]

Simple question, need just basic information, not a network manager level understanding.

I've picked up a few el-cheapo ChinaCameras ... $40-50 range. Nothing super advanced, but they give me various levels of pan, tilt and or zoom.

I've set my own IP addresses for my home network and the primary DNS is my router/modem address.

First question ... Can/should the Primary be something else?

Second question, what about the secondary DNS? It looks like they picked up the one from the router/modem, but should it be something else?

Not that I'm super paranoid, but I don't want the Chinese government watching me mow my lawn.

 

[Tech Junky]

It probably is doing some connectivity checks that have to timeout before they display. hacking them or the NVR to point to an IP of the PC they're hardwired to should speed things up. Or the browser is confused by trying to find the route to the hardwired subnet. Disable auto configure / proxy / etc. in internet options > connection > LAN

 

[Lost_in_the_HTTP]

That was all unticked, but I also unticked 'Auto Detect Settings" and it's working a lot faster. I really don't use IE for anything other than this, so it isn't a big issue.

At this moment, it all seems to be working on the internal LAN and none of them seem to have web access.

I can't view them on the manufacturer's mobile programs for example.

 

[Tech Junky]

I can't view them on the manufacturer's mobile programs for example.

That's where the internet connectivity is needed for DDNS to setup back to the cams.

Since you don't want them to be reachable or able to get out it's a small sacrifice.

Leaking data for convenience vs privacy.

 

[Lost_in_the_HTTP]

Not really a sacrifice since I had no reason to do that to begin with and didn't really want to. Thing is, I guess I can simply plug that one LAN cable back in as I'm going out the door if I want to be able to look at them while I'm away for some reason.

 

[Tech Junky]

Sure, or setup a port trigger to activate the connection remotely through the firewall.

Port Knocking is a way to activate things remotely but, it depends on what kind of router / FW / etc. you're using as to whether that's an option or not.

With a Linux based DIY router / FW though it's a potential feature you could use. Also, it would enable you to lockdown the cams a bit more granularly than the segregation method.

Depend son how deep you want to get into personalizing things. From effort to $$.

 

[VirtualLarry]

I found a quirk after updating to Android 12 on my phone where it allows Chrome to bypass my static info completely to allow ads when they were being blocked with Pihole. This is a bit perplexing because all other apps block them properly as they did before. Seems Google put in a backdoor to allow traffic to bypass things in A12.

This is a bit perplexing as to how they're doing this w/o permission. I'm still digging into it though trying to figure out how they're circumventing explicit settings. Chrome didn't exhibit this behavior on A11 so, it's not Chrome doing it. At least I don't think so yet.

Maybe Chrome is using DNS-over-HTTPS, bypassing your PI-hole?

 

[Tech Junky]

Maybe Chrome is using DNS-over-HTTPS, bypassing your PI-hole?

If that were the case it should be happening on all Chrome versions not just mobile.

I've done all of the tricks mentioned from disabling private DNS and so on and while it glitches after toggling things and blocks ads they come back after another refresh.

I have 2 things in play here to block this junk. 1 pihole / 2 vpn - disabled SIM data to make sure it's not circumventing the static IP info.

The thought of Chrome bundling in some sort of VPN on itself in A12 comes to mind as it seems all of the browsers are jumping on the VPN bandwagon lately. I'm also pondering the idea that OnePlus might have rolled something into the update to permit / bypass the DNS manual settings. I haven't bothered really debugging it yet to see where the leak is coming from.

So, my phone apparently knows I'm looking to fix the issue and a new browser popped up in the news app while scrolling through headlines.

Vivaldi Browser | Powerful, Personal and Private web browser

It’s a web browser. But fun. It comes with a bunch of clever features built-in. It’s super flexible and does not track you. Get the Vivaldi browser for desktop, mobile, and your car!

vivaldi.com

It's just bothersome that windows / linux machines are abiding by the rules like they have been for years but, the stupid phone update allows it to bypass things.

 

[Lost_in_the_HTTP]

Vivaldi isn't new, but it's pretty cool in many ways. I have it on my notebook, but haven't put it on a mobile yet.

It's just another Chromium clone though, same as Brave and Opera.

In fact, I may try it on mobile as I'm not overly satisfied with Brave, DDG or Adblock's attempts.

 

[Tech Junky]

Vivaldi isn't new,

I hadn't heard of it before seeing the mention of it on the news feed. Of course chromium based options have existed for quite awhile ( decades ). Chrome though has worked fine for quite awhile and no need to look into other options until this. If it's bypassing DNS though it makes me wonder what else it's leaking in the process.

Just another annoyance to deal with.

 

[Lost_in_the_HTTP]

Chrome though has worked fine for quite awhile and no need to look into other options until this. If it's bypassing DNS though it makes me wonder what else it's leaking in the process.

Just another annoyance to deal with.

I've always considered anything from the G to be spyware. I've never trusted their stuff. I use only what cannot be avoided and then only very sparingly. No 'Tube or anything similar. G's entire business plan is gathering and selling personal information.


.

 

[mxnerd]

You should use UNBOUND as Pi-Hole's upstream server

unbound - Pi-hole documentation

docs.pi-hole.net

 

[Tech Junky]

I agree but, in my book G is the lesser of 2 evils when it comes to some things. For the phone I don't use it for much that they can track or would want to sell anyway. Everything is entwined with G anyway in one shape or another. It's about limiting things as much as possible from being siphoned in the process.

I guess the ease of cross device sync is the appeal for me and using SSO with the same login makes things smooth. Each platform OS though acts a bit different from Windows / Linux / Android they all have their quirks in how they handle G products.

@mxnerd - I haven't had any issues until the phone update. Switching the backend won't resolve the issue. The phone is bypassing pihole completely on Chrome as it's not hitting the server. I suppose I could add a rule to the FW forcing all DNS traffic to hit pihole but, that shouldn't be needed if the IP info is set static to push everything in that direction.

 

[mxnerd]

VL's suspicion seemed correct.

Android Update End-Running Pi-Hole Ad Blocking

Solution: On the Chrome browser on the phone, I see a "Use Secure DNS" entry set to auto on both. That could be DNS over TLS, but I don't see DoH. Still, the

community.spiceworks.com

 

[Tech Junky]

VL's suspicion seemed correct.

I've moved onto the FW side and forcing DNS to hit the PIHOLE instead of relying on Android to abide by what I tell it to do and then not do it.

Problem is the suspect APP is still able to reflect ads which means it's DOH/443 which blocking turns into a S-Show for any https site. I added some rules to the FW to see where DNS traffic is headed and I'm getting hits across different ports / protocols which makes things a bit more interesting.



I guess I have something to keep an eye on and potentially switch up the browser as a starting point to close the hole that G has created somehow or maybe it's OnePlus that did it through the A12 upgrade. Might be a coincidence or it could be both in tandem.

All other apps though adhere to the DNS / blocking. While looking around it seems this might have reared its head back in 12/2021 with an update that rolled out with the security patch on A12 but I was running A11 w/ 3/2022 patch.

SMH...... Looks like there's some other issues others are experiencing from another standpoint of admins not being able to hit local resources on the LAN.

 

[mxnerd]

Probably something to do with this. Where DoT use port 853

Secure transports for DNS | Public DNS | Google for Developers

developers.google.com

 

[Tech Junky]

@mxnerd

Well, it's rare as I've been watching the counters since the post above and whatever device is using it isn't very chatty about it.

 

[mxnerd]

DNS Privacy Clients :: dnsprivacy.org

dnsprivacy.org

quad 9 and possible 1.1.1.1 app?

 

[sdifox]

Outside of the cam / call home issue.....

I found a quirk after updating to Android 12 on my phone where it allows Chrome to bypass my static info completely to allow ads when they were being blocked with Pihole. This is a bit perplexing because all other apps block them properly as they did before. Seems Google put in a backdoor to allow traffic to bypass things in A12.

This is a bit perplexing as to how they're doing this w/o permission. I'm still digging into it though trying to figure out how they're circumventing explicit settings. Chrome didn't exhibit this behavior on A11 so, it's not Chrome doing it. At least I don't think so yet.

Try Brave Browser.

 

[Tech Junky]

Found it.

Chrome < settings < privacy and security < secure dns < disable

Similar to the phone settings m menu but within the app itself. It doesn't allow using an ip and has a drop down for providers or a URL.


The odd thing is this secure DNS option was enabled on the laptop but didn't bypass the PIHOLE restrictions. Which begs to question how the hell is the phone allowing Chrome to supersede the IP configuration that's blocking ads / domains. There must be something in A12 that wasn't in A11 that basically tunneled the DNS Chrome option to allow it to unblock things. It's a head scratcher as to exactly which chicken / egg option allowed for the exception to occur.

 

[Lost_in_the_HTTP]

I had this set up sort of as follows.

Connections from this notebook:

LAN >> Intranet
--- < OR > ---
LAN >> WAN

And also:

Wireless (Built in) >> WAN

The intranet is effectively fully disconnected from the web, but connected to each other via that left over modem/router.

I'm on wireless most of the time, but I like to go wired for certain things. With the above, I could have WAN from either wired or wireless, or I could have WAN from wireless and intranet from LAN, or some other combination.

Problem was, I had to physically unplug/plug the LAN cable to change which I wanted to connect to.

I was trying to figure out how to do away with that step. Somehow, I would need either a switch of some kind I could flip, or another IP port/address.

Then I remembered I had a few old USB >> wireless LAN dongles from years past. I found one that is rated at 150M and plugged that into a USB hub already in place. Once I got the IPs figured out, I now have:

Wireless 1 (Built in) >> WAN
Wireless 2 (USB) >> Intranet
LAN >> Can be plugged into either at will.

IPs are all set to Static, so I have three assigned to this laptop.

 

[Tech Junky]

IPs are all set to Static, so I have three assigned to this laptop.

The things we do for tech. That's not going to be confusing at all!

I was going to say... take the spare router and put it on a different subnet and hook the WAN up to the primary...

ISP <> Primary router
Primary <> LAN / primary subnet
Primary <> Spare / different subnet

Then you could do a VPN into the cam's or a one way route into the cam subnet. Or as you mentioned the easier way would be a L2/L3 switch w/or VLANs. Depends on a few different ways of setting it up but, if what you did works long term no need to pump more money into it.

 

[Lost_in_the_HTTP]

Yeah, well ....

With the LAN disconnected and the two wireless on line, I get a conflict and can't always browse the web. It seems to come and go. If I disable the one on the intranet, I can browse fine.

But I'm too dumb to try and figure it out.

 

[Tech Junky]

I would do one wired / one wireless to avoid the conflict. That machine could be your RDP gateway to viewing things and isolating them at the same time. Lazy doesn't mean dumb... you've already done more than most would ever take on. Just take a break from it and come back to it later when it comes to mind. Focusing for long periods of time leads to frustration when dealing with this stuff.

 

[Lost_in_the_HTTP]

RDP.

Really dumb pinhead.


:: 'tis I ::

 

[Tech Junky]

Remote Desktop