
On my macOS box, I run Little Snitch, a nice UI that can be set to ask the local user for explicit permission before allowing a network request.

https://www.obdev.at/products/littlesnitch/index.html

I’ve occasionally stumbled on it during remote logins, usually when an SSH session wants to download something new, like NPM requesting NodeJS bits. The text terminal SSH download will block; if I figure out it’s the Little Snitch then I have to walk all the way to my desk downstairs, wiggle the mouse to wake up the monitor and unlock the screen saver, and click “Allow” on the Little Snitch dialog box.

Works as intended.

BUT by default it’s common to set such things to silently allow local network requests, so I don’t know if such shenanigans in the OP would work in my case.



In my case, I couldn't imagine configuring LittleSnitch to only allow certain hostnames from my browser. It has an "allow all traffic to 53/80/443" rule, otherwise most websites would flood me with hundreds of new LittleSnitch popups.


You'd think so, but the way I've set it up Little Snitch throws up a dialog box when a browser makes errant requests but otherwise remains silent. Most recently this caught Firefox trying to force DNS over HTTPS despite me having disabled it when it first became generally available. I suppose leaking DNS requests to Cloudflare isn't the worst thing in the world, but it would circumvent the ad blocking I've set up locally.


How _do_ you have it set up? What does errant request mean in this case? A request to a domain that you haven't allowed before?


Ah so I just dug into the rules. What happened was a plugin made a DNS request to mozilla.cloudflare-dns.com. I've nothing special set up for Firefox, but basically no rules for plugin-container, so when a plugin tries to make a DNS request Little Snitch pops up an alert.

Not great I suppose, but better than nothing. Generally what I'll see for Firefox itself are requests for non-80/443 ports.


Better Cloudflare than your ISP that's already explicitly intercepting your DNS queries to sell your data/profile.


False dichotomy. Not only am I pretty sure Sonic isn't selling my DNS queries, I've already opted out of DNS over HTTPS. Refusing to respect the choices I've made is worse than not.

Besides, unencrypted SNI means that if my ISP wanted to get the hosts I was looking at, they could.


Unencrypted SNI is fairly rare now.


Is it? The best I could find was a bit from 2021 that showed 92 of the Alexa Top 1000 sites supporting ESNI. If adoption has skyrocketed since then that's great… meanwhile Firefox is showing HN negotiated a TLS 1.2 connection with no ESNI support.


Yeah. I noticed even server-side software is using it less too. Kind of annoying if you use SNI inspection as part of your egress security.


Can you elaborate on why you'd want to opt-out of DNS over HTTPS? I was under the impression that it was useful and good for privacy, but I may be misinformed.


It breaks DNS-based blocking if you have it set up. Some people set up ad-blocking so that it encompasses their entire network, and the way this works is that it silently drops DNS requests to ad domains on the edge of your local network.


I have a local DNS server to access servers and other resources on my network. DNS over HTTPS breaks this.


It doesn't actually break this but it does leak all of your local DNS queries to Cloudflare.


I trust my ISP a lot more than cloudflare, in part because there's actual competition and I picked one with a strong privacy focus.


And in some/many jurisdictions, your ISP is more regulated by your local government (also in regards to data protection) than cloudflare who has no obligation to you.


Picked...an ISP? What is this fantastical idea?

- An American


Granting monopolies by default, even if geographically contained, might not end up being the best way to go about competition and free markets.


I use NetFence [0] on my jail-broken iPhone.

It's surprising what sneaky socket connections applications connect to, including bank apps.

[0] https://havoc.app/package/netfence


How do you even use bank apps on a jailbroken phone? Last time I was JB'd everything from McDonald's to my bank just threw up a big 'no' and refused to even work.


Except Little Snitch leaks your IP on blocks :(

https://news.ycombinator.com/item?id=35363343


Also: the NoScript plugin downloads every .js file first before it decides if it's not going to execute it, which is a massive data leak unless you also have hosts file entries or firewall rules blocking access to the most common privacy abusers.


I've used similar software for Linux: OpenSnitch.

I never caught anything weird, but it surely annoyed me a lot for all my basic tasks.


>Little Snitch

Just FYI, DNS resolutions do still occur BEFORE THE POPUP DIALOGUE TO CONFIRM/DENY CONNECTION (i.e. www.example.com gets resolved to 1.1.1.1, but no connection is made to 1.1.1.1 until `Confirm` is selected).

Add a PiHole to your network, you will not regret this time/$$$/investment.


Ah yes, I run Pi-Hole as well.


Are you saying that DNS resolution bypasses software firewalls?


I’d expect most firewalls to allow DNS traffic to locally configured resolvers without prompts, and I figure this is also extended to mDNS traffic, which doesn’t leave your local LAN by default.

From the mDNS side of things, you could easily block if your firewall allows you to set up port based deny rules (in this case UDP/5353). This should resolve the privacy leak from the OP, though you may find that you lose expected functionality on your host and local network depending on whether you block inbound, outbound, or both.

Unicast DNS gets a bit trickier (even without considering DoH). Depending on browser and OS configuration, you won’t be talking to more than a handful of resolvers directly. Ideally, you allow communication with these resolvers and block all other DNS traffic. You definitely don’t want to set a rule that allows you to accept each and every query, so in that sense, DNS will be bypassing the firewall.

What’s better in this case is a resolver with filtering capabilities, e.g., Pi-hole.
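As an added illustration of the rule structure this comment describes (not from any commenter or from Little Snitch), here is a pf ruleset for macOS that blocks mDNS on UDP/5353 and permits unicast DNS only to chosen resolvers. The resolver addresses are constructed assumptions; substitute your own.

```pf
# Constructed example ruleset, not part of the thread. Resolver addresses are
# assumptions: a local Pi-hole on the LAN plus one upstream of your choosing.
allowed_dns = "{ 192.168.1.53, 9.9.9.9 }"

# mDNS (UDP/5353) never needs to leave the LAN. Blocking outbound stops the
# host from announcing/querying; blocking inbound as well also disables
# discovery of local Bonjour devices (printers, AirPlay), so choose the
# direction whose loss you can live with.
block drop out quick proto udp from any to any port 5353
# block drop in quick proto udp from any to any port 5353   # optional, see above

# Unicast DNS: permit only the configured resolvers on TCP and UDP port 53,
# then drop every other port-53 flow. "quick" stops evaluation on first match,
# so the pass rule must precede the block rule.
pass out quick proto { tcp, udp } from any to $allowed_dns port 53
block drop out quick proto { tcp, udp } from any to any port 53

# Not covered here: DNS over HTTPS rides on TCP/443 and cannot be singled out
# by port alone, which is why a filtering resolver such as Pi-hole fits better.
```

Check the syntax with `pfctl -nf <file>` before loading it with `pfctl -f <file>`; on macOS, adding it to `/etc/pf.conf` via an anchor keeps it across reboots.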


What I'm saying specifically is that LittleSnitch creates an inquiry to your DNS service (to resolve hostname to IP) before you select either option (`Deny` / `Allow`). If you have DNS that is offsite (i.e. 99% of consumer-facing accounts) then your ISP knows that you have made an inquiry to http://www.example.com [because ISP handles 99% of users' DNS resolution].


Little Snitch is amazing.

Any windows comparable?


I’m very happy with SimpleWall: https://github.com/henrypp/simplewall


I’ve been enjoying Windows Firewall Control from BiniSoft/Malwarebytes. It’s a sort of (better IMHO) hybrid GUI between Windows' built-in host firewall and Little Snitch’s application firewalling.

EDIT: typo


I used to use tinywall on Windows. https://tinywall.pados.hu/


TinyWall is great; however, it does not block requests to Microsoft and other essential windoze functions, which one may either consider good or bad.


I’ve had good luck with Portmaster [0]

- [0] https://safing.io/


I checked that out once but the safing/SPN thing spooked me. It doesn't really explain what it is and why it is needed for a software firewall. As far as I can tell is it a peer-to-peer VPN network? I don't want that. If you have a good answer I'd love to learn it.


CTO of Safing here. I hope I can bring some clarity into this.

Portmaster is actually a privacy suite consisting of many features and modules. It is often described as an "application firewall" to give people a quick, but incomplete idea of what it is.

The SPN is one of these features. It is a blend of VPN and Tor - oversimplified - and is fully optional. In fact, it is a paid feature and won't activate without logging in with an eligible account.


I humbly suggest that you add an entry in your FAQ regarding this question. I tried (quickly) to find answers in the documentation and then moved on when I couldn't find one. Take of that what you will.


Going to check out all these replies.

Also saw this on the main page today and had to share here:

https://www.sniffnet.net/


GlassWire is great, https://www.glasswire.com/


I've heard of Little Snitch a ton, but is it just a really smart firewall essentially? On Windows, every darn thing connects to something, it's ridiculous.


Same with macOS. Install LittleSnitch in strict mode, and you won't go 5s without a pop up blocking something. You can either trust all of the lists that are available to keep LS somewhat out of your way, or you can go full tilt and approve everything. Personally, I've never found that middle ground.


> Personally, I've never found that middle ground.

The middle ground is setting up your own rules once and then dealing with the popups occasionally.


> I've heard of little snitch a ton, but is it just a really smart firewall essentially?

Yes, but why say "just"? You won't find anything better.

