Question DNS rebinding attacks

Hi,
Does Brave have LNA Protection for WebSockets + WebRTC like Chrome?
Brave doesn't implement WebSockets and WebRTC protections in the way Chrome has extended the LNA permission prompt. Instead, in addition to Shields restricting IP leaks, Brave added localhost resource protection to the web permission API: Localhost Resource Permission

Brave's per-site localhost permissions only handle HTTP/S and WebSockets. It hasn't yet incorporated WebRTC permission prompts like Chrome, but rather there is a privacy-focused WebRTC IP handling policy that allows you to dictate which IPs—public or private—are exposed through the protocol. This reduces the attack surface for rebinding and fingerprinting.
 
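The localhost resource protection described above is one instance of a more general defence against DNS rebinding: refusing to let a public hostname resolve to loopback, link-local or private address space unless the name has been explicitly allowed. The following is an added example (not Brave's or Chrome's code) of such a resolver-side filter, run over constructed A/AAAA answers; the hostnames and allowlist entries are made up for illustration.

```python
import ipaddress

# Address space a public hostname should never resolve into.
# Includes 0.0.0.0/8 and IPv4-mapped IPv6, two common rebinding targets.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal_target(ip_str):
    """True if the answer points into local/private space (or is malformed)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # treat garbage answers as untrusted
    # Unwrap ::ffff:a.b.c.d so the IPv4 checks apply to it too.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETWORKS)


def filter_answers(qname, answers, allowlist=()):
    """Split resolver answers for qname into (kept, dropped).

    Names on the allowlist (e.g. a NAS you deliberately address by name on
    your LAN) and anything under .localhost may resolve internally; every
    other name has its internal answers dropped, which breaks the
    rebinding step where a public name is re-pointed at 127.0.0.1 or a
    LAN address after the page has loaded.
    """
    name = qname.rstrip(".").lower()
    if name in allowlist or name == "localhost" or name.endswith(".localhost"):
        return list(answers), []
    kept, dropped = [], []
    for ip in answers:
        (dropped if is_internal_target(ip) else kept).append(ip)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample: a public name that suddenly resolves to local space.
    print(filter_answers("cdn.example", ["8.8.8.8", "127.0.0.1", "::ffff:10.0.0.1"]))
```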
Is it not better to use Android's native DOT as the DNS client?
DoT works on port 853, which is commonly blocked on public networks, and when that happens the device loses internet access. For that reason, I prefer DoH, which works on port 443 and is indistinguishable from regular HTTPS traffic unless you're doing some kind of DPI.

Using AdGuard also has its benefits, such as the firewall feature or the DNS log, so I don't have to visit the Cloudflare dash to see whether something was incorrectly blocked or not.
 
DoT works on port 583, which is commonly blocked on public networks, and when that happens the device loses internet access. For that reason, I prefer DoH, which works on port 443 and is indistinguishable from regular HTTPS traffic unless you're doing some kind of DPI.

Using AdGuard also has its benefits, such as the firewall feature or the DNS log, so I don't have to visit the Cloudflare dash to see whether something was incorrectly blocked or not.
Port 853.
I see. I haven't faced a situation yet where port 853 was blocked, so no issue so far. It has one advantage: even if I have to use a VPN for something, Android DoT still works. For Google and Cloudflare DNS, Android auto-upgrades DoT to DoH/3. I don't know why they can't make it available for all DoH/3-supported providers.
 
Thanks! I was typing fast. 😅

I actually did have one encounter with a network where it was blocked, and it was enough for me. Yeah, Google limiting DoH to themselves and Cloudflare sucks. I tried using a Zero Trust domain; it still uses DoT.