If I implement my service to use the same underlying IP address for the primary service/critical access that I use for advertising services (e.g., I put a load balancer and have Windows Advertising integrated with Windows Update via the same IP addresses), you can’t block the IP without breaking Windows Update.
That’s worse for other ingrained systems, e.g., a news app that actually has to send you content could do this instead of using separate IPs for the advertising service, and then if you want to use their service you have to accept the advertising packets.
If you’re relying on DNS for your blocking as well, it’s entirely possible to distribute the IP address information without ever involving DNS by syncing up the appropriate IPs out of band on some built in IP addresses hard coded in the binary (plenty of things do this sort of thing already for security purposes, they want to minimize the risk of a local DHCP server handing out some garbage DNS record and sending you a virus via their update mechanism).
I could go on.
Do yourself a favor and learn a bit more about how this shit works lest you look like an idiot.
Don’t be a dick; especially if you don’t know what you’re talking about. Thanks.
DNS based blocking only works for regular DNS requests.
At this point, any app that wanted to bypass that could use DoH/DoT+ECH to completely bypass your DNS and thus the blocking it provides. With these tools, all you’d see is an outgoing TLS connection to a remote IP; all other data is encrypted.
DNS based ad blockers (I run one, it’s great, highly recommend) can’t block something if the address is both legit and also serves ads. For instance, if MS used the same domain name for updates and windows key validation as it does for ads, you’d quickly run into an issue. Especially if (please don’t read this MS), they required validation on every boot, then replied with a payload combination of a the ads and a “yea you’re legit and can boot”.
Also, MS could easily (and has) coded some processes to not lookup DNS addresses in things like LMHOSTS or HOSTS, they could just as easily bypass DNS itself. They certainly have plenty of public IPs they could have a process submit to the network stack.
Yeah, though … those don’t always work and it is entirely possible to break them if they become overly “pesky” for the corporations.
Removed by mod
If I implement my service to use the same underlying IP address for the primary service/critical access that I use for advertising services (e.g., I put a load balancer and have Windows Advertising integrated with Windows Update via the same IP addresses), you can’t block the IP without breaking Windows Update.
That’s worse for other ingrained systems, e.g., a news app that actually has to send you content could do this instead of using separate IPs for the advertising service, and then if you want to use their service you have to accept the advertising packets.
If you’re relying on DNS for your blocking as well, it’s entirely possible to distribute the IP address information without ever involving DNS by syncing up the appropriate IPs out of band on some built in IP addresses hard coded in the binary (plenty of things do this sort of thing already for security purposes, they want to minimize the risk of a local DHCP server handing out some garbage DNS record and sending you a virus via their update mechanism).
I could go on.
Don’t be a dick; especially if you don’t know what you’re talking about. Thanks.
DNS based blocking only works for regular DNS requests.
At this point, any app that wanted to bypass that could use DoH/DoT+ECH to completely bypass your DNS and thus the blocking it provides. With these tools, all you’d see is an outgoing TLS connection to a remote IP; all other data is encrypted.
Removed by mod
Removed by mod
DNS based ad blockers (I run one, it’s great, highly recommend) can’t block something if the address is both legit and also serves ads. For instance, if MS used the same domain name for updates and windows key validation as it does for ads, you’d quickly run into an issue. Especially if (please don’t read this MS), they required validation on every boot, then replied with a payload combination of a the ads and a “yea you’re legit and can boot”.
Also, MS could easily (and has) coded some processes to not lookup DNS addresses in things like LMHOSTS or HOSTS, they could just as easily bypass DNS itself. They certainly have plenty of public IPs they could have a process submit to the network stack.