lightswhe.blogg.se

Pfblockerng maxmind

You can have a host on the network that is either friendly or hostile (taken over). This host can then use DNS of its own accord to look up whatever it wants to resolve. It can point to malicious hosts and allow packets into the LAN for compromise. This is very important because most firewalls in use have no ingress filter on internal connections after NAT/resolved-host handshaking. Many IoT devices have Google's DNS integrated into them to send data to their servers. For example, an Amazon Echo will use Google's DNS to send analytics. Redirecting DNS forces that host's DNS requests to 8.8.8.8 to use pfSense's DNS servers instead. Basically, if a request tries to go outside of the network, NAT captures it and makes it go through Resolver's settings.

There is also data that can be collected within the requests. Say you would rather use a provided router, and therefore likely the ISP's DNS by default. Anything you look up (shopping sites, diapers, whatever) can then become metadata that they collect and even use to fingerprint you. Your activity on the internet is well known. You can even fingerprint a host's NTP requests down to the crystal used, due to the variations in jitter caused by heat and such; look it up. Everything gives data; even the act of not giving is data itself, and it truly cannot be escaped. However, limiting it can be fun, and consuming of your admin'ing soul.

The biggest mistake that many make with pfSense is not running Resolver to query the root servers only. They think that encryption will "save" them. The funny thing is that it is slower than the local request cache and resolution. You still send the request to a place that collects metadata, and you are not controlling your DNS requests in a more secure way. Limiting DNS requests to go only through the pfSense server, and not allowing any third-party or external resolution, is very, very important. Honestly, every business and household should be at this level of security, and any ISP with which you cannot run your own endpoint is not worth it.

If you ever watch your network, you can see just how many devices try to talk to external DNS servers; it can be very eye-opening about security for the newly initiated. So, many ads, malware sites, etc. will just get the packet dropped based on the feeds. However, there is an inverse relationship with security: as security increases, usability decreases. The caveat I do not like is how the talk on the network can increase much, much more due to blocking (sinkhole). Working the feeds to be just right for usability can be a bit annoying, but you again will see how much will "call home."

But honestly, do you really need all these devices?
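One way to see which LAN hosts ignore the local resolver, which is the traffic the NAT redirect described above is meant to capture. This is an added example, not code from the original post: the four-field flow format, the resolver address 192.168.1.1, the LAN subnet and the inclusion of port 853 are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

RESOLVER = ipaddress.ip_address("192.168.1.1")  # assumed pfSense LAN address
LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed LAN subnet
DNS_PORTS = {53, 853}  # plain DNS, plus DNS over TLS (assumption: also of interest)

# Constructed sample flows, one per line: "src dst proto dport".
# This is a simplified format for the example, not a real pfSense log format.
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.31 8.8.8.8 udp 53
192.168.1.31 8.8.8.8 udp 53
192.168.1.31 8.8.4.4 tcp 53
192.168.1.45 1.1.1.1 tcp 853
192.168.1.20 93.184.216.34 tcp 443
10.0.0.5 8.8.8.8 udp 53
garbage line
"""

def find_dns_bypass(flows, lan=LAN, resolver=RESOLVER):
    """Return {lan_host: {dns_target: count}} for DNS traffic not sent to the resolver."""
    offenders = defaultdict(lambda: defaultdict(int))
    for line in flows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            dport = int(parts[3])
        except ValueError:
            continue  # skip unparsable addresses or ports
        if src not in lan or dport not in DNS_PORTS:
            continue  # only DNS traffic originating from the LAN matters here
        if dst == resolver:
            continue  # host is using the local resolver as intended
        offenders[str(src)][str(dst)] += 1
    return {host: dict(targets) for host, targets in offenders.items()}

if __name__ == "__main__":
    for host, targets in sorted(find_dns_bypass(SAMPLE_FLOWS).items()):
        for target, count in sorted(targets.items()):
            print(f"{host} -> {target}: {count} DNS flow(s) bypassing {RESOLVER}")
```

Hosts that show up here are the ones whose queries a redirect rule would pull back to Resolver.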










