Hacker News new | ask | show | jobs
by willis936 2208 days ago
I'm no expert, but the most obvious answer is "you MITM yourself".

If there is a userbase for a list, they have to trust the list to not filter out domains that shouldn't be filtered. I have a hard time thinking how this could lead to hidden repercussions, other than some security flaw that is only exploitable when some subset of requests go through.
1 comments
ciarannolan 2208 days ago
Perhaps they can point a particular host to a malicious IP rather than "0.0.0.0". In a list of several hundred thousand domains, you wouldn't be able to notice this manually.

ex., make Bank of America resolve to a phishing site rather than the real BoA IP.

Pi-Hole and others might check for this though, I don't know.

link
tejtm 2208 days ago
Back before security fatigue set in, I would filter the lists through my own sanity checks for this sort of thing (never found a single one amiss after years) then point my clients at my vetted lists.
link
willis936 2208 days ago
I am under the impression that the blocklist programs (such as ublock origin or pi-hole) do not have an option to redirect to anything other than the void. I can only see downsides to allowing this.
link
contravariant 2208 days ago
Actually ublock-origin has some options to replace Javascripts with custom (presumably less intrusive) scripts. Although I don't think 3rd party lists can do this.

Anyway the repository in this post also provides host files, which most definitely can redirect you to malicious IPs.

Edit: Turns out 3rd party block lists can use the redirect feature but only to Ublock Origin managed resources: https://github.com/gorhill/uBlock/wiki/Resources-Library

link
jlgaddis 2208 days ago
> ... do not have an option to redirect to anything other than the void.

Pi-hole uses dnsmasq [0], a caching DNS resolver (among other things), and includes its own customized configuration files for it.

With that level of control, Pi-hole has the ability to redirect you anywhere on the Internet that they want.

We all hope that the folks behind Pi-hole would never do such a thing -- but they do have the "option".

---

[0]: http://www.thekelleys.org.uk/dnsmasq/doc.html

link
csunbird 2208 days ago
HTTPS should protect you from that.
link