by mhils 1495 days ago
This approach is a natural escalation step as DNS-based blocking is getting increasingly difficult. But it's not without its drawbacks. For example, browsers tend to have by far the best TLS implementations. By MITMing yourself, you essentially trust the proxy's TLS implementation instead, which will receive much less scrutiny. There's a lot of precedent for TLS vulnerabilities introduced by middleboxes. If browser extensions are possible they should be preferred. But the author does have a point that this can't be taken for granted anymore!
2 comments

Why is DNS-based blocking getting difficult? You run a bind server and tell it what it can and cannot resolve. It can even listen on DoH so you get transport security between peer and local DNS server.
Your browser (or your tv) can just skip your entire DNS infra and make its own lookups over HTTPS, which you won’t see.

That’s the evil genius of DoH: you can’t block 443 and their “dns server” could be the same hostname as the site you visit … and now we’re discussing mitm’ing ourselves…

Sigh.

Could, but do? I have never seen DNS or DoH pinning. Seems fragile. Would likely fall back to host resolver anyway.
AdTech increasingly uses CNAME cloaking-style tricks to evade DNS blocking. Some of those tricks are detectable, but DNS blocking will inevitably fail once ads are served from the first party domain. It's still rare, but simple CNAME cloaks specifically have seen an uptick in the last few years.
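The "some of those tricks are detectable" point above, as an added example that is not from the thread or any commenter: a resolver-side check that walks the CNAME chain of a queried name and blocks when any alias in the chain lands on a blocklisted tracker domain, so a first-party hostname that merely aliases a tracker is still caught. The zone table, the blocklist and all domain names are constructed placeholders so the script runs offline.

```python
# Added example (not from the thread): detect CNAME cloaking by walking the
# alias chain of a queried name and suffix-matching every hop against a blocklist.
from typing import Dict, List, Optional, Tuple

# Constructed sample zone: hostname -> CNAME target (None = terminal A record).
# "metrics.example.com" is a first-party name aliased to a tracker; all names
# are hypothetical placeholders, not real AdTech domains.
SAMPLE_ZONE: Dict[str, Optional[str]] = {
    "metrics.example.com": "example-com.cdn.tracker-placeholder.net",
    "example-com.cdn.tracker-placeholder.net": "edge.tracker-placeholder.net",
    "edge.tracker-placeholder.net": None,
    "www.example.com": None,
    "loop.example.com": "loop2.example.com",   # deliberate CNAME loop
    "loop2.example.com": "loop.example.com",
}

# Constructed blocklist; matched per label suffix, the way DNS blockers do.
BLOCKLIST = {"tracker-placeholder.net"}

def on_blocklist(name: str, blocklist=BLOCKLIST) -> bool:
    """True if name equals a blocklisted domain or is a subdomain of it.
    Label-wise matching avoids the str.endswith() false positive where
    'nottracker-placeholder.net' would match 'tracker-placeholder.net'."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def cname_chain(name: str, zone=SAMPLE_ZONE, max_depth: int = 8) -> List[str]:
    """Follow CNAMEs from name; stops at a terminal record, an unknown name,
    a loop, or max_depth hops, so hostile zones cannot spin the resolver."""
    chain = [name.lower()]
    while len(chain) <= max_depth:
        target = zone.get(chain[-1])
        if target is None or target.lower() in chain:
            break
        chain.append(target.lower())
    return chain

def classify(name: str, zone=SAMPLE_ZONE, blocklist=BLOCKLIST) -> Tuple[str, List[str]]:
    """Return ('block' | 'allow', chain). A name is blocked if it or any alias
    in its chain is on the blocklist, which catches the cloaked first-party name."""
    chain = cname_chain(name, zone)
    verdict = "block" if any(on_blocklist(h, blocklist) for h in chain) else "allow"
    return verdict, chain

if __name__ == "__main__":
    for host in ("www.example.com", "metrics.example.com", "loop.example.com"):
        print(host, classify(host))
```

As the comment notes, this only helps while the tracker is reachable through an alias; once the ad is served directly from the first-party A record, no CNAME hop exists to match.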
A TLS proxy is something that’s trivially easy to sandbox; a browser is the exact opposite.