|
|
|
|
|
|
by Bender
995 days ago
|
|
|
The heavy-handed solution looks like this: local-zone: "api.someapp.com." always_nxdomain
Then I reach out to them and say something to the effect of, "Hey, nice application/device you have there! In order for anyone on my network to utilize this app/device the DNS would need to be put back into your DNS servers and removed from the API records." Of course they will laugh at me but that is fine given that 100% of the internet and internet connected devices are entirely optional for me. It is unlikely that a statistically significant number of people would use this heavy handed approach. Or perhaps I am OK with their API method and make use of their API that bypasses DNS. This probably depends on if this is malicious or not. i.e. serving ads or malwareAnother heavy-handed option would be to force all traffic through a MITM proxy which I have done in the past. Any device that can't have my CA cert loaded would be a paperweight and thus returned to Amazon with less than 5 stars and a review that details the DNS implementation which most customers would not care about or understand but my fellow cranky network admins may find useful. If it's a website then I would just not use it. Some businesses take this approach. There are both commercial and open source solutions for this. Look for Squid SSL-Bump MITM proxy if one is curious. This requires bypasses for domains still using public key pinning which is an insignificant number of them. Most have moved away from HPKP due to the induced fragility and risks. There are other methods but they come with security implications such as decompiling applications, shimming something into it or pre-loading libraries to do the same thing but this usually requires rooting a device and potentially compromising security as the vendor signing may be removed. I'm sure some of the mobile developers here have more elegant and secure methods. I doubt many would do any of this of course, but you asked. |
|
|