[dns-operations] A Deep Dive on the Recent Widespread DNS Hijacking Attacks

Paul Wouters paul at nohats.ca
Mon Feb 25 19:34:02 UTC 2019


On Sun, 24 Feb 2019, Patrik Fältström wrote:

> I would like to see one thing related to VPN, and that is to be able to say what apps on a phone (for example) can access the internet when the VPN connection is down.

Apple can already do that. Linux can do it using namespaces, but no
method exists yet for end users to actually use this.

Although the more generically useful thing is "no application sees any
uplink until your sandbox for wifi/hotspot auth has been completed,
and that sandbox can only use its own DNS linked to the link, with
its own browser, with no permanent cache and no links to anything
outside the sandbox."

> I.e. just like the "allow this app to use mobile data", I would like to have "allow this app to work outside of VPN".

Yeah, although I think on Apple this is only available when using
enterprise mode management of the device :/

Again on Linux, with the XFRMi interfaces replacing the VTI interfaces,
we can build a per-process thing where we move the process into the
right namespace (eg the VPN namespace).

So the world is moving this way, but not there yet.

But on the other side, the world is moving to TLS-cloud hosted services
for everything without a VPN :(

Paul
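The namespace approach Paul mentions above (move the process into its own network namespace so it cannot see any uplink, let alone leak DNS, until the tunnel or captive-portal sandbox is wired in), as an added example that is not part of this thread or of any project's code. The program below forks a child, unshares it into a fresh network namespace, and reports what the child can see: the interface count (only an isolated, down loopback) and whether a UDP socket toward an outside resolver even gets a route. Assumptions: Linux, and either CAP_NET_ADMIN or unprivileged user namespaces enabled; 192.0.2.1 (a documentation address) stands in for a public resolver, and a UDP connect() is used because it performs the route lookup without sending a packet.

```c
/* Added example, not from the original thread. Demonstrates that a process
 * moved into a brand-new Linux network namespace has no uplink at all, so
 * nothing (DNS included) can leave it until an operator deliberately adds a
 * tunnel or veth. Assumes Linux with CAP_NET_ADMIN or unprivileged user
 * namespaces; 192.0.2.1 is a stand-in resolver address (TEST-NET-1). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Could a DNS query leave the current network namespace? A UDP connect()
 * only does the route lookup and sends nothing. Returns 1 if a route to the
 * stand-in resolver exists, 0 if the kernel says ENETUNREACH, -1 otherwise. */
int resolver_reachable(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(53);
    inet_pton(AF_INET, "192.0.2.1", &dst.sin_addr); /* assumed stand-in resolver */
    int rc = connect(fd, (struct sockaddr *)&dst, sizeof dst);
    int err = errno;
    close(fd);
    if (rc == 0)
        return 1;
    return (err == ENETUNREACH) ? 0 : -1;
}

/* Interfaces visible in the current network namespace. if_nameindex() asks
 * the kernel directly, so it follows the namespace (unlike a stale /sys mount). */
int visible_interfaces(void)
{
    struct if_nameindex *ifs = if_nameindex();
    if (!ifs)
        return -1;
    int n = 0;
    for (struct if_nameindex *p = ifs; p->if_index != 0; p++)
        n++;
    if_freenameindex(ifs);
    return n;
}

/* What the child observed from inside the fresh namespace. */
struct sandbox_result {
    int created;    /* 1 if the namespace could be created, 0 otherwise */
    int interfaces; /* interfaces seen inside: expect exactly 1 (lo, down) */
    int reachable;  /* resolver_reachable() inside: expect 0 (no route) */
};

/* Fork a child into a new network namespace and report its view. Plain
 * CLONE_NEWNET needs CAP_NET_ADMIN; the user+net namespace pair is the
 * unprivileged fallback on kernels that allow it. */
struct sandbox_result probe_fresh_netns(void)
{
    struct sandbox_result r = {0, -1, -1};
    int pipefd[2];
    if (pipe(pipefd) < 0)
        return r;
    pid_t pid = fork();
    if (pid < 0) {
        close(pipefd[0]);
        close(pipefd[1]);
        return r;
    }
    if (pid == 0) {
        close(pipefd[0]);
        struct sandbox_result c = {0, -1, -1};
        if (unshare(CLONE_NEWNET) == 0 ||
            unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0) {
            c.created = 1;
            c.interfaces = visible_interfaces();
            c.reachable = resolver_reachable();
        }
        _exit(write(pipefd[1], &c, sizeof c) == (ssize_t)sizeof c ? 0 : 1);
    }
    close(pipefd[1]);
    ssize_t got = read(pipefd[0], &r, sizeof r);
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    if (got != (ssize_t)sizeof r)
        r = (struct sandbox_result){0, -1, -1};
    return r;
}

int main(void)
{
    printf("outside: %d interface(s), route to resolver: %d\n",
           visible_interfaces(), resolver_reachable());
    struct sandbox_result r = probe_fresh_netns();
    if (!r.created) {
        puts("could not create a network namespace (no CAP_NET_ADMIN and "
             "unprivileged user namespaces disabled?)");
        return 1;
    }
    printf("inside fresh netns: %d interface(s), route to resolver: %d\n",
           r.interfaces, r.reachable);
    return 0;
}
```

The fresh namespace is the "sees no uplink" state. To turn it into a VPN namespace an operator then moves only the tunnel interface into it (`ip link set DEV netns NAME`) and gives it its own resolver: `ip netns exec NAME` bind-mounts `/etc/netns/NAME/resolv.conf` over `/etc/resolv.conf` for the processes it starts, so the application inside can only use the DNS tied to that link and never the host's, whether or not the tunnel is up.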

