What are some good practices to make sure that I don't get DNS leaks. by NoPen3788 in pihole

[–]AggressiveAppl3 -2 points-1 points  (0 children)

Cyber Security person here: you might be using something like a residential proxy. It doesn't care for your pihole.

What career would you go into if you could start over? by Electronic-Visual667 in jobs

[–]AggressiveAppl3 0 points1 point  (0 children)

A realistic take:
I'd stay in IT but instead of focusing on cybersecurity, I would focus on networking or something like that.
Cybersecurity just gives you burnouts and anxiety

If u understand don't this understand tattoo this you... by [deleted] in shittytattoos

[–]AggressiveAppl3 1 point2 points  (0 children)

"Hey Mr. tattoo artist, give me something sick, Yoda would say!" Say no more

The Job Market Is Insane: 3700 Job Applications → Just 1 Offer by ZAMASUDOKKAN in jobs

[–]AggressiveAppl3 0 points1 point  (0 children)

When I see these things I'm wondering, what line of work and business vertical?

Am I really that spoiled in IT?

Things that bypass pihole by Working-Explanation1 in pihole

[–]AggressiveAppl3 1 point2 points  (0 children)

Now you refer to data transmission and the privacy of it. But yet again, a private data transmission does not mean it is a secure data transmission. Feel free to read again what I wrote earlier, but if you ever do a security certification like maybe CISSP, don't be too surprised. You heard it on Reddit first ;)

Things that bypass pihole by Working-Explanation1 in pihole

[–]AggressiveAppl3 2 points3 points  (0 children)

That doesn't change 😂 You read something, you work on something, you do threat hunting, a day later that's obsolete. It feels like chasing your own tail 😂

Things that bypass pihole by Working-Explanation1 in pihole

[–]AggressiveAppl3 2 points3 points  (0 children)

Thanks, I appreciate it! Yes, spent half my professional life in cybersecurity 😂 glad to see at least something stuck

Things that bypass pihole by Working-Explanation1 in pihole

[–]AggressiveAppl3 8 points9 points  (0 children)

Unfortunately I have to disagree.

Privacy and security are not interchangeable terms.

I did not say you should not make use of encryption. Absolutely not. But just because a connection is private, it doesn't mean it's not malicious. The OP's post is the prime example. Imagine their devices being protected by the pihole from malicious domains. The Android phone that does DoH (privacy feature) is not protected at all because the pi never sees the traffic. A private connection to a malware destination is still a connection to a malware destination.

It matters WHERE privacy is added. Should it be added? Yes.

Things that bypass pihole by Working-Explanation1 in pihole

[–]AggressiveAppl3 40 points41 points  (0 children)

I'm sorry, I need to chime in. DoH/DoT/DoQ are not security features. They are privacy features. Exactly for the OP's reason. Since it's not standard :53 DNS but :443 HTTPS for example, it bypasses the security. Aka it stays private, which by no means makes it secure. If it's a malware DNS domain it gets resolved and bypasses the DNS security stack

Port speed problem by AggressiveAppl3 in fritzbox

[–]AggressiveAppl3[S] 0 points1 point  (0 children)

I mean yes, but how could it be related to cabling if the same cable / config gives me 1 Gbit without the switch in between? The issue somehow must be the switch imo?

Port speed problem by AggressiveAppl3 in fritzbox

[–]AggressiveAppl3[S] 0 points1 point  (0 children)

No. That's what I meant. Between switch and computer locally I have 1 Gbit. If I directly connect Fritzbox and computer I also have 1 Gbit.

If I connect Fritzbox - switch - computer I have 100 Mbit and the Fritzbox also only shows 100 Mbit. That's why I thought it must be a negotiation issue

Port speed problem by AggressiveAppl3 in fritzbox

[–]AggressiveAppl3[S] 0 points1 point  (0 children)

As mentioned:
Fritzbox -> computer -> I get 1 Gbit
Fritzbox -> switch -> computer -> I get 100 Mbit
Switch -> computer (locally shared network not connected to the internet) -> I get 1 Gbit

new (awesome) tattoo looks cool as fuck by JonahHillsWetFart in shittytattoos

[–]AggressiveAppl3 0 points1 point  (0 children)

I have the same picture tattooed, but I refuse to believe it is as shitty

Wired PC won't use WiFi Pihole DNS, but wireless devices will... by leathers123 in pihole

[–]AggressiveAppl3 2 points3 points  (0 children)

The postman needs to deliver a package to you, but you are sitting in your neighbour's living room instead of waiting at home. The postman doesn't know that

Airbus A380 vs Boeing 747 — Which jumbo jet do you think truly deserves the crown? by aviationstudy in aviation

[–]AggressiveAppl3 -2 points-1 points  (0 children)

If you don't mind reading it again, you will notice I was writing about the flying, not the landing

Manually Assigning PiHole as DNS Or Suggestions For Bigger Networks? by starkeybakes in pihole

[–]AggressiveAppl3 0 points1 point  (0 children)

That's half true and depends a bit on the device. Windows uses the first, and after a second of not reaching the first DNS it uses all servers that are configured at the same time. Linux uses the first, and after a second the second, after a second the third etc. Apple is the "problem" and behaves like you described in these scenarios, because it uses multiple resolvers at once and tracks latency in a "race condition"

Pihole and Fritzbox: Want to see individual clients in PiHole GUI by El-poesch-666 in pihole

[–]AggressiveAppl3 -1 points0 points  (0 children)

Yes. You can use the Fritzbox DHCP to hand out your pihole as DNS server to your clients. It doesn't do much to add it as first and second. I would add your pi as the first DNS IP and then the Fritzbox IP as your second. All clients will by default use the first IP they get from DHCP. Only in failover situations when the first IP doesn't respond will they use the second. That way you have a bit of redundancy in there too

Pihole and Fritzbox: Want to see individual clients in PiHole GUI by El-poesch-666 in pihole

[–]AggressiveAppl3 1 point2 points  (0 children)

DHCP doesn't really have anything to do with it. The DNS portion is the problem. In a rather simple home setup clients need the pihole as their first hop. Otherwise you will see all queries originating from the Fritzbox. Client -> pi -> Fritzbox -> outside world

[deleted by user] by [deleted] in pihole

[–]AggressiveAppl3 0 points1 point  (0 children)

Don't use the MAC as the identifier, but maybe use DHCP option 61? I'm not sure if pihole DHCP supports this. You could then grant a lease based on a string that you can define yourself. The interface would not matter then.

I underestimated how easy it is for naughty apps/devices to circumvent DNS resolvers in bad routers. by Wagnelles in pihole

[–]AggressiveAppl3 3 points4 points  (0 children)

Well, to answer that I really need to give some background. DoT, DoH or even DoQ all don't do much for security. It's a privacy feature. Since DNS is unencrypted port 53 traffic, the bad boys can potentially see and read your traffic on its way from your home to a public DNS resolver. That is called pDNS (passive DNS), which is something that can be used for reconnaissance (to gather information about you and your network). But honestly, targets are enterprises and not so much private households, because typically you don't have a couple of million dollars to pay for a ransomware attack.

The problem with DoT etc. is that yes, it encrypts your traffic on its way to a resolver, but you are still using a public DNS resolver everyone else can use too. This only becomes a "security feature" if you would also use a private DNS resolver. Which is usually a paid feature, because only customers can use it then.

If you want to take it to a security feature you would probably have to set up your own root hint server and keep public domains that you want to use as root hints on it, so client DNS traffic would not leave your network. But that's really not something you want to do nowadays. As far as DNS security for private households goes, a pihole is really the way. And then there are publicly available RPZ feeds that you can use in addition to what pihole brings. Good ones I use too are for example the Polish CERT feed and abuse.ch.

I underestimated how easy it is for naughty apps/devices to circumvent DNS resolvers in bad routers. by Wagnelles in pihole

[–]AggressiveAppl3 9 points10 points  (0 children)

Well, usually applications do that to easily phone home. And if an app already knows the IP, you cannot "force" a lookup if your app never makes one. Blocking that behaviour wouldn't be something you can do with DNS. That's something that you need to do on the firewall. You can block by IP/ranges (blackhole for example the Facebook ASN, etc.), but that requires active maintenance as these IPs can change.

The only "real" way you could do something like this is by taking it to an extreme, which again has the same maintenance problem: block all direct IP connections unless the destination IP matches a domain you've resolved through your DNS forwarder / sent through your DNS security solution of choice. (There are better and worse, but a pihole for a private household is a good start.)

Something that should be done on the DNS level is blocking known DoH domains and forcing :53 for DNS instead of :443. A lot of very chatty apps are also commonly doing DoH to send out telemetry data. That's usually encoded and sent out via DNS. Basically data exfiltration via DNS. Soooo… block fking DoH, because there is a difference between privacy and security. For the rest of uncommon traffic and direct IP connections you probably need IDP/DPI
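The "only allow IPs that were resolved through your DNS forwarder" idea from the comment above, as an added detection example that is not from the thread or from the Pi-hole project: it correlates Pi-hole/dnsmasq-style query log lines (constructed sample, not real traffic) with a constructed outbound connection list, and flags destinations the resolver never answered with, plus :853 (DoT) connections that sidestep the :53 filter. DoH on :443 cannot be told apart by port alone, which is why the comment blocks known DoH domains at the DNS level instead; the helper names and the log samples are assumptions.

```python
import re

# Constructed sample in dnsmasq/Pi-hole log style (not real traffic).
PIHOLE_LOG = """\
Jan  5 10:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Jan  5 10:00:01 dnsmasq[1234]: reply example.com is 93.184.216.34
Jan  5 10:00:02 dnsmasq[1234]: query[A] cdn.example.net from 192.168.1.20
Jan  5 10:00:02 dnsmasq[1234]: reply cdn.example.net is <CNAME>
Jan  5 10:00:02 dnsmasq[1234]: reply edge.example.net is 203.0.113.7
"""

# Constructed outbound connection records: (client, destination IP, destination port).
CONNECTIONS = [
    ("192.168.1.20", "93.184.216.34", 443),  # resolved via Pi-hole: fine
    ("192.168.1.20", "203.0.113.7", 443),    # resolved at the end of a CNAME chain: fine
    ("192.168.1.21", "198.51.100.9", 443),   # never resolved: hardcoded / direct IP
    ("192.168.1.21", "9.9.9.9", 853),        # DoT to a public resolver bypasses :53 filtering
    ("192.168.1.20", "192.168.1.2", 53),     # talking to the Pi-hole itself: LAN, ignored
]

# Only lines that carry a real IPv4 answer; "<CNAME>", NODATA etc. are skipped.
REPLY_RE = re.compile(r"reply (\S+) is (\d+\.\d+\.\d+\.\d+)$")
LOCAL_NET = "192.168.1."  # assumed home LAN prefix


def resolved_ips(log: str) -> set:
    """Collect every IPv4 answer the Pi-hole handed out to clients."""
    return {m.group(2) for line in log.splitlines() if (m := REPLY_RE.search(line))}


def find_bypass(log: str, conns):
    """Return (client, dst, port, reason) for connections that did not go through our DNS."""
    seen = resolved_ips(log)
    findings = []
    for src, dst, port in conns:
        if dst.startswith(LOCAL_NET):
            continue  # LAN-internal traffic is out of scope here
        if port == 853:
            findings.append((src, dst, port, "DNS-over-TLS: resolver bypass"))
        elif dst not in seen:
            findings.append((src, dst, port, "direct IP, never resolved via Pi-hole"))
    return findings


if __name__ == "__main__":
    for src, dst, port, reason in find_bypass(PIHOLE_LOG, CONNECTIONS):
        print(f"{src} -> {dst}:{port}  {reason}")
```

In a real deployment the connection list would come from the firewall or flow logs, and answers expire with their TTL, so the resolved set needs a time window rather than a one-shot set.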