Nonetheless, I have never stopped tackling all sorts of problems! :D
In fact, I recently dealt with a rather tricky issue that friends and family pointed out to me, and I decided to explore it further.

The Problem

Recently, some of the largest Italian ISPs have begun enforcing DNS traffic rules.
This is most likely related to the crackdown on illegal content streaming, but it also opens up an interesting discussion about user security.

The main risk is that by forcing users to use their DNS servers, ISPs can monitor and log all DNS requests. This means they can track which websites are visited, creating a detailed profile of users’ browsing habits.

Additionally, this practice could expose users to potential DNS traffic manipulations, such as redirection to malicious sites or selective blocking of certain online resources not hosting malicious contents.
Another critical aspect is that ISPs could use this information for commercial purposes or share it with third parties, further compromising user privacy.

Technical Dive-In

With patience, I decided to conduct a series of in-depth tests to verify this claim. I configured various public DNS services (including Google DNS, Cloudflare, and OpenDNS) on two routers from different ISPs and monitored the DNS traffic. The results were unequivocal: despite the DNS settings configured on the router, all DNS requests were systematically redirected to the ISP’s DNS servers.

I conducted further tests on a ZTE router provided by a major Italian ISP. Even though the official manual clearly indicated an “ISP DNS” option that could be disabled to use custom DNS, after disabling this option, the router continued to ignore the custom DNS settings.

The Solution: DNS-over-HTTPS (DoH)

After various attempts, the solution turned out to be the use of DNS-over-HTTPS (DoH). This technology represents a significant evolution over traditional DNS as it encapsulates DNS requests within the HTTPS protocol.

The working principle is simple but effective: instead of sending DNS requests in plain text over port 53 (which can be easily intercepted and modified by the ISP), DoH uses the HTTPS protocol on port 443. Since HTTPS traffic is encrypted, the ISP cannot read or modify DNS requests, making forced redirection to their servers impossible.

In practice, when a browser or application configured to use DoH needs to resolve a domain name, it sends an HTTPS request to a DoH server (such as those from Cloudflare or Google). The server responds with the requested IP address, all through a secure and encrypted connection.

This method is particularly effective because, although the ISP can see that we are communicating with an HTTPS server, it cannot determine which DNS requests we are making or alter them.

Comparison with Traditional DNS

To better understand the difference, let’s look at how traditional DNS works compared to DoH. In traditional DNS, requests are sent in plain text, which means anyone on the network path, including ISPs, can see and potentially manipulate them.

In contrast, DoH encrypts the requests, ensuring that only the intended DoH server can decode them. This encryption prevents ISPs and other intermediaries from viewing or altering the DNS traffic.

By adopting DoH, users can significantly enhance their privacy and security, bypassing ISP content blocking and preventing potential DNS manipulations.

Contacts

For questions or suggestions, contact: noc@balzabu.io.

Introduction

Managing cloud infrastructure often involves dealing with various initialization and configuration tasks. For Ubuntu servers, the cloud-init package plays a crucial role in handling these tasks during the instance boot process. However, there may be scenarios where you want to disable cloud-init for specific use cases or configurations.

To simplify this process, I’ve created a Bash script called disable-cloud-init. This script automates the task of disabling cloud-init on Ubuntu servers in a non-interactive manner, streamlining the configuration process.

Features

• Automation: The script automates the process of disabling cloud-init, saving time and effort.
• Non-Interactive: Designed to be run in a non-interactive environment, so you won’t have to specify or do anything.
• Based on Gist: The script is based on this Gist, providing a reliable foundation.

Usage

Prerequisites

Before using the script, ensure:

• You are using an Ubuntu server.
• You have the necessary privileges (root access) to execute the script.

Running the Script

Execute the following one-liner in your terminal to run the script:

bash -c "$(curl -fsSL https://raw.githubusercontent.com/balzabu/disable-cloud-init/main/disable-cloud-init.sh)"

Note: after running the script, consider performing a manual reboot to ensure that the changes take effect.

Conclusion

Feel free to check out the project on GitHub and give it a try on your Ubuntu servers. Your feedback and contributions are highly appreciated!

Happy scripting!

Contacts

For questions or suggestions, contact: noc@balzabu.io.