Static DNS Servers?

Hello all,

DNS is used to turn internet host names into IP addresses. It’s step 1 in any connection to a server on the internet, and Sense is no exception. The list of domains we connect to is listed in a KB article, but the list from @arch above looks correct for today’s monitor firmware.

I added the static DNS assignments because there’s a significant number of misconfigured or broken DHCP-provided DNS servers out there.

In particular, services which live on Amazon Web Services (like Sense) are moved between public-facing IP addresses occasionally. This is generally outside our control, and a local DNS server which caches (remembers) the original IP address will cause a Sense service outage until it gives up the old answer and fetches a new one. Major router vendors get this wrong (I won’t name any names Asus oops), but we get the angry emails and knee-jerk 1 star reviews, sadly.

The intention with the change was to use the DHCP-provided DNS server as a fallback if the public DNS was blocked or unavailable. If this isn’t working, I will look into it.

I hope that helps,
Jonah

2 Likes

I agree with this statement. I work for a global service provider, and poorly configured DNS servers or stale name caches are often the source of customer issues for us.

Regardless of agreeing, I am still personally opposed to forcing customers to use a specific DNS server set. I’m sure you can imagine and appreciate the public backlash if an operating system provider hard-coded their OS to only use a certain set and you had no way to override it within the OS. :slight_smile: Especially Google’s 8.8.8.8, who is going to use any/all queries for advertising and tracking purposes.

Please consider backing this out, or provide an option for the end user to override this behavior and use the DNS server values provided via DHCP.

1 Like

Is blocking the undesirable DNS servers at your router an option for you?

It’s a bit of a non sequitur to me. Am I able to? Yes. Should it be a requirement for an end user to have better control over their privacy? No. Please don’t look at this on a case by case basis, but on a wider “what are we or our customers giving up in order to gain with this change?” scope. If you ever expand to the EU I’d suggest not including this configuration. They really look down on behavior such as this.

1 Like

Thanks for the info. If we expand our network configuration options in the future, I’ll see if we can add a DNS preference.

Looking forward to this also being backed out. :beers:

In the meantime I’ve blocked Sense from any of the following outbound traffic.

TCP/UDP 53 (DNS)
TCP/UDP 853 (DNS over TLS)
TCP/UDP 5353 (mDNS though probably not necessary)

3 Likes

I’ll second the request from @scorp508 here.

First, many routers allow for setting a network wide DNS server.

Second, the DNS provider has the option to collect any information about every site you visit and resell it. There is a growing community which are using private DNS servers to prevent this data collection.

  • Some of these servers are paid/free services (OpenDNS).
  • Some are physical hardware installed inside the network (see https://pi-hole.net/).

Hardcoding DNS IP Addresses into the product means your users have no choice but to sell our data to these 3rd parties (I’m looking at you 8.8.8.8). Simply make the request to the network DNS and allow the users to do the DNS lookup as they please.

Finally, if you need to control exactly where my data is going (especially when you are sending it to 3rd party data logging services) then send it from your own servers, not from within my network. This product should be transparent in where our data is being sent because it contains considerable personal data.

Personal Data Sense has about me:

  • A list of every electronic device in my home (including model number).
  • A description of where these devices are.
  • Exact frequency and duration of use.
  • Which modes they are being used in.
  • When I am home/away (or at least which rooms I have lights on).

When you use a tactic like hardcoding DNS lookups in the software I have much less visibility into where you are sending my data and less control over whether I choose to share it.

I understand the pain of a user with a misconfigured network returning poor reviews, but you have pushed too far in the other direction here, and you are risking all of your data-aware, correctly configured network users giving 1 star reviews as well.

A second thanks to @scorp508 as well for posting the port rules to block sense DNS lookups in the meantime Static DNS Servers? - #13 by scorp508

4 Likes

We hear you all about this. Privacy is important to us, and while DNS is a comparatively small part of the overall data privacy picture, I understand that it’s significant to you. If any of you would like me to reset this configuration change for your monitor specifically, please DM me your serial number or sense account email, and I can take care of that.

2 Likes

@JonahAtSense I can confirm that this is not working as intended since my monitor was stuck offline until I whitelisted 1.1.1.1. Please see ticket number: 127718

Would it be possible for Sense to include changes like these in the release announcements or in a more detailed blog/wiki page that can be referenced?

Thanks

1 Like

Thanks for that — I’ll have a look.

I think this change was included in the release notes.

@JonahAtSense

I checked the firmware release notes going back 6 months and didn’t see a mention of the DNS:

Looking on Zendesk, I only see Web App and Mobile App notes:
https://help.sense.com/hc/en-us/sections/360002441674-Release-Notes

Should I look somewhere else?

Thanks

Nope, you looked in exactly the right place. That change must have been dropped from the notes. Not intentionally so — just very busy people doing the best they can. Sorry about that.

All good. Thanks for acknowledging the change and looking into the issue with not using local DNS.

Really appreciate the quick response.

Please provide a link to this article.

Thanks @scorp508 and @joshuacperkins for bringing this up. This discussion is likely to make many users more aware of potential privacy issues from any device on their network, not just Sense.

@samwooly1

The closest KB article I could find was the one linked here:

I linked the post and not the article to show the changes coming to the article.

To be fair here, the list they give is a pretty decent one. I am with you on google selling the ads tracking my traffic but I don’t see much difference in blocking google’s DNS and setting my own DNS settings. I’d say there are other features I’d want to see them spending time coding way before this option.

I am not sure I understand what the objection to “hard-coded DNS servers” is, but it sounds like it is not very good for our privacy and could expose us to some bad people. I don’t even know what the DNS server is!
It is nice that you offer to reset a config for a specific monitor, but what about the rest of the community? I don’t know about others, but I don’t understand the ins and outs of the network. What I do know is that now I am concerned that my data may be available to people that could cause harm. This makes me uncomfortable.

@jkish
I’ll give you an answer since Sense employees are off for the day.
I wouldn’t be concerned with “bad people” doing some type of “harm” really. If you’re using Google to search or using any of their products like Chrome or Android, you are already exposing yourself to privacy issues.
For most people, this boils down to getting everything you do tracked, and it’s mostly used for advertising. Have you ever gone to a website and the ads on the page were about things you recently searched for or were interested in?
While there is potential for bad things that go much, much deeper, for most of us it’s not as bad as you’re picturing it.
Think of it like this. Sense is asking a question to a server: “What’s the address for this name?” The server answers with a numerical address. The server remembers exactly which Sense monitor asked the question, on which day and at what time, identifying itself.
Here is the problem:
The server has this information about where the question came from, and this information is used by and sold to companies to target things like advertising. From the things being asked, these companies can build a profile with bits and pieces of information. It’s like a puzzle, and with a big enough piece, they can learn a lot.

I should add that Sense does not share or sell this information themselves.
Hope that helps

1 Like

For me this started 04/27/2019 at 03:07:52. I opened ticket 128258. I am extremely unhappy with this undocumented change. My firewall has been flipping out about “possible DNS hijack detected on the network.” I’ve had to allow access to 8.8.8.8 to remedy another device doing the same thing. But I’m not about to start setting static IPs on devices just to allow non-standard DNS services. I’m sure if I dug around the web enough I could find an RFC that this violates.
Also, by using “cloud” DNS you do not get proper geographical DNS. In my experience, I found you end up connecting to services, like Amazon, in the wrong location.
For example, in an office I manage, we were using 8.8.8.8 and were routed to an Amazon data center in Virginia, but using the local ISP DNS, we were routed to the NY data center, and the slowness issues cleared up.

2 Likes

@samwooly1 got the privacy half correct, for security DNS Hijacking is a real thing.

While I’m less worried about the big names (1.1.1.1 and 8.8.8.8) on the security front, if there were a known active attack the only mitigation we would have would be to unplug Sense.
Before this change the remedy to such an attack (if we knew it was happening) would just be a simple change to a setting on a router.

A DNS attack could let someone pretend to be Sense.com (or any other site) and our devices would happily send all data to that entity. While I’m generally not worried about such a large-scale targeted attack against Sense specifically, the more devices hardcoded against a single IP like this, the more effective attacks could be. So I’ll fight against this practice for everything in my home.
See also Chromecast
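As an added example (not from this thread or from Sense), here is a small detector for the situation described above: it reads iptables-style LOG lines from a home router and reports any LAN host that talks to a DNS resolver other than the DHCP-provided one, on the ports @scorp508 listed (53, 853, 5353). The log lines are constructed, and the router at 192.168.1.1 is assumed to be the DHCP-provided resolver.

```python
import re
from collections import defaultdict

# Ports named in the thread: DNS, DNS over TLS, mDNS.
DNS_PORTS = {53: "DNS", 853: "DNS over TLS", 5353: "mDNS"}
MDNS_GROUP = "224.0.0.251"  # link-local multicast; mDNS to it is normal LAN chatter

# Constructed iptables LOG output (hypothetical hosts and addresses), not real captures.
SAMPLE_LOG = """\
Apr 27 03:07:52 gw kernel: FW_OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=40123 DPT=53
Apr 27 03:07:52 gw kernel: FW_OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=1.1.1.1 PROTO=UDP SPT=40124 DPT=53
Apr 27 03:07:53 gw kernel: FW_OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=1.1.1.1 PROTO=TCP SPT=40125 DPT=853
Apr 27 03:07:55 gw kernel: FW_OUT IN=br0 OUT=eth0 SRC=192.168.1.77 DST=192.168.1.1 PROTO=UDP SPT=51000 DPT=53
Apr 27 03:08:01 gw kernel: FW_OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=52.1.2.3 PROTO=TCP SPT=40130 DPT=443
Apr 27 03:08:05 gw kernel: FW_OUT IN=br0 OUT=br0 SRC=192.168.1.50 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
REQUIRED = ("SRC", "DST", "PROTO", "DPT")


def parse_line(line):
    """Return the SRC/DST/PROTO/DPT fields of one LOG line, or None if absent."""
    fields = dict(FIELD_RE.findall(line))
    if any(key not in fields for key in REQUIRED):
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields


def find_dns_bypass(log_text, allowed_resolvers):
    """Map each LAN host to the (resolver, service) pairs it used that are not
    in the DHCP-provided allow-list. mDNS to the multicast group is ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["DPT"] not in DNS_PORTS:
            continue  # not a firewall line, or not a DNS-class port
        if f["DPT"] == 5353 and f["DST"] == MDNS_GROUP:
            continue  # ordinary local service discovery, not a resolver bypass
        if f["DST"] not in allowed_resolvers:
            hits[f["SRC"]].add((f["DST"], DNS_PORTS[f["DPT"]]))
    return dict(hits)


if __name__ == "__main__":
    for host, targets in find_dns_bypass(SAMPLE_LOG, {"192.168.1.1"}).items():
        print(host, "bypasses local DNS via", sorted(targets))
```

With the sample log, only 192.168.1.50 is reported, because 192.168.1.77 asked the router and the multicast mDNS line is skipped.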