StevenBlack / hosts

🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.
MIT License

Why block AWS Kinesis? #1287

Closed gchamon closed 4 years ago

gchamon commented 4 years ago

Today I was left puzzled as to why kinesis.us-east-1.amazonaws.com was resolving to 0.0.0.0 as I was producing a plan with terraform to check out a production bug in our infrastructure.

It turns out that the DNS is in the hosts file. It didn't really take me too long to find, because of the handy DNS Query List tool in pihole, but still, why is this domain blocked here in the first place?

I managed to workaround it by whitelisting it in pihole, but is there some serious security consideration to justify blocking this domain? Is this abused somehow by shady domains?

Thanks!

welcome[bot] commented 4 years ago

Hello! Thank you for opening your first issue in this repo. It’s people like you who make these host files better!

StevenBlack commented 4 years ago

Hi Gabriel @gchamon the kinesis.us-east-1.amazonaws.com domain comes to us via AdAway.

Ping @jawz101, can you have a look at this one? Thanks.

gchamon commented 4 years ago

Thanks for the quick reply! Love the project btw!!

jawz101 commented 4 years ago

I'll think about it. Looking into the product, Amazon Kinesis involves realtime analytics processing and I can see that being for ads and tracking

YieldMo case study

Veritone facial recognition and Sonos monitoring all of their customers' stereos - both mentioned on the Kinesis webpage

Nielsen TV ratings, Salesforce, Zeta, Quantcast use cases

Amazon Prime Video advertising at scale

more Amazon vids demoing it for realtime analytics

Someone can whitelist it but I'm not interested in doing so unless it affects me on my phone. When I see my phone churning out connections to it because Amazon wants to analyze everything I do, read from logcat logs and whatnot - I really don't have interest in helping them because their whole platform is built on your phone being a portable cash register you buy.

Certainly they sell the infrastructure to others to use in other solutions but I'm not inclined to simply remove it for those few use cases when the majority of its service is for analyzing end users' sentiments and interactions.

StevenBlack commented 4 years ago

Thanks @jawz101 I appreciate the thorough assessment here.

Gabriel @gchamon I trust the judgment of our curators — they are Good People.

Closing.

gchamon commented 4 years ago

@StevenBlack

Thanks for the feedback, it was interesting to see ways kinesis is used directly to handle ads streams.

I will have to whitelist it, but I am happy to know this is not a wrongly blacklisted domain.

Just one more thought...

Kinesis is also available in the following regions: [1]

[image]

It might be interesting to discuss with the curators to add those regions to the list. As it stands now, only data streams based in North Virginia will be blocked. If ads streams are set in São Paulo, for instance, they will not be blocked by this list because kinesis.sa-east-1.amazonaws.com is not in the list. [2]

[1] https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/

[2] https://docs.aws.amazon.com/general/latest/gr/rande.html

StevenBlack commented 4 years ago

@jawz101 you got dis ⬆️ ?

liamengland1 commented 4 years ago

0.0.0.0 firehose.ap-east-1.amazonaws.com
0.0.0.0 kinesis.ap-east-1.amazonaws.com
0.0.0.0 logs.ap-east-1.amazonaws.com
0.0.0.0 firehose.ap-northeast-1.amazonaws.com
0.0.0.0 kinesis.ap-northeast-1.amazonaws.com
0.0.0.0 logs.ap-northeast-1.amazonaws.com
0.0.0.0 firehose.ap-northeast-2.amazonaws.com
0.0.0.0 kinesis.ap-northeast-2.amazonaws.com
0.0.0.0 logs.ap-northeast-2.amazonaws.com
0.0.0.0 kinesis.ap-northeast-3.amazonaws.com
0.0.0.0 logs.ap-northeast-3.amazonaws.com
0.0.0.0 firehose.ap-south-1.amazonaws.com
0.0.0.0 kinesis.ap-south-1.amazonaws.com
0.0.0.0 logs.ap-south-1.amazonaws.com
0.0.0.0 firehose.ap-southeast-1.amazonaws.com
0.0.0.0 kinesis.ap-southeast-1.amazonaws.com
0.0.0.0 logs.ap-southeast-1.amazonaws.com
0.0.0.0 firehose.ap-southeast-2.amazonaws.com
0.0.0.0 kinesis.ap-southeast-2.amazonaws.com
0.0.0.0 logs.ap-southeast-2.amazonaws.com
0.0.0.0 firehose.ca-central-1.amazonaws.com
0.0.0.0 kinesis.ca-central-1.amazonaws.com
0.0.0.0 logs.ca-central-1.amazonaws.com
0.0.0.0 firehose.eu-central-1.amazonaws.com
0.0.0.0 kinesis.eu-central-1.amazonaws.com
0.0.0.0 logs.eu-central-1.amazonaws.com
0.0.0.0 firehose.eu-north-1.amazonaws.com
0.0.0.0 kinesis.eu-north-1.amazonaws.com
0.0.0.0 logs.eu-north-1.amazonaws.com
0.0.0.0 firehose.eu-west-1.amazonaws.com
0.0.0.0 kinesis.eu-west-1.amazonaws.com
0.0.0.0 logs.eu-west-1.amazonaws.com
0.0.0.0 firehose.eu-west-2.amazonaws.com
0.0.0.0 kinesis.eu-west-2.amazonaws.com
0.0.0.0 logs.eu-west-2.amazonaws.com
0.0.0.0 firehose.eu-west-3.amazonaws.com
0.0.0.0 kinesis.eu-west-3.amazonaws.com
0.0.0.0 logs.eu-west-3.amazonaws.com
0.0.0.0 firehose.me-south-1.amazonaws.com
0.0.0.0 kinesis.me-south-1.amazonaws.com
0.0.0.0 logs.me-south-1.amazonaws.com
0.0.0.0 firehose.sa-east-1.amazonaws.com
0.0.0.0 kinesis.sa-east-1.amazonaws.com
0.0.0.0 logs.sa-east-1.amazonaws.com
0.0.0.0 firehose.us-east-1.amazonaws.com
0.0.0.0 firehose-fips.us-east-1.amazonaws.com
0.0.0.0 kinesis.us-east-1.amazonaws.com
0.0.0.0 kinesis-fips.us-east-1.amazonaws.com
0.0.0.0 logs.us-east-1.amazonaws.com
0.0.0.0 firehose.us-east-2.amazonaws.com
0.0.0.0 firehose-fips.us-east-2.amazonaws.com
0.0.0.0 kinesis.us-east-2.amazonaws.com
0.0.0.0 kinesis-fips.us-east-2.amazonaws.com
0.0.0.0 logs.us-east-2.amazonaws.com
0.0.0.0 firehose.us-gov-east-1.amazonaws.com
0.0.0.0 firehose-fips.us-gov-east-1.amazonaws.com
0.0.0.0 kinesis.us-gov-east-1.amazonaws.com
0.0.0.0 logs.us-gov-east-1.amazonaws.com
0.0.0.0 firehose.us-gov-west-1.amazonaws.com
0.0.0.0 firehose-fips.us-gov-west-1.amazonaws.com
0.0.0.0 kinesis.us-gov-west-1.amazonaws.com
0.0.0.0 logs.us-gov-west-1.amazonaws.com
0.0.0.0 firehose.us-west-1.amazonaws.com
0.0.0.0 firehose-fips.us-west-1.amazonaws.com
0.0.0.0 kinesis.us-west-1.amazonaws.com
0.0.0.0 kinesis-fips.us-west-1.amazonaws.com
0.0.0.0 logs.us-west-1.amazonaws.com
0.0.0.0 firehose.us-west-2.amazonaws.com
0.0.0.0 firehose-fips.us-west-2.amazonaws.com
0.0.0.0 kinesis.us-west-2.amazonaws.com
0.0.0.0 kinesis-fips.us-west-2.amazonaws.com

kinesis - Kinesis Data Streams
firehose - Kinesis Data Firehose
logs - Amazon CloudWatch
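As an added example (not code from the StevenBlack/hosts project or any commenter), the following Python script checks a hosts file against the regional endpoint pattern shown in the list above and reports the per-region gaps gchamon described. The three service prefixes, the FIPS variants, the region names and the sample hosts content are assumptions constructed for this example.

```python
import re
from typing import Dict, Iterable, List, Set

# Service prefixes as the thread lists them: kinesis = Kinesis Data Streams,
# firehose = Kinesis Data Firehose, logs = Amazon CloudWatch. FIPS variants
# exist only for some services/regions, so they are handled separately.
SERVICES = ("kinesis", "firehose", "logs")
FIPS_SERVICES = ("kinesis-fips", "firehose-fips")

# StevenBlack/hosts sinkholes entries to 0.0.0.0; only those lines count.
HOSTS_LINE = re.compile(r"^\s*0\.0\.0\.0\s+(\S+)")


def blocked_hosts(hosts_text: str) -> Set[str]:
    """Return the hostnames a hosts file sinkholes to 0.0.0.0.
    Trailing '#' comments and non-sinkhole lines are ignored."""
    blocked = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0]
        m = HOSTS_LINE.match(line)
        if m:
            blocked.add(m.group(1).lower())
    return blocked


def expected_endpoints(regions: Iterable[str], fips_regions: Iterable[str] = ()) -> Set[str]:
    """Build the regional endpoint names for every service prefix, plus the
    FIPS variants for the regions listed in fips_regions."""
    names = {f"{svc}.{r}.amazonaws.com" for r in regions for svc in SERVICES}
    names |= {f"{svc}.{r}.amazonaws.com" for r in fips_regions for svc in FIPS_SERVICES}
    return names


def coverage_gaps(hosts_text: str, regions, fips_regions=()) -> Dict[str, List[str]]:
    """Map each region to the expected endpoints the hosts file does NOT block.
    Fully covered regions are omitted from the result."""
    blocked = blocked_hosts(hosts_text)
    gaps: Dict[str, List[str]] = {}
    for name in sorted(expected_endpoints(regions, fips_regions) - blocked):
        region = name.split(".")[1]
        gaps.setdefault(region, []).append(name)
    return gaps


# Constructed sample: only the us-east-1 entries are present, which is the
# situation gchamon describes (sa-east-1 traffic would not be blocked).
SAMPLE_HOSTS = """\
# sample excerpt, constructed for this example
0.0.0.0 kinesis.us-east-1.amazonaws.com
0.0.0.0 firehose.us-east-1.amazonaws.com   # comment after entry
0.0.0.0 logs.us-east-1.amazonaws.com
127.0.0.1 localhost
"""

if __name__ == "__main__":
    for region, missing in coverage_gaps(SAMPLE_HOSTS, ["us-east-1", "sa-east-1"]).items():
        print(f"{region}: not blocked -> {', '.join(missing)}")
```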

jawz101 commented 4 years ago

hmm.... well maybe I need to just remove it. When I see something like FIPS I feel like I would be causing some sort of crypto/authentication mechanism.

I went ahead and removed them. If anyone has any more insight into the whole enchilada I'd be interested to know what they may be used for.

tophee commented 3 years ago

Has kinesis.us-east-1.amazonaws.com recently been added back to the list? Last night my Phyn water leak detector stopped working and I got it to work again by whitelisting kinesis.us-east-1.amazonaws.com based on the instructions at https://www.phyn.com/help/why-am-i-not-seeing-water-usage-events-in-water-use-plus-i-cant-run-plumbing-checks-and-im-getting-phyn-is-having-trouble-communicating-with-your-device-messages/.

Is it possible to whitelist a domain only for a specific client?

Edit: I found the answer to the latter question here: https://docs.pi-hole.net/database/gravity/example/

dnmTX commented 3 years ago

ping @jawz101 for assist ☝️

jawz101 commented 3 years ago

Removed. Thanks

StevenBlack commented 3 years ago

Thanks Jawz @jawz101!

tophee commented 3 years ago

@jawz101 So do I understand correctly that those kinesis domains are used both for ads and more essential stuff, which forces us to unblock it? If so, is this a general trend for corporations to circumvent adblockers?

jawz101 commented 3 years ago

@tophee I don't know. People kept talking about it so I removed it.

ericlagergren commented 2 years ago

@jawz101 the FIPS domains are AWS locations that only use FIPS cryptography. They're usually only used by government services or by companies selling to the government.

jawz101 commented 2 years ago

@ericlagergren old post. It's not in adaway

ericlagergren commented 2 years ago

@jawz101 I understand, just wanted to clarify that for you.