hosts: Why block AWS Kinesis?
Today I was left puzzled as to why kinesis.us-east-1.amazonaws.com was resolving to 0.0.0.0 as I was producing a plan with terraform to check out a production bug in our infrastructure.
It turns out that the DNS is in the hosts file. It didn’t really take me too long to find, because of the handy DNS Query List tool in pihole, but still, why is this domain blocked here in the first place?
I managed to workaround it by whitelisting it in pihole, but is there some serious security consideration to justify blocking this domain? Is this abused somehow by shady domains?
Thanks!
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 18 (5 by maintainers)
Commits related to this issue
- remove Amazon Kinesis entries https://github.com/StevenBlack/hosts/issues/1287 — committed to AdAway/adaway.github.io by jawz101 4 years ago
I’ll think about it. Looking into the product Amazon Kinesis involves realtime analytics processing and I can see that be for ads and tracking
YieldMo case study
Veritone facial recognition and Sonos monitoring all of their customer’s stereos- both mentioned on the Kinesis webpage
Nielsen TV ratings, Salesforce, Zeta, Quantcast use cases
Amazon Prime Video advertising at scale
more Amazon vids demoing it for realtime analytics
Someone can whitelist it but I’m not interested in doing so unless it affects me on my phone. When I see my phone churning out connections to it because Amazon wants to analyze everything I do, read from logcat logs and whatnot- I really don’t have interest in helping them because their whole platform is built on your phone being a portable cash register you buy.
Certainly they sell the infrastructure to others to use in other solutions but I’m not inclined to simply remove it for those few use cases when the majority of its service is for analyzing end users sentiments and interactions.
@StevenBlack
Thanks for the feedback, it was interesting to see ways kinesis is used directly to handle ads streams.
I will have to whitelist it, but I am happy to know this is not a wrongly blacklisted domain.
Just one more thought…
Kinesis is also available in the following regions: [1]
It might be interesting to discuss with the curators to add those regions to the list. As it stands now, only data streams based in North Virginia will be blocked. If ads streams are set in São Paulo, for instance, they will not be blocked by this list because
kinesis.sa-east-1.amazonaws.comis not in the list. [2][1] https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
[2] https://docs.aws.amazon.com/general/latest/gr/rande.html
kinesis-Kinesis Data Streamsfirehose-Kinesis Data Firehoselogs-Amazon CloudWatch@tophee I don’t know. People kept talking about it so I removed it.
Removed. Thanks
hmm… well maybe I need to just remove it. When I see something like FIPS I feel like I would be causing some sort of crypto/authentication mechanism.
I went ahead and removed them. If anyone has any more insight into the whole enchilada I’d be interested to know what they may be used for.
Thanks @jawz101 I appreciate the thorough assessment here.
Gabriel @gchamon I trust the judgment our curators — they are Good People.
Closing.
Thanks for the quick reply! Love the project btw!!
Hi Gabriel @gchamon the
inesis.us-east-1.amazonaws.comdomain comes to us via AdAway.Ping @jawz101, can you have a look at this one? Thanks.