Originally published at: https://boingboing.net/2019/07/06/dns-over-https.html

…

Firefox for the win, again along with duckduckgo, and EFF’s PrivacyBadger and HTTPS Everywhere. How about a Hall of Fame for apps?

Can we stop this spinning right away??? DoH does not make it impossible for third parties to see your DNS requests. It shifts the visibility to other parties, i.e. you might be safe from your government, but Mozilla, Google, or any other big tech company that becomes more and more indistinguishable from a government, has access to this data. Granted, they have all your other data anyway, so adding DNS probably makes little difference.

And with regard to censoring: So if the US government subpoenas a US-based DoH-provider, the whole world has to suffer? DNS has many shortcomings, but its decentrality is still one of its main assets. And DNSSEC is the correct method to secure that.

One of us is confused about how these two things work:

It’s my understanding that DoH is no more or less centralized than DNS: it’s just a spec for wrapping a DNS lookup as an HTTPS payload; there’s no change in the decentralized hierarchical arrangement of DNS servers.

As for 3rd party access; it’s of course true that whoever you make the DNS request to can see it; but anyone between the first and second parties can’t observe anything useful.

And DNSSEC, by design, provides authentication and integrity but not confidentiality.

The two are almost orthogonal to one another(some slight overlap in that some cases of tampering that DoH would block would also be made impossible by DNSSEC).

In summary: Dicks don’t like being called out for being dicks.

A messaging system based on distributed hash tables, that doesn’t use any DNS, now has the added advantage of seeing these people shit enough bricks to build Trump’s wall.

Caveat emptor: I have no working knowledge of either protocol, just a rough impression of what they do.

Of course the DoH resolver does regular DNS. But now all user requests are not solved by usually the local ISP, and therefore are spread over a lot of nodes, but are all funneled to a few hosts that are operated by browser vendors. As the ISP would see the access to the resolved address anyway, I think there is little security gained from diverting the initial DNS resolution away from that point. Plus splitting DNS resolution in HTTP and non-HTTP, or more precisely browser-based vs. everything else, will make debugging things unnecessary complicated.

DNSSEC does indeed not provide confidentiality, but as I said, as the resolved address can be seen by the access following the resolution, I think there is little gain in hiding this step. Being able to tell if the DNS data was modified is IMHO a far better protection.

And now for some speculation: I am no longer following any IETF mailing lists, and I wasn’t able to find any discussion about this, but the fact that DoH is developed in the Application Area of the IETF and not the Internet Area, as DNS related stuff is usually done, is an indicator for me, that the engineers with the deepest knowledge of DNS were not happy with that approach either.

OpenBSD and Unbound run a treat on PCEngines equipment. Installed themselves for me without asking twice. Configure DNS-over-TLS. Tell Unbound to cycle over a bunch of public DNS servers and direct all internal traffic to your shiny new DNS resolver box. YMMV but it works for me.

I’m not sure why DNS-over-TLS is not preferable to yet-another-Blah-over-HTTP(S) protocol, must everything map to port 80 or 432? Usually when Blah-over-HTTP(S) is promoted it’s something like “because corporate firewalls pass the traffic”… like SSH tunnels over port 432, which usually elicit little more than a pained “please don’t do that” from corporate security higher-ups, but I digress.

As long as the domain you are resolving is also using TLS, your connection (beyond the IP address, because the domain is requested inside the TLS tunnel) is safe from observation and tampering.

Sure, the data inside the stream is safe. But the fact that I access the (IP) address is visible, so hiding the resolution of that address in the preceding step bears little safety, IMHO. And DNSSEC is, again IMHO, the far better technique to prevent tampering with DNS itself.

I don’t want to drag this topic on forever, but I think this is the main misconception with DoH (from the linked article):

The UK ISPA’s objection is similar: The privacy afforded by DoH will make it easier for people to flout the law by avoiding filtering.

It allows to flout the UK law, but it makes users susceptible to the law of the country the DoH provider operates in. In this specific case, the UK law and especially the way it is enforced is of course totally braindead. But next time a US court takes an 18th century view on the constitution and how to apply it to the Internet, users outside the US may be cut off from sites that are acceptable to a modern society. DoH does not mean your DNS resolver is outside any jurisdiction, it only means it may be outside your own jurisdiction.

Well, I’m using Firefox, DuckDuckGo and Cloudflare’s 1.1.1.1, so as far as my country’s security people and government are concerned, I’m a naughty boy!
Like I give a shit.

As it applies to article, I have to side with Mozilla. Whether or not DNS traffic is encrypted should not be any of the governments business. That said, DoH does pose challenges for monitoring your own network. DNS tunnelling can become hard to detect, and malware is being found in the wild now, that uses DoH to hide its DNS traffic:

Internet imbeciles, aka British ISP lobbyists, backtrack on dubbing Mozilla a villain for DNS-over-HTTPS support

This topic was automatically closed after 5 days. New replies are no longer allowed.