This DNS over HTTP thing

Jeroen Massar jeroen at massar.ch
Tue Oct 1 10:11:32 UTC 2019


TDLR:
 - Using DoT or DoH as a protocol is fine, though the recursor still controls/views the DNS queries
 - Using a centralized/forced-upon DNS service (be that over DoT/DoH or even plain old Do53 is does not improve security or privacy...
   Getting that forced fed by the monopolies controlling the browser.... bad for the Internet.
 - Use a VPN if you do not trust your network provider.
 - Use Tor if you really want 'privacy'.


On 2019-10-01 11:57, Stephane Bortzmeyer wrote:
> On Tue, Oct 01, 2019 at 10:35:31AM +0200,
>  Jeroen Massar <jeroen at massar.ch> wrote 
>  a message of 29 lines which said:
> 
>> Correct: for the DoH protocol it is not that goal, there it solely
>> is "encryption". But DoT already solves that.
> 
> DoT is fine, (and my own public resolver activates it) but, as you
> know, it is too easy to block, either explicitely, or as a by-product
> of a "only port 443" policy.

Sounds like you don't trust the network you get access from (and possibly pay).

Use a VPN to get out of there. Though then you also move your trust point of course, but at least you do it for everything.

Just doing this for your webbrowser is not solving your problem (till encrypted SNI is a thing *everywhere*), there are other services on the Internet than this "HTTP" thing...

You might also want to look into this amazing thing called Tor if you really want privacy.

> Also, most of the complaints (for instance by the lobby who wrote to
> the US congress) about DoH apply also to DoT (for instance, like DoH,
> it prevents the ISP to modify or even to see the DNS requests and
> responses, so the lobbies who don't like DoH won't like DoT either).

You just moved your problem to the entity that now runs your DNS recursor.

Before "encryption" the network and the recursor could view/change your requests.
Likely these where both your ISP.

Encrypting to the recursor will still allow that recursor to see and modify answers.

Btw enabling DNSSEC only allows you to verify that there was a lie (or no answer).


Most users currently use their network provided DNS server. As such, they are likely using the one from the ISP...


The question is: who do you trust, in this question: the one that offers the recursive service.

If you do not trust your local network, VPN/Tor out of there.

If you trust your local network (as you pay them, just trust them, or live in a country with strong privacy enforcement and data collection policies), then just use them.


Browsers forcing upon a user per default a DNS provider does not address any of these things.


>> For the implementation though of DoH (what most people have a
>> problem with), the sole goal is centralization
> 
> This is your personal opinion, not a fact. (Speaking as someone who
> deployed a DoH resolver.)

You are mixing things.


A) Anybody can deploy DoT or DoH for their recursors (I have too).

B) Browser vendors are doing this "DoH" thing to centralize DNS to their recursors.


Noting that many ISPs are deploying both DoT and DoH next to Do53.

And Mozilla claims that suddenly that is a good thing as 'it is encrypted', while it does not change the adversary: recursor still run by an ISP, that apparently one does not trust...


>> and moving the information collection from the ISP to single
>> entities that are already collection so much data,
> 
> That's why we need more DoH resolvers. Install one!

Installed a whole bunch of them....

But not using them myself. DoT is the technically better version.


>> The point is that the claimed goal (for the deployment) is that it
>> gives users 'privacy', but in the end that 'privacy' just moves from
>> the ISP that the user pays to an unrelated company that wants to see
>> it all...
> 
> Security is often moving stuff to a different trusted party (think of
> VPNs, for instance).

See above.


Moving only your DNS to Cloudflare or Google does not solve the security stance, even though that is what people are marketing this whole DoH move for....


Greets,
 Jeroen




More information about the NANOG mailing list