top | item 21705755

cremp | 6 years ago

> crusading against DoH favor a different centralized DNS standard, DoT

I think that there are 2 camps against DoH. 1. Default centralization to specific points, e.g. Firefox using Cloudflare first and foremost, nobody else. 2. DoH adding complexity. DoT was (practically) superseded by DoH anyway, if for nothing more than adoption.

> criticism against DoH that says it's wrong for browsers to co-opt DNS resolution at all, and that they should use the system's resolver. This is nonsense.

So... your argument is that I can't trust the OS to 'do the right thing' but I should trust the browser, because they know best? If you can't trust the OS, then how could I possibly trust a browser running on said untrusted OS?

Honestly asking how you came to that conclusion because the train of trust is broken on the OS level, so anything above is moot.

> DoH simply don't believe DNS lookups should be private

Problem with DoH is that it is private up to the endpoint. Nobody can listen in on the request, but nobody is preventing the endpoint from telling everyone else that 'Joe Smith visited YouTube at {timestamp}'. Once the endpoint has the request, they have your info and can just as easily sell that to telcos.

End-to-end encryption and privacy is only as good as the people on the other side. Can't trust Alice with your message, then don't send it.

> modernizes the DNS protocol

If by modernize you mean convolutes. If I have a resolver on my network serving qwer.localnet, the browser asks Cloudflare, gets NXDOMAIN, then my system resolver asks for it; that is far more latency and is far from the modern proper solution for speed and privacy. Cloudflare now knows that I have a local domain, qwer.localnet.
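The leak described in the comment above comes from lookup order, not from DoH itself: a name under a private suffix goes to the public resolver first and only falls back to the local resolver on NXDOMAIN. The following is an added example, not code from this thread or from any browser or resolver project; it simulates both orders with constructed stub resolvers (the zone data, the `localnet` suffix and the resolver labels are assumptions) so the leak is visible as "which resolver saw which name", and shows suffix-based routing as the alternative.

```python
"""Split-horizon resolver routing (added example, constructed data).

Contrasts two lookup orders:
  public_first  - ask the public (DoH) resolver, fall back to the local
                  resolver on NXDOMAIN; local names reach the public resolver.
  split_horizon - names under configured local suffixes go straight to the
                  local resolver and never reach the public one.
"""
from dataclasses import dataclass, field

NXDOMAIN = None  # stand-in for a "no such name" answer

# Constructed zones for the simulation (TEST-NET-1 / RFC 1918 addresses).
PUBLIC_ZONE = {"example.com": "192.0.2.10"}
LOCAL_ZONE = {"qwer.localnet": "10.0.0.5", "printer.localnet": "10.0.0.9"}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def under_suffix(name: str, suffix: str) -> bool:
    """True if name is suffix itself or a child of it on a label boundary.

    'notlocalnet' must not match 'localnet', so compare with a leading dot.
    """
    name, suffix = normalize(name), normalize(suffix)
    return name == suffix or name.endswith("." + suffix)


@dataclass
class StubResolver:
    """Answers from a fixed zone and records every name it was asked."""
    label: str
    zone: dict
    seen: list = field(default_factory=list)

    def query(self, name: str):
        name = normalize(name)
        self.seen.append(name)
        return self.zone.get(name, NXDOMAIN)


def resolve_public_first(name, public, local):
    """The order the comment complains about: public resolver, then local."""
    answer = public.query(name)
    if answer is NXDOMAIN:
        answer = local.query(name)
    return answer


def resolve_split_horizon(name, public, local, local_suffixes):
    """Route by suffix so local names never leave the network."""
    if any(under_suffix(name, s) for s in local_suffixes):
        return local.query(name)
    return public.query(name)


def run(strategy: str, names, local_suffixes=("localnet",)):
    """Resolve names with the given strategy on fresh stub resolvers.

    Returns (answers keyed by normalized name, set of names the public
    resolver saw). The second value is the privacy leak being measured.
    """
    public = StubResolver("public-doh", PUBLIC_ZONE)
    local = StubResolver("local", LOCAL_ZONE)
    answers = {}
    for n in names:
        if strategy == "public_first":
            answers[normalize(n)] = resolve_public_first(n, public, local)
        elif strategy == "split_horizon":
            answers[normalize(n)] = resolve_split_horizon(n, public, local, local_suffixes)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return answers, set(public.seen)


if __name__ == "__main__":
    names = ["qwer.localnet", "Printer.LocalNet.", "example.com"]
    for strategy in ("public_first", "split_horizon"):
        answers, leaked = run(strategy, names)
        print(f"{strategy}: answers={answers}")
        print(f"{strategy}: names the public resolver saw={sorted(leaked)}")
```

Both strategies return the same answers; the difference is only in what the public resolver learns. With `public_first` every local name appears in its query log, while with `split_horizon` only `example.com` does, which is the property the comment is asking for.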

tptacek | 6 years ago

With respect to your OS versus your browser, you're using "trust" in a different way than I am. Obviously, you have to "trust" your OS in a strict engineering sense; if the kernel is compromised, nothing the browser can do will meaningfully mitigate that. That's not what I'm talking about. I'm saying I "trust" my browser developer to care more about DNS security than I "trust" my OS vendor, just like I "trust" Chrome's X.509 handling more than I "trust" the certificate validation code that ships on the OS. It's not that I think the OS developers are malicious; quite the opposite. I just believe, with some evidence, that they're not incentivized to adopt modern security mechanisms for those features.

My operating system ships with IPsec VPN support. I'm not going to use it, even though I think highly of the poor souls tasked with maintaining it for Apple; I use WireGuard instead, because I trust Jason and, more importantly, Jason's incentives, more than I trust Apple. I certainly don't feel like I need permission from my OS (in the form of them formally adopting WireGuard) to do so.

With respect to endpoint security – I assume really what you mean is the security of the resolver server that you use, which can indeed monitor your DNS requests – yes! You do have to trust the DoH server with your requests. You should choose one that you do trust. But because your US ISP is already violating that trust flagrantly, you're almost better off with any off-network DoH server you can find. Really, if you're a stickler, you'll just run your own DoH server. You can't do worse than the status quo ante.

I don't care about the "convolution" argument.