top | item 25164415

unixsheikh | 5 years ago

> Why? Why not use a single protocol that's widely tested and trusted by security experts? I mean, we didn't come up with a brand new encryption strategy for FTP, we made FTPS.

> Why on earth would we want to use 5 different encryption protocols in the browser? That's just pointlessly adding attack surface. What's wrong with HTTPS that means it's a bad fit for encrypting a DNS query? A DNS query is essentially at its core an HTTP request to a remote server, and HTTPS is already very good at encrypting HTTP requests. There's no need to reinvent the wheel here.

This is where you're wrong. A DNS request is far from the same as an HTTP request!

You don't seem to understand how the technology really works in the underlying protocol.

HTTPS is designed to encrypt HTTP traffic; it was never designed to be stuffed with other kinds of traffic. When you stuff DNS into HTTPS you not only get a destination IP in clear text, something you cannot get if you use DoT, for example.

Furthermore, DoH also completely ruins analysis and monitoring of DNS traffic for security purposes. Already DoH has been used in a worm to mask connections to its command-and-control server.

If you want to solve the obvious problems with DNS, you don't keep making the same mistake over and over again by patching with the same half-baked solution.

DoH does not solve ANY of the issues it set out to solve! I have worked for a long time in the ISP industry; users get tracked by source IP and destination IP mainly, and figuring out what particular website they have visited, even when the hosting provider has multiple websites running on the same IP, is so easy just by looking at a hash of the payload that it is ridiculous.

DoH is "fake privacy". Period.

danShumway | 5 years ago

> HTTPS is designed to encrypt HTTP traffic, it was never designed to be stuffed by other kinds of traffic. When you stuff DNS into HTTPS you not only get a destination IP in clear text, something you cannot get if you use DoT e.g.

No, I don't see what you're getting at. DoH is an almost strict upgrade over DoT, specifically because DNS queries get mixed in with regular traffic so they can't be separated and analyzed on their own.

I stand by my point, the differences between DNS and HTTP are not large enough to justify the kind of separation you're advocating for. This is not such a fundamentally different technology that we need to use multiple separate systems to handle it, and people definitely shouldn't be advocating for DoT over DoH. The fact that DoT uses a dedicated port is a weakness, not a strength.

For you to argue that DoH is fake privacy, and then to advocate for DoT of all things as a superior alternative, makes me skeptical of the rest of your arguments. We don't want user DNS settings to be subject to the whims of network operators.

> Furthermore, DoH also completely ruins analysis and monitoring of DNS traffic for security purposes. Already DoH has been used in a worm to mask connections to its command-and-control server.

> DoH is "fake privacy". Period.

DoH can't be both fake privacy and masking worms/ruining traffic analysis at the same time. Either it works or it doesn't, pick a lane.

The fact that ISPs, governments, and network administrators are complaining about DoH is strong evidence that it is an improvement over the current system, because the whole point of DoH is to prevent 3rd-parties from doing traffic analysis and blocking on DNS queries without the user's permission for any reason at all.

ISPs would not be complaining about this if it didn't affect their tracking and blocking capabilities. Network admins would not be complaining about this if it didn't make their jobs harder. The fact that they are complaining about this means we're doing something right.
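Both posts above argue about what an on-path observer can see: the first that DoH still leaks a destination IP, the second that DoT's dedicated port makes it trivially separable while DoH blends into port 443. The following is an added example, not code from either commenter: it builds one DNS query in wire format, wraps it the way DoH (RFC 8484, GET form) and DoT (RFC 7858, TCP-style length prefix) put it on the wire, and then runs a small passive-observer classifier over constructed flow records. All addresses are RFC 5737 documentation ranges and the resolver IP/hostname lists are hypothetical placeholders.

```python
import base64
import struct
from dataclasses import dataclass
from typing import Optional


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query: 12-byte header + one question.
    txid 0 is what RFC 8484 recommends for DoH so identical queries are cacheable."""
    flags = 0x0100                       # RD (recursion desired) set, everything else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: the wire message is base64url-encoded with '=' padding removed.
    This string travels inside TLS on port 443 like any other HTTPS request."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def doh_get_decode(path: str) -> bytes:
    """Inverse of doh_get_path: restore padding and decode the wire message."""
    encoded = path.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def dot_frame(query: bytes) -> bytes:
    """RFC 7858 DoT reuses DNS-over-TCP framing: 2-byte big-endian length prefix,
    sent inside TLS on the dedicated port 853."""
    return struct.pack("!H", len(query)) + query


@dataclass
class Flow:
    """What a NetFlow/pcap observer sees for one TLS connection (constructed records)."""
    src: str
    dst: str
    dport: int
    sni: Optional[str]   # ClientHello SNI is cleartext unless ECH is in use


def classify_flow(flow: Flow, doh_ips: set, doh_names: set) -> str:
    """Passive classification. DoT is identified by port alone; DoH can only be
    inferred from destination IP or SNI, and both fail when the resolver shares
    an address/hostname with ordinary web content."""
    if flow.dport == 853:
        return "dns"                       # dedicated port: no inference needed
    if flow.dport != 443:
        return "other"
    if flow.sni and flow.sni in doh_names:
        return "likely-dns (via SNI)"
    if flow.dst in doh_ips:
        return "likely-dns (via dst IP)"
    return "https"                         # indistinguishable from web browsing


# Hypothetical blocklist an ISP or enterprise might maintain (assumption, not real data).
KNOWN_DOH_IPS = {"198.51.100.53"}
KNOWN_DOH_NAMES = {"doh.example.net"}

# Constructed flow records from one client at 192.0.2.10.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.53", 853, None),                 # DoT to the resolver
    Flow("192.0.2.10", "198.51.100.53", 443, "doh.example.net"),    # DoH, SNI visible
    Flow("192.0.2.10", "198.51.100.53", 443, None),                 # DoH behind ECH, IP only
    Flow("192.0.2.10", "203.0.113.80", 443, "www.example.org"),     # DoH served from a shared CDN IP
]


def classify_all(flows=SAMPLE_FLOWS) -> list:
    return [classify_flow(f, KNOWN_DOH_IPS, KNOWN_DOH_NAMES) for f in flows]


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print("DoH GET:", doh_get_path(q))
    print("DoT frame:", dot_frame(q).hex())
    for flow, verdict in zip(SAMPLE_FLOWS, classify_all()):
        print(f"{flow.dst}:{flow.dport} sni={flow.sni!r:20} -> {verdict}")
```

The last flow is the case both commenters are really arguing over: once a DoH endpoint sits on an IP and hostname shared with ordinary web properties, the observer is left with only "https", whereas the DoT flow is labelled "dns" from its port before any payload is examined.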