top | item 34821656

eftepede | 3 years ago

DNSSEC only makes you sure that the DNS response is 'correct' and 'legit', like 'no one has poisoned it during the transfer'. But the traffic is still unencrypted, so someone (like your ISP) can see what names you're trying to resolve and when. This can be a base for some profiling or even making opinions, like 'this guy goes to porn sites every evening' or 'this person likes to browse amazon, maybe they're addicted to online shopping'. Of course I exaggerate a lot here, but it's possible.

With DoH, or DNS-over-HTTPS, your DNS requests are traveling through the network encrypted. The first advantage is: a man in the middle can't see what domain names you're trying to resolve. The second: they don't even know if the traffic they see right now is actually resolving a domain, or just browsing a website.

So DoH is a lot more private than DNSSEC. But it's fair to say it's a lot slower than standard DNS traffic (although it's not the difference a human can actually notice in most cases).
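To make the "same message, different carrier" point concrete, here is an added Python example (not part of the comment above, and not from any DoH client project): it builds a plain DNS query in RFC 1035 wire format, shows that the queried name sits in it as readable labels, which is exactly what a passive observer of UDP/53 recovers, and then wraps that identical message the way an RFC 8484 DoH client does for an HTTPS GET (unpadded base64url in the `dns=` parameter, transaction ID 0 as the RFC recommends). The domain name and the resolver URL are constructed placeholders. Only the wrapping is shown; the HTTPS request itself is what hides the name from the network.

```python
"""Plain DNS wire format versus its DoH (RFC 8484) GET encoding.

Added example, not part of the original comment. `example.com` and
`https://resolver.example/dns-query` are constructed placeholders.
"""
import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a standard recursive query for `name` (QTYPE 1 = A record).

    The QNAME is stored as length-prefixed labels in clear text, so this is
    literally the byte string an on-path observer sees when the query goes
    out over classic UDP/53. RFC 8484 recommends txid 0 for DoH so that
    identical queries produce identical (cacheable) URLs.
    """
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    qname += b"\x00"  # root label terminates the name
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN
    return header + question


def visible_names(datagram: bytes) -> list[str]:
    """Parse every QNAME out of the question section of a raw DNS message.

    This is what a passive observer (an ISP, a coffee-shop router) can read
    off an unencrypted DNS datagram without any key material.
    """
    qdcount = struct.unpack("!H", datagram[4:6])[0]
    pos, names = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            ln = datagram[pos]
            pos += 1
            if ln == 0:
                break
            labels.append(datagram[pos:pos + ln].decode("ascii"))
            pos += ln
        names.append(".".join(labels))
        pos += 4  # skip QTYPE and QCLASS
    return names


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the raw DNS message, base64url-encoded without
    padding, carried in the `dns` query parameter. Everything after the
    scheme and host is inside TLS once the request is actually sent."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_doh_param(param: str) -> bytes:
    """Inverse of doh_get_url: restore the stripped padding and decode,
    which is what the resolver does before handing the message to its
    normal DNS engine."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    q = build_query("example.com")
    print("plain UDP payload exposes:", visible_names(q))
    url = doh_get_url("https://resolver.example/dns-query", q)
    print("DoH GET request line:", url)
    assert decode_doh_param(url.split("dns=")[1]) == q
```

Run as a script it prints the recovered name from the plaintext datagram and the DoH URL that carries the very same bytes; the resolver decodes the parameter and processes an ordinary DNS message, which is why DoH changes nothing about DNSSEC validation and only changes who on the path can read the question.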
