xrmagnum | 8 months ago

I find it problematic that this article recommends disabling DoH, which leaves users with unencrypted DNS — still centralized (e.g. to Google’s 8.8.8.8 or an ISP) and now vulnerable to man-in-the-middle attacks. Replacing one form of centralization with another while giving up encryption doesn’t improve privacy — it worsens it.

If the goal is to reduce centralization, a better approach would be to use encrypted DNS (DoH or DoT) with resolver rotation or randomization. That way, users retain privacy from local networks and ISPs without concentrating all DNS traffic in a single provider’s hands.

exiguus | 8 months ago

If you're looking to implement encrypted DNS with multiple servers or providers, consider using unbound, which supports TLS resolvers and can operate in recursive mode. Alternatively, you might opt for AdGuard DNSProxy or dnscrypt-proxy, both of which support DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt. You can run these tools on your local network or computer and configure your resolv.conf to point to them.
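An added example of the unbound setup described above (not exiguus's own configuration): a local forward-only resolver that listens on loopback and sends every query over DoT (port 853) to two separate providers, so no single upstream sees all traffic and nothing leaves the host in cleartext. The CA bundle path is a Debian/Ubuntu assumption, and the upstream addresses are well-known public DoT resolvers used as sample values, not endorsements.

```conf
# /etc/unbound/unbound.conf (added example, assumptions noted inline)
server:
    # Listen only on loopback; clients use "nameserver 127.0.0.1" in resolv.conf.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # CA bundle used to verify upstream TLS certificates (path assumed for Debian/Ubuntu).
    # Without this, the hostname after '#' below is not verified and MitM protection is lost.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Send as little of the query name to upstreams as possible.
    qname-minimisation: yes

    # Keep a local cache so repeated lookups never reach any provider.
    cache-min-ttl: 0
    cache-max-ttl: 86400

forward-zone:
    name: "."
    # Wrap all forwarded queries in TLS; never fall back to plaintext port 53.
    forward-tls-upstream: yes
    forward-first: no

    # Provider A (sample values): address@port#hostname-to-verify
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

    # Provider B (sample values)
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Unbound picks among the listed forwarders by measured round-trip time rather than uniformly at random, so this spreads queries across providers but is not strict per-query rotation; `unbound-checkconf` validates the file before restarting the service.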

tptacek | 8 months ago

It is problematic; it's a post from 2018 that did not age well at all.

josephcsible | 8 months ago

It wasn't correct even when it was originally posted.

WhyNotHugo | 8 months ago

Disabling DoH in your browser’s settings should make it fall back to your system’s resolver.

You’ll only be vulnerable to a MitM attack if your system’s resolver is insecure and also vulnerable to a MitM attack.

sammy2255 | 8 months ago

(which all are by default)

piskov | 8 months ago

DoT is explicitly mentioned as a better alternative

josephcsible | 8 months ago

DoT is strictly worse than DoH. It doesn't actually fix any of the author's issues with DoH, and it has the gigantic downside that it's trivial for hostile networks to block.