<div dir="ltr"><div>On the technical standpoint, I fully agree with Giles: let the browser render pages, and OS do the resolution. This pattern of letting the browser do more and more OS tasks is awkward. It have a couple issues, as is a new protocol, not everyone agrees how things were done, Firefox forces it instead of letting the OS decide, things like that. As it is now, it's a mess.<br></div><div><br></div><div>On the other hand, I see governments fuming over DNS-over-HTTPS (DoH), and that alone makes me wonder why. The old "terrorists and pedophiles" label attached to it implies the government is losing access to something they want to have. As DoH uses the same port as HTTPS (443), it's more difficult to identify a DNS request among all HTTPS traffic, and that does not happen with DNS-over-TLS(DoT).</div><div><br></div><div>For people in the "Free World," there's nothing much to fear by letting the ISP know the domains you browse, except more spam and directed ads. For people on the Chinese/Russian/Muslim block, a "restricted domain" can lead to trouble. With DoH in place, and Cloudflare proxy for the "restricted domain", anyone can access anything, and the ISP/government only knows you are accessing one of the myriad of domains protected by Cloudflare. Or Akamay.<br></div><div><br></div><div>I would install a dns-proxy that receives plain old DNS queries and forwards them to a trusted DoH/DoT server somewhere else. So the OS would do the resolution, not my programs.</div><div><br></div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Mauro<br><a href="http://mauro.limeiratem.com" target="_blank">http://mauro.limeiratem.com</a> - registered Linux User: 294521<br>Scripture is both history, and a love letter from God.</div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Em seg., 23 de dez. de 2019 às 15:37, Giles Orr via talk <<a href="mailto:talk@gtalug.org">talk@gtalug.org</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, 23 Dec 2019 at 10:58, Alvin Starr via talk <<a href="mailto:talk@gtalug.org" target="_blank">talk@gtalug.org</a>> wrote:<br>
> On 12/23/19 10:24 AM, James Knott via talk wrote:<br>
> > On 2019-12-23 10:19 AM, Alvin Starr via talk wrote:<br>
> >> This will also make it harder for people who are on your wifi link to<br>
> >> snoop on what your trying to connect to.<br>
> >> Still any security enhancement is a security enhancement and makes it<br>
> >> harder for others to steal your information, and generally that is a<br>
> >> good thing.<br>
> ><br>
> > Some people have other ideas:<br>
> > <a href="https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/" rel="noreferrer" target="_blank">https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/</a><br>
> ><br>
><br>
> Its an interesting set of issues.<br>
><br>
> From a quick browse through the URL the complains seem to break into 2<br>
> categories.<br>
> - it makes tracking harder<br>
> - if not properly implemented it provides no extra security.<br>
><br>
> Both things tend to be true of encryption technologies.<br>
><br>
> I am not sure I would be running out to implement DoH any time soon<br>
> because it does not seem like a great value.<br>
<br>
I'm also not enthusiastic about taking DNS out of the hands of the<br>
operating system: not only does this break "do one thing and do it<br>
well" (although browsers did that long ago), it also means that if you<br>
have name resolution problems the solution becomes split on "is this<br>
in the browser or somewhere else?" It seems to me that this solution<br>
- if implemented at all, and it's sounding like a bad idea - should be<br>
done at the OS level, not the browser.<br>
<br>
I'm going to pass on this little development and see how it plays out ...<br>
<br>
Thanks everyone.<br>
<br>
-- <br>
Giles<br>
<a href="https://www.gilesorr.com/" rel="noreferrer" target="_blank">https://www.gilesorr.com/</a><br>
<a href="mailto:gilesorr@gmail.com" target="_blank">gilesorr@gmail.com</a><br>
---<br>
Post to this mailing list <a href="mailto:talk@gtalug.org" target="_blank">talk@gtalug.org</a><br>
Unsubscribe from this mailing list <a href="https://gtalug.org/mailman/listinfo/talk" rel="noreferrer" target="_blank">https://gtalug.org/mailman/listinfo/talk</a><br>
</blockquote></div>