[GTALUG] DNS-over-HTTPS - what's the use?
James Knott
james.knott at jknott.net
Mon Dec 23 10:12:04 EST 2019
On 2019-12-23 10:04 AM, Giles Orr via talk wrote:
> Firefox now makes available DNS-over-HTTPS. I'm a big fan of security
> and privacy, but I'm struggling to see the gains here: we stop some
> hypothetical observer from finding out what domain name we're querying
> ... and then immediately turn around and ask that domain for a web
> page. You hid the destination in your first query ... only to
> immediately expose it with your next query.
>
> I admit I'm thinking of our hypothetical adversary being at the ISP:
> they'll see both types of queries anyway. I suppose the argument can
> be made that an observer on the path to the DNS but not at the ISP has
> been stymied, but this seems ... lower value. Still, is that
> primarily what this will stop?
>
I also wonder about that. I can understand DNSSEC, to prevent DNS
hijacking, etc. Also, this means that TCP will be required, complete
with the full SYN/ACK process, whereas DNS normally uses UDP.
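As an added illustration of the two points raised above (what an on-path observer can read from a cleartext DNS query, and how DoH wraps that same query in an HTTPS request that needs a TCP connection), here is a small Python script that is not part of the thread. It builds a DNS query in wire format, parses the question name back out the way a passive observer of UDP/53 would, and wraps the same bytes as an RFC 8484 GET request. The resolver hostname "doh.example" and the queried names are constructed placeholders, and the statement that TLS only exposes the resolver's name (via SNI) is an assumption marked in the code:

```python
"""Added example (not from the GTALUG thread): the same DNS question as it
travels over plain UDP/53 and wrapped in a DNS-over-HTTPS (RFC 8484) GET.
Queried names and the resolver hostname "doh.example" are constructed."""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_dns_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Build a single-question DNS query (RD bit set). RFC 8484 recommends
    a zero transaction ID for DoH so identical queries are cacheable."""
    # header: id, flags, qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question_name(msg: bytes) -> str:
    """Recover the QNAME from the first question of a DNS message.
    This is what a passive observer of cleartext UDP/53 traffic can read."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not valid in a query question")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(resolver_host: str, msg: bytes) -> str:
    """Wrap the wire-format message as an RFC 8484 GET request:
    base64url without '=' padding, carried in the 'dns' query parameter."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}/dns-query?dns={encoded}"


def doh_decode_param(param: str) -> bytes:
    """Inverse of doh_get_url: restore the padding and decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def on_path_view(name: str, resolver_host: str) -> dict:
    """What an on-path observer learns from each transport. Assumption: the
    TLS session to the resolver exposes only the resolver's name (SNI), not
    the HTTP request inside it."""
    msg = build_dns_query(name)
    return {
        "udp53_sees_qname": parse_question_name(msg),
        "doh_sees_resolver": resolver_host,
        "doh_transport": "TCP (TLS handshake + HTTP), so SYN/ACK before the query",
        "doh_url_length": len(doh_get_url(resolver_host, msg)),
    }


if __name__ == "__main__":
    query = build_dns_query("www.example.com")
    url = doh_get_url("doh.example", query)
    print("plain DNS observer reads:", parse_question_name(query))
    print("DoH GET request:", url)
    print("round trip intact:", doh_decode_param(url.split("dns=", 1)[1]) == query)
    print(on_path_view("www.example.com", "doh.example"))
```

The point the script makes concrete: DoH does not change the DNS message at all, it only changes the envelope. An observer on UDP/53 reads the question name directly from the packet; an observer on the DoH path sees a TCP/TLS connection to the resolver and nothing of the question. Whether that is worth the extra handshake depends, as the thread notes, on whether the same observer can also see the connection that follows.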