[GTALUG] DNS-over-HTTPS - what's the use?
Jamon Camisso
jamon.camisso at utoronto.ca
Mon Dec 23 14:19:33 EST 2019
On 12/23/19 1:37 PM, Giles Orr via talk wrote:
>> Both things tend to be true of encryption technologies.
>>
>> I am not sure I would be running out to implement DoH any time soon
>> because it does not seem like a great value.
>
> I'm also not enthusiastic about taking DNS out of the hands of the
> operating system: not only does this break "do one thing and do it
> well" (although browsers did that long ago), it also means that if you
> have name resolution problems the solution becomes split on "is this
> in the browser or somewhere else?" It seems to me that this solution
> - if implemented at all, and it's sounding like a bad idea - should be
> done at the OS level, not the browser.
I've been using DoH since it showed up in Firefox Nightly. DoH can be
set to fallback to an OS resolver in the event that the browser's
resolvers are unavailable.
The value of DoH is in not letting ISPs or employers or parties x, y,
and z track, monetize, and deanonymize DNS requests.
For example: ISPs as resolvers can take DNS requests and sell that data
on to a data broker to target ads and no one is the wiser. Likewise
sharing with law enforcement or government. Our ISPs are total black
boxes when it comes to how they run, share, and monetize our DNS data.
Another example: employers can track browsing habits on networks using a
VPN, DHCP, or preconfigured resolver. The recent case of Kathryn Spiers
at Google is roughly analogous. She made a browser extension to notify
users about their rights, but I have no doubt that every Google
employee's DNS queries to union busting sites are logged and can be
correlated if someone higher up decides to embark on further union
busting programs.
Then there are the countries with questionable human rights records who
surveil their citizens, activists, journalists etc.
I think that DNS is one of those things that we all take for granted and
trust without realizing how easy it is to monitor, subvert/tamper,
monetize, and identify individuals with.
I'm personally all for making surveillance capitalism incrementally more
costly to the data brokers and ad networks out there. Moreover tools
like DoH that make privacy a default setting go at least some way to
encouraging the idea that privacy online should be a fundamental right
(which is admittedly a matter of personal belief, but I haven't come
across a compelling argument to the contrary).
Cheers, Jamon
More information about the talk
mailing list