[GTALUG] DNS-over-HTTPS - what's the use?

Mauro Souza thoriumbr at gmail.com
Mon Dec 23 14:19:56 EST 2019


From a technical standpoint, I fully agree with Giles: let the browser
render pages, and let the OS do the resolution. This pattern of letting the browser
do more and more OS tasks is awkward. It has a couple of issues: as it is a new
protocol, not everyone agrees on how things are done, Firefox forces it
instead of letting the OS decide, things like that. As it is now, it's a
mess.

On the other hand, I see governments fuming over DNS-over-HTTPS (DoH), and
that alone makes me wonder why. The old "terrorists and pedophiles" label
attached to it implies the government is losing access to something they
want to have. As DoH uses the same port as HTTPS (443), it's more difficult
to identify a DNS request among all HTTPS traffic, and that does not happen
with DNS-over-TLS (DoT).

For people in the "Free World," there's nothing much to fear by letting the
ISP know the domains you browse, except more spam and directed ads. For
people on the Chinese/Russian/Muslim bloc, a "restricted domain" can lead
to trouble. With DoH in place, and Cloudflare proxy for the "restricted
domain", anyone can access anything, and the ISP/government only knows you
are accessing one of the myriad of domains protected by Cloudflare. Or
Akamai.

I would install a dns-proxy that receives plain old DNS queries and
forwards them to a trusted DoH/DoT server somewhere else. So the OS would
do the resolution, not my programs.

Mauro
http://mauro.limeiratem.com - registered Linux User: 294521
Scripture is both history, and a love letter from God.


On Mon, 23 Dec 2019 at 15:37, Giles Orr via talk <talk at gtalug.org>
wrote:

> On Mon, 23 Dec 2019 at 10:58, Alvin Starr via talk <talk at gtalug.org>
> wrote:
> > On 12/23/19 10:24 AM, James Knott via talk wrote:
> > > On 2019-12-23 10:19 AM, Alvin Starr via talk wrote:
> > >> This will also make it harder for people who are on your wifi link to
> > >> snoop on what you're trying to connect to.
> > >> Still any security enhancement is a security enhancement and makes it
> > >> harder for others to steal your information, and generally that is a
> > >> good thing.
> > >
> > > Some people have other ideas:
> > >
> https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
> > >
> >
> > It's an interesting set of issues.
> >
> > From a quick browse through the URL, the complaints seem to break into 2
> > categories.
> > - it makes tracking harder
> > - if not properly implemented it provides no extra security.
> >
> > Both things tend to be true of encryption technologies.
> >
> > I am not sure I would be running out to implement DoH any time soon
> > because it does not seem like a great value.
>
> I'm also not enthusiastic about taking DNS out of the hands of the
> operating system: not only does this break "do one thing and do it
> well" (although browsers did that long ago), it also means that if you
> have name resolution problems the solution becomes split on "is this
> in the browser or somewhere else?"  It seems to me that this solution
> - if implemented at all, and it's sounding like a bad idea - should be
> done at the OS level, not the browser.
>
> I'm going to pass on this little development and see how it plays out ...
>
> Thanks everyone.
>
> --
> Giles
> https://www.gilesorr.com/
> gilesorr at gmail.com
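The local "dns-proxy" Mauro describes (plain UDP DNS in, DoH out, so the OS keeps doing name resolution) is small enough to show in full. The following is an added example written for this thread, not code from any poster or from Firefox; it assumes an RFC 8484 upstream at https://cloudflare-dns.com/dns-query, listens on 127.0.0.1:5353 (both assumptions), and includes a constructed in-memory upstream so the forwarding and answer parsing can be exercised with no network at all.

```python
"""Plain-DNS-to-DoH forwarding proxy (RFC 8484 wire format), added example."""
import base64
import socketserver
import struct
import sys
import urllib.request

# Assumed upstream: any resolver that speaks RFC 8484 (application/dns-message).
DOH_URL = "https://cloudflare-dns.com/dns-query"
LISTEN = ("127.0.0.1", 5353)  # assumed local listener; point /etc/resolv.conf at it


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format (RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(base: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url message, padding stripped, in ?dns=."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def doh_post(query: bytes, url: str = DOH_URL, timeout: float = 5.0) -> bytes:
    """RFC 8484 POST form: raw DNS message in, raw DNS message out over HTTPS."""
    req = urllib.request.Request(
        url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def forward(query: bytes, upstream=doh_post) -> bytes:
    """Forward one query and require the reply's transaction ID to match.
    A reply with the wrong ID is refused instead of relayed to the client."""
    if len(query) < 12:
        raise ValueError("short DNS message")
    reply = upstream(query)
    if len(reply) < 12 or reply[:2] != query[:2]:
        raise ValueError("upstream reply transaction ID does not match query")
    return reply


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + length


def answer_addresses(reply: bytes) -> list:
    """Extract IPv4 strings from the A records of a NOERROR response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if not flags & 0x8000 or flags & 0x000F:  # not a response, or RCODE != 0
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(reply, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(reply, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        rdata = reply[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def fake_upstream(query: bytes) -> bytes:
    """Constructed offline stand-in for a DoH server: echoes the question and
    answers with one A record (93.184.216.34, TTL 300) using a name pointer."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + query[12:] + answer


class DnsHandler(socketserver.BaseRequestHandler):
    """One UDP datagram in, one forwarded reply out; bad replies are dropped."""
    def handle(self):
        data, sock = self.request
        try:
            sock.sendto(forward(data), self.client_address)
        except (ValueError, OSError) as exc:
            print(f"dropped query from {self.client_address}: {exc}", file=sys.stderr)


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET form:", doh_get_url(DOH_URL, q))
    print("offline demo answer:", answer_addresses(forward(q, fake_upstream)))
    if "--serve" in sys.argv:  # real proxy: dig @127.0.0.1 -p 5353 example.com
        with socketserver.UDPServer(LISTEN, DnsHandler) as srv:
            srv.serve_forever()
```

Run it plainly to see the offline round trip, or with `--serve` to get the actual forwarder; the transaction ID check in `forward` is the one guard a relay like this must not skip, since a mismatched reply handed back to the stub resolver is exactly how a spoofed answer would get in.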