Conversation
Notices
-
@cstrotm @dvl the point is that encrypted DNS is easily unraveled. Just watch for the next SYN from that source IP and now you know the destination they're going to and you can infer what the DNS query was.
Does not help with anyone's safety as a dictatorship will still identify your dissent. Only solution is a VPN and there's no value in doing this over a VPN.
-
@cstrotm @dvl this is another issue that was discussed. Combination of DoH and TLS 1.3 (encrypted SNI) means you can no longer do filtering of traffic on the edge at your company. Now what do you do? You have to whitelist IPs?
And then look at the UK where it's illegal for ISPs to permit access to sites that host child porn. C-level execs will go to prison if the filtering is not working.
Well, Firefox is (or will be?) shipping with DNS over HTTP enabled out of the box... this bypasses the ISP's DNS filters...
So now what do we do?
-
@cstrotm @dvl You want to do content filtering for your children: what network-wide options do you have now?
Ok, we can choose to allow censorship but we want to prevent MITM attacks on DNS records: DNSSEC is our only tool. But DNSSEC has almost no uptake and might be entirely dead if Resolverless DNS happens because they bypass it.
(Resolverless DNS has the webserver respond with a header including all DNS records of any external resources required to load the site so you don't have to waste the round trip doing DNS lookups.)
-
@cstrotm @dvl DNS filters are bypassed with a VPN though, and it protects you better than either of these solutions ever could. That's the point being made.
I'll send you a link to the video of Paul Vixie's talk when we have the editing completed. It will make more sense when all of the details are presented.
-
@cstrotm @dvl correct but the Resolverless DNS authors are not interested in supporting DNSSEC
-
@cstrotm @dvl one other point important to me for security:
How do you detect malware, backdoors, and exfiltration if you can't filter DNS and alert based on it? You can no longer rely on things like a list of C&C servers, for example, or get an alert if Dropbox (banned at your company) is being used.
-
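Added example, not part of the thread or of any participant's post: it puts the two points above together in code. The first is the "watch for the next SYN" observation earlier in the thread (an encrypted DoH query is followed almost immediately by a connection to the answer, so the destination can be inferred from the flow log alone); the second is the post just above about losing C&C-list and banned-service alerting once DNS is encrypted. The script below correlates each client's SYN to a known DoH resolver with the next SYN from that client to any other address, treats that address as the inferred answer, and runs ordinary blocklist and banned-service matching on it. The flow-log format, the resolver list, the time window, the blocklist and the service table are all assumptions constructed for the example; the addresses used are documentation ranges, not real infrastructure.

```python
"""Infer DNS lookups from the SYN that follows an encrypted (DoH) query,
then run ordinary blocklist alerting on the inferred destinations.

Added example: the log format, resolver list, window, blocklist and
service table are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed flow records: "<epoch-seconds> <src> <dst> <dport> <tcp-flags>"
# (a SYN to a DoH resolver on 443, then the SYN to whatever the answer was).
SAMPLE_FLOWS = """\
1000.000 10.0.0.5 1.1.1.1 443 S
1000.030 10.0.0.5 203.0.113.7 443 S
1000.250 10.0.0.9 9.9.9.9 443 S
1000.270 10.0.0.9 198.51.100.20 443 S
1003.000 10.0.0.5 1.1.1.1 443 S
1003.040 10.0.0.5 192.0.2.44 80 S
1010.000 10.0.0.9 192.0.2.99 22 S
"""

# Assumed: public DoH resolvers the edge already knows about.
DOH_RESOLVERS: Set[str] = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
# Assumed: how long after the DoH query the real connection is expected.
WINDOW_SECONDS = 2.0

# Constructed intelligence: a C&C blocklist and a table of banned-service IPs.
CNC_BLOCKLIST: Set[str] = {"203.0.113.7"}
BANNED_SERVICES: Dict[str, str] = {"198.51.100.20": "filesharing-service"}


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    syn: bool


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow-log format into time-ordered Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport), "S" in flags))
    return sorted(flows, key=lambda f: f.ts)


def infer_lookups(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (client, inferred_destination) pairs.

    A DoH query is taken to be a SYN to a known resolver on 443; the next SYN
    from the same client to a non-resolver address within WINDOW_SECONDS is
    treated as the answer the client received. Each query is matched at most
    once, and a SYN with no recent query behind it is ignored.
    """
    pending: Dict[str, float] = {}  # client -> time of its last unmatched DoH query
    inferred: List[Tuple[str, str]] = []
    for f in flows:
        if not f.syn:
            continue
        if f.dst in DOH_RESOLVERS and f.dport == 443:
            pending[f.src] = f.ts
            continue
        t0 = pending.get(f.src)
        if t0 is not None and f.ts - t0 <= WINDOW_SECONDS:
            inferred.append((f.src, f.dst))
            del pending[f.src]
    return inferred


def alerts_for(inferred: List[Tuple[str, str]]) -> List[str]:
    """The same alerting a DNS log would have driven, applied to inferred answers."""
    out = []
    for client, dst in inferred:
        if dst in CNC_BLOCKLIST:
            out.append(f"{client} contacted C&C {dst}")
        elif dst in BANNED_SERVICES:
            out.append(f"{client} used banned service {BANNED_SERVICES[dst]} ({dst})")
    return out


def analyze(text: str = SAMPLE_FLOWS) -> List[str]:
    return alerts_for(infer_lookups(parse_flows(text)))


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

On the constructed log this yields two alerts (the C&C contact and the banned-service use); the SSH connection at the end matches nothing because no DoH query preceded it within the window. The inference is a heuristic, not a decode: a cached answer produces no resolver SYN at all, a browser that opens several connections after one lookup will mis-attribute all but the first, and the resolver list has to be maintained by hand, so in practice this recovers a destination IP and nothing more, which is exactly the thread's point about what encrypted DNS does and does not hide.
-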
@cstrotm @dvl to clarify: you prefer individual privacy at the risk of making it harder for security folk to enforce security on their networks which might mean $tech_giant is hacked by a state actor and they get the info they need on the targets anyway
-
@cstrotm @dvl software can include their own DoH resolver... like Firefox is doing. Malware can include it too. How do you stop that?
Require every device only run signed software? Enforce that at kernel level? I don't even know where to start with that.
-
@cstrotm @sillystring @dvl thank you for sharing
-
@cstrotm @hannesm how is DNS privacy an issue when the IP of the destination is never private? It doesn't make sense