Post A2rmyAMsTsAIjV2BbU by leip4Ier@infosec.exchange
       Post #A2gm3YqwdX2PQVXzk0 by leip4Ier@infosec.exchange
       2020-12-29T09:23:06Z
       
       1 likes, 0 repeats
       
       i was so excited when #mikrotik announced #DoH support, but now i've used it for what, at least half a year? and it seems like either CPUs in low-end routers aren't powerful enough to handle tls, or routeros doesn't do it correctly. whichever it is, my router just hangs and fails to retrieve the records once in a while.
       
       Post #A2gmdElQnuxXXxypFY by leip4Ier@infosec.exchange
       2020-12-29T09:29:36Z
       
       1 likes, 0 repeats
       
       plus public DoH resolvers aren't as stable as regular dns ones. both nextdns and adguard that i used were sometimes down for like a noticeable time. so i guess i'll disable it. i recently learned that my isp logs all https connections, including the certificate domain, so it's largely pointless anyway.
       
       Post #A2gneRZCmymTUvOtmq by leip4Ier@infosec.exchange
       2020-12-29T09:40:58Z
       
       0 likes, 0 repeats
       
       what's weird about the mikrotik announcement, they introduced DoH and static dns entries at the same time. which i understood as: DoH works with tls, and tls (usually) requires a domain, and we don't wanna resolve that over regular dns. so now you can add a static A record for the DoH server you use. i set it up this way and it works. but all the articles about configuring it, including the one in mikrotik wiki, say you have to specify a fallback dns-over-udp server.
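
       A RouterOS configuration for the static-record approach described in the post above, added here as an illustration; it is not from the post or from MikroTik's wiki. The hostname doh.example.net, the address 192.0.2.53 and the file name ca.pem are placeholders for the resolver and CA bundle you actually use.

```routeros
# Added example, not from the thread: DoH on RouterOS without a plaintext
# bootstrap. doh.example.net / 192.0.2.53 / ca.pem are placeholders.

# 1. Upload the CA bundle for the resolver's certificate to the router, then
#    import it so verify-doh-cert=yes has something to validate against.
/certificate import file-name=ca.pem passphrase=""

# 2. Pin the DoH server's name to an address. With this entry the router never
#    has to resolve doh.example.net over plain UDP DNS.
/ip dns static add name=doh.example.net address=192.0.2.53

# 3. Send all queries to the DoH endpoint and require certificate validation.
/ip dns set use-doh-server=https://doh.example.net/dns-query verify-doh-cert=yes

# The wiki articles additionally set a plaintext fallback server. The setup in
# the post omits it, so it is left commented out here:
# /ip dns set servers=192.0.2.53
```

       Check the result with /ip dns print (use-doh-server and verify-doh-cert should show the values above) and /ip dns cache print after a lookup. Without the static entry the router has to ask a plaintext server for the resolver's own address, which is the case the fallback server covers.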
       
       Post #A2gnjTDM5ggi3VZr2u by leip4Ier@infosec.exchange
       2020-12-29T09:42:01Z
       
       0 likes, 0 repeats
       
       i couldn't figure out how to edit mikrotik wiki, seems like you can't
       
       Post #A2rgpY0ccCqNit8Cgq by lx@infosec.exchange
       2021-01-03T15:46:25Z
       
       0 likes, 0 repeats
       
       @leip4Ier Why is it pointless to use DoH if your ISP logs all HTTPS connections? The only thing they learn is when you request a domain name and potentially how many, but the content (i.e. the DNS query) should be encrypted, right?
       
       Post #A2rlNpmbRF0oVhB8j2 by leip4Ier@infosec.exchange
       2021-01-03T16:37:21Z
       
       0 likes, 0 repeats
       
       @lx they see the domain name in sni
       
       Post #A2rljOOjw3LVwrISeW by lx@infosec.exchange
       2021-01-03T16:41:18Z
       
       0 likes, 0 repeats
       
       @leip4Ier But isn't that the SNI of the resolver? From my understanding, the HTTP request inside the TLS session contains the domain to resolve: https://tools.ietf.org/html/rfc8484#section-4.1
       
       Post #A2rlvxpc1Ki3JmrQBs by leip4Ier@infosec.exchange
       2021-01-03T16:43:32Z
       
       0 likes, 0 repeats
       
       @lx oh, i meant that isp logs contain either sni or the ip address of each website i ever connected to. so whether or not they see my dns requests, they know which websites i browse.
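
       The two points made in the last few posts, what a DoH request hides (the RFC 8484 GET request lx links to) and what the TLS handshake around it still shows (the SNI leip4Ier refers to), as an added, self-contained example that is not part of the thread. Part 1 builds the RFC 8484 `dns=` parameter for a query; part 2 builds a minimal TLS ClientHello with a server_name extension and extracts the name from the raw bytes the way a passive observer on the path would, with no key material. The hostnames doh.example and www.example.org are constructed placeholders.

```python
"""Added example (not from the thread): what an RFC 8484 DoH request hides,
and what the surrounding TLS ClientHello still reveals to a passive observer.
Hostnames doh.example and www.example.org are constructed placeholders."""
import base64
import secrets
import struct
from typing import Optional


def build_dns_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035). RFC 8484 recommends ID 0 for GET
    requests so that identical queries produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(resolver: str, name: str) -> str:
    """RFC 8484 section 4.1: GET with an unpadded base64url ``dns`` parameter.
    The queried name travels inside the encrypted HTTP request, not on the wire."""
    token = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=")
    return f"https://{resolver}/dns-query?dns={token.decode('ascii')}"


def decode_dns_param(url: str) -> bytes:
    """Inverse of doh_get_url: recover the wire-format query from the URL."""
    token = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS record carrying a ClientHello whose only extension is
    server_name (RFC 6066). Everything here is sent before any key exchange."""
    host = sni.encode("ascii")
    server_name_list = struct.pack("!BH", 0, len(host)) + host      # type 0 = host_name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0, len(sni_ext_body)) + sni_ext_body  # ext type 0
    body = (
        b"\x03\x03"                            # client_version TLS 1.2
        + secrets.token_bytes(32)              # random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """What an on-path observer can read from a plaintext ClientHello record.
    Returns None for non-handshake records, non-ClientHello messages or no SNI."""
    if len(record) < 5 or record[0] != 0x16:          # not a Handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:                        # not a ClientHello
        return None
    pos = 4 + 2 + 32                                   # hs header, version, random
    pos += 1 + hs[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0] # cipher_suites
    pos += 1 + hs[pos]                                 # compression_methods
    if pos + 2 > len(hs):
        return None                                    # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == 0:                              # server_name extension
            entries = data[2:2 + struct.unpack("!H", data[:2])[0]]
            i = 0
            while i + 3 <= len(entries):
                name_type, name_len = struct.unpack("!BH", entries[i:i + 3])
                if name_type == 0:
                    return entries[i + 3:i + 3 + name_len].decode("ascii")
                i += 3 + name_len
    return None


if __name__ == "__main__":
    # Inside the tunnel: the ISP sees only TLS records, never this URL.
    print(doh_get_url("doh.example", "www.example.org"))
    # On the wire: the ClientHello to the resolver names the resolver...
    print(extract_sni(build_client_hello("doh.example")))
    # ...and the ClientHello to the site visited afterwards names the site.
    print(extract_sni(build_client_hello("www.example.org")))
```

       The parser walks only public structure (record header, handshake header, session ID, cipher suites, compression, extension list), which is exactly the point of the discussion: encrypting the resolution step changes nothing about the ClientHello that follows it. ECH, mentioned further down the thread, addresses this specific field; the IP address of the peer remains visible regardless.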
       
       Post #A2rmKdEdjaEagBKUym by lx@infosec.exchange
       2021-01-03T16:47:48Z
       
       0 likes, 0 repeats
       
       @leip4Ier Ah, I misunderstood you then 😄 Until we have ECH*, I guess the only mitigation for that is a VPN, however it technically only moves the problem and the involved trust to the VPN provider.
       
       *: https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypted_Client_Hello
       
       Post #A2rml6QPpThujuSZf6 by leip4Ier@infosec.exchange
       2021-01-03T16:52:36Z
       
       0 likes, 0 repeats
       
       @lx ech won't save us either, see https://dl.acm.org/doi/10.1145/3340301.3341133. tldr: you can learn what website the user is browsing from the ip addresses they're connecting to. even if it's a cdn, patterns are relatively unique, since resources are usually loaded from multiple other ip addresses.
       
       Post #A2rmt0HqXE0C1EDeKm by lx@infosec.exchange
       2021-01-03T16:54:18Z
       
       0 likes, 0 repeats
       
       @leip4Ier Hmm, that's true. So Tor it is? 😄
       
       Post #A2rmyAMsTsAIjV2BbU by leip4Ier@infosec.exchange
       2021-01-03T16:55:15Z
       
       0 likes, 0 repeats
       
       @lx seems so
       
       Post #A2rnTYi61jPvCpvbqi by lx@infosec.exchange
       2021-01-03T17:00:21Z
       
       0 likes, 0 repeats
       
       @leip4Ier Too bad the performance is usually sub-optimal. 🤔 But I guess you get to decide between privacy and comfort. #heywiretap
       
       Post #A2rnqxgVL5IpK5LKJk by leip4Ier@infosec.exchange
       2021-01-03T17:05:04Z
       
       0 likes, 0 repeats
       
       @lx i think that for most people, vpn in a country that doesn't share data with theirs too easily is a decent compromise
       
       Post #A2rnyXtB88hrdUt5KC by lx@infosec.exchange
       2021-01-03T17:06:32Z
       
       0 likes, 0 repeats
       
       @leip4Ier Yes, I agree. Thankfully, I live in such a country and my ISP is a bit of a privacy activist 😄
       
       Post #A2ro2C529mTV9iAkBE by leip4Ier@infosec.exchange
       2021-01-03T17:07:09Z
       
       0 likes, 0 repeats
       
       @lx whoa, lucky!