[HN Gopher] Working in the open: Enhancing privacy and security ...
___________________________________________________________________
Working in the open: Enhancing privacy and security in the DNS
Author : cpeterso
Score : 21 points
Date : 2021-06-11 18:03 UTC (1 days ago)
(HTM) web link (blog.mozilla.org)
(TXT) w3m dump (blog.mozilla.org)
| vorticalbox wrote:
| > current or prospective TRR partners will not be required to
| mandatorily publish DNS blocklists from here on out.
|
| This seems like a step backwards.
| ocdtrekkie wrote:
| But unsurprising, DoH is entirely about obscuring the behavior
| of large tech companies. Transparency is against the design
| goals.
| amarshall wrote:
| > We are aware of the downsides associated with blocklist
| publication in certain contexts
|
| What are they? Sadly doesn't seem to be mentioned here.
| bombcar wrote:
| Why not create a service that downloads a DNS cache of the -
| however many DNS names you can cache in a 10 or 100mb file and
| thereby allow a raspberry pi to reply to most dns queries?
| dna_polymerase wrote:
| Sending all DNS requests to Cloudflare isn't enhancing privacy
| and security. It's centralizing a decentral network.
| anjbe wrote:
| It can be both give and take. Just like a VPN, DoT/DoH is
| sensible if you trust your ISP less than your encrypted DNS
| operator.
|
| Someone will inevitably pop in and remark, "I trust my ISP with
| my DNS queries due to regulations in my country!" Good, I'm
| happy for you. But some of us are stuck with Comcast.
| ______- wrote:
| > Sending all DNS requests to Cloudflare
|
| I like to combine DoH with a VPN. The VPN doesn't see my DNS
| queries, and Cloudflare just sees a vague IP based in some
| vague colocation center. There is still plaintext SNI[0] to
| worry about though, which is being mitigated with something
| called ECH[1]. `Oblivious DoH`[2] is worth reading about too.
|
| [0] https://www.cloudflare.com/learning/ssl/what-is-sni/
|
| [1] https://blog.cloudflare.com/encrypted-client-hello/
|
| [2] https://blog.cloudflare.com/oblivious-dns/
| anjbe wrote:
| Cloudflare also provides DNS over a Tor hidden service:
| https://developers.cloudflare.com/1.1.1.1/fun-stuff/dns-
| over...
| devwastaken wrote:
| Every website you've ever visited or DNS query performed is
| logged by your ISP due to that "decentralized" behavior. It's
| not decentralized when there's very few companies involved and
| a very long history of happy dragnetting.
| taviso wrote:
| I don't really buy the "centralizing" argument, any
| organization can join the TRR program. The main difference is
| that you have to agree to a bunch of baseline privacy
| requirements to join.
|
| It turns out that not many organizations who operate a resolver
| are willing to agree to those requirements. Isn't calling that
| centralization like saying the health inspector is centralizing
| restaurants by shutting down dirty kitchens?
| sschueller wrote:
| A nightmare. Why do we have to make DNS worse? Who benefits?
| kazen44 wrote:
| large tech.
|
| Mind you, this entire arms race exists because every single
| bit of data is being used for data mining.
| commoner wrote:
| Cloudflare is not the only DNS over HTTPS provider. For
| instance, Mullvad provides both DNS over HTTPS and DNS over TLS
| free of charge, with optional ad blocking, even if you're not
| using their VPN service. They have instructions for configuring
| Firefox and Android with their DNS endpoints:
|
| https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/
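An added example (my code, not Mullvad's, Mozilla's or Cloudflare's) of what the DoH and DoT endpoints discussed in this thread actually carry: the ordinary DNS wire format, sent either as an unpadded base64url `?dns=` parameter (or an HTTP POST body) in DoH, or with a two-byte length prefix over TLS in DoT. The endpoint URL and the resolver response are constructed; the parser also shows the check a client needs against a hostile response (a compression-pointer loop).

```python
import base64
import ipaddress
import struct
from typing import List, Tuple


def encode_name(name: str) -> bytes:
    """Encode a host name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: ID 0 (RFC 8484 suggests this so HTTP caches see one body
    per question), RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(endpoint: str, name: str, qtype: int = 1) -> str:
    """DoH GET form: the query travels in ?dns= as base64url with padding removed.
    The POST form sends the same bytes as the body with Content-Type application/dns-message."""
    param = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={param}"


def decode_dns_param(param: str) -> bytes:
    """Server side of the GET form: restore the padding the client dropped, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def dot_frame(query: bytes) -> bytes:
    """DoT (RFC 7858) sends the same message over TLS on port 853 behind a 2-byte length."""
    return struct.pack("!H", len(query)) + query


def read_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just past it in the caller's stream).
    Pointer following is bounded so a looping pointer in a hostile response cannot hang us."""
    labels, end, jumps = [], None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            jumps += 1
            if jumps > 16 or pos + 2 > len(msg):
                raise ValueError("compression pointer loop or truncated pointer")
            if end is None:
                end = pos + 2                           # caller resumes after the pointer
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("idna"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_answers(msg: bytes) -> List[Tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata-as-text) for each record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):                            # skip the echoed question(s)
        _, pos = read_name(msg, pos)
        pos += 4                                        # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:                   # A
            text = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:               # AAAA
            text = str(ipaddress.IPv6Address(rdata))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


# Constructed sample response (what the resolver would return in the HTTP body), not a capture:
# ID 0, flags QR|RD|RA, the question echoed back, one A record for a documentation-range
# address (192.0.2.1) whose owner name is a compression pointer back to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(doh_get_url("https://dns.example/dns-query", "example.com"))  # endpoint is a placeholder
    print(parse_answers(SAMPLE_RESPONSE))
```

Because the body is the unchanged DNS wire format, a DoH or DoT resolver sees exactly what a plain UDP resolver would; what changes is only who on the path can read it, which is the trade-off the thread is arguing about.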
___________________________________________________________________
(page generated 2021-06-12 23:01 UTC)