On 05/11/2019 22:00, Nicolas Mailhot via devel wrote:
> On Tuesday, 5 November 2019 at 19:45 +0100, Tomasz Torcz wrote:
>
> [....]
>
> The day DoH actually gets decentralized the nowheristan state and its
> ISPs will run DoH servers like everyone else and influence their
> results exactly like today, and the nowheristan population will use the
> result by default just like they use the state and ISP servers by
> default.

DoH won't even really work here. Yes, the DNS request is encrypted and you knock a hole through their firewall, and you can be fairly confident the response has not been modified (as long as the TLS connection is validated, etc., etc.). Except for the "knock a hole" aspect, DoT resolves exactly the same issues.

But what is even more important to realize is what happens *after* the DNS query has been returned. You connect to the IP address provided in the response. And if that server is encrypted but uses TLSv1.2 or older, the hostname you are connecting to is "leaked" via the TLS negotiation (the SNI hostname is not encrypted). The result is that you do not have any kind of privacy in regards to which services you connect to. A DPI-capable firewall will still be able to block this access.

Yes, TLSv1.3 with encrypted SNI will help to some degree, but the IP addresses you connect to will still provide metadata which can be used to profile you and give an indication of what kind of sites you visit.

So claiming DoH or DoT helps privacy is in the best case ignorant of privacy. In the worst case, it puts people needing privacy at risk.

If you want privacy, you need to connect to a VPN server you choose to trust. And that VPN provider needs to find ways to circumvent any firewall blocks as needed.

Now DoT, on the other hand, can have a purpose when used between DNS servers.

For more details about DoH challenges ... please have a look at this talk:
<https://www.youtube.com/watch?v=8SJorQ9Ufm8>

-- 
kind regards,

David Sommerseth
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
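The SNI leak described in the message above, shown as an added worked example (this is editor-supplied Python, not code from the email or from any Fedora project). It constructs a minimal TLS 1.2 ClientHello record with a server_name extension, then parses it the way a DPI firewall would: the record is the first packet of a TLS connection and the host_name sits in cleartext, so a middlebox can match it against a blocklist without any access to the DNS exchange. The `build_client_hello` helper, the constant random bytes, the hostnames and the blocklist are all constructed sample data, not a real capture.

```python
import struct

SNI_EXT_TYPE = 0x0000   # server_name extension (RFC 6066)
HOST_NAME = 0x00        # NameType host_name


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a capture).

    With hostname=None the record carries no extensions at all, which is how
    some legacy clients behave and is the one case a DPI box cannot read.
    """
    extensions = b""
    if hostname is not None:
        host = hostname.encode("ascii")
        sni_entry = bytes([HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        sni_ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
        # an unrelated extension (signature_algorithms with rsa_pkcs1_sha256),
        # placed first so the parser must skip over it to reach the SNI
        sig_ext = struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x01"
        extensions = sig_ext + sni_ext
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + b"\x11" * 32                            # random (fixed, constructed)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
        + b"\x01\x00"                             # compression: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the cleartext host_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                               # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                               # compression_methods
    if pos + 2 > len(body):
        return None                                    # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:                              # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != SNI_EXT_TYPE or len(edata) != elen or elen < 2:
            continue
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= min(list_end, len(edata)):      # ServerName entries
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            name = edata[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == HOST_NAME and len(name) == nlen:
                return name.decode("ascii", errors="replace")
    return None


def dpi_verdict(record, blocked_domains):
    """Decide what a hostname-blocking middlebox would do with this ClientHello.

    Returns (verdict, sni). Without an SNI the box has only the IP address to
    go on, which the message above notes is still usable metadata.
    """
    sni = extract_sni(record)
    if sni is None:
        return ("allow", None)
    for domain in blocked_domains:
        if sni == domain or sni.endswith("." + domain):
            return ("block", sni)
    return ("allow", sni)


if __name__ == "__main__":
    blocklist = {"example.org"}                       # constructed sample
    for host in ("news.example.org", "example.net", None):
        print(host, "->", dpi_verdict(build_client_hello(host), blocklist))
```

Nothing in the DNS path changes what this parser sees: whether the name was resolved via plain UDP/53, DoT or DoH, the same host_name bytes leave the client in the very first TLS record, which is the point the message makes about DPI blocking.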