Re: Encrypted DNS in Fedora

On Thu, 2019-11-07 at 07:47 -0700, stan via devel wrote:
> On Thu, 7 Nov 2019 12:20:50 +0100
> David Sommerseth <dazo@xxxxxxxxxxxx> wrote:
>
> > Please just watch the talk by Paul Vixie (who is one of the really
> > big DNS gurus these days, even ISC BIND maintainer for quite some
> > years).  And you will see that DoH is pointless when you have DoT.
> > But DoT can also go much further than DoH will, when you consider
> > the bigger part of the DNS query chain.
>
> Thank you for pointing to that talk.  I found it very informative, as
> a mostly ignorant user of DNS.  I run knot-resolver as a local caching
> DNS server, pulling from, ironically, 1.1.1.1 via the router, and
> bypassing my ISP's DNS servers.  Really opened my eyes.
>

The talk is right on many points, but I think it dismisses the most
essential point DoH does right: DNS is a decision of the device owner.

When you are the real owner of the device, you can configure the device
to use whatever DoH server you want. This includes company DoH servers.

We have to stop making security products that rely on the same
mechanisms as an attacker would use.

For corporate environments use Puppet, Ansible, GPOs, MDM, whatever
company device management you have to use at scale anyway, to
configure your preferred DoH server, which then can apply all the
measures he is talking about to protect things.

For private setups: Take the 10 minutes it takes to configure devices
properly instead of relying on easy-to-break, network-attacker-based
solutions.

And when you give a device to your kids, then it will probably just
take them one internet search to learn how to use the /etc/hosts file
in order to access evilpage.com.

I agree that DoH and DoT don't bring so much more privacy, but they
provide integrity to DNS that unencrypted DNS, even with DNSSEC, is
lacking, as an attacker can always opt to not answer for a specific
domain name.

And whether or not applications of the system should implement it is
probably decided by how fast the system side will decide to deploy
encrypted DNS effectively.

-- 
Signed
Sheogorath

OpenPGP: https://shivering-isles.com/openpgp/0xFCB98C2A3EC6F601.txt

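As an added example that is not part of this thread: the "configure your preferred resolver through your device management" approach above, rendered as a small POSIX shell helper that a Puppet/Ansible task could ship. It assumes a host running systemd-resolved (the Fedora default since Fedora 33), which speaks DNS-over-TLS rather than DoH, and it pins the upstream as "ip#hostname" so the hostname part is used for TLS certificate validation. The resolver address, hostname and the drop-in file name are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate a systemd-resolved drop-in
# that forces DNS-over-TLS to a single, owner-chosen upstream resolver.
# Assumptions: systemd-resolved is the stub resolver on the host; the
# "ip#hostname" syntax and the DNSOverTLS= / DNSSEC= keys are resolved's own.
set -u

# Accept only "ip#hostname"; without the hostname resolved cannot validate
# the resolver's certificate, which defeats the point of "strict" mode.
validate_dot_server() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f.:]+#[A-Za-z0-9.-]+$'
}

# $1 = "ip#hostname" DoT upstream, $2 = strict | opportunistic
# strict  -> DNSOverTLS=yes: fail closed if TLS or the certificate is bad
# opportunistic -> DNSOverTLS=opportunistic: fall back to plain DNS
render_resolved_dropin() {
    validate_dot_server "$1" || {
        echo "bad DoT server spec (want ip#hostname): $1" >&2
        return 1
    }
    case "$2" in
        strict)        mode=yes ;;
        opportunistic) mode=opportunistic ;;
        *) echo "mode must be strict or opportunistic" >&2; return 1 ;;
    esac
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=%s\nDNSSEC=allow-downgrade\n' "$1" "$mode"
}

# $1 = target directory (normally /etc/systemd/resolved.conf.d),
# $2 = server spec, $3 = mode. File name "90-dot.conf" is a constructed choice.
install_resolved_dropin() {
    mkdir -p "$1"
    render_resolved_dropin "$2" "$3" > "$1/90-dot.conf" || return 1
    chmod 0644 "$1/90-dot.conf"
}

# Usage (constructed resolver address; run as root on a real host, then
# restart systemd-resolved and check `resolvectl status` for DNSOverTLS):
#   install_resolved_dropin /etc/systemd/resolved.conf.d \
#       '192.0.2.53#dns.example.test' strict
```

Pushing this through the configuration-management tool of your choice is what ties the resolver to the device owner rather than to whatever network the device happens to be on: the upstream is chosen by policy, and in strict mode a network that blocks or impersonates the resolver produces a visible failure instead of a silent downgrade.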

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
