On Thu, 2019-11-07 at 07:47 -0700, stan via devel wrote: > On Thu, 7 Nov 2019 12:20:50 +0100 > David Sommerseth <dazo@xxxxxxxxxxxx> wrote: > > > Please just watch the talk by Paul Vixie (who is one of the really > > big DNS gurus these days, even ISC BIND maintainer for quite some > > years). And you will see that DoH is pointless when you have DoT. > > But DoT can also go much further than DoH will, when you consider > > the > > bigger part of the DNS query chain. > > Thank you for pointing to that talk. I found it very informative, as > a > mostly ignorant user of DNS. I run knot-resolver as a local caching > DNS > server, pulling from, ironically, 1.1.1.1 via the router, and > bypassing > my ISP's DNS servers. Really opened my eyes. > The talk is right on many points, but I think it dismisses the most essential point DoH does right: DNS is a decision of the device owner. When you are the real owner of the device, you can configure the device to use whatever DoH server you want. This includes company DoH servers. We have to stop to make security products that rely on the same mechanisms as an attacker would use. For corporate environments use Puppet, Ansible, GPOs, MDM, whatever your company device management you have to use at scale anyway, to configure your preferred DoH server, which then can apply all the measures he is talking about to protect things. For private setups: Take the 10 minutes it takes to configure devices properly instead of relying on easy to break network attacker-based solutions. And when you give a device to your kids, then it will probably just take them one internet search to learn how to use the /etc/hosts file in order to access evilpage.com. I agree that DoH and DoT doesn't bring so much more privacy, but it provides integrity to DNS that unencrypted DNS even with DNSSec is lagging as an attack can always opt to not answer for a specific domain name. And whenever or not applications of the system should implement it, is probably decided by how fast the system side will decide to deploy encrypted DNS effectively. -- Signed Sheogorath OpenPGP: https://shivering-isles.com/openpgp/0xFCB98C2A3EC6F601.txt
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
