On 6/8/2021 12:16 PM, Michael Richardson wrote:
I didn't think oblivious-DNS was particularly useful either, because it was basically just turning stub resolvers into mutated full resolvers, without actually teaching them to do DNSSEC. If they could do DNSSEC, then we could trust answers from any place, and then we could do some kind of p2p DNS queries to get better anonymization (and probably, more resiliency for DNS).
I used to believe a variation of that, that if users wanted to hide the IP address of the client sending DNS requests, they could just as well use a VPN and there would be no need for such "oblivious DNS" service. But it turned out that oblivious DNS was easier to deploy than VPN services, and also had some very nice privacy characteristics. I think that oblivious HTTP has the same potential, splitting the processing between an initial proxy that knows the client but does not know the requested URL, and an oblivious proxy that knows the requested URL but does not know the source IP address of the client.
-- Christian Huitema
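Added example, not part of this thread: a Python toy model of the two-hop split Christian describes, showing what the first proxy (relay) and the second proxy (gateway) each learn about one request. The SHA-256/HMAC sealing and the shared `GATEWAY_KEY` are stdlib stand-ins for the HPKE encapsulation real Oblivious HTTP uses; the relay name and client IP are constructed.

```python
import hashlib
import hmac
import os

# Toy stand-in for the gateway's HPKE key pair: in real OHTTP the client encapsulates
# to the gateway's public key; here client and gateway simply share this secret.
GATEWAY_KEY = os.urandom(32)
RELAY_ADDR = "relay.example"  # constructed relay hostname, not a real deployment

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (SHA-256 keystream + HMAC tag). Not HPKE; illustration only."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def client_encapsulate(client_ip: str, url: str) -> dict:
    # Message bound for the relay: the source address is visible on the wire,
    # the request itself is sealed so only the gateway can read it.
    return {"src_ip": client_ip, "body": seal(GATEWAY_KEY, url.encode())}

def relay_forward(msg: dict) -> tuple[dict, dict]:
    # The relay learns the client's IP but cannot read the body; it re-originates
    # the message so the gateway only ever sees the relay's address.
    relay_view = {"src_ip": msg["src_ip"], "url": None}
    return relay_view, {"src_ip": RELAY_ADDR, "body": msg["body"]}

def gateway_handle(msg: dict) -> dict:
    # The gateway decrypts the request, but its peer is the relay, not the client.
    url = unseal(GATEWAY_KEY, msg["body"]).decode()
    return {"src_ip": msg["src_ip"], "url": url}

def run(client_ip: str, url: str) -> tuple[dict, dict]:
    """Return (relay_view, gateway_view) for one request through both hops."""
    relay_view, forwarded = relay_forward(client_encapsulate(client_ip, url))
    return relay_view, gateway_handle(forwarded)

if __name__ == "__main__":
    print(run("203.0.113.7", "https://example.com/private?q=1"))
```

Neither view alone links the client address to the URL; only collusion between the two proxies (or a single operator running both) would recombine them, which is the trust assumption the split rests on.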