So I’m not understanding how DNS over HTTPS helps anything. You still need to trust your local resolver to get to your trusted resolver, and you still need to trust everything your trusted resolver talks to. I also don’t see how this can work with BGP-based anycast resolution for CDNs. And what about corporate intranets, too?

It feels like the solution causes more problems which are all solved by throwing more “trusted” configuration at it. purports to explain DoH but really it does a good job of explaining the problem with port 53 DNS but then just does a gigantic handwave about DoH itself, and also “we’re happy to make cloudflare the default trusted resolver” like uhhhhhh.


@fluffy I think you skip the local resolver by using the IP address, and then the cert tells you if you got the right trusted resolver. nfi how it interacts with BGP tho

@aeonofdiscord yeah the Mozilla explainer just says Cloudflare will choose a resolver “close to you” but how do they do that? They imply geoIP which has its own set of fuckery

@fluffy gonna guess it's almost certainly geoIP yeah. I mean the choice of cloudflare in the first place sort of signals that they're gonna half-ass most of this imo

@fluffy I like the idea of, at the very least, an encrypted DNS that doesn't rely on your ISP, but I'm not super convinced DoH is really the best implementation of that

@aeonofdiscord at least it’s better than what the blockchain fetishists have been proposing

@aeonofdiscord I'd love to see a blockchain proposal that isn’t just “put it on the blockchain” without any technical details about how resolution, authority establishment, dynamic updates, etc. work, or how the blockchain itself continues to function, or how much raw computing power it takes

@fluffy "our product is exactly like bitcoin, except you can't buy drugs with it. we're seeking a small seed investment of eleven hundred gigadollars"

@aeonofdiscord The cert for verifying the resolver makes sense though, somehow my brain missed that aspect while overthinking it. So really the local resolver is fine, as long as it doesn’t just NXDOMAIN
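The bootstrap the last two replies settle on (reach the resolver by IP so the local resolver is not needed, and let the TLS certificate prove it is the intended one) as an added example, not code from anyone in this thread: it builds the RFC 8484 GET form of a DNS query and decodes a wire-format answer, including an NXDOMAIN. The resolver IP and the names are placeholders, the answers are constructed inline, and nothing is sent over the network.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035); ID 0 so DoH caches can match it."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(query: bytes, resolver_ip: str, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: base64url with padding stripped, addressed to the resolver's
    IP. The TLS handshake must still check the cert against the resolver's hostname
    (e.g. wrap_socket(..., server_hostname="doh.resolver.example"), a placeholder)."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_ip}{path}?dns={dns}"

def _skip_name(data: bytes, off: int) -> int:
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += n + 1

def parse_response(data: bytes) -> dict:
    """Decode rcode and A records from a wire-format DoH response body."""
    flags, qd, an = struct.unpack("!HHH", data[2:8])
    rcode = flags & 0x0F  # 3 == NXDOMAIN
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"rcode": rcode, "nxdomain": rcode == 3, "addresses": addrs}

def make_response(name: str, rcode: int, addrs: list) -> bytes:
    """Constructed sample answer (test data only): QR+RD+RA flags plus the given rcode."""
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, len(addrs), 0, 0)
    body = build_query(name)[12:]  # echo the question section
    for a in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return header + body
```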

@fluffy Pretty much, yes. Also there is no privacy once it hits the recursive server’s upstream wire.

@Kyreeth Yeah although when it gets upstream the source isn't (as) identifiable.

@fluffy Depends what’s cached and how many people are using the caching server, otherwise query generating recursion is possibly a bit more correlatable than you’d think.

@Kyreeth True. But the privacy concern that DoH supposedly handles is that of your ISP spying on you, not about the site's advertisers or whatever.

@fluffy my understanding has been that it's mostly about not trusting ISPs to misuse data leaked through DNS lookups. Ultimately you still have to trust a nameserver somewhere.

@SimonTesla sure, that part makes total sense and I am in favor of it. My questions were mostly about its implications on other important parts of DNS which none of the explainers cover.

@fluffy I suspect that most explainers are coming from the end-user privacy angle, with the aim of driving adoption, and an overly technical explainer would get in the way of that goal.

@fluffy agreed. Encrypting dns sounds like a great idea. DTLS exists and would probably do this well. DNS over TLS also makes sense, although the amount of back-and-forth has concerning performance implications.

DNS over HTTPS only makes sense to me to escape repressive networks? Like, what does http provide here?

@astraluma right and in the repression escape case you’re better served with a VPN anyway

@fluffy For example it breaks DNS-resolver based filtering, also DNS content sniffing. Also helps using far and slow DNS instead of local fast ones. Centralises a system designed to be decentralised. Pros and cons.

@grin yeah I’ve seen some handwavy explanations of how it doesn’t break pihole somehow but they didn’t seem to make any sense

Like yeah DNS has a privacy implication but it is in exchange for speed and being an amazing distributed global cache which works amazingly well

@grin I kind of feel like maybe CloudFlare isn’t being quite on the level when they say they’re doing this thing that makes everyone rely on them even more to help privacy and freedom

@fluffy I don't think CF risks anything, DNS is pretty low-resource stuff compared to most things out there.

@grin yeah but like think about all the stuff they can monetize by getting all that juicy data, even if it actually is anonymous and aggregate like they claim

Really dislike how they’re taking over basically all internet infrastructure that hasn’t already been claimed by amazon or google

@fluffy apart from useful tech stats (which I'm interested in too!) there is not much juicy data: usage of domains and subdomains, but without any protocol information or source of traffic. That's not very easy to monetize. I don't really fear CF playing evil here, I guess that's a large advertisement for their name, not much more.

@grin I guess that’s reasonable. But I do worry based on them also providing CDN for a lot of stuff, including very widely-used js libraries, and being able to tie that to lookups for domains using those libraries might be usable nefariously.

I mean that’s sure better than amazon and google and Facebook doing the same but also actively selling products and ads to everyone, but still.

@fluffy 1. I completely agree in not liking any service centralised, DNS or else;
2. while I agree with the CDN problem, it is really not related to the DNS, especially DoH. 😉

@grin how’s it not related though? DoH is literally using their CDN infrastructure as a DNS proxy.
