I can’t think of a technology that has divided the infosec community quite like dns over https has. It’s almost as bad as vi/emacs before vi won.
@jerry the appropriate response is clearly to begin advocating for https over dns
@jerry Hah! I see what you did there.. But you know the only reason vi won was because all the emacs users have RSI now from all those "chords" they liked to type.
@jerry At the same time, I'm torn on DoH. On one hand it's nice to protect DNS traffic from snooping by your ISP, but on the other hand the acronym-inception is killing me! Oh, and the fact that my DNS proxies are going to need a complete re-think is bugging me too.
@JohnsNotHere it’s change and as an old person, I say change is bad!
There are only two camps: those who favor DoH and those who are wrong.
@jerry Really? I don't think the community is really divided, or I suffer from self-inflicted filter bubble. Basically everybody in my timeline is against it.
@berrot @jerry Cloudflare and Google unfair advantage as CDN is terrible for the Internet. Firefox downgrade mechanism is dumb AF. Using HTTPS instead of UDP is also dumb AF, performance-wise. Splitting view between OS and Apps will lead to terrible and painful troubleshooting sessions.
I don't see what's good about it, except doing stuff that were done better by other existing technologies (dnscrypt, for one).
@x_cli @jerry I do agree with most of what you are saying here, and sure, it moves the privacy issue away from the ISPs over to Cloudflare and Google (which is bad). Sure , there are other technologies that does the same, but non of them reached ciritical mass, but this might be the way to buypass privacy issues locally. I think I rather would let Google know what I'm doing than some f... gouvernment (I don't think I have an issue with that here in Norway,, but...)
The Cloudflare/Google main issue that most people are missing is that they will have a knowledge of the real client IP, while other CDN won't have that info.
With EDNS0, there was the subnet-client extension that was somewhat standard. Now, only Google and Cloudflare will have that knowledge, and this will most certainly kill their competition.
@berrot @jerry (to be clearer, having knowledge of the real client IP is useful because it enables a CDN to locate the datacenter closest to the client to serve the content efficiently. Without that knowledge, you can only guess where the client is, based on the recursive server IP address... which will be the IP of Cloudflare or Google resolvers... i.e. their competitors)
Cloudflare #OneOneOneOne does not honor EDNS client-subnet "for privacy reasons", and probably won't for DoH. This has nothing to do with unfair competition "of course".
@x_cli @berrot @jerry I am using DoH for over a year, and I am glad it is available. Just as I am able to select my search engine, I can select my DoH provider in Firefox. I can now browse with sufficient safety and privacy in public wifi without having to use a VPN.
Most folks who criticize DoH don't use it and don't understand how to use it.
@rudolf @berrot @jerry I have been paid to study DNS and its extensions for five years for a gov infosec agency, and I made numerous publications on my findings, which include a cache poisoning attack, a cross-implementation DoS vulnerability, and several studies of the DNS landscape, in France and worldwide. I don't need to use daily a protocol to evaluate its issues.
@rudolf @berrot @jerry Also, you are making use of the false dilemma fallacy by stating this is either VPN or DoH. There are several other ways to encrypt DNS traffic, including DNScrypt, DNS-over-TLS and even LDAPs in some weird settings.
Finally, encrypting DNS is hardly enough to ensure your security on a public wifi. Please use a VPN for that use case.
I never said 'either' VPN or DoH. I said I can be safe enough with DoH so I don't need a VPN. Using a VPN makes me a person of interest, DoH is much more discreet. If I were Snowden, I would decide otherwise.
Comparing the expertise someone needs to set up a DoH server/frontend with what one needs to enter a URL in a settings menu of their browser is grotesk.
The impact is very well studied here: https://samknows.com/blog/dns-over-https-performance
The performance hit of not supporting EDNS client-subnet is very clear and demonstrates the unfair competition I was talking about. Maybe Cloudflare is honest when they say that do not support client subnet for privacy reasons, but clearly they benefit from a "lucky" side-effect.
@berrot @jerry "We intentionally do not include the TLS setup time in the DoH results". That's because they assume that the cost is amortised across multiple requests. That's a fair assumption, but it misrepresents the case where the connection is shut down because the resolver could not maintain all client states in memory.
A Mastodon instance for info/cyber security-minded people.