He wants everyone to use DNS-over-TLS (RFCs 7858, 8310) instead of DNS-over-HTTPS (RFC 8484), which he considers a "political project", so that he and others can spy more easily on network traffic:
Paul Vixie is anti-RFC 8484 and is thus morally corrupt
DNS-over-HTTPS-with-SNI probably lets people spy on you just the same.
what's wrong with DNS-over-TLS?
It uses a designated port that is easily blockable. DNS-over-HTTPS uses the port 443 like HTTPS.
... that's it?
so for evasion purposes you can trivially change the port and use a DNS server that serves DNS-over-TLS on port 443.
if there's nothing wrong with the security of the traffic that's sent with the port, then it's fine. probably better than DNS-over-HTTPS.
it's a decade too late to think government firewalls are all about ports and that if you hide in the web traffic they can't do anything about you.
its not in your post but did he tell why he wanted tls instead
If it is mixed with other HTTPS traffic, then they have to snoop in on all HTTPS traffic.
and:
eh, but malware can get its DNS from any kind of ad-hoc process that it likes. DNS over pastebin.
I simply route everything through Tor, which should be encrypting my connections anyway. Don't see any reason hacking around things when outside observes shouldn't even have an idea about what IP address you are really connecting to.
Kill yourself OP
...
this is something that would affect everyone tho. anything that makes censoring easier than its now is bad
does DNS-over-TLS require purchasing a domain name and an HTTPS certificate from the extremely kosher Certificate and Domain name jews?
wait until pozjew and chromejew block any DNS that doesn't have a kosher domain name, ie your own DNS resolver, or a resolver that doesn't go along with the jewish censorship of a particular set of domain names, or DNS servers that service non-standard tld's, like opennic
anything new that comes out is almost 100% certainly more kosher than the previous thing it is replacing.
everything new is bad
everything old is less bad
DNS-over-TLS and DNS-over-HTTPS are distinct so please clarify your question.
I hate his fucking face. Is it possible to hate someone just after glancing at their photo only once? It apparently is!
his face doesn't bother me, and he looks alright: en.wikipedia.org
but he's got a twatter so ofc.
Spy agencies have probably found a security hole in https. I've suspected this since the letsencrypt movement was flooded by monetary "contributors".
how would pushing LE help them if that's the case? was there an alternative that LE made less compelling?
DNS over HTTPS is bloated as shit compared to DNS over TLS.
Who has access to all the CA root certificates?
...
that's correct. so what? DNS-over-HTTPS doesn't mean that if you want the IP of "8ch.net" that you connect to 8ch.net on port 443. How would you know 8ch.net's IP to do that?
A DNS server will still be involved.
no, i mean the dns resolver itself.
instead of dns:8.8.8.8 or whatever, are we now going to have
dns: kikeddns.com
but then how is it going to resolve kikeddns.com, when to resolve dns it must first know what it's dns server ip address is, it needs to know kikeddns.com is, but it's the dns server.
this question is because "dns over https" implies an "https certificate" which requires a domain name.
even if the above issue of a dns server resolving itself is ignored, it means that to shut down a non-kosher dns server it could easily be done by revoking the domain name required to run it, and therefore no https certificate would be recognized because they must be tied to a domain name, not an ip address.
there is an additional issue here of browsers hardcoding this bullshit into the browser, requiring users to use a specific set of dns servers, ones with valid https certificates, and forcing users to stop using their own local resolvers, ie tordns, or even just their router for performance reasons.
it's going to turn into yet another power grab; i like the idea of encrypted dns, but not with yet another third party right in the middle of it, the certificate issuers, and the domain registrar.
Sure if you want to leak that you're using HTTP-over-DNS. More realistically, you'd just have the IP of kikeddns.com. You connect to that IP and ask for kikeddns.com and the TLS works completely normally and you use it to resolve other hostnames.
with the
they'll probably just hardcode the shit into the browser.
there's no magical dependency of HTTPS on the normal public DNS system. You've probably gotten this idea from browsers and tools ignoring your hosts file or explicit IPs. That's a (((deliberate security feature))) of those tools.
What about DNSCrypt? I'm using it for a couple of years now. Is there any advantage of using DoH over DNSCrypt?
DNS-over-HTTPS:
- tools.ietf.org
DNS-over-TLS:
- tools.ietf.org
- tools.ietf.org
It gives people who aren't into crypto a false sense of security.
One should never consider a system 100% secure. But mozilla, google and other fags want EVERYTHING to go trough https. It could be a coincidence but I begin to see enough of this sort of scheme.
There's another variation too this for example to make people believe that an information is true and to make if believably true they are on purpose going to censor the subject of that information on a certain media.
Yes. DNS over HTTPS means it's impossible for your DNS requests to be MITM or taken.
So is DNS Over HTTPS. The main difference is that with DNScrypt metadata and timing-based attacks are technically possible, but not with DoH. On the other hand, DoH *could* centralize DNS more.
I think I read somewhere that DoH can be used to bypass DNS filters. Another thing to bear in mind is that DNScrypt is not a standard, so it could change at any moment.
Both are good options and can be used in tandem.
A DNS client is trivial to implement and is not in any way a hurdle preventing browser vendors from using their own resolvers. In reality, Chrome already has an internal DNS suite that it sometimes chooses to use. I'm thinking that DNS/HTTPS is being championed over its competition because it goes along with the "everything over HTTP" mentality that's been popular for the past half-decade or so.
You can use a hardcoded bootstrap service which is great if you want to do surveillance. You could also use an IP as an HTTP host rather than a domain. The following link goes to the website of a US intelligence agency, for example: 172.217.13.110
You don't need to resolve an IP address. Do you think the browser sends a DNS query to find out where 8.8.8.8 is, so it can send the actual DNS thing you want? Retard.
The problem DoH solves is that DNS requests leak a bunch of info. The DNS resolver simply re-sends your request to several other servers and the request(s) can be MITM'd or leaked. DoH can avoid that.
Looking at tools.ietf.org
could just put the ips of the domains i use in the hosts file and turn off dns completely.
As pants-on-head retarded as DNS over HTTPS is, this isn't really a problem. SSL/TLS certificates are issued and verified against a common name (the CN string) and sometimes using the subject alternate name (SAN) extension to provide multiple names in a single cert. There's nothing to inherently verify against in any cert. We all just basically decided to agree that the common name is where the domain goes.
It could, like all trusted root certs, simply be a self-signed cert that you must explicitly add to your trust store, or it could have the common name be the IP address of the server. There's a myriad of ways to do this.
Newfag here, is there a way to enforce specific rather than pre-defined DoT server through asuswrt-merlin? Thanks
Why DoT and not DoH?