Paul Vixie is anti-RFC 8484 and is thus morally corrupt

Question

Paul Vixie is anti-RFC 8484 and is thus morally corrupt

Samuel Powell

He wants everyone to use DNS-over-TLS (RFCs 7858, 8310) instead of DNS-over-HTTPS (RFC 8484), which he considers a "political project", so that he and others can spy more easily on network traffic:

twitter.com/paulvixie/status/1053765281917661184

Attached: fR5Z1q4e.jpeg (512x512, 30.38K)

February 24, 2019 - 18:48

Other urls found in this thread:

en.wikipedia.org/wiki/Paul_Vixie
tools.ietf.org/html/rfc8484
tools.ietf.org/html/rfc7858
tools.ietf.org/html/rfc8310
172.217.13.110
tools.ietf.org/html/rfc8484#section-4.1.1
twitter.com/SFWRedditVideos

Cameron Anderson

DNS-over-HTTPS-with-SNI probably lets people spy on you just the same.
what's wrong with DNS-over-TLS?

February 24, 2019 - 19:02

Juan Bailey

It uses a designated port that is easily blockable. DNS-over-HTTPS uses the port 443 like HTTPS.

February 24, 2019 - 19:09

Noah Martinez

... that's it?
so for evasion purposes you can trivially change the port and use a DNS server that serves DNS-over-TLS on port 443.
if there's nothing wrong with the security of the traffic that's sent with the port, then it's fine. probably better than DNS-over-HTTPS.
it's a decade too late to think government firewalls are all about ports and that if you hide in the web traffic they can't do anything about you.

February 24, 2019 - 19:28

Joshua Jackson

its not in your post but did he tell why he wanted tls instead

February 24, 2019 - 19:34

Kayden Gray

If it is mixed with other HTTPS traffic, then they have to snoop in on all HTTPS traffic.

February 24, 2019 - 19:36

Angel Gomez

and:
eh, but malware can get its DNS from any kind of ad-hoc process that it likes. DNS over pastebin.

February 24, 2019 - 19:38

Oliver Anderson

I simply route everything through Tor, which should be encrypting my connections anyway. Don't see any reason hacking around things when outside observes shouldn't even have an idea about what IP address you are really connecting to.

February 24, 2019 - 19:52

Mason Kelly

Kill yourself OP

February 24, 2019 - 20:26

Robert Jackson

...

February 24, 2019 - 20:34

Luke Parker

this is something that would affect everyone tho. anything that makes censoring easier than its now is bad

February 24, 2019 - 23:02

Benjamin Fisher

does DNS-over-TLS require purchasing a domain name and an HTTPS certificate from the extremely kosher Certificate and Domain name jews?

wait until pozjew and chromejew block any DNS that doesn't have a kosher domain name, ie your own DNS resolver, or a resolver that doesn't go along with the jewish censorship of a particular set of domain names, or DNS servers that service non-standard tld's, like opennic

February 24, 2019 - 23:32

Grayson Howard

anything new that comes out is almost 100% certainly more kosher than the previous thing it is replacing.
everything new is bad
everything old is less bad

February 24, 2019 - 23:34

Logan Torres

DNS-over-TLS and DNS-over-HTTPS are distinct so please clarify your question.

February 24, 2019 - 23:48

Brayden King

I hate his fucking face. Is it possible to hate someone just after glancing at their photo only once? It apparently is!

February 24, 2019 - 23:49

Ian Cruz

his face doesn't bother me, and he looks alright: en.wikipedia.org/wiki/Paul_Vixie
but he's got a twatter so ofc.

February 25, 2019 - 00:26

Nathaniel Smith

Spy agencies have probably found a security hole in https. I've suspected this since the letsencrypt movement was flooded by monetary "contributors".

February 25, 2019 - 02:10

Dylan Harris

how would pushing LE help them if that's the case? was there an alternative that LE made less compelling?

February 25, 2019 - 02:12

Dylan Thompson

DNS over HTTPS is bloated as shit compared to DNS over TLS.

February 25, 2019 - 03:16

Ryan Nelson

Who has access to all the CA root certificates?

February 25, 2019 - 06:15

Joseph Williams

...

February 25, 2019 - 07:35

Jace Lee

that's correct. so what? DNS-over-HTTPS doesn't mean that if you want the IP of "8ch.net" that you connect to 8ch.net on port 443. How would you know 8ch.net's IP to do that?
A DNS server will still be involved.

February 25, 2019 - 08:20

Aiden Evans

no, i mean the dns resolver itself.

instead of dns:8.8.8.8 or whatever, are we now going to have
dns: kikeddns.com
but then how is it going to resolve kikeddns.com, when to resolve dns it must first know what it's dns server ip address is, it needs to know kikeddns.com is, but it's the dns server.

this question is because "dns over https" implies an "https certificate" which requires a domain name.

even if the above issue of a dns server resolving itself is ignored, it means that to shut down a non-kosher dns server it could easily be done by revoking the domain name required to run it, and therefore no https certificate would be recognized because they must be tied to a domain name, not an ip address.

February 25, 2019 - 09:16

Adrian Perry

there is an additional issue here of browsers hardcoding this bullshit into the browser, requiring users to use a specific set of dns servers, ones with valid https certificates, and forcing users to stop using their own local resolvers, ie tordns, or even just their router for performance reasons.

it's going to turn into yet another power grab; i like the idea of encrypted dns, but not with yet another third party right in the middle of it, the certificate issuers, and the domain registrar.

February 25, 2019 - 09:22

Jaxson Davis

Sure if you want to leak that you're using HTTP-over-DNS. More realistically, you'd just have the IP of kikeddns.com. You connect to that IP and ask for kikeddns.com and the TLS works completely normally and you use it to resolve other hostnames.

February 25, 2019 - 09:23

Levi Morales

with the
they'll probably just hardcode the shit into the browser.

February 25, 2019 - 09:25

Kevin Scott

there's no magical dependency of HTTPS on the normal public DNS system. You've probably gotten this idea from browsers and tools ignoring your hosts file or explicit IPs. That's a (((deliberate security feature))) of those tools.

February 25, 2019 - 09:29

Gavin Barnes

What about DNSCrypt? I'm using it for a couple of years now. Is there any advantage of using DoH over DNSCrypt?

February 25, 2019 - 11:12

Connor Young

DNS-over-HTTPS:
- tools.ietf.org/html/rfc8484

DNS-over-TLS:
- tools.ietf.org/html/rfc7858
- tools.ietf.org/html/rfc8310

February 25, 2019 - 12:01

Henry Cox

It gives people who aren't into crypto a false sense of security.
One should never consider a system 100% secure. But mozilla, google and other fags want EVERYTHING to go trough https. It could be a coincidence but I begin to see enough of this sort of scheme.
There's another variation too this for example to make people believe that an information is true and to make if believably true they are on purpose going to censor the subject of that information on a certain media.

February 25, 2019 - 13:23

Tyler Fisher

Yes. DNS over HTTPS means it's impossible for your DNS requests to be MITM or taken.
So is DNS Over HTTPS. The main difference is that with DNScrypt metadata and timing-based attacks are technically possible, but not with DoH. On the other hand, DoH *could* centralize DNS more.
I think I read somewhere that DoH can be used to bypass DNS filters. Another thing to bear in mind is that DNScrypt is not a standard, so it could change at any moment.

Both are good options and can be used in tandem.

February 25, 2019 - 14:13

Evan Miller

A DNS client is trivial to implement and is not in any way a hurdle preventing browser vendors from using their own resolvers. In reality, Chrome already has an internal DNS suite that it sometimes chooses to use. I'm thinking that DNS/HTTPS is being championed over its competition because it goes along with the "everything over HTTP" mentality that's been popular for the past half-decade or so.

You can use a hardcoded bootstrap service which is great if you want to do surveillance. You could also use an IP as an HTTP host rather than a domain. The following link goes to the website of a US intelligence agency, for example: 172.217.13.110

February 25, 2019 - 14:37

Cooper Johnson

You don't need to resolve an IP address. Do you think the browser sends a DNS query to find out where 8.8.8.8 is, so it can send the actual DNS thing you want? Retard.

The problem DoH solves is that DNS requests leak a bunch of info. The DNS resolver simply re-sends your request to several other servers and the request(s) can be MITM'd or leaked. DoH can avoid that.

February 25, 2019 - 14:45

Dylan Carter

Looking at tools.ietf.org/html/rfc8484#section-4.1.1 , it looks like DoH uses the exact same architecture as DNS but with an intermediary HTTPS transport layer on top, which I don't think makes it any different than DNSCrypt for general purpose use.

February 25, 2019 - 14:52

Kevin Walker

could just put the ips of the domains i use in the hosts file and turn off dns completely.

February 25, 2019 - 14:55

Josiah King

As pants-on-head retarded as DNS over HTTPS is, this isn't really a problem. SSL/TLS certificates are issued and verified against a common name (the CN string) and sometimes using the subject alternate name (SAN) extension to provide multiple names in a single cert. There's nothing to inherently verify against in any cert. We all just basically decided to agree that the common name is where the domain goes.
It could, like all trusted root certs, simply be a self-signed cert that you must explicitly add to your trust store, or it could have the common name be the IP address of the server. There's a myriad of ways to do this.

February 25, 2019 - 14:55

Christian Gutierrez

Newfag here, is there a way to enforce specific rather than pre-defined DoT server through asuswrt-merlin? Thanks

February 25, 2019 - 22:46

Connor Evans

Why DoT and not DoH?

February 26, 2019 - 19:32

1 2 ... 4 Next

Paul Vixie is anti-RFC 8484 and is thus morally corrupt

Last threads