On 4/3/20, Elmar Stellnberger <estellnb@elstel.org> wrote:
> Encryption can be a source of arbitrary code execution exploits if not
> implemented properly. Encrypting DNS would have other application
> purposes and makes sense as long as you use a proxy. If you connect
> directly, hiding the domain name is ineffective because someone who spies
> on the connection also knows the IPs you connect to and, via SNI, the
> cleartext of the domain you surf at.

Yes, but "trusting the answer" and "keeping my communications private"
are not quite the same thing. If we're talking about "trusting the
answer" I'll take DoT or running my own DNSSEC-enabled resolver. When
I'm more concerned about "keeping my communications private" I'll take
Tor & accept the trade-off of slower speed.