
Re: DOH (was: geolocation services disabled and Gnome maps)



Hi.

On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
> > The questionable idea behind DOH is that the browser makers do not trust
> > your local resolver.
> 
> Mozilla claims it's a privacy issue:
> https://support.mozilla.org/en-US/kb/firefox-dns-over-https

It's a privacy issue along with the other things.
With the default settings the Firefox user is handing all DNS resolution
to Cloudflare. Not an equivalent to complete browsing history, but close
enough.


> > 1) One can use a local resolver with the ability *not* to resolve
> > certain DNS queries, which refer to the sites which just happen to
> > contain advertisements, fingerprinting, tracking, cryptomining etc.
> > Since all two major browser makers (Google and Mozilla) happen to rely
> > on revenue generated by advertising *and* users' browsing habits this
> > obviously can not be tolerated.
> 
> Wasn't there a fairly recent kerfuffle about an upcoming change to
> chrome that would break things like the uMatrix addon?

There was, indeed.


> If firefox wasn't a viable alternative to chrome, what are the chances
> that change would have been implemented?

It is implemented already; it's just that there are alternatives to
declarativeNetRequest that are working - so far.


> > 3) Bad guys and gals can hijack DNS too, to the usual hilarious results.
> 
> And the bad guys and gals can use DOH to "hide" their traffic and
> circumvent things like pihole.

There is tor or i2p for *that* already.


> I just did a quick search and couldn't find anything for smart TVs
> using DOH.

Probably because they aren't there yet. A typical smart TV is based on
Android, and Google haven't said their word about DOH so far.


> > With the advent of HTTPS all this may be seen as moot points (if you're
> > redirected elsewhere the certificate validation should fail), but
> > nevertheless DOH is forced upon the collective throat of Firefox users
> > as we speak (and Chrome users are likely to follow them Soon™).
> > Currently a Firefox user is supposed to trust Cloudflare to do DNS
> > queries for them, and HTTPS is used for this purpose because Security™.
> 
> For some values of "security", DOH _is_ more secure.

As far as the "last mile" is concerned - maybe. As far as the whole
Internet goes - not so much, as the overall security of DNS queries depends
on DNSSEC being implemented in every zone (and it ain't there yet).


> How many people use a dnssec validating resolver?

See above. Besides, DNSSEC is for integrity of zones, not privacy.
You need DNS-over-TLS if you need the latter.


> At least Cloudflare resolvers have dnssec enabled.

*And* the ability to see users' DNS queries. Neat, right?

Reco
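Added example, not code from this thread or from Mozilla or Cloudflare: it builds an RFC 8484 DoH GET request for a name, decodes the `dns=` parameter back into the query name, and parses a constructed wire-format answer. The point it makes concrete is the one above: whichever resolver the browser is pointed at (and anything that logs the request URL) sees every query name in clear, DoH only protects the path to that resolver. The endpoint URL and the 192.0.2.10 answer are placeholders constructed for the example.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse

def build_query(qname, qtype=1):
    # Header: id 0 (RFC 8484 suggests it, so equal queries give cacheable URLs), RD set, QDCOUNT=1.
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(query, endpoint):
    # RFC 8484 section 6: base64url with '=' padding removed, in the "dns" parameter.
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def parse_qname(msg, offset):
    # Decode labels, following RFC 1035 compression pointers (top two bits set).
    labels, end = [], None
    while msg[offset] != 0:
        if msg[offset] & 0xC0 == 0xC0:
            end = offset + 2 if end is None else end
            offset = ((msg[offset] & 0x3F) << 8) | msg[offset + 1]
        else:
            labels.append(msg[offset + 1:offset + 1 + msg[offset]].decode())
            offset += 1 + msg[offset]
    return ".".join(labels), (offset + 1 if end is None else end)

def qname_from_doh_url(url):
    # What the resolver operator, or anyone who logs the request URL, learns from it.
    param = parse_qs(urlparse(url).query)["dns"][0]
    msg = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    return parse_qname(msg, 12)[0]

def build_response(query, ipv4, ttl=300):
    # Constructed reply: QR|RD|RA flags, same question, one A record whose owner is a pointer (0xC00C) to the question name.
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + answer

def parse_a_records(msg):
    # Return [(owner, ttl, ipv4)] for the A records in a wire-format response.
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset, records = 12, []
    for _ in range(qdcount):
        offset = parse_qname(msg, offset)[1] + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        name, offset = parse_qname(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(map(str, msg[offset + 10:offset + 14]))))
        offset += 10 + rdlen
    return records
```

Feeding real request URLs from a proxy or resolver log through qname_from_doh_url gives the same list of visited names a plain UDP resolver would have seen.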
