
Re: DOH



	Hi.

On Tue, Apr 14, 2020 at 10:26:09PM +0100, Liam O'Toole wrote:
> On Tue, 14 Apr, 2020 at 23:42:48 +0300, Reco wrote:
> 
> [...]
> 
> > > 2. Having completed a DNS lookup unbeknownst to the ISP, we still have
> > > to make a connection to the resulting IP address through the ISP's
> > > gateway. The ISP can perform a reverse DNS lookup of the IP address if
> > > they are determined to snoop.
> > 
> > And that is why it's important to use DNS over TLS.
> > Unless your ISP can magically decrypt TLS on the fly, the scenario
> > you're describing is impossible. 
> 
> I think you misunderstand me. I'm talking about making a connection to
> an IP address that you have already obtained by (encrypted) DNS.

I misunderstood you indeed. While it's true that this particular threat
is something that DNS over TLS cannot guard against, I suggest you
consider this:

1) Not every IP on the Internet has a PTR record.
2) There are multiple cases of sharing the same IP between multiple
sites (including HTTPS).
3) For HTTPS (and TLS in general) there's a more precise method called SNI
snooping (there's TLSv1.3 against *that*, but it's not widely adopted).

Reco
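The third point above, that the hostname travels in the clear in the TLS handshake, can be checked against the wire format. The following is an added example and is not part of the thread or of any project mentioned in it: it builds a minimal ClientHello with a constructed placeholder random and a constructed hostname, and then parses the record the way a passive monitor or an IDS would, walking the handshake fields until it reaches the server_name extension (type 0x0000). The helper names `build_client_hello`, `extract_sni` and `parse_server_name` are this example's own, and the cipher-suite and extension bytes are constructed only to give the parser something to skip. Nothing here is encrypted, which is exactly the point: before a ClientHello has been sent there is no key, so the extension is readable on the path. The encrypted-SNI mechanism the thread attributes to TLSv1.3 is not modelled.

```python
import struct
from typing import Optional

# Constructed sample builder: produces a TLS 1.2-style ClientHello wrapped in a
# handshake record. Only the fields the parser must walk past are filled in.
def build_client_hello(server_name: Optional[str]) -> bytes:
    client_random = b"\x00" * 32                 # placeholder, not a real random
    session_id = b""
    cipher_suites = b"\x13\x01\xc0\x2f"          # two constructed suite ids
    compression = b"\x00"                        # null compression only

    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        # ServerName: name_type 0 (host_name) + 2-byte length + bytes
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    # An unrelated extension (supported_versions, 0x002b) so the parser has to skip one.
    sv = b"\x02\x03\x04"
    extensions += struct.pack("!HH", 0x002b, len(sv)) + sv

    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # type 0x16 = handshake


def parse_server_name(data: bytes) -> Optional[str]:
    """Walk the ServerNameList and return the first host_name entry."""
    if len(data) < 2:
        return None
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0:
            return name.decode("idna")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello record, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                          # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                          # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                          # truncated capture
        pos = 2 + 32                             # skip client_version and random
        pos += 1 + body[pos]                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                     # compression_methods
        if pos + 2 > len(body):
            return None                          # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type == 0x0000:               # server_name
                return parse_server_name(data)
        return None
    except (IndexError, struct.error):
        return None                              # malformed input, treat as no SNI


if __name__ == "__main__":
    hello = build_client_hello("example.org")
    print("SNI seen on the wire:", extract_sni(hello))
    print("ClientHello without SNI:", extract_sni(build_client_hello(None)))
```

The same parser is what a monitoring sensor uses to log destination hostnames from encrypted sessions, which is why a correlation between "DNS query went over TLS" and "no hostname visible" does not hold for ordinary HTTPS: the hostname simply moves from the DNS channel to the TLS handshake.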