
Re: [SOLVED] Re: Firefox: Warning: Potential Security Risk Ahead for the USPS.com



On Wed, Jan 05, 2022 at 12:41:23PM -0500, Celejar wrote:

[...]

> The configuration I'm talking about is as follows: the browser makes
> ordinary, unencrypted DNS requests to the Pi-hole, over a trusted
> network

If the browser decides to make the DNS requests over HTTPS (DoH [1],
that's what we are talking about), the DNS server in your Pi-hole doesn't
even get to see those requests.

>         (your LAN, or a VPN). HTTPS isn't necessary here insofar as you
> trust your own network to be secure. (And if you're really worried about
> intruders [...]

No, no. I'm not worried about those things. I'm worried that the
browsers do their own thing to do name lookup so they escape my control
(be it via /etc/hosts, be it via my own DNS server, local or Pi-hole).

> https://www.reddit.com/r/pihole/comments/ku0i8k/configuring_dnsoverhttps_on_pihole/

Again: I'm not that much concerned about my lookup's privacy. The
Pi-hole having an option to do DoH lookups is fine. But do I trust my
browser to not do direct DoH lookups all by itself, bypassing my Pi-hole
(or whatever I've set up as a controlled DNS)? What about its next
version?

Cheers

[1] Browser folks have decided that making DNS requests over HTTP(S) is
   much more secure than over the "traditional" avenue. In a way, they
   are right. In another they are horribly wrong-
   https://en.wikipedia.org/wiki/DNS_over_HTTPS 

-- 
t
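
Added example, not part of the message above or of the thread: Mozilla documents a canary domain, use-application-dns.net, that Firefox looks up through the system resolver before turning on DoH by default; any rcode other than NOERROR, or NOERROR without A/AAAA records, keeps default DoH off. The Python code below sends that query to the resolver under test and interprets the reply. The canary name comes from Mozilla's documentation rather than the thread, and the function names and sample replies are constructed for this example.

```python
import socket
import struct

CANARY = "use-application-dns.net"  # assumption: Mozilla's canary name, not from the thread
A, AAAA = 1, 28

def build_query(name, qtype=A, txid=0x1234):
    """Encode a recursive DNS query (RFC 1035 wire format)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!2H", qtype, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)   # pointer is 2 bytes, root label is 1

def canary_disables_doh(msg, txid=0x1234):
    """True if this reply signals 'do not enable DoH by default':
    any rcode other than NOERROR, or NOERROR carrying no A/AAAA record."""
    rid, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:                    # NXDOMAIN, SERVFAIL, ...
        return True
    off = 12
    for _ in range(qd):                   # skip the echoed question section
        off = _skip_name(msg, off) + 4
    for _ in range(an):                   # walk the answer records
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype in (A, AAAA):
            return False
        off += 10 + rdlen
    return True

def ask(resolver_ip, timeout=3.0):
    """Send the canary query over plain UDP/53 to the resolver under test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (resolver_ip, 53))
        return canary_disables_doh(s.recv(4096))

# Constructed sample replies (not captured traffic): same question, three outcomes.
QUESTION = build_query(CANARY)[12:]
NXDOMAIN_REPLY = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
EMPTY_REPLY = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION
ANSWERED_REPLY = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

Call `ask()` with the address of the Pi-hole or other local resolver. The canary only governs DoH that the browser switched on by default; DoH enabled explicitly in the browser settings ignores it, which is the loss of control the message describes.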
