undefined | Better HN

0 pointsstupidthrottle6y ago0 comments

> His main argument seems to be that the network operator should have control over DNS requests

And why is that an unreasonable position for a network operator to hold?

0 comments

judge20206y ago

The issue comes from network operators wanting to control DNS from being a middleman in the connection, but there is no way to ensure the people acting as middlemen in the connection are authorized to be in the middle or authorized to change those DNS requests.

If a network operator can change DNS, then the ISP, network hops, or a malicious twin AP can as well.

stupidthrottleOP6y ago

> If a network operator can change DNS

The network operator provides an IP through the DHCP response, which also includes proper DNS-settings for that network.

How is this malicious or replacing “your” DNS? The DNS belongs to the network.

judge20206y ago

ISPs also provide "their" DNS rr's. That does not mean you have to use ISPs' DNS RR to access the DNS.

> The DNS belongs to the network.

This is the question - should the network really be able to tell the client what IP corresponds with a DNS name? if no, then there's no good solution to blocking websites where you can't install things on the client's device. Meanwhile, if you say yes, then you must also say yes to ISPs being able to tell the client what IP corresponds to a DNS name. The only solution in an enterprise context is to buy new hardware (or install a software update if Cisco is feeling benevolent) that runs a DoH server. In a school-bocking-porn context, you could ban the biggest offenders via IP (mindgeek sites have a dedicated IP space I think, and you could cron your own DNS lookups for other non-CDN sites) and use SNI whitelist until eSNI is added to iOS.

topranks6y ago

The main argument should be that the OS controls what DNS is used.

The user of the OS can then set their own DNS. If applications just ignore this and use their own it takes away power from the user. Sure Firefox lets you turn it off, but a lot of people won’t bother.

j / k navigate · click thread line to collapse

0 comments

judge20206y ago

If a network operator can change DNS, then the ISP, network hops, or a malicious twin AP can as well.

stupidthrottleOP6y ago

> If a network operator can change DNS

The network operator provides an IP through the DHCP response, which also includes proper DNS-settings for that network.

How is this malicious or replacing “your” DNS? The DNS belongs to the network.

judge20206y ago

ISPs also provide "their" DNS rr's. That does not mean you have to use ISPs' DNS RR to access the DNS.

> The DNS belongs to the network.

topranks6y ago

The main argument should be that the OS controls what DNS is used.

j / k navigate · click thread line to collapse