undefined | Better HN

0 pointsJohnFen7y ago0 comments

You would be correct if that were my attitude, but it's not. This is not a panacea, it's one component in a larger security posture.

0 comments

shawnz7y ago

If DNS-based access control is not sufficient on it's own, then is it really worth it to block DoH (which could have other significant security and privacy benefits) just to retain the possibility of using it? Why not focus on improving those other, already necessary access control technologies and forget about abusing DNS for this purpose, so we get the best of both worlds?

JohnFenOP7y ago

Because I believe in multilayered security. No one approach to security is sufficient, but combining as many approaches as possible can allow each approach to help cover the weaknesses of the other approaches.

Also, I disagree that denying the lookup of certain domain names is abusing DNS. If I were running a DNS server that was being used by the public, or that was being used by downstream DNS servers, that would be different.

Also, I'm not aware of a method that can accomplish the sort of coverage that blocking DNS lookups can. If you have an alternative, I'd be genuinely interested in hearing about it.

shawnz7y ago

> I believe in multilayered security. No one approach to security is sufficient, but combining as many approaches as possible can allow each approach to help cover the weaknesses of the other approaches.

Agreed with you there, I'm not saying that multilayered security is a bad thing.

What I'm saying is that right now, in terms of easy and accessible DNS privacy, we have 0 layers. Don't you think it might be worth sacrificing this one partial, incomplete access control solution in favour of solving that?

glennpratt7y ago

> If I were running a DNS server that was being used by the public, or that was being used by downstream DNS servers, that would be different.

Without cooperation of the device, that is indistinguishable from that of a bad actor.

You can get what you want by owning the device and requiring it to cooperate (ie with controlled software or a certificate to allow monitoring / blocking).

j / k navigate · click thread line to collapse

0 comments

shawnz7y ago

JohnFenOP7y ago

Also, I'm not aware of a method that can accomplish the sort of coverage that blocking DNS lookups can. If you have an alternative, I'd be genuinely interested in hearing about it.

shawnz7y ago

Agreed with you there, I'm not saying that multilayered security is a bad thing.

glennpratt7y ago

> If I were running a DNS server that was being used by the public, or that was being used by downstream DNS servers, that would be different.

Without cooperation of the device, that is indistinguishable from that of a bad actor.

You can get what you want by owning the device and requiring it to cooperate (ie with controlled software or a certificate to allow monitoring / blocking).

j / k navigate · click thread line to collapse