undefined | Better HN

0 pointszrm6y ago0 comments

Aren't you the one usually telling everyone that DNSSEC is useless even though it solves the same problem, e.g. because the server can be verified with TLS instead? If the DNS attack is nothing more than a denial of service then it seems completely reasonable to wait until the attack is actually observed before applying a mitigation (third party DNS) that can have problematic side effects. Especially when the mitigation can be made as simple as a single checkbox in the browser.

And what makes Cloudflare any more trustworthy than the average ISP? Isn't that just switching the user's resolver from the network they explicitly chose to connect to, to a centralized third party that they didn't?

0 comments

tptacek6y ago

DNSSEC doesn't solve any practical problem, but does have the effect of escrowing TLS keys to world governments. DoH solves an immediate problem, which is that ISPs (and other entities) passively monitor DNS traffic to collect intelligence on network users. DNSSEC does nothing about this problem.

You don't have to use Cloud Flare for DoH, and I wouldn't.

zrmOP6y ago

> DoH solves an immediate problem, which is that ISPs (and other entities) passively monitor DNS traffic to collect intelligence on network users. DNSSEC does nothing about this problem.

That's assuming the DoH provider isn't monitoring queries either. Doesn't Cloudflare have a deal with APNIC to do exactly that?

> You don't have to use Cloud Flare for DoH, and I wouldn't.

That's the point -- the problem isn't that DoH exists, it's when an application changes your DNS provider to Cloudflare by default instead of using the one you have in your system configuration.

tptacek6y ago

You can trivially boot up your own DoH provider if you don't trust any of the existing ones. It's hard to imagine a protocol that would improve this situation: "supported by major vendors, and free to use for everyone".

I won't use Firefox to begin with (I'll reconsider when it's mostly Rust!), and so don't care so much about how Mozilla is handling this. Personally, I wouldn't touch Cloud Flare with a 10 foot pole. But that's not what I'm commenting about; I'm talking about DoH itself, which is an unalloyed good thing, which you can tell in part by the fact that the knives are out for it.

j / k navigate · click thread line to collapse

0 pointszrm6y ago0 comments

0 comments

tptacek6y ago

You don't have to use Cloud Flare for DoH, and I wouldn't.

zrmOP6y ago

> DoH solves an immediate problem, which is that ISPs (and other entities) passively monitor DNS traffic to collect intelligence on network users. DNSSEC does nothing about this problem.

That's assuming the DoH provider isn't monitoring queries either. Doesn't Cloudflare have a deal with APNIC to do exactly that?

> You don't have to use Cloud Flare for DoH, and I wouldn't.

That's the point -- the problem isn't that DoH exists, it's when an application changes your DNS provider to Cloudflare by default instead of using the one you have in your system configuration.

tptacek6y ago

j / k navigate · click thread line to collapse