undefined | Better HN

0 pointsfreebuju5y ago0 comments

Again you keep referring to DoT and DoH which I insist do not encrypt your dns queries from your ISP. They may offer added security but do not keep your requests private. ODoH attempts to keep your requests private from the resolver only. A benefit which is a good step but doesn't ultimately keep your dns private from your ISP.

This is the major flaw I find with such claims of encrypted dns. Your isp can still see which sites you visit, oDoH or not.

0 comments

judge20205y ago

So if your DNS request is encrypted to the resolver, and from the resolver to a second resolver (first resolver is ODOH proxy), then is unencrypted from that resolver to the authoritative nameserver, where does the ISP get to see your DNS query? Unless you mean SNI, which is its own thing being worked on[0] (yes, it only works for big CDNs to look benign and you probably could still correlate IPs via traffic patterns. Doesn't mean it'll be as easy as it is now, though).

0: https://blog.cloudflare.com/encrypted-client-hello/

j / k navigate · click thread line to collapse

0 pointsfreebuju5y ago0 comments

This is the major flaw I find with such claims of encrypted dns. Your isp can still see which sites you visit, oDoH or not.

0 comments

judge20205y ago

0: https://blog.cloudflare.com/encrypted-client-hello/

j / k navigate · click thread line to collapse