undefined | Better HN

0 pointsArnavion4y ago0 comments

Right, DNSSEC will solve the "manipulate" problem, but it won't solve the "see" problem. But whether that's a concern is up to you. You could run your resolver on a VPS and speak DoT / DoH to that, which shifts the leak from your ISP to your VPS provider.

0 comments

tptacek4y ago

It doesn't solve the "manipulate" problem we're talking about here, either: nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain; it only (situationally) prevents them from redirecting it somewhere else. (And, of course, it only works if you're running your own recursive server; it does nothing whatsoever in the 8.8.8.8-type use case).

progval4y ago

> nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain

But at least it is detectable thanks to NSEC and NSEC3 records.

cyounkins4y ago

Kind of. An intermediary can drop packets and the client will never get the response.

tptacek4y ago

It's detectable when the site that the DNS provider is censoring falls off the Internet!

ArnavionOP4y ago

Yes, that's true.

j / k navigate · click thread line to collapse

0 comments

tptacek4y ago

progval4y ago

> nothing about DNSSEC prevents a DNS server (or middlebox) from denying results to a disfavored domain

But at least it is detectable thanks to NSEC and NSEC3 records.

cyounkins4y ago

Kind of. An intermediary can drop packets and the client will never get the response.

tptacek4y ago

It's detectable when the site that the DNS provider is censoring falls off the Internet!

ArnavionOP4y ago

Yes, that's true.

j / k navigate · click thread line to collapse