
/tech/ - Technology


File: fR5Z1q4e.jpeg (30.38 KB, 512x512)


 No.1035038>>1035289 >>1035336

He wants everyone to use DNS-over-TLS (RFCs 7858, 8310) instead of DNS-over-HTTPS (RFC 8484), which he considers a "political project", so that he and others can spy more easily on network traffic:

https://twitter.com/paulvixie/status/1053765281917661184

 No.1035053>>1035062

DNS-over-HTTPS-with-SNI probably lets people spy on you just the same.

what's wrong with DNS-over-TLS?


 No.1035062>>1035070

>>1035053

>what's wrong with DNS-over-TLS?

It uses a designated port that is easily blockable. DNS-over-HTTPS uses port 443 like HTTPS.


 No.1035070>>1035081

>>1035062

... that's it?

so for evasion purposes you can trivially change the port and use a DNS server that serves DNS-over-TLS on port 443.

if there's nothing wrong with the security of the traffic that's sent with the port, then it's fine. probably better than DNS-over-HTTPS.

it's a decade too late to think government firewalls are all about ports and that if you hide in the web traffic they can't do anything about you.


 No.1035079>>1035084

it's not in your post, but did he say why he wanted TLS instead?


 No.1035081

>>1035070

>that if you hide in the web traffic they can't do anything about you

If it is mixed with other HTTPS traffic, then they have to snoop in on all HTTPS traffic.


 No.1035084

>>1035079

>DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH.

and:

>That's inverted. A network operator who defends their control plane may be more worried by outside actors than by its users. Defensive tunneling from my house or work is not in your interest or mine. Don't do it. Esp not by default. Please.

eh, but malware can get its DNS from any kind of ad-hoc process that it likes. DNS over pastebin.


 No.1035107

I simply route everything through Tor, which should be encrypting my connections anyway. Don't see any reason to hack around things when outside observers shouldn't even have an idea about what IP address you are really connecting to.


 No.1035134>>1035142 >>1035220

>someone disagrees with me on one specific issue, he must be morally corrupt

Kill yourself OP


 No.1035142

>>1035134

>he thinks it's a mere disagreement


 No.1035220>>1035230

>>1035134

this is something that would affect everyone tho. anything that makes censoring easier than it is now is bad


 No.1035229>>1035238 >>1035398

>DNS-over-HTTPS (RFC 8484), which he considers a "political project",

does DNS-over-TLS require purchasing a domain name and an HTTPS certificate from the extremely kosher Certificate and Domain name jews?

wait until pozjew and chromejew block any DNS that doesn't have a kosher domain name, ie your own DNS resolver, or a resolver that doesn't go along with the jewish censorship of a particular set of domain names, or DNS servers that service non-standard tld's, like opennic


 No.1035230

>>1035220

anything new that comes out is almost 100% certainly more kosher than the previous thing it is replacing.

everything new is bad

everything old is less bad


 No.1035238>>1035344

>>1035229

DNS-over-TLS and DNS-over-HTTPS are distinct so please clarify your question.


 No.1035240>>1035259

I hate his fucking face. Is it possible to hate someone just after glancing at their photo only once? It apparently is!


 No.1035259

>>1035240

his face doesn't bother me, and he looks alright: https://en.wikipedia.org/wiki/Paul_Vixie

but he's got a twatter so ofc.

<DON'T DISPARAGE MUH FBI

https://twitter.com/paulvixie/status/1098313056197566464

<MUH RUSSIANS ATTACKING EU WHICH IS A "PEACE PROJECT"

https://twitter.com/paulvixie/status/1097767394179600384

<RUSSIAN PSYOPS GAVE US TRUMP AND BREXIT

https://twitter.com/paulvixie/status/1063914419120427009


 No.1035289>>1035290

>>1035038 (OP)

Spy agencies have probably found a security hole in https. I've suspected this since the letsencrypt movement was flooded by monetary "contributors".


 No.1035290>>1035388

>>1035289

how would pushing LE help them if that's the case? was there an alternative that LE made less compelling?


 No.1035308

DNS over HTTPS is bloated as shit compared to DNS over TLS.


 No.1035336

>>1035038 (OP)

>instead of DNS-over-HTTPS

Who has access to all the CA root certificates?


 No.1035344>>1035346

>>1035238

>so please clarify your question.

<Will any of this nu-dns require a domain name and a certificate from a (((trusted)))/backdoored security authority to function?

I thought per the standard HTTPS certificates are only issued to domain names, not IP addresses.


 No.1035346>>1035353

>>1035344

that's correct. so what? DNS-over-HTTPS doesn't mean that if you want the IP of "8ch.net" that you connect to 8ch.net on port 443. How would you know 8ch.net's IP to do that?

A DNS server will still be involved.


 No.1035353>>1035354 >>1035355 >>1035358 >>1035373 >>1035398 >>1035403 >>1035409

>>1035346

no, i mean the dns resolver itself.

instead of dns:8.8.8.8 or whatever, are we now going to have

dns: kikeddns.com

but then how is it going to resolve kikeddns.com, when to resolve DNS it must first know what its DNS server IP address is; it needs to know what kikeddns.com is, but that's the DNS server.

this question is because "dns over https" implies an "https certificate" which requires a domain name.

even if the above issue of a DNS server resolving itself is ignored, it means that shutting down a non-kosher DNS server could easily be done by revoking the domain name required to run it, and therefore no HTTPS certificate would be recognized, because they must be tied to a domain name, not an IP address.


 No.1035354>>1035357 >>1035398

>>1035353

there is an additional issue here of browsers hardcoding this bullshit into the browser, requiring users to use a specific set of DNS servers, ones with valid HTTPS certificates, and forcing users to stop using their own local resolvers, i.e. tordns, or even just their router for performance reasons.

it's going to turn into yet another power grab; i like the idea of encrypted dns, but not with yet another third party right in the middle of it, the certificate issuers, and the domain registrar.


 No.1035355

>>1035353

>instead of dns:8.8.8.8 or whatever, are we now going to have

>dns: kikeddns.com

Sure if you want to leak that you're using HTTP-over-DNS. More realistically, you'd just have the IP of kikeddns.com. You connect to that IP and ask for kikeddns.com and the TLS works completely normally and you use it to resolve other hostnames.


 No.1035357

>>1035354

with the

>modern browsers are complete shit and need to be constantly updated

>if you don't constantly update then you'll get 0wned

>this is normal and healthy situation, software is hard :^)

>anyway don't you want latest HTML6 help-your-wife-cuck-you features

they'll probably just hardcode the shit into the browser.


 No.1035358

>>1035353

>it means that to shut down a non-kosher dns server it could easily be done by revoking the domain name required

there's no magical dependency of HTTPS on the normal public DNS system. You've probably gotten this idea from browsers and tools ignoring your hosts file or explicit IPs. That's a (((deliberate security feature))) of those tools.


 No.1035367>>1035392

What about DNSCrypt? I've been using it for a couple of years now. Is there any advantage of using DoH over DNSCrypt?


 No.1035373


 No.1035388

>>1035290

>how would pushing LE help them if that's the case?

It gives people who aren't into crypto a false sense of security.

One should never consider a system 100% secure. But mozilla, google and other fags want EVERYTHING to go through https. It could be a coincidence but I begin to see enough of this sort of scheme.

There's another variation to this: for example, to make people believe that a piece of information is true, and to make it believably true, they are on purpose going to censor the subject of that information in a certain media.


 No.1035392

>>1035367

Yes. DNS over HTTPS means it's impossible for your DNS requests to be MITM or taken.

>but with DNScrypt the request is encrypted!

So is DNS Over HTTPS. The main difference is that with DNScrypt metadata and timing-based attacks are technically possible, but not with DoH. On the other hand, DoH *could* centralize DNS more.

I think I read somewhere that DoH can be used to bypass DNS filters. Another thing to bear in mind is that DNScrypt is not a standard, so it could change at any moment.

Both are good options and can be used in tandem.


 No.1035398>>1035403

>>1035354

>>1035229

A DNS client is trivial to implement and is not in any way a hurdle preventing browser vendors from using their own resolvers. In reality, Chrome already has an internal DNS suite that it sometimes chooses to use. I'm thinking that DNS/HTTPS is being championed over its competition because it goes along with the "everything over HTTP" mentality that's been popular for the past half-decade or so.

>>1035353

>but then how is it going to resolve kikeddns.com, when to resolve dns it must first know what it's dns server ip address is, it needs to know kikeddns.com is, but it's the dns server.

You can use a hardcoded bootstrap service which is great if you want to do surveillance. You could also use an IP as an HTTP host rather than a domain. The following link goes to the website of a US intelligence agency, for example: http://172.217.13.110


 No.1035403>>1035407

>>1035353

You don't need to resolve an IP address. Do you think the browser sends a DNS query to find out where 8.8.8.8 is, so it can send the actual DNS thing you want? Retard.

>>1035398

The problem DoH solves is that DNS requests leak a bunch of info. The DNS resolver simply re-sends your request to several other servers and the request(s) can be MITM'd or leaked. DoH can avoid that.


 No.1035407

>>1035403

Looking at https://tools.ietf.org/html/rfc8484#section-4.1.1 , it looks like DoH uses the exact same architecture as DNS but with an intermediary HTTPS transport layer on top, which I don't think makes it any different than DNSCrypt for general purpose use.


 No.1035408

could just put the ips of the domains i use in the hosts file and turn off dns completely.


 No.1035409

>>1035353

As pants-on-head retarded as DNS over HTTPS is, this isn't really a problem. SSL/TLS certificates are issued and verified against a common name (the CN string) and sometimes using the subject alternative name (SAN) extension to provide multiple names in a single cert. There's nothing to inherently verify against in any cert. We all just basically decided to agree that the common name is where the domain goes.

It could, like all trusted root certs, simply be a self-signed cert that you must explicitly add to your trust store, or it could have the common name be the IP address of the server. There's a myriad of ways to do this.
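
As an added example (not code from the thread, and not from any project named in it), the Python below makes concrete the points argued across >>1035070, >>1035355, >>1035407 and >>1035409: the same DNS wire-format message (RFC 1035) is what both transports carry; DoT only puts the RFC 1035 TCP length prefix under TLS, and the port is a client setting, so a resolver can be run on 853, 443 or anything else; DoH base64url-encodes that message into a GET or POSTs it as `application/dns-message` (RFC 8484 section 4.1); and the resolver is reached by a configured IP address while the certificate is checked against a configured name (or an IP SAN), so no DNS lookup is needed to find the resolver. The resolver IP `192.0.2.53`, the name `dns.example` and `SAMPLE_RESPONSE` are constructed placeholders; `dot_query` needs a network and is the only part not exercised offline.

```python
"""DNS wire format, DoT framing (RFC 7858) and DoH encoding (RFC 8484).

Added example, not from the thread. 192.0.2.53, dns.example and the
sample response below are constructed placeholders (assumptions).
"""
import base64
import socket
import ssl
import struct
from typing import List

DOT_PORT = 853  # IANA port for DoT; any port works if client and resolver agree
DOH_PORT = 443  # DoH is ordinary HTTPS


def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Minimal DNS query: header with RD=1 and one question. RFC 8484 uses
    ID 0 so the encoded request is cache-friendly; DoT may use any ID."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def dot_frame(msg: bytes) -> bytes:
    """DoT (RFC 7858 s3.3) reuses DNS-over-TCP framing: 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(base_url: str, msg: bytes) -> str:
    """RFC 8484 s4.1: GET with the wire message base64url-encoded, no padding."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"


def doh_post_request(host: str, path: str, msg: bytes) -> bytes:
    """Raw HTTP/1.1 POST (RFC 8484 s4.1) as it goes inside TLS on port 443.
    The Host header names the resolver even if TCP was opened to a bare IP."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg


def parse_a_records(msg: bytes) -> List[str]:
    """IPv4 addresses from the answer section; handles compression pointers."""
    _qid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])

    def skip_name(p: int) -> int:
        while True:
            length = msg[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:  # pointer (RFC 1035 s4.1.4): 2 bytes, name ends
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        data += chunk
    return data


def dot_query(resolver_ip: str, server_name: str, msg: bytes,
              port: int = DOT_PORT) -> bytes:
    """One DoT exchange. TCP goes to resolver_ip (no DNS needed to find it);
    the certificate is verified against server_name, also sent as SNI. If the
    resolver's cert carries an IP SAN, pass the IP string as server_name."""
    ctx = ssl.create_default_context()  # chain + hostname/IP-SAN verification
    with socket.create_connection((resolver_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(dot_frame(msg))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


# Constructed response (not captured from a real resolver): QR=1, RD/RA set,
# one A answer whose owner name is a pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://dns.example/dns-query", q))
    print(dot_frame(q).hex())
    print(parse_a_records(SAMPLE_RESPONSE))
    # dot_query("192.0.2.53", "dns.example", q, port=443)  # placeholder resolver
```

The GET URL printed for `www.example.com` matches the worked example in RFC 8484 section 4.1.1, which is the cleanest way to see that DoH is the unchanged DNS message with an HTTP envelope; a resolver listening for DoT on 443 only needs the `port` argument changed, and a middlebox that can tell the two apart is looking at the TLS handshake and traffic shape, not the port number.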


 No.1035527>>1035767

Newfag here, is there a way to enforce a specific rather than a pre-defined DoT server through asuswrt-merlin? Thanks


 No.1035767

>>1035527

Why DoT and not DoH?




37 replies