There are some potential privacy issues with DNS-over-TLS and DNS-over-HTTPS due to implementations reusing connections. It mostly applies to using DNS-over-{TLS,HTTPS} with a VPN or Tor though. Without a VPN or Tor source IP address is enough to tie together the requests anyway.
Conversation
Where are you getting the assumption that CGN is widely used from? In most of Europe it most certainly is not. I can't emagine that it's significantly different in the US, and as far as I know there hasn't been a paper that covers this.
1
1
This Tweet was deleted by the Tweet author. Learn more
NAT64 AIUI utterly breaks DNS privacy and security by requiring forged results and precluding contact with v4 hosts (like the DoH provider) via IP address.
1
This Tweet was deleted by the Tweet author. Learn more
Under NAT64 with DNS64, the resolver provider is hostile: the ISP. Hostility of the ISP is the whole problem DoH is trying to solve. DNSSEC rightly makes it impossible to get valid signatures from such forged DNS results.
1
1
I'm not sure how "Google provides DNS64" - the DNS64 results are specific to the NAT64'd network, no? And AIUI you'd have no way to reach Google's DNS on a NAT64 network.
1
This Tweet was deleted by the Tweet author. Learn more
1
1
In the strict mode where it's explicitly configured, Android's DNS-over-TLS uses a traditional DNS lookup for the DNS server name and enforces that everything else goes via DNS-over-TLS and that it has a valid certificate. I have it set to "one.one.one.one" as an example.
This Tweet was deleted by the Tweet author. Learn more
Yeah, and that's likely part of why they require providing a name rather than an IP address. Getting a certificate issued for a domain is also much more widely supported than an IP address, and since they require a valid certificate when explicitly configured it reduces breakage.
1
They require using a name for the DNS-over-TLS server configuration and always bootstrap it. If you don't explicitly configure it for strict mode the default is the opportunistic mode where it will transparency upgrade to DNS-over-TLS without enforcing having a valid certificate.