NAT64 AIUI utterly breaks DNS privacy and security by requiring forged results and precluding contact with v4 hosts (like the DoH provider) via IP address.
Under NAT64 with DNS64, the resolver provider is hostile: the ISP. Hostility of the ISP is the whole problem DoH is trying to solve. DNSSEC rightly makes it impossible to get valid signatures from such forged DNS results.
I'm not sure how "Google provides DNS64" - the DNS64 results are specific to the NAT64'd network, no? And AIUI you'd have no way to reach Google's DNS on a NAT64 network.
In the strict mode where it's explicitly configured, Android's DNS-over-TLS uses a traditional DNS lookup for the DNS server name and enforces that everything else goes via DNS-over-TLS and that it has a valid certificate. I have it set to "http://one.one.one.one" as an example.