You know you’re being bamboozled when you see appeals to: 1. Layer violations. 2. The sanctity of the network control plane. 3. Enterprise networks. https://twitter.com/paulvixie/status/1053886628832382977
1/ I respect @paulvixie tremendously, but I’m confused… as far as I know, there has never been any kind of broad requirement (or even agreement) that DNS requests *must* be performed in a way that allows for monitoring, filtering or, as happens today, modifications/“massaging”.
the internet isn't made of requirements or agreements. there was however an alignment norm, before RFC 8484, under which anyone in the data path was expected to be able to withdraw cooperation for traffic they didn't want to carry. (1)
Replying to @paulvixie @nbougalis and
i don't support permissionless DNS monitoring or filtering, but where it's a feature desired (permitted) by the network owner or head of household or CISO, those people should not have to negotiate with DoH's backers -- period, no exceptions. (2/2)
How is this not the same as saying that ordinary home users should have to ask their ISP for permission to have basic DNS privacy?
that's a troubling equivocation. if a home user cannot trust their ISP, they need something a hell of a lot stronger than DoH. so, that excuse won't wash.
They obviously, manifestly cannot. I’m on AT&T. AT&T manipulates and records my DNS. There are more of “me” than “you”. Why do “you” win?
if AT&T manipulates and records your DNS then they are at moral hazard and ought to be at regulatory hazard -- but you will need something a lot stronger than DoH to make any difference in their success at selling your PII. DoH isn't excused.
I honestly do not understand this argument. They monitor and manipulate my DNS now. They cannot do so with DoH.
Replying to @tqbf @paulvixie and
They can see the query and response sizes, approximately, and then what IPs you connect to, and then SNI if it's not encrypted. We're a bit from being more fully protected against what some of the NFV gear can profile, but it's progress sort of ...
In practice, DoH is moving the privacy problem to providers such as Google, who have their own not-great-aligned incentives, CloudFlare, who had CloudBleed, and Cisco/OpenDNS, who want to use it to sell security.
Replying to @colmmacc @paulvixie and
You don’t think that’s just because they’re the organizations best equipped to boot this up, and that the privacy management responsibility will inevitably get moved around to other providers with clearer incentives?
Replying to @tqbf @paulvixie and
I'll take Google/CloudFlare/Cisco over the average ISP for now, for sure. It's an improvement. I'm a little worried Google will over time use the data to refine targeted ads, and CloudFlare may penalize competitor CDNs who use DNS queries for locality. It's not ideal!