I'm giving a talk on Weds at #ripe76 on our survey re: interest and concerns about DNS privacy. Want to make sure this isn't like DNSSEC all over again - if we build it, will operators deploy it? Or are we adding complexity that most operators would rather not have?
The only thing that kinda makes sense is DoH, which can leverage existing HTTP software. Even though there is no privacy improvement here, contrary to popular belief, just authentication to mitigate tampering. Like what DNSSEC has been trying to do in vain.
“DNS Privacy” tools give *more* information to resolvers. TLS tickets, and long-lived TCP connections now allow them to fingerprint individual devices even behind Tor/VPN/NAT/CGNAT.
Not saying that these things are bad. Any security improvement is a good thing. But they don’t provide any privacy. Just authentication. Maybe once SNI encryption is a thing, we can talk. Right now, it’s wankery/marketing/ways to get funding.
DoH cannot solve one of the crucial problems DNSSEC aims to (and does, when operators bother to implement it) solve: source authentication and integrity that survives a journey through an arbitrary number of intermediate, untrusted hops. DoH is hop-by-hop.
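The distinction in the reply above (transport security stops at the next hop, signed data is checked by the stub no matter how many hops it crossed) can be shown with a small model. The Go program below is an added example, not code from the thread or from any DNS implementation: it signs an A RRset with Ed25519 (DNSSEC algorithm 15, RFC 8080) over a simplified canonical form rather than the real wire format and RRSIG fields, hands the zone's public key to the stub directly instead of walking the DS/DNSKEY chain from the root trust anchor, and derives keys from fixed, constructed seeds so the run is deterministic. The "hops" are what a DoH or DoT session does not cover: TLS authenticates the resolver you talk to, but that resolver and everything upstream of it can rewrite the answer, and only a signature from the zone lets the stub notice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified resource record set: one owner name, one type,
// one TTL and a list of RDATA strings (IPv4 addresses for type A).
type RRset struct {
	Name  string
	Type  string
	TTL   uint32
	Rdata []string
}

// canonical renders the RRset into a deterministic byte string so that the
// signer and every validator hash exactly the same data. It borrows the idea
// of RFC 4034 canonical form (lower-cased owner, sorted RDATA) but is a
// constructed text encoding, not the DNS wire format.
func canonical(rr RRset) []byte {
	rdata := append([]string(nil), rr.Rdata...)
	sort.Strings(rdata)
	return []byte(fmt.Sprintf("%s|%s|%d|%s",
		strings.ToLower(rr.Name), rr.Type, rr.TTL, strings.Join(rdata, ",")))
}

// SignedAnswer is an RRset plus a detached signature, standing in for an
// RRset together with its RRSIG record.
type SignedAnswer struct {
	RRset RRset
	Sig   []byte
}

// seed derives a fixed 32-byte Ed25519 seed from a label. Constructed for
// the example so that runs are deterministic; real zones use random keys.
func seed(label string) []byte {
	sum := sha256.Sum256([]byte(label))
	return sum[:]
}

// Sign is what the zone operator does, once and offline, with the zone key.
func Sign(zoneKey ed25519.PrivateKey, rr RRset) SignedAnswer {
	return SignedAnswer{RRset: rr, Sig: ed25519.Sign(zoneKey, canonical(rr))}
}

// Validate is what the stub does with the zone's public key (in real DNSSEC
// reached through the DS/DNSKEY chain from the root trust anchor; here it is
// handed in directly). Nothing about the path the answer took is consulted.
func Validate(zonePub ed25519.PublicKey, a SignedAnswer) bool {
	return ed25519.Verify(zonePub, canonical(a.RRset), a.Sig)
}

// Hop models any forwarder or recursive resolver between the stub and the
// authoritative server. A DoH/DoT TLS session only reaches the first hop;
// that hop itself and everything behind it are outside what the TLS protects.
type Hop func(SignedAnswer) SignedAnswer

// Honest forwards the answer untouched.
func Honest(a SignedAnswer) SignedAnswer { return a }

// Redirect models a resolver that rewrites the A record (captive portal,
// ad injection, blocking) and forwards the original signature as-is.
func Redirect(a SignedAnswer) SignedAnswer {
	out := a
	out.RRset.Rdata = []string{"203.0.113.66"} // constructed TEST-NET-3 address
	return out
}

// RedirectAndResign rewrites the record and signs the forgery with the hop's
// own key; without the zone's private key this cannot satisfy the stub.
func RedirectAndResign(a SignedAnswer) SignedAnswer {
	rogueKey := ed25519.NewKeyFromSeed(seed("rogue resolver key"))
	return Sign(rogueKey, Redirect(a).RRset)
}

// Forward pushes an answer through an ordered chain of hops.
func Forward(a SignedAnswer, path ...Hop) SignedAnswer {
	for _, h := range path {
		a = h(a)
	}
	return a
}

// Demo signs one A RRset and sends it down three paths, returning whether the
// stub accepts each. The hops are opaque to the stub, exactly as forwarders
// and upstream resolvers are to a validating client.
func Demo() (viaHonest, viaRedirect, viaResign bool) {
	zoneKey := ed25519.NewKeyFromSeed(seed("example.com zone key"))
	zonePub := zoneKey.Public().(ed25519.PublicKey)

	answer := Sign(zoneKey, RRset{
		Name: "www.example.com.", Type: "A", TTL: 300, Rdata: []string{"192.0.2.10"},
	})

	viaHonest = Validate(zonePub, Forward(answer, Honest, Honest, Honest))
	viaRedirect = Validate(zonePub, Forward(answer, Honest, Redirect, Honest))
	viaResign = Validate(zonePub, Forward(answer, RedirectAndResign, Honest))
	return
}

func main() {
	h, r, s := Demo()
	fmt.Printf("honest path:           %v\n", h)
	fmt.Printf("rewritten en route:    %v\n", r)
	fmt.Printf("rewritten + re-signed: %v\n", s)
}
```

Only the first path validates. Swapping the hops for a TLS channel changes nothing in this picture: the stub would know it reached the resolver it meant to, and still have no way to tell that the resolver, or something behind it, changed the record. That is the sense in which DoH is hop-by-hop and a signature from the zone is end-to-end; the two protect against different things and complement rather than replace each other.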
Saying there is no privacy improvement when ISPs routinely sniff #DNS traffic to external resolvers is strange.