Can someone please explain to me why DNS-over-HTTPS (DoH) is bad? Signed, someone who transitioned from BIND9 to djbdns circa 2000, learned about Curve25519 via DNSCurve, considers the latter an abject failure... https://twitter.com/kennwhite/status/1170753874279485440?s=21
Replying to @bascule
DoH is good. AFAICT people are complaining about pulling in a specific third party which was previously off-path to provide the service. I understand some of the complexity of the tradeoffs, but it is a perplexing decision from Mozilla.
2 replies 0 retweets 20 likes
Replying to @FiloSottile @bascule
Some people hate DoH because they are invested in DNS monitoring for various things, from fairly legit (malware detection) through shady (consumer tracking). DoH upends that business model.
2 replies 1 retweet 12 likes
Replying to @damienmiller @bascule
Right, also that, but I don't listen to them because they never made a convincing argument that their values align with users AND that snooping is necessary for providing the actual value.
2 replies 0 retweets 16 likes
I've learned that (bizarrely) they argue that connecting to hotel wifi is explicit informed consent to monitor DNS, and that users want to be monitored for their protection. I think if this is the strength of their argument, DoH+eSNI+TLS needs to have been default yesterday.
2 replies 7 retweets 47 likes
Replying to @taviso @FiloSottile and
My biggest issue is that Mozilla is forcing the change as the default, which means that for the countless enterprises and power users who run internal DNS, we LOSE control over our resolution.
1 reply 0 retweets 2 likes
Replying to @faultywarrior @taviso and
There are many like myself who don't run split horizon, but run internal resolvers which resolve domains to routable addresses, but said addresses are NOT publicly routed.
3 replies 0 retweets 0 likes
Sure, but there has to be a default, and right now it's trust whatever is in the DHCP option tags. I think it's okay to ask for users to enable that - but it's not a safe default - think ISPs, free WiFi, etc.
Replying to @taviso @FiloSottile and
I see both sides of it. What Mozilla hasn't made clear is if this will be an easy option to disable. i.e. open settings and uncheck like it is now to enable it; or if you'll have to play stupid games in about:config to turn it off.
2 replies 0 retweets 0 likes