We see enormous value in DNS monitoring and alerting daily and it’s a fantastic layer for what we are looking for. And yes tunneling has always been possible but it’s another layer an attacker has to stand up.
There’s a lot of easy things they don’t do it turns out
2 replies 0 retweets 14 likes
Replying to @SwiftOnSecurity @yaaadmanting and
So people often come up with "your DNS monitoring is worthless because it only raises the bar". Meanwhile those same folks advocate DNS over HTTPS which only raises the privacy bar by the tiniest bit - but apparently that is enough if they do it.
1 reply 1 retweet 2 likes
Replying to @PowerDNS_Bert @SwiftOnSecurity and
Actually it raises the privacy bar a lot. Almost all network level inspection in the UK is based on DPI / DNS interception.
1 reply 0 retweets 1 like
Replying to @MalwareTechBlog @Ma_15702265146 and
So how much harder is it to do SNI parsing than DNS parsing? Doesn't seem to be functionally different. Much DPI infrastructure already does SNI.
4 replies 0 retweets 2 likes
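To make the point in the tweet above concrete from a network-monitoring perspective, here is an added example (not from anyone in the thread) that extracts the requested hostname from a plaintext DNS query and from the SNI extension of a TLS ClientHello. Both packets are constructed inline with hypothetical hostnames rather than captured; the helper names are my own. The code shows that a passive observer needs roughly the same amount of parsing to read either field, which is why DNS monitoring and SNI-based DPI see the same hostnames until eSNI is deployed.

```python
import struct

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    # Construct a minimal DNS A query (sample packet, not captured traffic).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_dns_qname(packet: bytes) -> str:
    # Read the first question name from a DNS message (question names are never compressed).
    offset, labels = 12, []
    while True:
        length = packet[offset]
        if length == 0:
            break
        offset += 1
        labels.append(packet[offset:offset + length].decode())
        offset += length
    return ".".join(labels)

def build_client_hello(sni: str) -> bytes:
    # Construct a minimal TLS ClientHello record carrying only a server_name extension.
    host = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(record: bytes):
    # Walk TLS record -> ClientHello -> extensions -> server_name; return None if absent.
    if not record or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                   # handshake header, version, random
    p += 1 + hs[p]                                   # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
    p += 1 + hs[p]                                   # compression methods
    if p + 2 > len(hs):
        return None
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if ext_type == 0x0000:
            q = p + 2                                # skip server_name_list length
            name_type = hs[q]
            name_len = struct.unpack("!H", hs[q + 1:q + 3])[0]
            if name_type == 0:
                return hs[q + 3:q + 3 + name_len].decode()
        p += ext_len
    return None

def observed_hostnames(dns_packet: bytes, tls_record: bytes) -> dict:
    # What a passive monitor learns from each protocol on the wire.
    return {"dns": parse_dns_qname(dns_packet), "sni": parse_sni(tls_record)}

if __name__ == "__main__":
    # Hypothetical hostname for demonstration only.
    print(observed_hostnames(build_dns_query("example.invalid"),
                             build_client_hello("example.invalid")))
```

The DNS side needs a dozen-byte header skip and a label walk; the TLS side needs a few length-prefixed skips before the extension list. Neither requires decryption, which is the symmetry the tweet is pointing at: a monitoring pipeline that already logs DNS queries can log SNI with comparable effort, and an adversary or privacy-minded user cannot hide the hostname by addressing only one of the two channels.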
Replying to @PowerDNS_Bert @Ma_15702265146 and
DoH is a necessary first part of the puzzle, your argument seems to be "Unless DoH can also encrypt SNI, it's bad for privacy. Unless eSNI can encrypt DNS, it's also bad for privacy. Therefore plaintext must be best for privacy". That just seems disingenuous?
3 replies 0 retweets 3 likes
Replying to @taviso @PowerDNS_Bert and
No, it's that until eSNI is widely deployed, plaintext DNS that avoids Cloudflare and Google is better for privacy.
1 reply 0 retweets 0 likes
Replying to @phenlix @PowerDNS_Bert and
I don't understand what changes after ESNI is deployed? To be clear, we're just talking about changing the default to a provider who has agreed to strict standards. It can be overridden. I have no opinion on who provides it, so long as they've agreed to high standards.
1 reply 0 retweets 0 likes
Replying to @taviso @PowerDNS_Bert and
A DNS query will result in some other connection (probably wrapped in TLS) being established, and hiding DNS queries does very little for privacy because SNI will still be sniffed.
1 reply 0 retweets 0 likes
Right, so the argument is "DoH is useless because of SNI", and "eSNI is useless because of DNS", therefore we shouldn't deploy either? Can you see why I'm skeptical of this argument? It just doesn't make any sense, who says something has to solve everything at once?