I'm not against DNS encryption per se, it's nice, but why not implement a DoH/DoT resolver as e.g. an external program, ship it with Chrome/Firefox to make it work OS-wide, and make it optional then, like Android did? Or why not go a step further and embrace DoT-enabled NS?
I was all hands for HTTPS, and DNS encryption is no doubt a good thing, but its implementation is controversial at best.
1 reply 0 retweets 0 likes
Replying to @ValdikSS @paulvixie and
It should, and no doubt will be, built into system resolvers at some point. We have to make do with the levers we have. The problem with DoT is it's trivial to force people to downgrade to plaintext DNS, so it's pretty reasonable to think snoopers will do that.
1 reply 0 retweets 0 likes
The people arguing against it are going to be on the wrong side of history. In five years they'll remember how they argued that plaintext is good for privacy, and that it's dangerous not to let your ISP or hotel wifi monitor your activity; they're gonna look real silly.
2 replies 0 retweets 0 likes
Replying to @taviso @paulvixie and
I'm not an ISP or even a public resolver host, but I use private DNS to implement an uncommon per-domain routing method for VPN, with my custom DNS resolver, for censorship circumvention. https://antizapret.prostovpn.org/tech.html
1 reply 0 retweets 0 likes
Replying to @ValdikSS @paulvixie and
Cool, and nobody has proposed anything that would prevent you from doing that. You only have to worry if you want to snoop on or interfere with queries from machines that you don't own and/or don't have permission from the owner. Those people do have to worry.
1 reply 0 retweets 0 likes
Replying to @taviso @paulvixie and
Does Chrome correctly handle DNS changes at runtime? This censorship circumvention service is public and provided as an OpenVPN VPN. What would happen if the user uses 8.8.8.8 in the DNS configuration and has Chrome open, but then connects to the VPN? Would it fall back to the VPN DNS?
1 reply 0 retweets 0 likes
Note that Windows 10 does not have a preferred DNS anymore; it sends DNS queries to all known configured DNS servers, via all available network interfaces. I had to implement an option that blocks any requests to port 53 in OpenVPN to work around this. https://github.com/OpenVPN/openvpn/commit/dd628d2e0d786e478fd99d54000dceaa42d53855 …
1 reply 0 retweets 0 likes
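The multi-interface leak described in the tweet above, as an added illustration that is not part of the thread nor of the linked OpenVPN change: a small Python script that scans constructed per-interface DNS log records, flags plaintext port-53 queries that bypass the VPN resolver, and surfaces the same name being sent to several resolvers in parallel. The interface name tun0, the resolver 10.8.0.1 and the log line format are assumptions.

```python
"""Flag plaintext DNS queries that bypass a VPN resolver (leak detection over a constructed log)."""
import re
from collections import defaultdict

# Constructed sample records, one per outbound DNS packet, in the shape a host
# firewall or packet capture might log them. Not real traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:01 iface=tun0 dst=10.8.0.1:53 qname=example.com
2024-01-01T10:00:01 iface=eth0 dst=8.8.8.8:53 qname=example.com
2024-01-01T10:00:02 iface=wlan0 dst=192.168.1.1:53 qname=example.org
2024-01-01T10:00:02 iface=tun0 dst=10.8.0.1:53 qname=example.org
2024-01-01T10:00:04 iface=eth0 dst=1.1.1.1:853 qname=example.net
"""

# Assumed names: the OpenVPN adapter and the resolver it pushes to the client.
VPN_IFACE = "tun0"
VPN_RESOLVER = "10.8.0.1"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) iface=(?P<iface>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+) qname=(?P<qname>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def find_plaintext_leaks(records, vpn_iface=VPN_IFACE, vpn_resolver=VPN_RESOLVER):
    """Port-53 queries that leave via another interface or go to another resolver."""
    return [
        r for r in records
        if r["port"] == 53 and (r["iface"] != vpn_iface or r["dst"] != vpn_resolver)
    ]


def find_parallel_queries(records):
    """Names sent to more than one destination at the same timestamp: the pattern
    produced when the OS fans a query out to every configured resolver."""
    by_key = defaultdict(set)
    for r in records:
        by_key[(r["ts"], r["qname"])].add((r["iface"], r["dst"]))
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
```

The DoT query on port 853 is deliberately not flagged as a plaintext leak, so a stricter policy that also blocks port 853 outside the tunnel would need its own rule.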
I'm not a Chrome engineer, I just think DoH is a good idea.