Conversation

Notices

1. Embed this notice
   da_667 (da_667@infosec.exchange)'s status on Wednesday, 25-Jan-2023 01:34:42 JST da_667

   Your periodic reminder that DNS over HTTPS does nothing for your privacy.

   • Embed this notice
     da_667 (da_667@infosec.exchange)'s status on Wednesday, 25-Jan-2023 02:16:44 JST da_667

     in reply to

     I mean, any DNS provider can provide you with platitudes promising to not log your IP address or DNS queries, but you'll never actually know if they are or they aren't unless you see the server configs yourself. So there's that.

     Cloudflare claims that they don't log PII, but then immediately say that the may hold on to personally identifiable query data for up to 25 hours.
     https://www.cloudflare.com/privacypolicy/

     They claim to do a lot of redaction in their dns-specific policies, but there is a lot of deliberate word usage. They don't story anything in non-volatile memory. The only capture ".05% of all traffic sent to Cloudflare’s network infrastructure" (but don't specifically mention their DNS infrastructure).

     What I'm getting at is that if you didn't learn about how much companies value your privacy by the cascade of breaches over the past decade or the intelligence community leaks, then you weren't paying attention.

     Also, several malware authors, and a number of new and aspiring frameworks use DoH as a C2 method. There's no clear communication from major DoH providers on how they plan on handling abuse of infrastructure. I brought concerns to cloudflare executives of known malware campaigns using their DoH infra, and they didn't give a shit.

   • Embed this notice
     da_667 (da_667@infosec.exchange)'s status on Wednesday, 25-Jan-2023 02:16:46 JST da_667

     in reply to

     I want you to consider that nowhere in the RFC is privacy mentioned as a primary design goal of DoH. The only two goals are first-hop integrity, and bringing DNS resolution to the application.

     So you have some measure of privacy/integrity to the DoH server, but no idea whether whether or not, or to whom they're giving your DNS queries to.

     On top of that, bringing DNS resolution into the web application is going to have implications with regards to ad blocking.

     With the sunsetting of manifest V2, and supposedly limiting the effectiveness of ad blockers, they're coming for your browsing data, and are here to make you watch ads. You know, those same ads from ad delivery networks that are serving you malware currently.

   • Embed this notice
     da_667 (da_667@infosec.exchange)'s status on Wednesday, 25-Jan-2023 02:19:23 JST da_667

     • silverwizard

     @silverwizard it frustrates me to no fucking end, that DoH was opt-in by default on all new installs of Chrome and firefox, completely bypassing any filtering the user may have had set up. Hope you have ublock origin installed.

     silverwizard likes this.