Conversation
feld (feld@friedcheese.us)'s status on Wednesday, 18-Sep-2024 08:10:43 JST feld DNS Encryption is a lie. You're just trading who gets to MITM you, track your habits, and sell your data -- the ISPs/transit folks or the cloud corp you picked to be your DoH provider - Haelwenn /элвэн/ :triskell:, on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ and Doughnut Lollipop 【記録係】:blobfoxgooglymlem: like this.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 18-Sep-2024 09:44:10 JST Haelwenn /элвэн/ :triskell: @feld Yeah, it's basically like using a proxy.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 18-Sep-2024 09:56:13 JST Haelwenn /элвэн/ :triskell: @Nimbius666 @feld Yeah but choose a small enough one and you can get tracked just as much as just using any other resolver or even worse (like a resolver at home won't always contact the same server). feld likes this.
Crispy Branzino (nimbius666@comp.lain.la)'s status on Wednesday, 18-Sep-2024 09:56:16 JST Crispy Branzino @lanodan @feld you can use other doh providers besides the cloud cartels.
It is telling, though, the number of ISPs that absolutely lost their mind when DoH first rolled out.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 18-Sep-2024 09:58:13 JST Haelwenn /элвэн/ :triskell: @Nimbius666 @feld Like the only time I would use DoH would be outside of home, except I might as well just use Tor or a VPN to my home network instead. feld likes this.
feld (feld@friedcheese.us)'s status on Wednesday, 18-Sep-2024 10:03:13 JST feld @Nimbius666 @lanodan I did that with dnscrypt back in 2013 but it lost its appeal. The root server operators fought hard against supporting dnscrypt, which was one of the long term goals IIRC. Haelwenn /элвэн/ :triskell: likes this.
Crispy Branzino (nimbius666@comp.lain.la)'s status on Wednesday, 18-Sep-2024 10:03:14 JST Crispy Branzino @lanodan @feld I DoH my local network to a recursor I run on a cloud instance... overkill but it kept my former ISP out of my physical mail.
feld (feld@friedcheese.us)'s status on Wednesday, 18-Sep-2024 10:04:41 JST feld @Nimbius666 @lanodan These days the CPUs of the root servers can probably offload crypto faster than the NICs are linked at, so idk why we can't just fix this. Haelwenn /элвэн/ :triskell: likes this.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 18-Sep-2024 10:05:25 JST Haelwenn /элвэн/ :triskell: @feld @Nimbius666 I guess instead we got DNSSEC, which terribly sucks.
feld (feld@friedcheese.us)'s status on Wednesday, 18-Sep-2024 10:11:25 JST feld @lanodan @Nimbius666 Also worthless as you have to trust your recursor which many people don't control
I was super hopeful we could fix this in the early 2010s but the movement was killed.
feld (feld@friedcheese.us)'s status on Wednesday, 18-Sep-2024 10:14:03 JST feld Just imagine if you weren't allowed to do HTTPS to webservers directly because the burden would be too high for them to handle the crypto but you could secure your browsing if you proxied your browser's traffic through Cloudflare (who can see your HTTP)
That's basically our DNS security story.
David Chisnall (david_chisnall@infosec.exchange)'s status on Wednesday, 18-Sep-2024 21:27:59 JST David Chisnall @feld I wanted to build a DNS resolver with CCF (distributed key-value store that ran in SGX enclaves and other TEEs). The clients would be able to get a remote attestation that they were connected to a server that ran a specific version of the server code. The network would be able to send queries to authoritative servers from any node, maintain an internal cache, and do spurious lookups to make it hard to attack with traffic analysis.
I think this would meet the requirements for DNS encryption.
feld likes this.
feld (feld@friedcheese.us)'s status on Thursday, 19-Sep-2024 04:43:29 JST feld @drahardja there's no way to get a full copy of all the DNS zones and keep them in sync, but it would probably be terabytes of data honestly.
The only thing you can do is run a VPS / colocated server somewhere and tunnel your DNS traffic to that server, but the communication between that server and the DNS roots / authoritative NSes will always be unencrypted.
So whoever runs your colo/VPS network and the parties in between will always be able to see your queries and their source IP -- possibly including your REAL source IP, or at least the subnet of the originating request, because of EDNS Client Subnet, which is important for directing you to the nearest server based on your geographic location.
The metadata leaks of who made the DNS query are not going away anytime soon.
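As an added illustration of the EDNS Client Subnet leak feld describes (example code written for this page, not from any poster): encoding and decoding the RFC 7871 option a forwarding resolver attaches to its upstream query, so you can see exactly which bits of the client address travel unencrypted to the authoritative side. The addresses are constructed sample values; prefix length 0 is the RFC's "do not use ECS" signal, which is the setting privacy-minded resolvers expose.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)


def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Encode the ECS option a resolver sends upstream for a client.

    Only the first `source_prefix` bits of the client address are included,
    padded to whole octets with the remaining bits cleared, as the RFC
    requires. A resolver that forwards /24 for IPv4 therefore reveals the
    client's subnet to every hop between itself and the authoritative server.
    """
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2  # 1 = IPv4, 2 = IPv6 per RFC 7871
    net = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8
    addr_bytes = net.network_address.packed[:nbytes]
    # FAMILY (2 bytes), SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries)
    body = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data: bytes) -> dict:
    """Decode an ECS option as a passive observer on the path would see it."""
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = data[4:4 + length]
    family, src, scope = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    full_len = 4 if family == 1 else 16
    if len(addr_bytes) > full_len:
        raise ValueError("address field longer than family allows")
    padded = addr_bytes + b"\x00" * (full_len - len(addr_bytes))
    ip = ipaddress.ip_address(padded)
    net = ipaddress.ip_network(f"{ip}/{src}", strict=False)
    return {"family": family, "source_prefix": src,
            "scope_prefix": scope, "subnet": str(net)}


if __name__ == "__main__":
    # Constructed sample: a home client behind a resolver that forwards /24.
    opt = build_ecs_option("203.0.113.77", 24)
    print(opt.hex(), parse_ecs_option(opt))
    # Same client, resolver configured to suppress ECS (prefix length 0).
    print(parse_ecs_option(build_ecs_option("203.0.113.77", 0)))
```

Note that suppressing ECS hides the client subnet but not the resolver's own address, which is the "trading who gets to see you" point feld makes earlier in the thread.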
Dave Rahardja (drahardja@sfba.social)'s status on Thursday, 19-Sep-2024 04:43:30 JST Dave Rahardja @feld Is there a way to easily set up your own DNS server? Surely the zonefiles aren’t that big relative to modern storage sizes any more.
feld (feld@friedcheese.us)'s status on Thursday, 19-Sep-2024 08:45:28 JST feld @mason you motivated me to finally make a shitty diagram
mason (mason@thames.blisses.org)'s status on Thursday, 19-Sep-2024 08:45:33 JST mason @feld Aren't you conflating DNS over HTTPS and DNSSEC here? If not, I'd love to hear more.