Re: Securing DNS traffic

Hi!

I was not arguing for "no security at all". It's just this motivation for DoT/DoH (disguising the request from your ISP) that I don't get.

I have only a cursory knowledge of these technologies, but I think DNSSEC is the far better approach against the type of forgery you mentioned. Why do you expect CloudFlare or any other DoH provider not to be corrupted? I have just as much trust in them as in the commercial VPN provider you mentioned, or my ISP for that matter: very very little. As a European user, I definitely don't want all my DNS traffic to be routed through a single US company by default. But YMMV...

On Sun, May 24, 2020 at 11:22 PM Sad Clouds <cryintothebluesky%gmail.com@localhost> wrote:

On Sun, 24 May 2020 20:55:29 +0200
Jörn Clausen <joernc%googlemail.com@localhost> wrote:

> I simply don't get how this is a use case for DoT or DoH. Even if you
> disguise the DNS lookup, the next packet you send will be directed to
> the address you just looked up. Unless this happens to be a virtual
> hosting service, it is quite clear to your ISP what you are doing. I
> recommend this talk by Paul Vixie

There is always potential for surveillance. You may think you're safe
on a VPN, but if you didn't setup the endpoints yourself, on your own
hardware, how can you trust some VPN provider 100%? You can't.

I think the value of DoT is to stop DNS traffic hijacking and
redirection. Even if you configure /etc/resolv.conf to point to some
trusted DNS server, your ISP (or anyone else) can surreptitiously
redirect it to their own DNS server for various purposes (tracking,
filtering, serving ads, etc). Yes there are other ways to track people,
but the less info you leak in plain text the better.