Ars: NSA says watch out for 3rd party DNS resolvers with DoH/DoT

Dan Goodin

Using DoH or a similar protocol known as DoT—short for DNS over TLS—is a no brainer in 2021, since DNS traffic can be every bit as sensitive as any other data sent over the Internet. On Thursday, however, the National Security Agency said in some cases Fortune 500 companies, large government agencies, and other enterprise users are better off not using it. The reason: the same encryption that thwarts malicious third parties can hamper engineers’ efforts to secure their networks.

Continue reading on ArsTechnica
Amen
 
What is the most reliable and trustworthy DNS?
 

So unbound is setting up my own DNS server? I don't understand it fully, but from what I've read it's like I create my own DNS server and I'm not relying on my ISP or 3rd-party ones. I need to educate myself more so I don't fook something up when setting it up, since it's not as easy as plugging a USB into the router, formatting it with the right file system, then enabling Merlin custom scripts and using the proper commands in SSH, right? People often mention pfSense alongside unbound, and it's some kind of firewall, so what is the connection between unbound and pfSense? Is it some layer of firewall independent of the router's one?
 
No, I did not say that. Read the link and make some good searches for what you don't know or are assuming right now.
 
So all the instructions are on the page and I should just pick the right option from the command prompt GUI? Or is there a tutorial or guide explaining all the options and their meaning somewhere? It seems like easy mode covers everything, or do I need to study advanced mode to get the most out of it?
 
And this is the reason I've stuck to Google or Cloudflare. Not that I totally trust them, but I trust them more than the rest. This is one of the reasons why I am still using Pi-hole and not some ad-blocking DNS provider.

Pi-hole does use user-generated lists, but my understanding is these lists can just specify a blocklist and not alter the IPs.
 
Enterprises have been worrying about this for a long time. We have struggled with the TLS journey as well. The mandates to control, log, inspect, and protect all flows get quite difficult as more encryption creeps in at the app/service levels. We have done our best to block/restrict DoH/DoT at the firewalls and proxy servers. We need our clients to utilize the enterprise DNS server for compliance and security reasons. Very different behavior and expectations in the enterprise vs. at home.
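The post above describes the enterprise posture the NSA advice points at: clients must use the internal resolver, and DoH/DoT to anyone else gets blocked at the firewall or proxy. As an added illustration (not from the thread, the Ars article or the NSA guidance), here is a small Python audit over constructed connection-log lines that flags the three bypass patterns; the resolver address, the log format and the sample flows are assumptions.

```python
"""Flag DNS flows that bypass the enterprise resolver: plain DNS, DoT on
TCP/853, or HTTPS to a known public DoH resolver. Added illustration, not
code from the thread, Ars or the NSA; addresses below are placeholders."""
from dataclasses import dataclass
from typing import List, Optional

ENTERPRISE_DNS = {"10.0.0.53"}  # assumed internal resolver (placeholder)
# Public resolvers that also answer DoH on 443; illustrative, not exhaustive.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str

def classify(line: str) -> Optional[Finding]:
    """Constructed line format: '<proto> <src_ip> <dst_ip> <dst_port>'."""
    proto, src, dst, port_str = line.split()
    port = int(port_str)
    if dst in ENTERPRISE_DNS:
        return None  # sanctioned resolver, whatever the transport
    if port == 53:
        return Finding(src, dst, "plain DNS to non-enterprise resolver")
    if port == 853 and proto == "tcp":
        return Finding(src, dst, "DoT (TCP/853) to external resolver")
    if port == 443 and dst in KNOWN_DOH_RESOLVERS:
        return Finding(src, dst, "likely DoH to public resolver on 443")
    return None  # ordinary traffic, including unrelated HTTPS

def audit(lines) -> List[Finding]:
    """Keep only the flows a firewall/proxy policy should block or alert on."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample: one sanctioned lookup, three bypasses, one plain HTTPS
# flow to a TEST-NET-3 address that must not be flagged.
SAMPLE_LOG = [
    "udp 10.0.1.15 10.0.0.53 53",
    "udp 10.0.1.22 8.8.8.8 53",
    "tcp 10.0.1.22 1.1.1.1 853",
    "tcp 10.0.1.40 1.1.1.1 443",
    "tcp 10.0.1.40 203.0.113.10 443",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

Matching DoH by resolver IP on 443 is a heuristic, which is why the enterprise approach in the post pairs it with a proxy that can see the destination rather than relying on port filtering alone.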
 