Menu
What's new
By:
Filters Better Search

Improving DNS Privacy with Oblivious DoH in 1.1.1.1

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I read through the Cloudflare post, and quite frankly, this is a stupid idea. Yet another single point of failure introduced, more latency, and you are just shifting your trust into the hands of the one running the proxy.

DNS resolution is a core, low-level protocol that is critical to many Internet applications such as web browsing (which relies heavily on DNS resolution as the average website often has over a dozen of hostnames in need of DNS lookups). Every time you make it more complicated and you increase its latency, it will have a very visible negative impact on the user experience. DNS was originally designed the way it was for very good reasons:

- UDP based for the lowest latency possible
- Very simple and robust to reduce the chances of things breaking
- Highly redundant, you can use ANY nameserver in case your usual primary server went down (and you can typically use at least two different resolvers as a failover)
- Decentralized as much as possible, so you aren't forced to put all of your trust into the hands of one specific provider

Modern "solutions" are constantly throwing overboard all of these basic design principles, and they keep making things worse. DoT and DNSSEC were reasonable compromises because of the core issues they addressed. DoH makes it worse for no good reason (and enough already with the "it's the only way to avoid censorship", it takes just a few firewall configs to completely block DoH), and ODoH makes it even worse, once again for no real good reasons.

Seriously folks, start thinking of the Internet as a public place. Do any of you wear a costume and a full face mask whenever you go out shopping, because you don't want anyone else to know you went into this store or that store? Why is doing that so "important" on the Internet, but not important when you go out shopping? Do you go to a company's special building to hire someone to go into the supermarket for you, just so that supermarket won't know you shop at their place, but you trust that company's proxy buyer to respect your privacy better than the supermarket? This is exactly what is going on here with ODoH.

People are confusing "wants" with "needs" in this case. What you want does not always equal what you need, and what you need does not always equal what you want.
 
@RMerlin I don't think the supermarket analogy is all that apt.

If inside the supermarket they had people that followed you down every isle, kept track of every item you put in your cart, picked up or even glanced at, and then saved that info to send you targeted adds, that's uncomfortable and feels like an invasion of privacy even in a public place.

I'm in no way saying that we need to muck around with DNS, nor am I commenting on the new 'standards' vs. DNSSEC. I am saying that the amount that corporations know about us (nevermind ISPs or governments) is probably already too much.

Just one point for reference: https://www.forbes.com/sites/kashmi...teen-girl-was-pregnant-before-her-father-did/

Just my $0.02 :)
 
RMerlin said:
I read through the Cloudflare post, and quite frankly, this is a stupid idea. Yet another single point of failure introduced, more latency, and you are just shifting your trust into the hands of the one running the proxy.

DNS resolution is a core, low-level protocol that is critical to many Internet applications such as web browsing (which relies heavily on DNS resolution as the average website often has over a dozen of hostnames in need of DNS lookups). Every time you make it more complicated and you increase its latency, it will have a very visible negative impact on the user experience. DNS was originally designed the way it was for very good reasons:

- UDP based for the lowest latency possible
- Very simple and robust to reduce the chances of things breaking
- Highly redundant, you can use ANY nameserver in case your usual primary server went down (and you can typically use at least two different resolvers as a failover)
- Decentralized as much as possible, so you aren't forced to put all of your trust into the hands of one specific provider

Modern "solutions" are constantly throwing overboard all of these basic design principles, and they keep making things worse. DoT and DNSSEC were reasonable compromises because of the core issues they addressed. DoH makes it worse for no good reason (and enough already with the "it's the only way to avoid censorship", it takes just a few firewall configs to completely block DoH), and ODoH makes it even worse, once again for no real good reasons.

Seriously folks, start thinking of the Internet as a public place. Do any of you wear a costume and a full face mask whenever you go out shopping, because you don't want anyone else to know you went into this store or that store? Why is doing that so "important" on the Internet, but not important when you go out shopping? Do you go to a company's special building to hire someone to go into the supermarket for you, just so that supermarket won't know you shop at their place, but you trust that company's proxy buyer to respect your privacy better than the supermarket? This is exactly what is going on here with ODoH.

People are confusing "wants" with "needs" in this case. What you want does not always equal what you need, and what you need does not always equal what you want.
Click to expand...
For those with an interest on why DoH has such a bad wrap, you can read about it here
www.zdnet.com

DNS-over-HTTPS causes more problems than it solves, experts say

Several experts, companies, and national entities have voiced very convincing concerns about DoH and its features.
www.zdnet.com www.zdnet.com
The problem I have with the whole DNS Privacy seen is that it is not truly private as RMerlin has pointed out. The only reason this maybe appealing is to control government censorship.. Some countries do not believe in some of the same freedoms people observe in other countries. DoH is hard or next to impossible to detect and block. This is not in reference to the ISP. The ISP can still see what you do as there are other ways to track your traffic.(For example your non-private IP address). The big flaw in DoH is that it evades even security application measures put in place by adminitstators. You could be putting yourself at more risk simply by evading cyber-security measures that are implemented for your actual protection. Cyber Security measures are often put in place to redirect your traffic if it is in the presences of known malware. DoH puts the blinders on rendering these cybersecurity measures useless. (this is why it is important to use a DoH provider that replaces this missing security blanket.)
 
cptnoblivious said:
If inside the supermarket they had people that followed you down every isle, kept track of every item you put in your cart, picked up or even glanced at, and then saved that info to send you targeted adds, that's uncomfortable and feels like an invasion of privacy even in a public place.
Click to expand...

This is already happening. For instance, most local supermarkets here have points cards that allows them to know which products people buy, and they send rebate vouchers based on their usual purchase habits. Nothing would technically stop them from also using facial recognition combined with security cameras to achieve the same. China for instance have large scale facial recognition cameras in place in some areas.
 
RMerlin said:
This is already happening. For instance, most local supermarkets here have points cards that allows them to know which products people buy, and they send rebate vouchers based on their usual purchase habits. Nothing would technically stop them from also using facial recognition combined with security cameras to achieve the same. China for instance have large scale facial recognition cameras in place in some areas.
Click to expand...

Some of it certainly is. Some stores may also track the MAC from your phone if it's WIFI is enabled as you walk around and it's scanning networks. And it wouldn't be hard to pair the two datasets.

But, you can only worry about so much before you start reaching for the tinfoil.

Still, the level of tracking isn't yet in the same league. :)
 
cptnoblivious said:
@RMerlin I don't think the supermarket analogy is all that apt.

If inside the supermarket they had people that followed you down every isle, kept track of every item you put in your cart, picked up or even glanced at, and then saved that info to send you targeted adds, that's uncomfortable and feels like an invasion of privacy even in a public place.
Click to expand...


But that is exactly what they do. Store discount/club/loyalty cards and loyalty debit/credit cards all collect exactly that data about your spending and habits.

Every store that uses POS scanning systems at the tills stores every detail about your purchases and card details it is all listed and time stamped.

Retailers, suppliers and manufacturers use that data to make supply predictions. Your personal data is worth $ millions and is sold every day.

Supermarket chains offer club/loyalty cards where you earn points which you can exchange for discounts on goods. You register your card, they have your name, address, phone , email .......... they know ALL of your habits and preferences , the ages and gender of your children, when you are on holiday etc. They only do this for one reason , they make millions £ $ selling that data on to other companies.

In the UK, TESCO have predictive shopping , sign up and they analyse your shopping habits , then you walk in to the store on your chosen day and your "usual" shop will be ready for you in a box .
 
thecheapseats said:
Does this covid-mask make my butt look big?...
(sorry man - couldn't resist - I live for punchlines)...
Click to expand...

My neighbour got a black eye answering questions like that.

Wife, getting ready for a dinner party:

"Does this make my butt look big? "

Husband:

"Yes dear, but to be fair it is a very small bathroom"

He still sleeps on the couch.
 
I read "Improving DNS privacy" but in my mind, I actually read "we are working on a way to serve more ads and bypass corporate filtering"
And to think there are people actually believing that somehow these "secure" DNS providers with their DoH and all the other acronyms are more trustworthy. "No, they will not use and sell my data. They actually care about user privacy and spent money on it because they are nice"
 
Looks like ODoH will be available soon thru DNSCrypt-proxy.

Link
&
Extra info
 
Last edited:
You must log in or register to reply here.

Similar threads

X
Prevent client auto DoH
Replies
6
Views
588
Xboxsx4life
X
PR3MIUM
Exploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi Networks
Replies
15
Views
615
sfx2000
sfx2000
T
ControlD with Merlin
2
Replies
25
Views
769
tnpapa
T
C
How to set upstream DNS but force clients to use the router for DNS?
Replies
2
Views
566
chrisisbd
C
CntrlAltDel
DNScrypt DNSCrypt Error During Setup
Replies
1
Views
1K
Zastoff
Zastoff
Similar threads
Thread starter Title Forum Replies Date
sfx2000 Microsoft, DNS, and 192.168.1.0 General Network Security 4
B Which 3rd party dns filters do you use? General Network Security 19
P Threat protection / DNS filtering / Router security (on home network) General Network Security 1
C DNS changes General Network Security 8
tomasm Cloudflare DNS problems caused by Comcast? General Network Security 23
RMerlin How do malware-blocking DNS providers compare? General Network Security 67
L&LD iPhone offer privacy? No, never. General Network Security 6

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 685 (members: 10, guests: 675)
Top