
On Sun, Apr 12, 2020 at 07:46:38PM -0400, Lee wrote:
> > The questionable idea behind DOH is that the browser makers do not trust
> > your local resolver.
> Mozilla claims it's a privacy issue:
> https://support.mozilla.org/en-US/kb/firefox-dns-over-https

It's a privacy issue along with the other things.
With the default settings the Firefox user is handing all DNS resolution
to Cloudflare. Not an equivalent to complete browsing history, but close.

> > 1) One can use a local resolver with the ability *not* to resolve
> > certain DNS queries, which refer to the sites which just happen to
> > contain advertisements, fingerprinting, tracking, cryptomining etc.
> > Since all two major browser makers (Google and Mozilla) happen to rely
> > on revenue generated by advertising *and* users' browsing habits this
> > obviously can not be tolerated.
> Wasn't there a fairly recent kerfuffle about an upcoming change to
> chrome that would break things like the uMatrix addon?

There was, indeed.

> If firefox wasn't a viable alternative to chrome, what are the chances
> that change would have been implemented?

It is implemented already, it's just there are alternatives to
declarativeNetRequest that are working - so far.

> > 3) Bad guys and gals can hijack DNS too, with the usual hilarious results.
> And the bad guys and gals can use DOH to "hide" their traffic and
> circumvent things like pihole.

There is tor or i2p for *that* already.

> I just did a quick search and couldn't find anything for smart TVs
> using DOH.

Probably because they aren't there yet. A typical smart TV is based on
Android, and Google haven't said their word about DOH so far.

> > With the advent of HTTPS all this may be seen as moot points (if you're
> > redirected elsewhere the certificate validation should fail), but
> > nevertheless DOH is forced upon the collective throat of Firefox users
> > as we speak (and Chrome users are likely to follow them Soon™).
> > Currently a Firefox user is supposed to trust Cloudflare to do DNS
> > queries for them, and HTTPS is used for this purpose because Security™.
> For some values of "security", DOH _is_ more secure.

As far as the "last mile" is concerned - maybe. As far as the whole
Internet goes - not so much, as the overall security of DNS queries depends
on DNSSEC being implemented in every zone (and it ain't there yet).

> How many people use a dnssec validating resolver?

See above. Besides, DNSSEC is for integrity of zones, not privacy.
You need DNS-over-TLS if you need the latter.

> At least Cloudflare resolvers have dnssec enabled.

*And* the ability to see users' DNS queries. Neat, right?
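The "local resolver that refuses to resolve certain names" from point 1) above, as an added illustration that is not part of this thread: a minimal handler that answers NXDOMAIN for names on a blocklist and otherwise signals "forward upstream". It also answers NXDOMAIN for Firefox's DoH canary name `use-application-dns.net`, which is the documented way for a local resolver to tell a default-configured Firefox to keep using it instead of DoH (the canary is not mentioned in the thread; the blocklist entries are constructed examples).

```python
import struct

# Constructed blocklist: domains the local resolver refuses to resolve
# (advertising/tracking hosts, as discussed in the thread). Names are hypothetical.
BLOCKLIST = {"ads.example", "tracker.example"}

# Firefox's DoH canary domain: an NXDOMAIN answer for this name tells a
# default-configured Firefox not to switch to DoH (added here, not from the thread).
CANARY = "use-application-dns.net"

def parse_qname(packet, offset=12):
    """Decode the uncompressed QNAME of the first question; return (name, end_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset

def is_blocked(name):
    """Match the name itself or any parent domain against the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def handle_query(packet):
    """Return an NXDOMAIN reply for blocked names (and the canary), else None,
    meaning 'forward this query upstream as usual'."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        return None
    name, end = parse_qname(packet)
    end += 4  # skip QTYPE and QCLASS
    if name != CANARY and not is_blocked(name):
        return None
    # Response header: QR=1, copy RD from the query, RA=1, RCODE=3 (NXDOMAIN);
    # the question section is echoed back, no answer records.
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 3
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + packet[12:end]

def build_query(name, txid=0x1234):
    """Build a minimal A/IN query in wire format (constructed test input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def rcode(packet):
    """Extract the 4-bit RCODE from a DNS message header."""
    return struct.unpack("!H", packet[2:4])[0] & 0x000F
```

A browser that sends its queries over DoH to Cloudflare never hits this handler at all, which is exactly the bypass the thread describes.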
