On Thu, Dec 10, 2020 at 02:17:36AM +0000, coderman wrote:
> https://www.schneier.com/blog/archives/2020/12/oblivious-dns-over-https.html
>
> Oblivious DNS-over-HTTPS
>
> This [new protocol](https://techcrunch.com/2020/12/08/cloudflare-and-apple-design-a-new-privacy-friendly-internet-protocol/), called Oblivious DNS-over-HTTPS (ODoH), hides the websites you visit from your ISP.
>
> > Here's how it works: ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can't see what's inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.
>
> IETF [memo](https://tools.ietf.org/html/draft-pauly-dprive-oblivious-doh-02).
>
> The [paper](https://arxiv.org/pdf/2011.10121.pdf):
>
> > Abstract: The Domain Name System (DNS) is the foundation of a human-usable Internet, responding to client queries for host-names with corresponding IP addresses and records. Traditional DNS is also unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been gaining traction, ostensibly protecting traffic and hiding content from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large-scale deployments (e.g., Comcast, Google, Cloudflare): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS (ODoH) safeguards against this problem. In this paper we ask what it would take to make ODoH practical? We describe ODoH, a practical DNS protocol aimed at resolving this issue by both protecting the client's content and identity. We implement and deploy the protocol, and perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption, while improving client privacy, making ODoH a practical privacy enhancing replacement for the usage of DNS.
---end quoted text---
I heard it requires attaching a pubkey to the request, which Cloudflare uses to encrypt the response.
1/ pubkey crypto is expensive
2/ Cloudflare can still track you based on your pubkey
It's the usual creepy Cloudflare shit. Fuck Cloudflare!
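The client/proxy/target relay described in the quoted post, as an added simulation that is not code from the draft, the paper, or Cloudflare: the client seals the query for the target's published key under a fresh per-query X25519 key (the draft's HPKE is replaced by a raw X25519 plus SHA-256 and AES-GCM stand-in, an assumption), the proxy forwards opaque bytes, and the target decrypts, answers, and seals the reply under a key that only this one exchange's secret can derive. The View values record what each party could observe; the addresses, query and answer are constructed sample values.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)
// View records what one party observed during one exchange.
type View struct{ Source, Query string; Blob []byte }
var nonce = make([]byte, 12) // safe only because every derived key seals exactly one message
// aead: one-shot AES-GCM key from the shared secret (assumption: SHA-256 stands in for HPKE's HKDF).
func aead(shared []byte, label string) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte{}, shared...), label...))
	block, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(block)
	return g
}
// Encapsulate (client): a fresh ephemeral public key (enc) plus the query sealed for the target.
func Encapsulate(target *ecdh.PublicKey, query string) (enc, ct, shared []byte) {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader) // discarded after this one exchange
	shared, _ = eph.ECDH(target)
	ct = aead(shared, "query").Seal(nil, nonce, []byte(query), nil)
	return eph.PublicKey().Bytes(), ct, shared
}
// Resolve (target): decrypt, answer, and seal the answer under a response key from the same secret.
func Resolve(key *ecdh.PrivateKey, from string, enc, ct []byte) (View, []byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(enc) // rejects malformed keys
	if err != nil {
		return View{}, nil, err
	}
	shared, _ := key.ECDH(ephPub) // only errs on a low-order point, which then fails to decrypt below
	q, err := aead(shared, "query").Open(nil, nonce, ct, nil)
	if err != nil {
		return View{}, nil, err // tampered or misrouted query: do not answer
	}
	ans := []byte("A " + string(q) + " 203.0.113.10") // constructed answer
	return View{Source: from, Query: string(q)}, aead(shared, "response").Seal(nil, nonce, ans, nil), nil
}
// Run: one exchange client -> proxy -> target and back; the proxy relays opaque bytes only.
func Run(clientAddr, query string) (proxy, target View, answer string, err error) {
	key, _ := ecdh.X25519().GenerateKey(rand.Reader) // the target's long-term key pair
	enc, ct, shared := Encapsulate(key.PublicKey(), query)
	target, reply, err := Resolve(key, "proxy.example", enc, ct)
	if err != nil {
		return
	}
	a, err := aead(shared, "response").Open(nil, nonce, reply, nil)
	return View{Source: clientAddr, Blob: append(enc, ct...)}, target, string(a), err
}
```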
