Hi! I was not arguing for "no security at all". It's just this motivation for DoT/DoH (disguising the request from your ISP) that I don't get.
I have only a cursory knowledge of these technologies, but I think DNSSEC is the far better approach against the type of forgery you mentioned. Why do you expect CloudFlare or any other DoH provider not to be corrupted? I have just as much trust in them as in the commercial VPN provider you mentioned, or my ISP for that matter: very, very little. As a European user, I definitely don't want all my DNS traffic to be routed through a single US company by default. But YMMV...

On Sun, May 24, 2020 at 11:22 PM Sad Clouds <[email protected]> wrote:
> On Sun, 24 May 2020 20:55:29 +0200
> Jörn Clausen <[email protected]> wrote:
>
> > I simply don't get how this is a use case for DoT or DoH. Even if you
> > disguise the DNS lookup, the next packet you send will be directed to
> > the address you just looked up. Unless this happens to be a virtual
> > hosting service, it is quite clear to your ISP what you are doing. I
> > recommend this talk by Paul Vixie
>
> There is always potential for surveillance. You may think you're safe
> on a VPN, but if you didn't set up the endpoints yourself, on your own
> hardware, how can you trust some VPN provider 100%? You can't.
>
> I think the value of DoT is to stop DNS traffic hijacking and
> redirection. Even if you configure /etc/resolv.conf to point to some
> trusted DNS server, your ISP (or anyone else) can surreptitiously
> redirect it to their own DNS server for various purposes (tracking,
> filtering, serving ads, etc). Yes there are other ways to track people,
> but the less info you leak in plain text the better.

-- 
Joern Clausen
https://www.oe-files.de/photography/
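The point Sad Clouds makes about redirection is worth seeing on the wire. The following is an added example, not code from either poster: it builds a plaintext DNS query with the Python standard library, applies the only integrity check plaintext DNS has (transaction ID and question echo), and shows that a constructed "redirected" answer passes that check just as a genuine one does, because whoever sits on the path already saw the ID in the query. It then shows the RFC 7858 DNS-over-TLS framing and a connect helper that authenticates the resolver by certificate; that helper is defined but not called, so the block runs offline. All names and addresses are constructed sample values.

```python
"""Why plaintext DNS cannot detect on-path redirection, and how DoT (RFC 7858)
authenticates the resolver instead. Added example, stdlib only; sample data is
constructed. dot_query() needs a network and is deliberately not invoked here."""
import socket
import ssl
import struct


def encode_name(name: str) -> bytes:
    """DNS wire encoding: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Header (id, flags RD=1, qdcount=1) followed by one question (type, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int):
    """Decode a name at offset `off`, following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Parse header, the first question, and any A-record answers."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _rname, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "answers": answers}


def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed response to `query` with one A record. A genuine resolver and an
    on-path redirector produce exactly this shape; only the IP differs."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!H", 0xC00C) + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def response_matches_query(query: bytes, response: bytes) -> bool:
    """The whole of what a plaintext stub resolver can verify: QR bit set, same
    16-bit ID, same question. Anyone who observed the query satisfies all three."""
    q, r = parse_response(query), parse_response(response)
    return r["qr"] and q["id"] == r["id"] and q["qname"] == r["qname"] and q["qtype"] == r["qtype"]


def dot_frame(query: bytes) -> bytes:
    """RFC 7858 framing: each DNS message is prefixed with a 2-byte big-endian length."""
    return struct.pack("!H", len(query)) + query


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS stream closed early")
        buf += chunk
    return buf


def dot_query(query: bytes, server_ip: str, server_name: str, timeout: float = 5.0) -> bytes:
    """Send one query over TLS to port 853. create_default_context() verifies the chain
    and the hostname, so a connection silently redirected to another server fails the
    handshake instead of returning a substituted answer. Not invoked in this file."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(dot_frame(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)


def demo() -> dict:
    """Constructed scenario: the chosen resolver and a redirector answer the same query."""
    query = build_query(0x1234, "example.net")
    genuine = build_a_response(query, "192.0.2.10")       # constructed: the configured resolver
    redirected = build_a_response(query, "198.51.100.7")  # constructed: an on-path substitute
    return {"genuine_ok": response_matches_query(query, genuine),
            "redirected_ok": response_matches_query(query, redirected),
            "answers": (parse_response(genuine)["answers"], parse_response(redirected)["answers"])}


if __name__ == "__main__":
    print(demo())
```

Both constructed answers pass `response_matches_query`, which is the whole of the problem: with plain UDP/53 the client has nothing to bind the reply to the server it meant to ask. DoT closes that gap at the transport (the certificate names the resolver, so redirection to a different host breaks the handshake); DNSSEC closes it at the data (signed records validate regardless of which resolver relayed them). The two mechanisms are complementary, and neither hides the destination of the packets that follow the lookup, as Jörn notes.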
