On Mon, 25 May 2020 10:17:56 +0200 Jörn Clausen <joe...@googlemail.com> wrote:
> Hi!
>
> I was not arguing for "no security at all". It's just this motivation
> for DoT/DoH (disguising the request from your ISP) that I don't get.
>
> I have only a cursory knowledge of these technologies, but I think
> DNSSEC is the far better approach against the type of forgery you
> mentioned. Why do you expect CloudFlare or any other DoH provider not
> to be corrupted? I have just as much trust in them as in the
> commercial VPN provider you mentioned, or my ISP for that matter:
> very very little. As a European user, I definitely don't want all my
> DNS traffic to be routed through a single US company by default. But
> YMMV...

They are different technologies that complement each other. You need both DNSSEC and DoT.

You're right, any service provider could be monitoring your activity, and I don't believe US vs Europe makes much difference here. I live in the UK and there has been a "Data Protection Act" in place well before the EU "General Data Protection Regulation". Just because something is legislated does not mean that everybody follows it to the letter.

With DNSSEC you validate the integrity of the data, so if somebody managed to poison the cache of some DNS server and insert a bogus entry, hopefully DNSSEC should be able to flag it. However, if someone redirects your DNS traffic (as some ISPs do) they could completely strip out any DNSSEC data and substitute whatever records they like. For example, when you type "site.nosuchtld" into your web browser, instead of an error you get a web page filled with ads or some other nonsense.

With DoT you nominate some trusted DNS server, and TLS certificate validation should flag if someone attempts to impersonate that server. It's up to you which server to trust: CloudFlare, Google or your own that you set up in some trusted data centre.
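As an added illustration (not part of the thread), here is how the two layers the reply describes fit together in Python: the query carries the DNSSEC DO bit, the message is framed for DoT as RFC 7858 specifies, the TLS context verifies the nominated resolver's certificate and name, and the AD bit in the answer is the resolver's report that validation succeeded. The resolver name and address passed to query_over_dot are whatever the reader nominates; the response headers at the end are constructed samples, not captured traffic.

```python
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """DNS query (RD set) with an EDNS0 OPT record carrying the DO bit, which asks
    the resolver to return DNSSEC records (RRSIG etc.) alongside the answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS IN
    # OPT RR: root owner, TYPE 41, UDP size 4096, ext-RCODE 0, EDNS 0, DO flag, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def frame_for_dot(msg: bytes) -> bytes:
    """RFC 7858: over the TLS stream each DNS message is prefixed by its
    length as a two-octet big-endian integer."""
    return struct.pack("!H", len(msg)) + msg

def response_flags(resp: bytes) -> dict:
    """Header bits a client cares about. AD means the resolver validated the answer
    with DNSSEC; that is only meaningful if the resolver itself was authenticated,
    which is what the TLS handshake in DoT provides."""
    txid, flags = struct.unpack("!HH", resp[:4])
    return {"txid": txid, "ad": bool(flags & 0x0020), "rcode": flags & 0x000F}

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the connection early")
        buf += chunk
    return buf

def query_over_dot(name: str, server_name: str, server_ip: str, timeout: float = 5.0) -> bytes:
    """One query to the nominated DoT resolver on TCP/853. The default SSL context
    checks the chain and that the certificate matches server_name, so a device
    impersonating that resolver fails the handshake instead of answering."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_dot(build_query(name)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)

# Constructed response headers (not live traffic) for the three cases discussed:
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # AD set by resolver
STRIPPED  = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # DNSSEC data removed
NXDOMAIN  = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)  # RCODE 3, genuine error
```

A resolver in the path that rewrites answers can clear AD and drop the OPT record as easily as it substitutes an A record, which is why the AD bit is only trusted once the channel to the chosen resolver is authenticated (or the client validates the DNSSEC chain itself).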