> normal DNS queries are decentralized and with DNSSEC tamper resistant.

No. DNSSEC is a set of extensions designed to protect applications from using forged or manipulated DNS data. It does this by authentication of DNS responses. There's no encryption. There's no guarantee that a public or private DNS server that you connect to has implemented all the extensions or that they've been implemented correctly. This isn't unlike email server extensions.

DNS queries aren't decentralized. You set a DNS resolver and all your DNS queries go to that DNS resolver. That's centralized by definition.

> When you encapsulate all your queries and send them to a central server
> CloudFlare for example, you've just made your situation worse privacy wise.
> Whereas before only your ISP could see just the domain
> you're visiting if they cared to do an active man-in-the-middle attack
> on your connection, Cloudflare with its 80+% control over popular websites
> introduces a massive layer of centralization to the act of
> resolving names. Sending all your queries to them they can sell
> that userdata, get hacked and leak it all, or be coerced into disclosing it.

You seem to be conflating a service, Cloudflare, which is a Content Delivery Network that also provides a public DNS resolver, with a secure protocol, DNS over HTTPS, which provides end-to-end encryption of DNS query data. Not that I trust Cloudflare farther than I can throw it, they do claim that they don't sell user DNS data and they've also launched a service called Project Galileo that provides cyber security for web sites of journalists, artists and human rights groups.

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
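
The reply's point that DNSSEC authenticates responses but does not encrypt them, shown as an added example that is not part of the original post: the same plaintext DNS reply is parsed with the AD (Authenticated Data) flag set and cleared, and the queried name is readable from the raw bytes either way. The helper names `build_response` and `parse_response`, the name `example.org` and the packets themselves are constructed for illustration.

```python
import struct

# Header flag masks: RFC 1035, plus the AD/CD bits defined by DNSSEC (RFC 4035).
QR, AD, CD = 0x8000, 0x0020, 0x0010

def build_response(name, flags):
    """Constructed sample: wire-format reply to an A query, one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1A2B, flags, 1, 1, 0, 0)
    question = qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = (b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4)
              + bytes([192, 0, 2, 1]))           # 192.0.2.1, documentation range
    return header + question + answer

def parse_response(data):
    """Read what anyone holding the raw bytes can read: flags and the name."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount = struct.unpack("!3H", data[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            raise ValueError("truncated question name")
        length = data[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        label = data[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))
        pos += 1 + length
    return {
        "qname": ".".join(labels),        # recovered with no key: not encrypted
        "is_response": bool(flags & QR),
        "ad": bool(flags & AD),           # resolver's claim that it validated
        "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
    }

if __name__ == "__main__":
    for flags in (0x81A0, 0x8180):        # same reply with AD set, then cleared
        print(parse_response(build_response("example.org", flags)))
```

The AD bit is only the resolver's assertion carried in an unprotected header, so a client that does not validate signatures itself is trusting both the resolver and the path to it.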
