On Sun, 29 Dec 2019 06:55:09 -0800 "Mike C." <[email protected]> wrote:
> > > normal DNS queries are decentralized and with DNSSEC tamper
> > > resistant.
> >
> > No. DNSSEC is a set of extensions designed to protect applications
> > from using forged or manipulated DNS data. It does this by
> > authentication of DNS responses. There's no encryption.
> >
> > There's no guarantee that a public or private DNS server that you
> > connect to has implemented all the extensions or that they've been
> > implemented correctly. This isn't unlike email server extensions.
> >
> > DNS queries aren't decentralized. You set a DNS resolver and all your
> > DNS queries go to that DNS resolver. That's centralized by definition.
> >
> > > When you encapsulate all your queries and send them to a central
> > > server, CloudFlare for example, you've just made your situation worse
> > > privacy wise. Whereas before only your ISP could see just the
> > > domain you're visiting if they cared to do an active
> > > man-in-the-middle attack on your connection, CloudFlare with its
> > > 80+% control over popular websites introduces a massive layer of
> > > centralization to the act of resolving names. Sending all your
> > > queries to them, they can sell that user data, get hacked and leak it
> > > all, or be coerced into disclosing it.

I never said DNSSEC provides encryption, I said it provides tamper resistance. And like any security protocol, the security doesn't work unless you TURN IT ON.

And regarding DNS resolvers and centralization: there is nothing preventing you at all from running a recursive resolver. Especially with Unbound, it's both easy and can run on small embedded computers with ease. DNS queries are decentralized, and using a local ISP's servers is a hell of a lot more decentralized than using CloudFlare. And even then, there's nothing stopping you at all from running your own recursive resolver on your own computer. Even OpenBSD includes a stripped-down recursive resolver called Unwind for local recursive resolving.
And yes, I do stand by what I said: DNS over HTTPS offers no benefits to privacy and stability, in fact making them worse. Let's say you do end up using it, and you go out of your way to set up your own HTTPS resolver outside of your ISP's network (assuming your threat model is an ISP). To call that problem solved is to think with blinders on. You need to think about the system as a whole when it comes to security.

What comes over DNS is usually metadata. As in who you're connecting to but not what. When you make a DNS query you're usually not just doing it for the heck of it. You're doing it because you wish to connect to a site. So, you resolve the name of 'example.tld' over the encrypted connection. The attacker can't see that that was the server name that was requested. You then open up a TCP/443 connection to 'example.tld's webserver (or any other kind of server). As the attacker I can just look at who you're connecting to to get the same information. The problem is still there, you've just slightly changed the area at which the attacker needs to look.

So now that we have established why there is zero benefit over regular DNS, let me talk about some real solutions to this problem. Your attacker is your ISP snooping on your connections.

1. First and easiest solution is to just use the Tor Browser Bundle. You can get it from here: https://www.torproject.org/ Tor does not rely on DNS and all its connections are tunneled through onion routing. It is the easiest, most complete solution to this problem. It also helps you bypass censorship.

2. Find a VPN service that you trust more than your ISP. But remember that you're just moving the problem to another network, so make sure your VPN isn't going to snoop on you as well. Because that is where the trust point is. All your DNS and HTTP(S) traffic will go over the VPN and all your ISP will be able to see is that you are using a VPN and who that VPN provider is.

Now to talk about the reliability of the thing.
You're definitely not helping reliability by shoe-horning more functionality into the web. DNS is a purpose-built protocol built to do one thing and one thing only. Not only that, but you've got the complexity and latency of HTTP and TLS to stack up on top of that.

If you really care about your privacy, you should start with the software running on your own computer before you start worrying about things like DNS. Mozilla is NOT privacy respecting. That's just marketing and lies. They do not care about you or your privacy. You can confirm this yourself by opening up a fresh copy of Firefox on a computer and looking at how many unsolicited requests and "telemetry" it makes with a program like Wireshark. Compound this with continuous user-subversive development of "features" that get shoved into new releases, requiring a constant upkeep of mitigation procedures to resemble anything private. A good read on this can be found here https://digdeeper.neocities.org/ghost/mozilla.html and here https://spyware.neocities.org/articles/firefox.html . You may also want to take a look at all the patches that go into the Debian release of Firefox before it's deemed release worthy, and the whole debacle that led up to the creation of the IceWeasel branding. All the anti-features that need to be 'mitigated' in Firefox.

-- 
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
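The "look at who you're connecting to" argument above, as an added example that is not part of the original post or thread: a passive on-path observer's view of a connection after the DNS lookup itself has been hidden. The script constructs a minimal TLS ClientHello (sample bytes, not a capture) and shows what the observer still reads off the wire: the destination IP and port, and, going one step beyond the post, the server name in the ClientHello's SNI extension that ordinary TLS sends in the clear. Host names, addresses (RFC 5737 documentation ranges) and function names are illustrative.

```python
"""What a passive on-path observer (e.g. an ISP) still learns from a
connection after the DNS lookup itself has been hidden: the destination
IP:port and, for ordinary TLS, the server name in the ClientHello SNI.

Added example for this thread; all inputs below are constructed, not captured.
"""
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI entry.

    Only the fields the parser needs are populated; this is sample input.
    """
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name             # host_name(0) + len + name
    name_list = struct.pack("!H", len(entry)) + entry                  # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x11" * 32           # random (fixed bytes for the sample)
        + b"\x00"                # session_id: empty
        + b"\x00\x02\x13\x01"    # cipher_suites: one suite
        + b"\x01\x00"            # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record: bytes):
    """Return the host_name from a TLS ClientHello's SNI extension, or None.

    Returns None for non-TLS data, truncated records, or a hello without SNI.
    """
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:                           # truncated
        return None
    pos = 2 + 32                                      # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):                           # no extensions block
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        lpos = 2                                      # skip ServerNameList length
        while lpos + 3 <= len(edata):
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            lpos += 3
            if ntype == 0:                            # host_name
                return edata[lpos:lpos + nlen].decode("ascii", "replace")
            lpos += nlen
    return None


def observe_flow(dst_ip: str, dst_port: int, first_payload: bytes) -> dict:
    """The observer's view of one flow: the address is always visible; SNI only for TLS."""
    return {
        "dst": f"{dst_ip}:{dst_port}",
        "sni": extract_sni(first_payload) if dst_port == 443 else None,
    }


# Constructed sample flows (RFC 5737 documentation addresses, made-up names).
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, build_client_hello("example.tld")),
    ("198.51.100.7", 443, build_client_hello("www.example.org")),
    ("192.0.2.5", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
]

if __name__ == "__main__":
    for ip, port, payload in SAMPLE_FLOWS:
        print(observe_flow(ip, port, payload))
```

Run it and every 443 flow yields both the address and the name that the encrypted DNS lookup was meant to hide; the SSH flow yields only the address, which is the post's point that the destination is visible regardless of how the name was resolved.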
