Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses

2023-11-01 Thread Delong.com via NANOG



> On Nov 1, 2023, at 13:28, Michael Thomas  wrote:
> 
> 
> On 10/28/23 3:13 AM, John Levine wrote:
>> It appears that Michael Thomas  said:
>>>> If you're one of the small minority of retail users that knows enough
>>>> about the technology to pick your own resolver, go ahead.  But it's
>>>> a reasonable default to keep malware out of Grandma's iPad.
>>> How does this line up with DoH? Aren't they using hardwired resolver
>>> addresses? I would hope they are not doing anything heroic.
>> Generally, no.  I believe that Chrome probes whatever resolver is configured
>> into the system and uses that if it does DoH or DoT.
>> 
>> At one point Firefox was going to send everything to their favorite
>> DoH resolver but they got a great deal of pushback from people who
>> pointed out that they had policies on their networks and they'd have
>> to ban Firefox.  Firefox responded with a lame hack
>> where you can tell your cache to respond to some name and if so
>> Firefox will use your resolver.
> 
> That's probably what I'm remembering with Firefox. But doesn't probing the 
> local resolver sort of defeat the point of DoH? That is, I really don't want 
> my ISP to be able to snoop on my DNS history. Sending it off to one of the 
> well known resolvers at least gives me a chance to know whether they are evil 
> or not because there aren't very many of them vs every random ISP out there. 
> Since nobody but people like us know about those resolvers it seems to me 
> that without preconfiguration meaningful DoH is pretty limited?

The point of DoH is to move the ability to monetize your DNS history away from 
the public resolver world and into the hands of the content providers and other 
DoH providers.

I’m not sure I see that as an improvement, but I guess it depends on who you 
want to donate to.

Personally, I run my own resolvers and that doesn’t leak any data that wouldn’t 
have to be leaked anyway (after all, the DoH resolvers have to query the 
upstream authoritative servers on my behalf anyway, and with EDNS0, they’re 
likely passing along enough to deanonymize those queries, at least in my case).

YMMV

Owen



Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses

2023-11-01 Thread Michael Thomas



> On 10/28/23 3:13 AM, John Levine wrote:
> It appears that Michael Thomas  said:
>>> If you're one of the small minority of retail users that knows enough
>>> about the technology to pick your own resolver, go ahead.  But it's
>>> a reasonable default to keep malware out of Grandma's iPad.
>> How does this line up with DoH? Aren't they using hardwired resolver
>> addresses? I would hope they are not doing anything heroic.
> Generally, no.  I believe that Chrome probes whatever resolver is configured
> into the system and uses that if it does DoH or DoT.
> 
> At one point Firefox was going to send everything to their favorite
> DoH resolver but they got a great deal of pushback from people who
> pointed out that they had policies on their networks and they'd have
> to ban Firefox.  Firefox responded with a lame hack
> where you can tell your cache to respond to some name and if so
> Firefox will use your resolver.


That's probably what I'm remembering with Firefox. But doesn't probing 
the local resolver sort of defeat the point of DoH? That is, I really 
don't want my ISP to be able to snoop on my DNS history. Sending it off 
to one of the well known resolvers at least gives me a chance to know 
whether they are evil or not because there aren't very many of them vs 
every random ISP out there. Since nobody but people like us know about 
those resolvers it seems to me that without preconfiguration meaningful 
DoH is pretty limited?


Or maybe I just don't understand what problem they were trying to solve?

Mike



Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John Levine
It appears that Michael Thomas  said:
>> If you're one of the small minority of retail users that knows enough
>> about the technology to pick your own resolver, go ahead.  But it's
>> a reasonable default to keep malware out of Grandma's iPad.
>
>How does this line up with DoH? Aren't they using hardwired resolver 
>addresses? I would hope they are not doing anything heroic.

Generally, no.  I believe that Chrome probes whatever resolver is configured
into the system and uses that if it does DoH or DoT.

At one point Firefox was going to send everything to their favorite
DoH resolver but they got a great deal of pushback from people who
pointed out that they had policies on their networks and they'd have
to ban Firefox.  Firefox responded with a lame hack
where you can tell your cache to respond to some name and if so
Firefox will use your resolver.

R's,
John
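Two mechanisms in this thread are easy to check for yourself: the Firefox canary name John describes ("tell your cache to respond to some name"), and the EDNS0 data Owen says resolvers forward upstream. The script below is an added example, not code from any poster or from Mozilla. It assumes the canary name is Firefox's published `use-application-dns.net` (the post does not name it), that the EDNS0 data Owen refers to is the EDNS Client Subnet option (RFC 7871, option code 8), and that Firefox's rule is "NXDOMAIN, or NOERROR with no A/AAAA records, turns DoH off". The resolver replies it parses are constructed in-line with documentation addresses (192.0.2.x, 203.0.113.x); `probe_resolver()` is the only function that touches the network and is provided for live use against a resolver you operate.

```python
import socket
import struct

# Firefox's published canary name; the thread only says "some name" (assumption).
CANARY_DOMAIN = "use-application-dns.net"
TYPE_A, TYPE_AAAA, TYPE_OPT = 1, 28, 41
ECS_OPTION_CODE = 8        # EDNS Client Subnet, RFC 7871 (assumed to be the EDNS0 data meant)
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Dotted name -> DNS label wire format."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Plain recursive query (RD set) for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, rcode, answer_ips=(), ecs=None, txid=0x1234):
    """Constructed resolver reply: optional A answers and an OPT RR carrying ECS."""
    flags = 0x8180 | rcode                     # QR + RD + RA, plus the response code
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answer_ips), 0, 1 if ecs else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for ip in answer_ips:                      # 0xC00C = pointer to the question name
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(ip)
    if ecs:
        family, prefix, ip = ecs               # address truncated to the announced prefix
        addr = socket.inet_aton(ip)[: (prefix + 7) // 8]
        opt = struct.pack("!HBB", family, prefix, 0) + addr
        rdata = struct.pack("!HH", ECS_OPTION_CODE, len(opt)) + opt
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Minimal DNS message parser: rcode, questions and all resource records."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        records.append((name, rtype, msg[off:off + rdlen])); off += rdlen
    return {"rcode": flags & 0xF, "questions": questions, "records": records}


def canary_disables_doh(parsed):
    """Assumed Firefox rule: NXDOMAIN, or no A/AAAA records, means 'use the local resolver'."""
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return True
    return not any(rtype in (TYPE_A, TYPE_AAAA) for _, rtype, _ in parsed["records"])


def client_subnet(parsed):
    """Return (family, prefix_len, address) from an ECS option in the OPT RR, else None."""
    for _, rtype, rdata in parsed["records"]:
        if rtype != TYPE_OPT:
            continue
        off = 0
        while off + 4 <= len(rdata):
            code, length = struct.unpack("!HH", rdata[off:off + 4]); off += 4
            data = rdata[off:off + length]; off += length
            if code == ECS_OPTION_CODE:
                family, prefix, _ = struct.unpack("!HBB", data[:4])
                raw = data[4:]
                if family == 1:
                    return family, prefix, socket.inet_ntoa(raw.ljust(4, b"\x00"))
                return family, prefix, socket.inet_ntop(socket.AF_INET6, raw.ljust(16, b"\x00"))
    return None


def probe_resolver(resolver_ip, name=CANARY_DOMAIN, timeout=2.0):
    """Live check against a resolver you run: what does it say about the canary name?"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    # Constructed replies: a filtering resolver answering NXDOMAIN, and an honest one
    # that also reveals which client subnet it forwarded upstream.
    blocked = parse_response(build_response(CANARY_DOMAIN, RCODE_NXDOMAIN))
    honest = parse_response(build_response(CANARY_DOMAIN, 0, ["192.0.2.1"],
                                           ecs=(1, 24, "203.0.113.77")))
    print("NXDOMAIN reply keeps Firefox on local DNS:", canary_disables_doh(blocked))
    print("Honest reply keeps Firefox on local DNS:  ", canary_disables_doh(honest))
    print("Client subnet exposed via ECS:", client_subnet(honest))
```

The ECS check is the defender's side of Owen's point: if a resolver you do not control forwards a /24 of your address in its upstream queries, the authoritative servers learn roughly where the query came from regardless of whether the client-to-resolver hop was encrypted, which is why running your own resolver (or one that strips or shortens ECS) changes what leaks, while DoH alone does not.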