Chrome 83 ships with DoH enabled

Hosting a recursive resolver on the Pi is very bad for privacy. All your DNS queries will be sent unencrypted across the internet, helpfully stamped with your WAN IP address.

Okay, at this point I have to question your knowledge of the entire concept.

And the recipient of those queries is who? The nameservers, and they could care less about your browsing. The TLD gets a request for the .com server, the .com server gets the next request, etc. Only the final level nameserver gets the complete request for the domain you seek, and very shortly after the request you will be browsing to the site and the site will see your browser, OS, IP, etc.

With encrypted DNS, the upstream server also has your WAN IP, along with every complete DNS query you ever make.

I'd rather operate my own nameserver over which I have complete control, rather than trust an upstream provider with the entire history, with which they are free to do as they choose.

@DanSchaper why? Are you disputing a recursive resolver sends unencrypted queries?

What is the danger of unencrypted queries to authoritative nameservers?

The DNS queries traverse third party routers to get there.

Why is this a problem? Almost all your traffic on the internet makes a few hops to get to the endpoint.

If it's not a problem, then why do we encrypt HTTPS?

To verify data wasn't modified in transit.

@DanSchaper and to protect the data from prying eyes.

@triatic Wrong.

TLS ensures that the site that you have connected to is in fact that site, and not another site purporting to be that site. The data is not altered in transit.

DNSSEC ensures that the replies from the nameservers are unaltered, and none of the DNS information is sensitive as far as I can tell.

@jfb apparently @DanSchaper is disputing the traffic is hidden. 🤷

I'm not but when you're on the losing end of the argument you go for making shit up.

@DanSchaper Oof you get salty when you're wrong.

I'm always salty, and I'm not wrong.

From whom are you hiding your DNS traffic, and why? You still have to trust the upstream DNS server, to whom you have handily provided your entire DNS history? That's OK?

Why is DNS traffic sensitive? Because it announces all the websites you visit to any router which cares to sniff your traffic. You are disputing the need for DoT for some reason.
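Added example, not part of this thread and not code from Pi-hole or either poster: it builds a plaintext DNS query in RFC 1035 wire format, recovers the queried name from the raw bytes the way any router on the path could (the point made just above), and models which nameserver sees which name during the recursive chain described earlier in the thread. The chain model assumes a resolver that does QNAME minimisation (RFC 7816) and that every label boundary is a zone cut; a resolver without minimisation sends the full name to every server it asks. The query name and transaction id are constructed sample values.

```python
"""
Plaintext DNS on the wire, and who learns what during a recursive lookup.
Constructed example: names, transaction id and the zone-cut assumption are
illustrative, not taken from any real deployment.
"""
import struct
from typing import List, Tuple


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (RFC 1035 wire format), class IN, RD set."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes) -> str:
    """Recover the queried name from a raw DNS message.

    No key or secret is needed: the question section of a plain UDP/TCP
    query is cleartext, so any hop between client and server can read it.
    """
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers never appear in a query's question section.
            raise ValueError("unexpected compression pointer in question")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def minimized_lookup(qname: str) -> List[Tuple[str, str]]:
    """Model the recursive chain with QNAME minimisation (RFC 7816).

    Returns (zone asked, name it is asked about) per step. Assumption made
    for this example: one query per label and a zone cut at every label, so
    the root sees only the TLD, the TLD sees only the second-level name, and
    only the final authoritative server sees the full name.
    """
    labels = qname.rstrip(".").split(".")
    steps = []
    for i in range(len(labels)):
        zone = ".".join(labels[len(labels) - i:]) or "."  # server being asked
        sent = ".".join(labels[len(labels) - i - 1:])     # name it is asked for
        steps.append((zone, sent))
    return steps


if __name__ == "__main__":
    pkt = build_query("www.example.com")
    print("wire bytes:", pkt.hex())
    print("on-path observer reads:", parse_qname(pkt))
    for zone, name in minimized_lookup("www.example.com"):
        print(f"  {zone!r:16} is asked about {name!r}")
```

Running it prints the raw query bytes, the name an observer extracts from them, and three steps in which only the last server learns the full name; with a forwarder (plain, DoT or DoH) that last line would instead be the upstream resolver, which sees every full name together with your WAN address.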

And how confident are you that the upstream DNS server is in fact returning the real IPs, not IPs of their choosing?

Not disputing DoT at all, disputing DoH is worth anything more than said monkeyshit.