Chrome 83 ships out with enabled DoH

@DanSchaper I was talking to @jfb .

Good, so you're done with me then? I'm done with you.

Yes, I am. In my opinion, DoT is false privacy. You put a bit of your traffic in an encrypted tunnel, but it goes to the same upstream DNS server that is the problem all along.

I would much rather run my own resolver, have complete control of the results (unfiltered, unaltered, unchanged and authenticated). In addition, no upstream DNS server has my DNS history. Instead of having to trust my ISP and an upstream DNS server, I only need to trust the ISP, as there is no longer an upstream server involved.

@jfb the accuracy of the responses of the DNS server you are querying is a separate issue to whether you are communicating with that server securely.

Why is that? You have to trust what they send you, don't you? If you don't use them in the first place (i.e. run your own resolver), you solve that problem along with removing their access to your history.

Communications between unbound and the nameservers are equally secure as any communications between you and an encrypted DNS server. That is the purpose of DNSSEC.

You may not be concerned about your DNS queries being sniffed by third-party routers, but I'm sure many are.

That is somewhere down my list of things I worry about, along with getting struck by lightning or drowning in a tsunami (and I live 1200 miles from the closest ocean).

Communications between unbound and the nameservers are equally secure as any communications between you and an encrypted DNS server. That is the purpose of DNSSEC.

DNSSEC does not encrypt anything. It's for validating the accuracy of replies, not encrypting them. I seem to have a different bar for "security" than you do.

When you visited this website, you hid the DNS query for the domain name. But, isn't the IP you visited visible to all those third parties that can't see the DNS query? Does that meet your bar for security?

You're OK with pre-packaging all your DNS history for the upstream DNS provider. That meets the bar for security as well?

The difference is:

  1. You are using a normal DNS server somewhere on the Internet

    • Encrypted: No
    • Your traffic can be intercepted on the wire: Yes
    • The upstream DNS provider (e.g. Google) can record which pages you are visiting: Yes
  2. You are using a DoT/DoH DNS server somewhere on the Internet
    The exact realization is not of primary interest here

    • Encrypted: Yes
    • Your traffic can be intercepted on the wire: No
    • The upstream DNS provider (e.g. Google) can record which pages you are visiting: Yes
  3. You are running a local instance of a recursive resolver like Unbound

    • Encrypted: No
    • Your traffic can be intercepted on the wire: Yes
    • The upstream DNS provider (e.g. Google) can record which pages you are visiting: No

Option 3 looks the best for me.

If you are concerned about someone capturing the pages you visit on the wire, then DoT/DoH don't really help as the listener can simply switch from listening to DNS requests to doing packet-inspection. No question for plain web requests, however, even HTTPS/TLS is not secure against this because of

Server Name Indication ( SNI ) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS.
The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. [source]

Hence, even DoT and DoH still allow the eavesdropper and Google (etc.) to get your entire browsing behavior. With Unbound, you, at least, eliminate one of them from getting your data.


Multiple websites can share one IP address. Once ESNI is adopted it will certainly make it harder for third parties to identify the websites visited.

I can choose the upstream provider or indeed be my own upstream provider. None of the outgoing queries from the upstream provider carry my IP address (unlike your local resolver).

Every visit you make to a website provides your IP address, along with much more information. I assume all your browsing is done via VPN.

One IP address can host multiple websites.


The website gets your IP address. Along with your browser agent, OS, geo-location, etc.

Sure, the website does. I'm talking about the routers in between.

Who is interested in looking at your DNS traffic (and why)?

Well, yes, but they did not even decide which name this standard should have. In March, ESNI was renamed to ECHO (Encrypted Client Hello). Three days ago they renamed it to ECH. It will surely take some time.

When hosting your own resolver somewhere on the Internet, the lookups will have this IP address on them. I see no real gain in privacy here except for when you are running on a virtual server where the IP is shared among a lot of users. Your particular setup will depend on your personal level of paranoia. There is nothing wrong with this.

Still, a recursive resolver you're using will, at the very least, conceal your browsing habits from the big players like Google, Cloudflare, etc.

Is this really a dangerous point for you? Even intelligence will not be able to parse everything at this point given the sheer amount of data. It will be much more convenient for them to get the data prepared and formatted from Google, etc.

Are you really asking me who cares about harvesting user data?

I am really asking who is interested in your DNS data. You've already noted that you aren't concerned about information gathered by websites you visit (probably a few hundred, if not thousands of websites you visit). And apparently giving an upstream DNS provider your DNS history is not a problem.

What party would be snooping for your DNS traffic in the hopes of harvesting a trove of priceless data?