We do care about privacy and security, neither of which can be done with a shortcut or handholding. That's where you get in to dangerous territory of having someone else do it for you and giving control of your security and privacy to other parties. That is never a good thing.
The point still stands, you may have an encrypted response for your DNS to IP but visiting that IP over a bare, unencrypted connection just exposed all the information that you had hidden.
Dont you visit the IP over a https?
So DoH or DoT aren't better that nothing in any way considering security or privacy?
What about a DNS resolver? so you don't relay in an intermediate DNS server like cloudflare?
They aren't our direct competitor.
IP over https doesn't do anything to hide where you are going, which is what DNS is. It tells you where to go. TLS just protects the payload from that IP. Your ISP knows that you went to Amazon, but they don't know what you bought.
I know some people that have moved to adguard home.
But you are right this https://www.nextdns.io/ will probably end up eating most of your users, and it supports DoH.
I don't think so. nextdns is just an external service like Quad9, Cloudflare or Google. For me there is no difference between them, and also no advantage to use them.
Regarding privacy and performance for me the best solution is Pi-hole + local Unbound.
1 Like
There are quite a few features and advantages that nextdns.io has and pihole doesn't.
People is quite excited with it in social media let's see how it evolves, is something that fits to any user since it doesn't require hardware or any expertise like pihole.
I agree with you that the best would be to call directly the root servers with unbound but again is another feature that pihole doesn't support out of the box
How do they solve the privacy issue? Do you VPN all your traffic through them, or do they just obfuscate the DNS transaction and still leave you completely trackable and identifiable through your ISP and every server that handles your packets from your local workstation to the end server? (Hint, run a traceroute to the server your visiting sometime and look at every single router that knows where you're going...)
Edit: And all the other "competitors" you've mentioned do nothing for privacy, they get all the data you're trying to hide. And they require you to pay them for the experience. So shill them all you want, I'm not worried.
Which of the root servers support encrypted DNS queries?
You have to connect to the IP before the encryption begins. So, after the browser has the IP address for the domain it seeks, it requests that IP address in clear text from the ISP. After a connection is made to that IP, then the TLS handshake process begins and the encrypted connection is created.
DoH and DoT do nothing to increase your privacy (your ISP can see your IP requests, and a third party DNS service has your entire DNS history), but they do have the benefit of security, in that the DNS travels in an encrypted tunnel with protection from third parties modifying it. But, if you use DNSSEC you get security benefits.
Now DoH is standardized RFC8484. Major browsers firefox and chromium (chrome, opera, edge, brave, etc.) will add DoH with the next version (ETA end of October).
A browser/application requests a DNS lookup from Pi-Hole, if it is on the block list it does not do anything with the request, if it is not on the blocklist, it forwards the request or responds from the cache. When it forwards the request Pi-Hole could forward that request, outside of your LAN, via DoH. I do exactly this by running the cloudflard daemon on the Pi-Hole machine so Pi-Hole forwards to that DNS service which forwards it over DoH.
The feature request is for the use of a DoH DNS service to be a builtin option within Pi-Hole.
If the Browser concerned is set to do DNS lookup over DoH (this is usually using a specific service), the the Pi-Hole will be bypassed. Effectively the application is deciding what DNS server to use and is not getting that info from the Network.
IP over https doesn’t do anything to hide where you are going, which is what DNS is. It tells you where to go. TLS just protects the payload from that IP. Your ISP knows that you went to Amazon, but they don’t know what you bought.
I understand the point you are making, but think that might be a little bit of an oversimplification. If you need true anonymity, only a VPN will help, and that is still only if you are careful. However, in the modern web where everything is behind a CDN, its not true that your ISP has a one-to-one map of your web history. SNI is a major data leak, but once ESNI becomes a normal thing then a lot of browser traffic will simply look like connections to these major CDN providers. Between Cloudflare, Imperva, CloudFront, Google Cloud CDN, and Azure CDN - a huge percentage of websites and services will be indiscernible between each other. And as far as ESNI becoming a thing - since so many services are behind these CDNs, its simply a matter of the CDNs enabling support for it (and broswers) - and not each individual website/service. Anyways, I understand the point you are making about the endpoint IP always being known to the ISP (unless you are on a VPN - in which its the VPN that always knows) - but just knowing the endpoint IP Address is not really enough anymore for a large portion of the internet. At least any server thats concerned about DDOS attacks and isn't large enough to mitigate them using their own resources.
Just bumping this since I miss the DOT option in pihole. Now I am proxying trough nginx which means I cannot see the ip address that I am receiving. (NGINX with DNS over TLS = only localhost - #17 by nivong)
See
This is something I need to face since having one of those Android devices with hard coded Google DNS (when the local DNS server - pi-hole - does not provide DNS-over-TLS than always 8.8.8.8 is used).
Details:
While I try other options to fix this (and use pi-hole and resolve local names in my network) on that device one option would be to have Pi-Hole supporting DNS-over-TLS.
For sure not many users affected, but those who care and rely on Pi-Hole... won‘t be happy seeing there‘s no real progress on this unfortunately. To be honest the root source for my problem is an external decision of a device or OS manufacturer so I don‘t blame Pi-hole in any way - would have just been nice to see it‘s implemented and „just“ needs to be enabled. If it would be that easy.
My recommendation is to support "DNS X-Proxied-For" -> quick win: DoH, DOT, DNSCrypt, Loadbalancing, dns rulesets with dnsdist.
The effort for "DNS X-Proxied-For" should be much less than implementing all crypto topics yourself, dnsdist is also already tested.