undefined | Better HN

0 pointsphicoh7y ago0 comments

I don't like software defaulting to sending all DNS queries to a large cloud provider. That strikes me as bad for privacy.

But I don't understand the network argument. If you are perfectly fine with TLS traffic then insisting on seeing DNS traffic sounds weird to me.

At the same time, if you force TLS traffic to go through a proxy then that will immediately restore visibility of DNS as well.

I guess network operators still have to come to terms with the idea that in the future all traffic will be encrypted.

Yes, it is annoying if you can't see anything in wireshark. But plain text is just a thing of the past.

0 comments

vetinari7y ago

The GP isn't arguing against TLS; he is arguing against random apps ignoring network-wide settings. When such app breaks, he cannot diagnose the problem, he has to diagnose first that the problem is caused by an app that ignores a setting it shouldn't ignore.

phicohOP7y ago

It is always the case that an app can break due to something in the app itself. An app may for example link with a different TLS implementation that breaks. Or an app may use the local DNS resolvers but do DNSSEC local validation.

With QUIC (HTTP3) a large part of the network stack will be part of the application. So you lose that visibility as well.

j / k navigate · click thread line to collapse

0 comments

vetinari7y ago

phicohOP7y ago

With QUIC (HTTP3) a large part of the network stack will be part of the application. So you lose that visibility as well.

j / k navigate · click thread line to collapse