undefined | Better HN

0 pointssegfaultbuserr6y ago0 comments

Due to the architecture of DNS, DNS is not end-to-end encrypted. There is a potential solution (djb's DNSCurve), but it will not be deployed. As a result, let's do an assessment.

Using Google DNS, self-hosted resolver, or your ISP's DNS: NSA, your ISP, everyone and every dog at the middle of your link to the Internet can track and see your requests.

Using CloudFlare's DNS w/ DNS-over-HTTPS: only NSA (via a NSL or subpoena), Cloudflare and CloudFlare's upstream can track and see your requests. And I guess 10%-20% of the domain names already use CloudFlare, so for some domain, it's end-to-end encrypted, nobody but NSA and CloudFlare can track you. Even better, Cloudflare is experimenting with peering to upstreams (e.g. Facebook) using private encrypted connections, so the point-to-point encryption ratio would be even higher in the future.

Therefore, using CloudFlare is a net positive.

But one also needs to consider its second-order effect: is giving CloudFlare more leverage over the Internet infrastructure in the long run an acceptable choice over unencrypted DNS? I guess everyone has a different opinion.

0 comments

yegle6y ago

Wait a minute... First Google DNS provide both DNS-over-HTTPS and DNS-over-TLS, second Pihole (or should I say dnsmasq, or FTL the name of their dnsmasq fork) does not support forwarding DNS query request to upstream using neither DNS-over-HTTPS and DNS-over-TLS.

In any case, if you really want a full solution, build your own https://github.com/yegle/your-dns

josteink6y ago

> Using ... your ISP's DNS: NSA, your ISP, everyone and every dog at the middle of your link to the Internet can track and see your requests.

Technically speaking the NSA wouldn’t be seeing your DNS requests, they would be seeing your ISP’s, for all its users anonymised.

If you use Cloudflare or Google DNS directly from home (or your own resolver), then yes, the NSA and anyone else can track your individual DNS requests directly.

In that regard using your own ISP’s DNS is clearly superior.

yegle6y ago

*if you are using plaintext DNS query. Both Google DNS and Cloudflare DNS support encrypted DNS query over TLS and HTTPS.

KirinDave6y ago

What threat model does concealing DNS but not indirecting traffic via Tor address, given that Tor can also tunnel DNS? Cloudflare's not wrong that the DNS requests are hidden, but many classes of observer who could read your DNS request could also see you connect to the resting host?

Follow up question, do you trust CloudFlare not to manipulate the results of DNS more or less than Google?

woofcat6y ago

Cloudflare has also rolled out ESNI (https://www.cloudflare.com/ssl/encrypted-sni/) which would mean someone reading your traffic would only be able to tell that you're connecting to a cloudflare IP address.

However be unable to determine which specific site you were accessing.

KirinDave6y ago

What does that accomplish?

As opposed to Tor use, specifically?

woofcat6y ago

Well it to me has a few use cases that are reasonable.

a) Used where Tor is unacceptable, such as some university networks, and workplaces where using anonymization such as Tor/VPN is prohibited by policy.

b) When using Tor protecting yourself from the Tor endpoint collecting information / statistics on what you are visiting.

1 more reply

calimac6y ago

Cloudflare scaled up massively so quickly when they started offering cdns a decade ago.

I judged the company in a negative light when their ceo or cfo wrote an open letter rationalizing their ban silencing some obnoxious website over political belief virtue signaling.

A company that crushes free speech cannot be trusted.

I don’t even remember what the obnoxious or offensive website was but I know that offensive speech is protected speech.

Autocratic technocracy centralized into a few digital monopolies wrap our wrists into digital slave chains labeled “free”.

mperham6y ago

The first amendment applies to government censorship only.

Cloudflare is not the government. A business can choose not to service someone based on almost any criteria, that's not "crushing free speech". You can then choose not to patronize the business based on that policy. This is an important part of a free market.

j / k navigate · click thread line to collapse

0 comments

yegle6y ago

In any case, if you really want a full solution, build your own https://github.com/yegle/your-dns

josteink6y ago

> Using ... your ISP's DNS: NSA, your ISP, everyone and every dog at the middle of your link to the Internet can track and see your requests.

Technically speaking the NSA wouldn’t be seeing your DNS requests, they would be seeing your ISP’s, for all its users anonymised.

If you use Cloudflare or Google DNS directly from home (or your own resolver), then yes, the NSA and anyone else can track your individual DNS requests directly.

In that regard using your own ISP’s DNS is clearly superior.

yegle6y ago

*if you are using plaintext DNS query. Both Google DNS and Cloudflare DNS support encrypted DNS query over TLS and HTTPS.

KirinDave6y ago

Follow up question, do you trust CloudFlare not to manipulate the results of DNS more or less than Google?

woofcat6y ago

However be unable to determine which specific site you were accessing.

KirinDave6y ago

What does that accomplish?

As opposed to Tor use, specifically?

woofcat6y ago

Well it to me has a few use cases that are reasonable.

a) Used where Tor is unacceptable, such as some university networks, and workplaces where using anonymization such as Tor/VPN is prohibited by policy.

b) When using Tor protecting yourself from the Tor endpoint collecting information / statistics on what you are visiting.

1 more reply

calimac6y ago

Cloudflare scaled up massively so quickly when they started offering cdns a decade ago.

I judged the company in a negative light when their ceo or cfo wrote an open letter rationalizing their ban silencing some obnoxious website over political belief virtue signaling.

A company that crushes free speech cannot be trusted.

I don’t even remember what the obnoxious or offensive website was but I know that offensive speech is protected speech.

Autocratic technocracy centralized into a few digital monopolies wrap our wrists into digital slave chains labeled “free”.

mperham6y ago

The first amendment applies to government censorship only.

j / k navigate · click thread line to collapse