OK, but there are more important reasons. Walled-garden directories are a symptom, not a cause. For that matter, SNI and path-based load balancers are examples of the application-level address resolution overlay already in practice. Those techniques merely implement, not drive, balkanization.
Basically, application-layer DNS doesn’t pass the “but for” test. As in, it is not correct to say “but for application-layer DNS, Facebook/WeChat/Google couldn’t build walled gardens. With it they can.”
Not just CDNs: ISPs can certainly operate their own DoH servers on their existing DNS infrastructure. If they want to continue selling their users' browsing data to marketing firms, that is what they will have to do.
This also moves trust to the browser and OS TLS certificate stores, which may be problematic depending on your opinion of whether or not you can trust every single one of the governments and organizations behind the hundreds of root CAs.
I am using DNSCryptProxy on a Pi and it fully supports DoH + eSNI even without cloudflare. Works perfectly with Firefox.
The service picks from 65 DoH servers based on the fastest ping time.
That was/is a lot better than before, when in reality my only choice was my ISP's DNS. In fact, I just learned that for the last few years my ISP was hijacking all DNS requests anyway.
I agree that due to social issues the problems are fairly real (ISPs ain't gonna do shit). But on a purely technical level DoH should be fine.
It is not merely encrypting the information. Hand-in-hand comes running the resolvers (which, as you noted, everyone can) and having all the DNS-using software use them.
Which is a much bigger problem, the one that causes the centralization. Applications are coming today hard-coded for a specific resolver. Configuring it is application-specific and not automatable, and certainly not automatable in a generic manner for all applications. I.e., as a network operator you cannot say that everyone should be using this or that resolver, as you can with the plain old 53/udp DNS and DHCP.
Users are not going to reconfigure each and every application every time they change their network. They will leave it at the default value. The net effect is that the centralization will just happen.
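As an added example (not code from anyone in this thread), the contrast the comment above draws, in code: the resolver list an OS takes from DHCP and writes to /etc/resolv.conf, which every application using the system resolver inherits, versus the DoH endpoint an application carries as a URI template in its own settings, which nothing on the network can change. All sample data is constructed: the resolv.conf text and the doh.example template are made up. The wire-format query and the base64url GET form follow RFC 8484, and the output for www.example.com matches the worked request in section 4.1.1 of that RFC.

```python
"""Added example: where a resolver address comes from under plain DNS
versus DoH. Sample inputs below are constructed, not captured."""
import base64
import struct


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text.

    This file is normally written by the DHCP client, so the network
    operator controls it and every stub-resolver user picks it up.
    """
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def build_dns_query(qname, qtype=1, msg_id=0):
    """Encode a minimal RFC 1035 query for qname (qtype 1 = A).

    RFC 8484 recommends message ID 0 for DoH so identical queries
    produce identical requests that HTTP caches can reuse.
    """
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root, QTYPE, IN
    return header + question


def build_doh_get_url(template, qname, qtype=1):
    """Return the GET URL for a DoH query against a URI template.

    RFC 8484: the DNS message is base64url-encoded without padding and
    passed as the 'dns' variable of the template. The template itself
    is application configuration; DHCP has no field for it.
    """
    if "{?dns}" not in template:
        raise ValueError("template has no {?dns} variable")
    wire = build_dns_query(qname, qtype)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return template.replace("{?dns}", "?dns=" + b64)


def decode_doh_dns_param(value):
    """Resolver side: restore the padding and recover the wire message."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


# Constructed resolv.conf as a DHCP client might have written it.
SAMPLE_RESOLV_CONF = """\
# Generated by the network manager from the DHCP lease
search corp.example
nameserver 192.0.2.53
nameserver 192.0.2.54
"""

# Constructed DoH template as stored in one application's settings.
SAMPLE_DOH_TEMPLATE = "https://doh.example/dns-query{?dns}"


if __name__ == "__main__":
    print("system resolvers (from DHCP):", parse_resolv_conf(SAMPLE_RESOLV_CONF))
    print("application DoH request:",
          build_doh_get_url(SAMPLE_DOH_TEMPLATE, "www.example.com"))
```

Changing the first list is a DHCP option edit on the router; changing the second means finding the setting in each application that ships its own template, which is the point the comment makes.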
[1] CDNs are a lesser evil than ISPs but I still wouldn’t want to need to trust them to protect my privacy.
This keeps being repeated, and I simply do not understand it. Could you elaborate how you arrive at this conclusion that CDN > ISP?
My take:
An unsavory ISP is the only thing I can "vote against" as an end user. I can boycott it by switching elsewhere, I can pick from a ton of mobile providers, I can use a VPN to "subcontract" my connectivity experience to an order of magnitude more providers, or if I am really so inclined I can shuffle all of that by the likes of Tor.
There is NOTHING I can do as an individual to avoid a CDN, aside from never visiting content backed by that CDN.
And I think from the context of the parent, you can choose your CDN('s resolver) -- my version of Firefox (77 on macOS) has NextDNS among the default DoH providers.
I believe the authors of the DoH idea were doing it with good intentions, but the road to hell is paved with good intentions.
What we are doing with DoH is actually breaking decentralised internet infrastructure into centralized (or let's say, less centralized... for now) infrastructure, and this was never a good thing (history-wise).
To test why this is bad, you can try blocking Google's and Amazon's ASNs and surfing around the web. You will notice that the internet is quite different (a hint: yandex.ru was the only search engine I found that still works).
For instance selling the information about user accessing some domain would be a big no-no in my country.
They are obliged by law to protect customers' information unless ordered by a court.
With DoH all bets are off. Surely it will give some privacy to users where ISPs are sticking their noses into customers' data (like in the USA); they won't be able to do it anymore. But for me, I trust our ISPs (or laws), while I surely don't trust Google or Cloudflare.
We will just hand internet resolving to multinational corporations; what could go wrong, right? (Just quick ideas: for $10/day we offer redirection from yourdomain.com to sellingcrap.com, or we resolve .ourinternaldomain only over DoH and don't resolve it to external IPs, to force you to use our DoH, ...)
Do you think your ISP has better controls and a security team than some of the big CDNs and cloud providers to detect and prevent this?
The reason I bring it up is because I know a number of ISPs whose sysadmins were on the take and selling bulk regular dumps of DNS resolver data under the table to other parties for years.
At the same time it could actually hurt the privacy of people already protected by law in developed countries.
As an aside, anyone else notice how it seems like all blockchain projects are annoyingly full of marketing speak, and talk in circles for the tech part. How hard is it to clearly and concisely list the technical goals and properties your solution has?
With Handshake, certs can be pinned directly on the blockchain, which becomes more secure as more nodes join the network and across time as more blocks get mined on top of the pinned cert. This shifts the system from diminishing security to accumulating security. That’s the main innovation behind Handshake.
There are other differences in the issuance model as well. Namecoin’s issuance destined it for failure from day one since names are registered for a flat fee without restriction. This meant that squatters and early adopters could lock up the namespace without paying the true market price of the name. Handshake uses an auction system for name registration and releases the namespace over time (the release date is determined by hashing the name % 52), which means that names are registered for their true market price and newcomers can still register good names. This difference is critical and already playing out successfully — the highest auction was for 200k HNS, which is equivalent to $20k USD and 7/12 of the namespace is still unreleased.
Very? If you find https://handshake.org/ too marketing-y (I don't) perhaps you'll find the design notes more substantial: https://handshake.org/files/handshake.txt
DoH's point is mostly to hide DNS traffic. DNSSEC's point is to validate a DNS record all the way to root.
The benefits on Handshake over existing solutions are unclear to me.
It's also relevant to note that 51% attacks are a concern for most payment/store-of-value blockchains like Bitcoin, but for Handshake 51% attacks don't really affect the security of the network, because an attacker would need to get the private keys for a name in order to attack its certificate.
Keep in mind some of these US companies that are willing to run resolvers think censoring the DNS over the content it points to is a good thing.