Ok, but there are more important reasons. Walled-garden directories are a symptom, not a cause. For that matter, SNI and path-based load balancers are examples of the application-level address resolution overlay already in practice. Those techniques merely implement, not drive, balkanization.
Basically, application-layer DNS doesn’t pass the “but for” test. As in, it is not correct to say “but for application-layer DNS, Facebook/WeChat/Google couldn’t build walled gardens. With it they can.”
Not just CDNs, ISPs can certainly operate their own DoH servers on their existing DNS infrastructure. If they want to continue selling their users' browsing data to marketing firms, that is what they will have to do.
This also moves trust to the browser and OS TLS certificate stores, which may be problematic depending on your opinion of whether or not you can trust every single one of the governments and organizations behind the hundreds of root CAs.
I am using DNSCryptProxy on a Pi and it fully supports DoH + eSNI even without cloudflare. Works perfectly with Firefox.
The service picks from 65 DoH servers based on the fastest ping time.
That was/is a lot better than before, when in reality my only choice was my ISP DNS. In fact I just learned that for the last few years my ISP was hijacking all DNS requests anyway.
I agree that due to social issues the problems are fairly real (ISPs ain't gonna do shit). But on a purely technical level DoH should be fine.
But it seems like none of them have done that. Maybe the policy terms are objectionable? Let's see:
"Only aggregate data that does not identify individual users or requests may be retained beyond 24 hours."
But how will the poor ISP make extra money selling DNS query information?
"When a domain requested by the user is not present, the party operating the resolver should provide an accurate NXDOMAIN response and must not modify the response or provide inaccurate responses that direct the user to alternative content."
An ISP that obeys this can't put up advertising banners or sell search engine redirects when you typo a name - they'll have to actually earn money providing Internet service instead.
It is not merely encrypting the information. Hand-in-hand comes running the resolvers (which, as you noted everyone can) and having all the DNS-using software use them.
Which is a much bigger problem, and the one that causes the centralization. Applications are coming today hard-coded for a specific resolver. Configuring it is application-specific and not automatable, and certainly not automatable in a generic manner for all applications. I.e. as a network operator you cannot say that everyone should be using this or that resolver, as you can with the plain old 53/udp DNS and DHCP.
Users are not going to reconfigure each and every application every time they change their network. They will leave it at the default value. The net effect is that the centralization will just happen.
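As an added illustration of two points raised above, the "must not modify the NXDOMAIN response" policy term and the DoH mechanism itself, here is a small offline example (written for this page, not code from the thread or from any resolver project). It builds an RFC 8484 DoH GET query in wire format and then checks a resolver's answer for the typo-squatting redirect pattern the policy forbids: a name that should not exist answered with an A record instead of NXDOMAIN. No network traffic is sent; the resolver "responses", the `/dns-query` endpoint, the nonexistent test name and the 203.0.113.9 address are all constructed for the example.

```python
"""Added example: RFC 8484 DoH GET encoding plus an NXDOMAIN-rewrite check.
Everything here runs offline against constructed responses."""
import base64
import struct

RCODE_NXDOMAIN = 3


def build_query(qname, qtype=1, txid=0):
    """Encode a single-question DNS query in RFC 1035 wire format.
    txid 0 and RD=1 match the RFC 8484 GET example (cache friendly)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_path(wire, endpoint="/dns-query"):
    """RFC 8484 GET form: the wire query, base64url encoded without padding,
    in the 'dns' query parameter. Endpoint path is an assumption."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()


def _read_name(msg, off):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if length == 0:
            off += 1
            if not jumped:
                end = off
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end


def parse_response(msg):
    """Parse header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                 # A record -> dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def looks_hijacked(resp):
    """A query for a name that must not exist answered with rcode 0 and an A
    record is the redirect-to-advertising pattern the resolver policy forbids."""
    return resp["rcode"] == 0 and any(r[1] == 1 for r in resp["answers"])


def _constructed_response(query, rcode, a_record=None):
    """Build a fake resolver response to `query` (constructed test data)."""
    ancount = 1 if a_record else 0
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, ancount, 0, 0)
    body = header + query[12:]                        # echo the question
    if a_record:
        body += (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4)
                 + bytes(int(x) for x in a_record.split(".")))
    return body


def demo():
    q = build_query("does-not-exist-8f3k2.example")    # constructed name
    honest = parse_response(_constructed_response(q, RCODE_NXDOMAIN))
    rewritten = parse_response(_constructed_response(q, 0, "203.0.113.9"))
    return {"path": doh_get_path(q),
            "honest_hijacked": looks_hijacked(honest),
            "rewritten_hijacked": looks_hijacked(rewritten),
            "rewritten_ip": rewritten["answers"][0][3]}


if __name__ == "__main__":
    print(demo())
```

The same `parse_response` plus `looks_hijacked` pair works against a real resolver's answer body; the only change is replacing `_constructed_response` with the bytes returned by an HTTPS GET to the path `doh_get_path` produces.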
They can, but up until Firefox legitimized this practice, they didn't, maybe except some malware.
> DoH/DoT is showing up in operating system resolvers just not as fast as apps like browsers were willing/able to add it.
The browsers were so fast that they skipped the discussion about the ramifications of this change with the rest of the community and just abused their position. One might even wonder why.
Does not make for good relations in the future.
> Standard DHCP options for defining DoH details are still missing though
Yup. Here, browsers are not using their position to finish their push, so maybe the situation is acceptable for them.
[1] CDNs are a lesser evil than ISPs but I still wouldn’t want to need to trust them to protect my privacy.
This keeps being repeated, and I simply do not understand it. Could you elaborate how you arrive at this conclusion that CDN > ISP?
My take:
An unsavory ISP is the only thing I can "vote against" as an end user. I can boycott it by switching elsewhere, I can pick from a ton of mobile providers, I can use a VPN to "subcontract" my connectivity experience to an order of magnitude more providers, or if I am really so inclined I can shuffle all of that by the likes of Tor.
There is NOTHING I can do as an individual to avoid a CDN, aside from never visiting content backed by that CDN.
And I think from the context of the parent, you can choose your CDN('s resolver) -- my version of Firefox (77 on macOS) has NextDNS among the default DoH providers.
Sure, Firefox is using CDN resolver #1, "optimized for the browser experience", while Spotify uses the CDN resolver #2, "optimized for music discovery".
The namespace will balkanize, and with that the control moves to the owners of the resolvers. That would be a natural evolution of the infrastructure purely due to literal "network effects".
If data can be gleaned from current DNS requests, what data can be gleaned from a browser sending metadata? Who controls those DoH servers?
At least the current DNS namespace, nominally, is devolved, particularly with the explosion of TLDs. That has other disadvantages, but there are advantages too.
[1] You need to enable it in your NextDNS settings.
I believe the authors of the DoH idea were doing it with good intentions, but the road to hell is paved with good intentions.
What we are doing with DoH is actually breaking decentralised internet infrastructure into centralized (or let's say, less centralized... for now) infrastructure, and this was never a good thing (history-wise).
To test why this is bad you can try to block Google and Amazon ASNs and try to surf around the web. You will notice that the internet is quite different (a hint: yandex.ru was the only search engine I have found that still works).
For instance selling the information about user accessing some domain would be a big no-no in my country.
They are obliged by law to protect customers information except if ordered by court.
With DoH all bets are off. Surely it will give some privacy to users where ISPs are sticking their noses into customers' data (like in the USA); they won't be able to do it anymore. But for me, I trust our ISPs (or laws) while I surely don't trust Google or Cloudflare.
We will just give internet resolving into hands of multinational corporations, what could go wrong, right? (Just quick ideas: for $10 / day we offer redirection from yourdomain.com to sellingcrap.com or we resolve .ourinternaldomain only over DoH and not resolve to external ips to force you to use our DoH,...)
Do you think your ISP has better controls and a security team than some of the big CDNs and cloud providers to detect and prevent this?
The reason I bring it up is because I know a number of ISPs whose sysadmins were on the take and selling bulk regular dumps of DNS resolver data under the table to other parties for years.
If we go into those waters they can also break into my house, smack me on my head, use rubber-hose cryptanalysis, decrypt my machines and copy data from there.
For a 3rd party company outside of our jurisdiction there is nothing that protects my data; actually they will abuse it as part of their business model.
The data transfers are not free; if someone is setting up free DNS resolving (cloud storage, providing emails, operating system for phones, ...) there is some hidden profit within (the good old "if something is free, you're the product").
For ISP I pay for their service and this is a huge difference (also regarding laws - a much broader set applies)
Can you substantiate this claim? I've heard of ISPs in the USA who sell data, but what you're describing sounds a little bit far fetched.
If you know such people you should consider reporting it to the police.
Yes. What use do you have for that data? Especially if it's only one user. There is not much that you can do.
At the same time it could actually hurt privacy of people already protected by law in developed countries.
As an aside, anyone else notice how it seems like all blockchain projects are annoyingly full of marketing speak, and talk in circles for the tech part. How hard is it to clearly and concisely list the technical goals and properties your solution has?
With Handshake, certs can be pinned directly on the blockchain, which becomes more secure as more nodes join the network and across time as more blocks get mined on top of the pinned cert. This shifts the system from diminishing security to accumulating security. That’s the main innovation behind Handshake.
There are other differences in the issuance model as well. Namecoin’s issuance destined it for failure from day one since names are registered for a flat fee without restriction. This meant that squatters and early adopters could lock up the namespace without paying the true market price of the name. Handshake uses an auction system for name registration and releases the namespace over time (the release date is determined by hashing the name % 52), which means that names are registered for their true market price and newcomers can still register good names. This difference is critical and already playing out successfully — the highest auction was for 200k HNS, which is equivalent to $20k USD and 7/12 of the namespace is still unreleased.
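The release schedule described above (a name's release week is its hash modulo 52) is simple enough to show in code. This is an added example written for this page, not Handshake's own implementation: the comment only says "hashing the name % 52", so the specific hash function (SHA3-256, first four bytes, big-endian), the lower-casing of names and the genesis date are assumptions used to make the schedule concrete.

```python
"""Added example: a hash-based name rollout over 52 weeks, as the comment
describes. Hash function and genesis date are assumptions, not Handshake's."""
import hashlib
from collections import Counter
from datetime import date, timedelta

ROLLOUT_WEEKS = 52


def release_week(name):
    """Week (0..51) in which `name` becomes available for auction.
    SHA3-256 of the lower-cased name, first 4 bytes, mod 52: an assumption."""
    digest = hashlib.sha3_256(name.lower().encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") % ROLLOUT_WEEKS


def release_date(name, genesis):
    """Calendar date on which the name's release week opens."""
    return genesis + timedelta(weeks=release_week(name))


def is_released(name, genesis, today):
    """True once the name's week has been reached."""
    return today >= release_date(name, genesis)


def fraction_released(genesis, today):
    """Share of the namespace that has opened by `today` (week 0 opens at genesis)."""
    weeks_elapsed = (today - genesis).days // 7
    opened = min(max(weeks_elapsed + 1, 0), ROLLOUT_WEEKS)
    return opened / ROLLOUT_WEEKS


def week_distribution(names):
    """How many of the given names land in each release week. Because the week
    comes from a hash, a registrant cannot pick names that all open early."""
    return Counter(release_week(n) for n in names)


if __name__ == "__main__":
    genesis = date(2020, 2, 3)          # constructed date, not the real network launch
    sample = ["example", "shop", "mail", "wiki", "news", "blog", "test", "home"]
    for n in sample:
        print(n, release_week(n), release_date(n, genesis))
    print("released by week 21:", fraction_released(genesis, genesis + timedelta(weeks=21)))
```

With a real rollout the only input that changes is the genesis date; `fraction_released` then answers the "how much of the namespace is still unreleased" question directly from the calendar.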
The main innovation of handshake is they reinvented DANE on the blockchain? Don't get me wrong, DANE in DNS has some issues, but how is that an improvement over namecoin? Are you saying namecoin is incapable of storing the hash of a certificate in its name records? I'd also bet the cost of a 51% attack on handshake is significantly less than the cost of hacking a CA. [Edit: after posting this I realize I'm not sure the 51% attack is a relevant attack here, since "double spending" isn't going to help someone pull off a MITM]
The other innovation is, instead of scoping it so it doesn't conflict with the existing system, handshake directly conflicts with existing DNS names. I fail to see why that is a good thing.
I will admit the auction system is an interesting solution to the cybersquatting problem. I don't think it's what most people want out of a naming system (if I own Microsoft, I want my domain to be microsoft.com, not to wait 10 years for it to be released), but it is an interesting solution.
Very? If you find https://handshake.org/ too marketing-y (I don't) perhaps you'll find the design notes more substantial: https://handshake.org/files/handshake.txt
DoH's point is mostly to hide DNS traffic. DNSSEC's point is to validate a DNS record all the way to root.
The benefits on Handshake over existing solutions are unclear to me.
It's also relevant to note that 51% attacks to most payment/store-of-value blockchains like Bitcoin, but for Handshake 51% attacks don't really affect the security of the network because an attacker would need to get the private keys for a name in order to attack its certificate.
Keep in mind some of these US companies that are willing to run resolvers think censoring the DNS over the content it points to is a good thing.
https://www.linux.com/training-tutorials/vim-tips-basics-sea...