undefined | Better HN

0 pointscubesnooper4y ago0 comments

But that would leak all of my DNS queries in cleartext.

I use cloudflared to do DNS lookups via Cloudflare’s Tor onion. It’s weak to vulnerabilities like this one, but it disassociates my DNS lookups from myself, and TLS certificates mitigate the risk of hitting spoofed sites.

0 comments

2 comments · 1 top-level

teddyh4y ago· 1 in thread

> But that would leak all of my DNS queries in cleartext.

The longer-term solution is to wait for DoT to become prevalent in authorative servers.

But, realistically, won’t you “leak” your IP anyway when you make your actual connection? I mean, why are you looking up things in the DNS if not to connect to them? And if you make a connection, you leak your IP.

If you’re not concerned with the other party’s DNS servers, but with the root servers and TLD DNS servers snooping on your queries, I think you’ll have to wait for QNAME minimization to arrive.

cubesnooperOP4y ago

Recursive resolution leaks all my DNS queries in plaintext to my ISP, the nameservers, and everyone in between; on top of that, my ISP can monitor what sites I’m viewing through SNI and server IP. If my DNS queries are encrypted and anonymized, my ISP only gets SNI and server IP. And ECH seems to be moving quickly, so within a couple of years I expect the SNI leak to be plugged.

> The longer-term solution is to wait for DoT to become prevalent in authorative servers.

That has a serious deployment problem, far more so than ECH. It’s going to be years (and years and years) before a person can successfully do recursive resolution via TLS. Is that even on anyone’s roadmap?

j / k navigate · click thread line to collapse