undefined | Better HN

0 pointsAnthonyMouse2y ago0 comments

> It doesn't matter much that your LAN itself is trustworthy if the only way out of it isn't.

> Yes, you can do that, but it doesn't do anything to help with the problem that DoH solves.

Well sure it is, because if you know the ISP isn't trustworthy, then you can have your own local DNS server encrypt the DNS traffic to the upstream DNS server of your choosing.

> I want to live in a world in which you can have privacy without having to be on a VPN 24/7.

Something has to encrypt the DNS queries. Why is TLS/HTTPS any better than a VPN?

> Couldn't it host a file with the IP on a service like Dropbox or GitHub Pages? People aren't likely to block them at the firewall.

Those services will take down the page when it's hosting malware.

> Isn't this basically "privacy for computer programs is bad because malware benefits from it", which is wrong for the same reason that "privacy for people is bad because criminals benefit from it"?

The question is, privacy from who? Privacy from governments and corporations is good. Privacy from the device owner is bad.

> What's your ISP doing with all of the data they collect from your insecure DNS queries?

Nothing, when you configure your LAN or device to encrypt them.

> And if you're concerned about Cloudflare in particular, then just use some other DoH provider.

Hard-coding Cloudflare in multiple applications on multiple devices makes it arduous to do this, which is the entire criticism.

0 comments

2 comments · 1 top-level

josephcsible2y ago· 1 in thread

> Well sure it is, because if you know the ISP isn't trustworthy, then you can have your own local DNS server encrypt the DNS traffic to the upstream DNS server of your choosing.

Isn't DoH exactly the way to "encrypt the DNS traffic"?

> Something has to encrypt the DNS queries. Why is TLS/HTTPS any better than a VPN?

Because with a VPN, you need a VPN endpoint that costs somebody money to run. With TLS/HTTPS, there are no extra systems in the mix.

> Those services will take down the page when it's hosting malware.

Don't domains hosting malware get seized and taken down too?

> The question is, privacy from who? Privacy from governments and corporations is good. Privacy from the device owner is bad.

I 100% agree with this. DoH only provides the former, though.

> Nothing, when you configure your LAN or device to encrypt them.

Again, isn't DoH exactly the way to encrypt them?

> Hard-coding Cloudflare in multiple applications on multiple devices makes it arduous to do this, which is the entire criticism.

Other than Firefox, what applications currently have Cloudflare hardcoded as their default DoH provider?

AnthonyMouseOP2y ago

> Isn't DoH exactly the way to "encrypt the DNS traffic"?

There are any number of ways to do it, the most relevant factor being that the user can choose which DNS server they want to trust, not which protocol you use.

> Because with a VPN, you need a VPN endpoint that costs somebody money to run. With TLS/HTTPS, there are no extra systems in the mix.

Someone is paying to run the DoH servers. You might also ask why they're doing so, for free, when that costs money.

> Don't domains hosting malware get seized and taken down too?

Malware often uses domains on foreign registries that are legally complicated to seize, so it only happens to the most serious offenders and can take a long time.

You also have vendor spyware which is not going to have its domain seized but is also not going to resort to Github pages for name resolution.

> I 100% agree with this. DoH only provides the former, though.

It doesn't. If legitimate applications are using DoH to a server outside of the device owner's control without providing an expedient way to make them all stop, that server can't be blocked without breaking too many things, and then malware running on the owner's device can use it without being blocked or monitored.

> Other than Firefox, what applications currently have Cloudflare hardcoded as their default DoH provider?

When someone is setting a bad precedent it's reasonable to be concerned about what happens when others follow suit.

j / k navigate · click thread line to collapse