undefined | Better HN

0 pointsxnyanta1y ago0 comments

DoH will prevent government from hijacking your query in the first place. These blockades are only possible because of DNS being clear text and suceptible to MITM

0 comments

vFunct1y ago

That's one level of security, but even for DoH, it's possible for entities to attack and control an HTTPS server, returning falsified DNS queries, and now the antigovernment.com website you logged in to talk about anti-government politics is actually run by government. The only way to prevent that is via DNSsec to make sure that antigovernment.com goes to a real antigovernment.com server.

tsimionescu1y ago

This makes no sense whatsoever.

If the government can transparently MITM your HTTPS connections with the DoH server, they can just as well MITM your connection to the real antigovernment.com server regardless of what DNS you use. And in fact, if they can't MITM your connection to the real antigovernment.com, they also can't trick you to talk to their fake antigovernment.com regardless of intercepting your DNS: you will connect to the attacker IP, the attacker IP will give you a bogus certificate, your browser will refuse to connect.

yegle1y ago

Wait what do you mean? They can have an HTTPS server and MITM, but how can they get a certificate for the DoH server I use?

labcomputer1y ago

They only need a certificate signed by an authority trusted by your resolver. And, unlike for the website itself, your browser does not show certificate information for the DoH server.

DoH also does not solve the problem of where the DNS server you use gets its information from: A government can compromise the other side as well.

2 more replies

j / k navigate · click thread line to collapse