undefined | Better HN

0 pointskelnos1y ago0 comments

My home router is running a (regular, port 53) DNS server that blocks requests to ads, scams, malware, etc. I have rules set up on the router so any port 53 traffic that tries to go to the public internet gets redirected to my router's DNS server.

A device on my network that decides to use DoH without my knowledge or consent gets to bypass all that. I can try to block a list of the DoH providers I know of, but I'm not going to get them all. And it's just regular HTTPS traffic on port 443, with nothing to distinguish it from someone accessing a website.

0 comments

growse1y ago

An antagonistic device on your network that wants to resolve names doesn't need to use DNS at all.

DoH isn't "magic". It's just a simple, standardised protocol. It's existence makes it no more or less easy for adversarial actors to do name resolution.

chgs1y ago

The choice of DoH is not set from dhcp or the OS, it’s set by the application developer. And that’s wrong.

DNS should be an OS level tool which is consistent to all applications, not an application by application setting.

As the device owner I expect dns to be ck distant whether I run Firefox, chromium, zoom, curl, steam, ping, or he dozens of other programs I run.

HeatrayEnjoyer1y ago

Why should it be system wide? That's a broad and imprecise policy vs app by app.

2 more replies

j / k navigate · click thread line to collapse