[PLUG] DNS over HTTPS

Tomas Kuchta tomas.kuchta.lists at gmail.com
Sun Dec 29 09:50:48 UTC 2019


I agree that apps should not be breaking the network layer model by bypassing
the local DNS setup.

I kind of think that the browsers were already telling their masters what
you do by other means. This is just another attempt at it.

Maybe the way to address this is to ask Mozilla/Google for a central
/etc/firefox.conf to be able to make that local admin choice. Or something
similar.

I see your point,
-T

On Sun, Dec 29, 2019, 03:48 Russell Senior <russell at personaltelco.net>
wrote:

> I can see one way: often your DNS is going through a local resolver. The
> off-site traffic is combined with other client devices before the ISP gets
> a gander at it. The application making the choice of who to ask (often
> without the user's real understanding about that choice) isn't an automatic
> win.
>
> For me personally, I'm a little concerned about not having a way of telling
> local users that I know more about how to look up a particular domain
> (which might resolve to a local address when you are on my network) than the
> browser vendor. There is a mechanism for opting out which I haven't tried
> yet. There isn't really a good mechanism for saying you trust your local
> network administrator (who I generally trust) more than your ISP (who I
> don't trust to not spy on me).
>
> It's a sticky problem.
>
> On Sat, Dec 28, 2019 at 7:37 PM Tomas Kuchta <tomas.kuchta.lists at gmail.com>
> wrote:
>
> > Could you explain the details why/how DNS over HTTPS would you "not
> > recommend using it. It's just a way for data-mining
> > companies to suck up more of your private life"?
> >
> > The way I understand it, it is meant to provide privacy from your ISP and
> > traffic observation along the way to the DNS. It should not make anything
> > else worse/better.
> >
> > Thanks,
> > Tomas
> >
> > On Sun, Dec 29, 2019, 03:01 Tom <tgrom.automail at nuegia.net> wrote:
> >
> > > On Wed, 25 Dec 2019 20:14:00 -0800
> > > "Mike C." <mconnors1 at gmail.com> wrote:
> > >
> > > > Has anyone dug into this much or actually using it?
> > > >
> > > > It's experimental in Chrome but not currently available in the .deb
> > > > version.
> > > >
> > > > Apparently, it has been a Firefox feature for a few years, but Chrome
> > > > has been my browser of choice for many years now.
> > > >
> > > > OpenWrt supports DoH through DNSMasq and HTTPS-DNS-Proxy. Which is
> > > > nice because then all your LAN / WLAN devices can use it after
> > > > setting up once and makes troubleshooting any problems related to it
> > > > much easier.
> > > >
> > > > I know a few years ago, DNSMasq was pretty standard on Ubuntu / Debian
> > > > based distros. Which makes me think there's probably a HTTPS-DNS-Proxy
> > > > package for most Linux distros.
> > > > _______________________________________________
> > > > PLUG mailing list
> > > > PLUG at pdxlinux.org
> > > > http://lists.pdxlinux.org/mailman/listinfo/plug
> > >
> > > I would not recommend using it. It's just a way for data-mining
> > > companies to suck up more of your private life. There's no security or
> > > reliability to it over normal DNS. In fact, the security and
> > > reliability is worse.
> > >
>
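
Added example, not part of the original thread: one opt-out signal a local resolver can give is Firefox's canary domain use-application-dns.net (an assumption about which mechanism is meant above; the thread does not name it). Firefox leaves default-on DoH disabled when A/AAAA lookups for that name return any RCODE other than NOERROR, or NOERROR with no address records; the Python below classifies a raw DNS reply by that rule so a local admin can check what their resolver answers. Function names and the sample replies are constructed for illustration.

```python
import struct

CANARY = "use-application-dns.net"  # Firefox's canary name (not named in the thread)
A, AAAA = 1, 28                     # DNS record type codes

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    # Header: id, flags (RD set), QDCOUNT=1, other counts 0; then the question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) domain name.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def canary_disables_doh(response):
    """True if this reply to a canary query signals 'do not enable DoH by default'."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F:              # any RCODE other than NOERROR (NXDOMAIN, SERVFAIL, ...)
        return True
    off = 12
    for _ in range(qd):
        off = skip_name(response, off) + 4      # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        if rtype in (A, AAAA):
            return False            # an address came back: no opt-out signal
        off += 10 + rdlen
    return True                     # NOERROR, but no A/AAAA records

def make_response(query, rcode, addr=None):
    # Constructed sample reply (not captured traffic): echoes the question,
    # with one A record when addr is given, e.g. (192, 0, 2, 1).
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 60, 4) + bytes(addr) if addr else b""
    return header + query[12:] + rr
```

The signal only affects DoH that the browser turned on by default; a user who enabled DoH manually is not affected by it.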


