[PLUG] DNS over HTTPS

Tom tgrom.automail at nuegia.net
Sun Dec 29 10:52:08 UTC 2019


On Sun, 29 Dec 2019 03:35:32 +0000
Tomas Kuchta <tomas.kuchta.lists at gmail.com> wrote:

> Could you explain the details why/how DNS over HTTPS would you "not
> recommend using it. It's just a way for data-mining
> companies to suck up more of your private life"?
> 
> The way I understand it, it is meant to provide privacy from your ISP
> and traffic observation along the way to the DNS. It should not make
> anything else worse/better.
> 
> Thanks,
> Tomas
> 
> On Sun, Dec 29, 2019, 03:01 Tom <tgrom.automail at nuegia.net> wrote:
> 
> > On Wed, 25 Dec 2019 20:14:00 -0800
> > "Mike C." <mconnors1 at gmail.com> wrote:
> >
> > > Has anyone dug into this much or is actually using it?
> > >
> > > It's experimental in Chrome but not currently available in
> > > the .deb version.
> > >
> > > Apparently, it has been a Firefox feature for a few years, but
> > > Chrome has been my browser of choice for many years now.
> > >
> > > OpenWrt supports DoH through DNSMasq and HTTPS-DNS-Proxy. Which is
> > > nice because then all your LAN / WLAN devices can use it after
> > > setting up once and makes troubleshooting any problems related to
> > > it much easier.
> > >
> > > I know a few years ago, DNSMasq was pretty standard on Ubuntu /
> > > Debian based distros. Which makes me think there's probably a
> > > HTTPS-DNS-Proxy package for most Linux distros.
> > > _______________________________________________
> > > PLUG mailing list
> > > PLUG at pdxlinux.org
> > > http://lists.pdxlinux.org/mailman/listinfo/plug
> >
> > I would not recommend using it. It's just a way for data-mining
> > companies to suck up more of your private life. There's no security
> > or reliability to it over normal DNS. In fact, the security and
> > reliability is worse.
> >

Normal DNS queries are decentralized and, with DNSSEC, tamper resistant.
When you encapsulate all your queries and send them to a central
server, Cloudflare for example, you've just made your situation worse
privacy-wise. Whereas before only your ISP could see just the domain
you're visiting if they cared to do an active man-in-the-middle attack on
your connection, Cloudflare with its 80+% control over popular
websites introduces a massive layer of centralization to the act of
resolving names. Sending all your queries to them, they can sell that
user data, get hacked and leak it all, or be coerced into disclosing it.
