Encrypted DNS
Posted May 20, 2025 16:18 UTC (Tue) by dskoll (subscriber, #1630)
In reply to: Encrypted DNS by tialaramex
Parent article: Red Hat Enterprise Linux 10 released
I am not a fan of DoH. While I understand what it's intended to do, it makes things like running a Pi-Hole network-wide ad blocker more difficult, if not impossible. So it's understandable that Google and other advertisers like it.
Encrypted DNS
Posted May 20, 2025 18:02 UTC (Tue)
by zdzichu (subscriber, #17118)
[Link] (15 responses)
Why more difficult? When you control DNS, it doesn't matter what transport clients use. Or if you don't want to set up your own DoH endpoint, there's always use-application-dns.net.
Encrypted DNS
Posted May 20, 2025 18:12 UTC (Tue)
by bradfa (subscriber, #71357)
[Link]
Granted, this kind of oppressive network restriction is exactly the reason why DNS over HTTPS is a good thing. When this kind of thing is used to give people access to DNS for "good" reasons it's a big win. But when I'm trying to oppress the ad-serving devices in my own house, I find it frustrating that DoH gets around my restrictions.
Encrypted DNS
Posted May 20, 2025 19:27 UTC (Tue)
by dskoll (subscriber, #1630)
[Link] (13 responses)
The issue is that endpoints can use DoH servers other than the endpoint you provide, in a way that's annoying to block.
I do use use-application-dns.net but that simply asks politely that an endpoint not use DoH... it doesn't enforce it. And while Firefox respects it for now, I imagine there is a fair bit of pressure from advertisers to use DoH as a way to get around DNS-based filtering.
Now, getting around DNS-based filtering such as country-imposed censorship is a good thing, but getting around DNS-based filtering that you want is a bad thing.
If endpoints stop respecting use-application-dns.net then the only practical way to prevent them from looking up domains that you do not want resolved is to block the specific DNS-over-HTTPS servers that they use, and that's a game of whack-a-mole.
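An added example (not part of this thread, and not anyone's project code) that makes the two mechanisms under discussion concrete: how an RFC 8484 DoH client wraps an ordinary DNS wire query into an HTTPS GET, so that a network filter only ever sees a TLS connection to the resolver and never the queried name, and the use-application-dns.net canary, where a resolver answering NXDOMAIN (or NOERROR with no A/AAAA records) asks cooperating clients such as Firefox not to use DoH. The resolver URL https://dns.example/dns-query is a placeholder, the DNS responses are constructed in the code rather than captured, and the canary rule is written from Mozilla's published description as the example's author recalls it; treating SERVFAIL and other errors as "disable" is this example's conservative choice.

```python
"""RFC 8484 GET encoding of a DNS query, plus the use-application-dns.net
canary decision. Everything here is constructed sample data, run offline."""
import base64
import struct
import urllib.parse

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
CANARY = "use-application-dns.net"
RESOLVER = "https://dns.example/dns-query"   # placeholder, not a real resolver


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, qid: int = 0) -> bytes:
    """One-question query with RD set. RFC 8484 says DoH clients SHOULD use
    ID 0 so identical questions produce identical, cacheable requests."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url of the wire query, '=' padding removed.
    The queried name is inside this parameter, i.e. inside TLS on the wire."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={dns}"


def decode_doh_url(url: str) -> bytes:
    """What the DoH server does: pull the dns= parameter and re-pad it."""
    b64 = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["dns"][0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def decode_name(msg: bytes, off: int):
    """Decode a name at `off`, following compression pointers.
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # 2-byte pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes):
    """Return (rcode, [(name, rtype, rdata), ...]) from the answer section."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, answers


def canary_disables_doh(rcode: int, answers) -> bool:
    """Canary rule: NXDOMAIN, or NOERROR with no A/AAAA answer, means the
    network asks the client not to use DoH. Other rcodes: assumed 'disable'."""
    if rcode == RCODE_NOERROR:
        return not any(t in (QTYPE_A, QTYPE_AAAA) for _, t, _ in answers)
    return True


def make_response(query: bytes, rcode: int, a_records=()) -> bytes:
    """Constructed reply to `query` (sample data): echo the question, set
    QR/RD/RA and `rcode`, and point each A record at the question name (0xC00C)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | (rcode & 0xF), 1, len(a_records), 0, 0)
    body = b""
    for ip in a_records:
        body += struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, 4)
        body += bytes(int(x) for x in ip.split("."))
    return header + query[12:] + body


def demo():
    """Returns (DoH URL for the canary lookup, disable? for an NXDOMAIN answer,
    disable? for an answer carrying an A record)."""
    q = build_query(CANARY)
    url = doh_get_url(RESOLVER, q)
    blocked = parse_response(make_response(q, RCODE_NXDOMAIN))
    allowed = parse_response(make_response(q, RCODE_NOERROR, ["192.0.2.1"]))
    return url, canary_disables_doh(*blocked), canary_disables_doh(*allowed)


if __name__ == "__main__":
    print(demo())
```

Run it and the URL is the only thing a middlebox could ever see in the clear, and then only the host part of it, since the path and query travel inside TLS; that is why the thread's whack-a-mole ends up being played against resolver IPs rather than names. A Pi-hole that returns NXDOMAIN for the canary passes the first decision above, but nothing forces a device to ask it.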
Encrypted DNS
Posted May 20, 2025 20:41 UTC (Tue)
by sionescu (subscriber, #59410)
[Link] (1 responses)
For the moment it's much easier than one might think because the DNS endpoints (or any mechanism for bootstrapping such a list) need to be well-known.
Encrypted DNS
Posted May 20, 2025 20:47 UTC (Tue)
by dskoll (subscriber, #1630)
[Link]
The DNS endpoints need to be known to the specific device that's using DNS-over-HTTP.
I would not put it past "Smart TV" manufacturers, for example, to run their own servers that are known only to their devices. Sure, there's a small risk that the endpoints could become unmoored from the servers if the server IPs change before the endpoints can be updated, but as long as one of the IPs keeps working, the endpoints can always get the new list.
Encrypted DNS
Posted May 21, 2025 0:26 UTC (Wed)
by pabs (subscriber, #43278)
[Link] (9 responses)
It sounds like you can't control those endpoints, so you shouldn't trust those endpoints, so you shouldn't provide network access to them?
Encrypted DNS
Posted May 21, 2025 0:30 UTC (Wed)
by pabs (subscriber, #43278)
[Link] (3 responses)
Encrypted DNS
Posted May 21, 2025 0:53 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link]
I would suggest just chucking all of them into a "sewer" VLAN that is isolated from anything else.
Encrypted DNS
Posted May 21, 2025 10:31 UTC (Wed)
by paulj (subscriber, #341)
[Link] (1 responses)
Encrypted DNS
Posted May 21, 2025 12:14 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
You missed that. The network would only be usable for DNS lookups :-)
Cheers,
Wol
Encrypted DNS
Posted May 21, 2025 2:41 UTC (Wed)
by dskoll (subscriber, #1630)
[Link] (4 responses)
Sure. If I were a complete purist, I wouldn't run anything on my network that wasn't open source.
But the reality is that (older) Rokus are pretty convenient and cheap streaming devices. I want to give them network access so they can stream videos, but I also want to block them from spying on me or serving ads. I can do both of those things decently with Pi-hole, but if my Roku used DoH with its own DoH servers, it would be much harder. (This is one reason I'm sticking with a fairly ancient Roku... my model hadn't completely enshittified yet...)
SOCKS proxy?
Posted May 21, 2025 2:46 UTC (Wed)
by pabs (subscriber, #43278)
[Link] (3 responses)
SOCKS proxy?
Posted May 21, 2025 2:53 UTC (Wed)
by dskoll (subscriber, #1630)
[Link] (2 responses)
Not as far as I know, and at any rate, I doubt a Roku would even support any sort of proxy for its network access.
SOCKS proxy?
Posted May 21, 2025 3:13 UTC (Wed)
by pabs (subscriber, #43278)
[Link] (1 responses)
https://github.com/hulu/roku-dev-cli
https://gist.github.com/triwav/deb4b48bec9881f7a07e4da8bb...
https://scribe.rip/https:/medium.com/hulu-tech-blog/autom...
SOCKS proxy?
Posted May 21, 2025 3:15 UTC (Wed)
by dskoll (subscriber, #1630)
[Link]
That's too much tinkering for me. 🙂 I just want to veg out and watch my cat videos. (But this is pretty off-topic from the RHEL 10 announcement, though I guess it's on-topic for why I don't like DoH.)
Encrypted DNS
Posted May 21, 2025 6:40 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
Which is, or should be, illegal. I would think it's a clear breach of the UK CFAA, but of course, just because it's illegal doesn't mean it'll be enforced. Especially if the people breaking it are big boys with money.
Of course, it'll only take one major security breach caused by an ad network that admins blocked, to cause a massive stink and fix this particular problem, but it'll just surface again in a different guise.
Let's hope the security guys make a big enough stink that DoH is disabled by default as a matter of policy ...
Cheers,
Wol