Trust?
Posted May 30, 2025 14:22 UTC (Fri)
by brunowolff (guest, #71160)
In reply to: Trust? by Cyberax
Parent article: System-wide encrypted DNS
Nor did I claim that DOH was a man in the middle attack. I said it decreases your privacy, because now your ISP and Cloudflare or Google get to see all of the destinations of your IP traffic. If you almost always visit Cloudflare protected sites or Google services, then that probably doesn't matter to you. Not everyone is going to have that profile. DOH helps if a significant amount of your traffic is to sites where services can be distinguished by DNS, but not by destination address. Or if you think your ISP is tracking or modifying your DNS queries, but is not tracking or messing with the routing of your traffic. With things like AWS the former could apply to some people, and it is certainly plausible that some ISPs are doing the latter. Then maybe you could get a net increase in privacy by letting Cloudflare or Google track everything you do in the case where they would mostly get that info anyway.
Posted May 30, 2025 17:40 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
Nope. With DoH my ISP or anybody on the network path will NOT see the queries. Only Google or Cloudflare will see them.
And even that is reduced via oblivious DNS: https://blog.cloudflare.com/oblivious-dns/
Posted May 30, 2025 18:09 UTC (Fri)
by brunowolff (guest, #71160)
[Link] (2 responses)
Posted May 30, 2025 21:41 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link]
It does. It obscures the host name, so mere passive probing is insufficient for reliable detection. The ISP will have to actively probe the target host to find out what it serves, which also fails if it is a multiplexing load balancer.
Moreover, traffic monitoring is an order of magnitude more complex and expensive than just passively snooping on DNS requests. That's because traffic is usually handled completely in the dataplane of routers, and diverting it for inspection is expensive. But diverting a handful of DNS packets per minute for a typical host? That's easy.
So in practice, DoH/DoT will increase privacy.
Posted Jun 3, 2025 13:15 UTC (Tue)
by paulj (subscriber, #341)
[Link]
The way the Internet works today is that - to a high likelihood - the IP addresses of web sites that you visit belong to CDNs, which host (or at least act as the front-ends for) many many many (potentially millions or even orders of magnitude more) different hostnames. Your ISP knowing you connect to, say, Akamai or Cloudflare, doesn't really leak any significant information about which web site you were visiting.
However, Cloudflare, Akamai, Google, etc., obviously still know - at an IP level (ignoring cookies, logged in sessions, etc.). If that bothers you, use Tor (and run your DNS over Tor via, e.g., dnscrypt-proxy). For logged-in sessions, etc., you are choosing to be known.
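As an added illustration (not code from any commenter or from the parent article), the following Python model compares what an on-path observer such as the ISP can attribute per visit with plain DNS versus DoH, covering both the shared-CDN-front-end case argued above and the single-tenant-address case from brunowolff's post. The hostname-to-address table is constructed for the example, and the model deliberately looks only at DNS and destination addresses, not at what the TLS handshake itself may reveal (an unencrypted SNI is a separate channel).

```python
import math
from collections import defaultdict

# Constructed sample of which front-end address serves which hostname.
# Four names share one CDN front-end; one name sits on its own server.
# All names and addresses are made up for illustration.
HOST_TO_IP = {
    "news.example":       "203.0.113.10",   # shared CDN front-end
    "shop.example":       "203.0.113.10",
    "forum.example":      "203.0.113.10",
    "mail.example":       "203.0.113.10",
    "selfhosted.example": "198.51.100.7",   # single-tenant server
}


def ip_to_hosts(mapping):
    """Invert the table: which hostnames does each address front?"""
    inv = defaultdict(set)
    for host, ip in mapping.items():
        inv[ip].add(host)
    return inv


def observer_view(visits, use_doh):
    """Candidate hostnames the on-path observer can attribute to each visit.

    With plain DNS the query itself names the site exactly. With DoH the
    observer sees only the destination address, so the candidate set is
    every name that address fronts (the CDN argument in the thread).
    """
    inv = ip_to_hosts(HOST_TO_IP)
    views = []
    for host in visits:
        if use_doh:
            views.append(frozenset(inv[HOST_TO_IP[host]]))
        else:
            views.append(frozenset({host}))
    return views


def ambiguity_bits(candidates):
    """Residual uncertainty in bits: log2 of the candidate-set size.
    0.0 means the observer has fully identified the site."""
    return math.log2(len(candidates))


def privacy_gain(visits):
    """Per visit: (host, ambiguity with plain DNS, ambiguity with DoH).
    A DoH value of 0.0 is brunowolff's case: the address alone names the site."""
    plain = observer_view(visits, use_doh=False)
    doh = observer_view(visits, use_doh=True)
    return [(h, ambiguity_bits(p), ambiguity_bits(d))
            for h, p, d in zip(visits, plain, doh)]
```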