LWN: Comments on "Red Hat Enterprise Linux 10 released"

Encrypted DNS

Cyberax — Fri, 23 May 2025 16:25:45 +0000

On the other hand, DoH works _everywhere_. Even in China, while DoT is often unstable.

Encrypted DNS

nim-nim — Fri, 23 May 2025 09:11:44 +0000

It’s increased integration with unbound and DoT.

DoH is very popular with Google and webapp-writers that want to short-circuit other players. Pretty much everyone else just wants classical DNS, with added encryption. Which is why DoH has made the headlines everywhere, while DoT deployment has quietly advanced.

If you try to setup your own DNS stack it becomes ludicrously obvious why it is so. Deploy a DoT-capable DNS server and you’re done things just work. Try to do the same with DoH and you need the same amount of work to setup DoT *plus* some HTTPs config to route the DoH traffic to the right place and avoid stomping on other HTTPS users. And it buys you *nothing* on top of the DoT setup and you can not shut down the DoT setup anyway *because* you’re sure to have a legacy app or appliance somewhere that only speaks classical dns somewhere and is unlikely to change anytime soon and requires you to run a stack able to speak something else than HTTPs.

DoT = x86_64: all the goodies plus backwards compatibility
DoH = ia64: lots of backwards compatibility problems with little to redeem it over x86_64

Encrypted DNS

ab — Thu, 22 May 2025 09:30:20 +0000

It is DoT. There is an article in works for LWN with more details but you can also check Fedora Magazine's one: https://fedoramagazine.org/enabling-system-wide-dns-over-...

RHEL 9.6 also released

joib — Thu, 22 May 2025 04:54:53 +0000

FWIW, I think that's a sensible policy. For people who want news about every minor version of every distro ever there's sites like distrowatch that specializes in that kind of news.

Encrypted DNS

Wol — Wed, 21 May 2025 12:14:28 +0000

> > and block all other network access.

You missed that. The network would only be usable for DNS lookups :-)

Cheers,
Wol

RHEL 9.6 also released

jzb — Wed, 21 May 2025 12:12:09 +0000

As a rule, we don't usually do briefs for minor releases of RHEL (or Debian, SUSE, Ubuntu, etc.) unless there's something particularly newsworthy about them. We have the impression that those are not of great interest to the majority of readers. (Whereas even if folks aren't, say, RHEL users they may want to keep informed about major releases and the general direction of other distributions...)

Encrypted DNS

paulj — Wed, 21 May 2025 10:31:21 +0000

What would stop a client using a SOCKS5 proxy to run its own DoH requests over that SOCKS connection to its own private DoH server?

Encrypted DNS

Wol — Wed, 21 May 2025 06:40:16 +0000

> Now, getting around DNS-based filtering such as country-imposed censorship is a good thing, but getting around DNS-based filtering that you want is a bad thing.

Which is, or should be, illegal. I would think it's a clear breach of the UK CFAA, but of course, just because it's illegal doesn't mean it'll be enforced. Especially if the people breaking it are big boys with money.

Of course, it'll only take one major security breach caused by an ad network that admins blocked, to cause a massive stink and fix this particular problem, but it'll just surface again in a different guise.

Let's hope the security guys make a big enough stink that DoH is disabled by default as a matter of policy ...

Cheers,
Wol

SOCKS proxy?

dskoll — Wed, 21 May 2025 03:15:18 +0000

That's too much tinkering for me. 🙂 I just want to veg out and watch my cat videos. (But this is pretty off-topic from the RHEL 10 announcement, though I guess it's on-topic for why I don't like DoH.)

SOCKS proxy?

pabs — Wed, 21 May 2025 03:13:53 +0000

Looks like you are right about that, but I note some folks get around that by enabling dev mode and using mitmproxy.

https://github.com/hulu/roku-dev-cli
https://gist.github.com/triwav/deb4b48bec9881f7a07e4da8bb...
https://scribe.rip/https:/medium.com/hulu-tech-blog/autom...

SOCKS proxy?

dskoll — Wed, 21 May 2025 02:53:38 +0000

Not as far as I know, and at any rate, I doubt a Roku would even support any sort of proxy for its network access.

SOCKS proxy?

pabs — Wed, 21 May 2025 02:46:29 +0000

Does the Pi-hole setup support forcing clients to go through a SOCKS proxy?

Encrypted DNS

dskoll — Wed, 21 May 2025 02:41:16 +0000

Sure. If I were a complete purist, I wouldn't run anything on my network that wasn't open source.

But the reality is that (older) Rokus are pretty convenient and cheap streaming devices. I want to give them network access so they can stream videos, but I also want to block them from spying on me or serving ads. I can do both of those things decently with Pi-hole, but if my Roku used DoH with its own DoH servers, it would be much harder. (This is one reason I'm sticking with a fairly ancient Roku... my model hadn't completely enshittified yet...)

Encrypted DNS

Cyberax — Wed, 21 May 2025 00:53:34 +0000

This breaks some video applications running on smart TVs or similar "player boxes".

I would suggest just chucking all of them into a "sewer" VLAN that is isolated from anything else.

Encrypted DNS

pabs — Wed, 21 May 2025 00:30:35 +0000

Alternatively, you could require they go through a filtering SOCKS5 proxy that does the DNS requests itself, and block all other network access.

Encrypted DNS

pabs — Wed, 21 May 2025 00:26:06 +0000

> The issue is that endpoints can use DoH servers other than the endpoint you provide

It sounds like you can't control those endpoints, so you shouldn't trust those endpoints, so you shouldn't provide network access to them?

LTS

linuxrocks123 — Tue, 20 May 2025 23:08:50 +0000

Ugh. Nice to know dysfunctional security theater is alive and well.

RHEL 9.6 also released

dowdle — Tue, 20 May 2025 21:36:48 +0000

AlmaLinux 9.6 release info:
https://almalinux.org/blog/2025-05-20-almalinux_96_release/

RHEL 9.6 also released

dowdle — Tue, 20 May 2025 21:34:38 +0000

I couldn't find a release announcement but their DOCS have been updated to the 9.6 series. AlmaLinux also has 9.6 out today.

Encrypted DNS

dskoll — Tue, 20 May 2025 20:47:54 +0000

The DNS endpoints need to be known to the specific device that's using DNS-over-HTTP.

I would not put it past "Smart TV" manufacturers, for example, to run their own servers that are known only to their devices. Sure, there's a small risk that the endpoints could become unmoored from the servers if the server IPs change before the endpoints can be updated, but as long as one of the IPs keeps working, the endpoints can always get the new list.

Encrypted DNS

sionescu — Tue, 20 May 2025 20:41:43 +0000

> that's a game of whack-a-mole

For the moment it's much easier than one might think because the DNS endpoints (or any mechanism for bootstrapping such a list) need to be well-known.

LTS

pbonzini — Tue, 20 May 2025 20:13:57 +0000

It's still a Frankenkernel. It's just a coincidence, like RHEL6 had 2.6.32; patches are backported into the RHEL10 kernel straight from Linus's tree rather than from the stable trees.

In fact there are more patches than before because the kernel's so-called "CVEs" are assigned as soon as something remotely looking like a fix appears in Linus's tree, and FedRAMP requires triaging and possibly backporting the fix even if the patch isn't applied to the upstream 6.12 kernel series.

Encrypted DNS

dskoll — Tue, 20 May 2025 19:27:23 +0000

The issue is that endpoints can use DoH servers other than the endpoint you provide, in a way that's annoying to block.

I do use use-application-dns.net but that simply asks politely that an endpoint not use DoH... it doesn't enforce it. And while Firefox respects it for now, I imagine there is a fair bit of pressure from advertisers to use DoH as a way to get around DNS-based filtering.

Now, getting around DNS-based filtering such as country-imposed censorship is a good thing, but getting around DNS-based filtering that you want is a bad thing.

If endpoints stop respecting use-application-dns.net then the only practical way to prevent them from looking up domains that you do not want resolved is to block the specific DNS-over-HTTPS servers that they use, and that's a game of whack-a-mole.

Encrypted DNS

neverpanic — Tue, 20 May 2025 19:00:11 +0000

Spoiler: It's DoH and DoT, configured potentially as early as during the first boot of the installation, with some automation and tooling around it. The target audience is admins looking for no unencrypted DNS traffic.

Encrypted DNS

bradfa — Tue, 20 May 2025 18:12:34 +0000

My personal difficulty is with network devices, especially video streaming boxes/apps, who use DNS over HTTPS in order to hide their own DNS lookups so that they can serve me ads. I have port 53 blocked on my router except for my Pi-Hole and I even have a handful of well known DNS over HTTPS IPv4 addresses blocked for port 443. It's not enough.

Granted, this kind of oppressive network restriction is exactly the reason why DNS over HTTPS is a good thing. When this kind of thing is used to give people access to DNS for "good" reasons it's a big win. But when I'm trying to oppress the ad-serving devices in my own house, I find it frustrating that DoH gets around my restrictions.

LTS

alspnost — Tue, 20 May 2025 18:05:34 +0000

Wow, they're actually using an LTS kernel (v6.12) for the first time! Not some weird Frankenkernel, like they usually do. Although I assume there's still a mountain of RH-specific patches piled in there, so it might still be quite different to the vanilla 6.12? Still, looks like a nice release, and hopefully we'll be seeing Rocky 10 in short order.

Encrypted DNS

zdzichu — Tue, 20 May 2025 18:02:09 +0000

Why more difficult? When you control DNS, it doesn't matter what transport clients use. Or if you don't want to setup your own DOH endpoint, there's always use-application-dns.net.

Encrypted DNS

daroc — Tue, 20 May 2025 17:37:07 +0000

We actually have a guest article working its way through the pipeline about the encrypted DNS setup in RHEL 10. So stay tuned for more coverage!

Encrypted DNS

dskoll — Tue, 20 May 2025 16:18:51 +0000

I am not a fan of DoH. While I understand what it's intended to do, it makes things like running a Pi-Hole network-wide ad blocker more difficult, if not impossible. So it's understandable that Google and other advertisers like it.

Encrypted DNS

tialaramex — Tue, 20 May 2025 16:13:49 +0000

I was hoping their blog post would have more details but it did not. When they say "encrypted DNS" they're presumably referring to DPRIVE but are we talking specifically one or more technologies like DNS-over-HTTPS, or DNS-over-TLS or are we talking about APIs or ...? Is there maybe also ECH (the yet-to-be-published RFC which encrypts the server's name for TLS 1.3 by delivering the "Hello" message twice, once as plain text but with potentially bogus cover information and then again, perhaps encrypted with genuine contents if you can decrypt them or perhaps just nonsense because you can't have known an encryption key so the plain text was correct) in some of the Red Hat tools?

DoH is so ordinary today as to be entirely uncontroversial (but welcome of course), but some other features here would be really interesting.