Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.

Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move

posted by Fnord666 on Saturday October 05 2019, @07:11PM   Printer-friendly
from the can't-see-where-you're-going dept.

upstart writes:

Submitted via IRC for chromas

Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move

The Dutch National Cyber Security Centre (NCSC) explains how DNS-monitoring will get more difficult as modern encrypted DNS transport protocols are getting more popular in a fact sheet published this week.

The fact sheet's audience is represented by system or network admins and security officers who want to move to DNS over TLS (DoT) and DNS over HTTPS (DoH) DNS encryptions protocols that offer increased security and confidentiality.

Both DoH and DoT are designed to allow DNS resolution over encrypted HTTPS connections instead of using the currently common plain text DNS lookups.

Google and Mozilla are both running DoH trials for their browsers, with Chrome to upgrade to a provider's DoH server if it present on a pre-defined whitelist or to a shortlist of fallback providers (i.e., Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS, Quad9) if not.

By only upgrading the DNS resolution to DoH if the users' current DNS provider is supported, Google believes that the users' DNS resolution experience will stay the same.

Mozilla's DoH experiments have already been met with criticism from network admins and Linux distro maintainers after the decision to enable DoH by default and using Cloudflare's DoH server rather than a user's existing DNS provider.

Senior scalability engineer Kristian Köhntopp said that Mozilla is "about to break DNS" seeing that Cloudflare will be used for DNS resolution over the default server assigned by system administrators, leading to leaking visited website addresses inside corporate environments to Cloudflare.

Peter Hessler, an OpenBSD developer, tweeted at the time that OpenBSD disabled DoH in their Firefox package in the current releases and will also disabled it in future ones since "sending all DNS traffic to Cloudflare by default is not a good idea."

Original Submission

 
This discussion has been archived. No new comments can be posted.
Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move | Log In/Create an Account | Top | 49 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by c0lo on Sunday October 06 2019, @05:57AM

    by c0lo (156) Subscriber Badge on Sunday October 06 2019, @05:57AM (#903303) Journal

    What I suggest is, the world Net may progress to a completely new naming model, liberated from classic DNS weak points and kludges, for example which could be by design 1. decentralized, resilient to dynamic network topology changes 2. not strictly hierarchical but peer-structured 3. carried by tamper-proof protocol, and maybe 4. capable to auto-learn and/or verify chains of trust without some toplevel authority.

    For those to exist it requires more geeks willing work together* and able** to run the decentralized services than the world has at the current time.

    * just google "decentralized dns" to see how fragmented the landscape is
    ** ISP clamp down on protocols/ports and all is just a dream

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2