Submitted via IRC for chromas
Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move
In a fact sheet published this week, the Dutch National Cyber Security Centre (NCSC) explains how DNS monitoring will become more difficult as modern encrypted DNS transport protocols gain popularity.
The fact sheet is aimed at system and network admins and security officers who want to move to DNS over TLS (DoT) and DNS over HTTPS (DoH), DNS encryption protocols that offer increased security and confidentiality.
Both DoH and DoT are designed to allow DNS resolution over encrypted HTTPS connections instead of using the currently common plain text DNS lookups.
Google and Mozilla are both running DoH trials for their browsers, with Chrome upgrading to a provider's DoH server if it is present on a pre-defined whitelist, or to a shortlist of fallback providers (i.e., Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS, Quad9) if not.
By only upgrading the DNS resolution to DoH if the users' current DNS provider is supported, Google believes that the users' DNS resolution experience will stay the same.
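To make concrete what the "upgrade" changes on the wire, here is an added example (not code from the article or from the NCSC fact sheet) that builds a plaintext DNS query and wraps it the way a DoH client does under RFC 8484: the same wire-format message, base64url-encoded without padding in a `dns=` GET parameter sent over HTTPS. The resolver endpoint `https://doh.example/dns-query` is a constructed placeholder.

```python
import base64
import struct

# RFC 8484: a DoH query is an ordinary RFC 1035 wire-format message, carried
# either as a POST body or base64url-encoded (no '=' padding) in the "dns"
# GET parameter, with media type application/dns-message.
DOH_CONTENT_TYPE = "application/dns-message"


def build_dns_query(qname, qtype=1):
    """Encode a minimal RFC 1035 query for qname (A record by default).
    Transaction ID is 0, as RFC 8484 recommends for cache-friendly GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def doh_get_url(template, query):
    """Wrap a wire-format query in a DoH GET URL; template is the resolver's
    /dns-query endpoint (a constructed placeholder in this example)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={encoded}"


def parse_doh_get_url(url):
    """Recover the wire-format query from a DoH GET URL (inverse of doh_get_url),
    restoring the padding that RFC 8484 strips."""
    encoded = url.split("?dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def parse_question(msg):
    """Read the first question (name, qtype) back out of a wire-format message.
    On port 53 a network monitor sees exactly this; inside DoH it sees only TLS."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype


if __name__ == "__main__":
    q = build_dns_query("example.com")
    url = doh_get_url("https://doh.example/dns-query", q)
    print(url)
    print(parse_question(parse_doh_get_url(url)))
```

The query name is recoverable only by whoever terminates the TLS session, which is why the NCSC fact sheet warns that passive DNS monitoring on port 53 stops seeing these lookups once a browser upgrades to DoH.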
Mozilla's DoH experiments have already been met with criticism from network admins and Linux distro maintainers after the decision to enable DoH by default and to use Cloudflare's DoH server rather than a user's existing DNS provider.
Senior scalability engineer Kristian Köhntopp said that Mozilla is "about to break DNS", since Cloudflare will be used for DNS resolution instead of the default server assigned by system administrators, leaking the addresses of websites visited inside corporate environments to Cloudflare.
Peter Hessler, an OpenBSD developer, tweeted at the time that OpenBSD disabled DoH in their Firefox package in the current releases and will also disable it in future ones since "sending all DNS traffic to Cloudflare by default is not a good idea."
(Score: 2) by jmichaelhudsondotnet on Sunday October 06 2019, @09:35AM (1 child)
One more thing to tack on here,
When it came down to it, who hacked into Hillary's emails (not what they found, everyone agrees that was real including Podesta getting wired about being in the pool with children and references to spirit cooking and the eye of Minerva),
who hacked Hillary's email is a question to this date no one can answer. During a campaign for arguably the most important job in the world, in the most surveilled internet in the world, literally miles away from the headquarters of the 50 government agencies and the root DNS server in Maryland itself, who are paid billions of dollars to prevent and enforce such things, with ALL OF THE BITS FROM THE WIRES, all we get is
He said, she said. Russians, Guccifer, CrowdStrike, 17+ spy agencies, Michael Steel, Bozo the Clown and Snuffelupagus all have equal credibility and say opposite things.
So anyone who says that this is about the rule of law, security, chasing criminals, catching criminals, the constitution, protecting America, and that you can 'trust us', in the case in this world where it most mattered to provide a clear answer on what happened, the entire American military and police establishment was unable to.
Just like Epstein got off the hook, this is about establishing a ruling class which cannot be questioned or called into question in any way, with a prison intercom network to allow them to more easily enforce their tyranny on us rubes living in our well-decorated cages.
(Score: 0) by Anonymous Coward on Sunday October 06 2019, @02:21PM
Dude, about halfway through your first post, you shouldn't have had that second rip. And 2/3 of the way through, you definitely didn't need the chaser rip. And... then you went and tried the shatter and came back to post again?
Agree this is a great thread! But you lost the thread halfway through yours. Less drugs, more hugs!
Ok a little less jokingly: your delivery here would be hot on a soapbox or in an impassioned dining room discussion. But typed out with the luxury of pacing, it loses a lot of momentum given the claims. "Literally miles away from a root DNS in Maryland" etc are interesting and should be thought provoking (there's a rule that insecurity is safe if the gain from exploiting the insecurity is lower than the loss of exposing the ability to detect/find/exploit that insecurity, which comes to mind). But your delivery makes it hard to resist dismissing as impassioned crackpot.