|
|
|
|
|
|
by lol768
3576 days ago
|
|
|
The site doesn't specify directly, but would the communication between Bob (the end-user) and Trent (the trusted entity) be encrypted? If not, why not? It's always annoyed me how much of a mess DNS is when it comes to confidentiality. Why should my ISP or employer be able to deduce which sites I'm visiting by simply inspecting my UDP datagrams (filtering to port 53) and looking at the plaintext queries? Why was this thought to be a good idea? In the wider scheme of things, there's far too much trust with many internet services/protocols. I like that NeoDNS provides a public key for the queried service - maybe with a scheme like this we can stop sending hostnames for SNI in plaintext as part of the TLS handshake too. We shouldn't accept these sorts of information leaks anymore, it's been demonstrated too many times in the past that sending things in plaintext is a bad idea. |
|
|
(You can use a proxy/VPN tunnel. Your ISP knows knows you're sending traffic to the proxy, and your proxy knows where you're sending traffic.)
(2) DNS encryption is certainly possible. DNSCurve and DNSCrypt are the ones I know of. But there's just not a lot of motivation. IP packets have an address on them already; the only additional thing DNS or SNI reveals is which of several (usually enumerable) hostnames they are interested at that IP. So...interesting, but generally not compelling.