Hacker News new | ask | show | jobs
by snvzz 2282 days ago
>DoH also means breaking stuff like pihole and other ad filtering.

No, it doesn't.

e.g. I run DoH behind my home's dns cache server.

>its also kind of pointless if the state knows youre using it outside of a tunnel...they can just watch your next packets to see where you decided to go.

This is where HTTPS and eSNI further help.
1 comments
ignoramous 2282 days ago
> e.g. I run DoH behind my home's dns cache server.

I think GP is referring to the fact that apps can now bypass network / os wide dns stub / recursive resolvers undetected with DoH.

> This is where HTTPS and eSNI further help.

I believe TLS v1.3 specifically has anti-censorship and anti-surveillance properties baked in: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

link
kohtatsu 2281 days ago
They could have had their own resolver before, or even hard coded IPs.

Using software that doesn't respect you is the problem.

link
seized 2281 days ago
Firewalls can redirect port 53 to another IP. That prevents things from hard coding to a specific IP.

https://forum.opnsense.org/index.php?topic=9245.0

link
kohtatsu 2281 days ago
Euh, it prevents a custom resolver sure, but hard-coded IPs bypass the need for DNS completely.
link