by ignoramous 2282 days ago
> e.g. I run DoH behind my home's dns cache server.

I think GP is referring to the fact that apps can now bypass network / OS-wide DNS stub / recursive resolvers undetected with DoH.

> This is where HTTPS and eSNI further help.

I believe TLS v1.3 specifically has anti-censorship and anti-surveillance properties baked in: https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/


They could have had their own resolver before, or even hard-coded IPs.

Using software that doesn't respect you is the problem.

Firewalls can redirect port 53 to another IP. That prevents things from hard-coding to a specific IP.

https://forum.opnsense.org/index.php?topic=9245.0

Euh, it prevents a custom resolver sure, but hard-coded IPs bypass the need for DNS completely.
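The thread above makes three distinct points: apps can bypass an OS-wide resolver with DoH, a firewall can redirect port 53 to the local cache, and hard-coded IPs sidestep DNS entirely. The following Python example is added here to make those visibility boundaries concrete; it is not code from any of the commenters or from the linked OPNsense thread. It classifies constructed flow records the way a home firewall would see them, simulates the port-53 redirect, and lists destinations reached without a prior lookup through the local cache. The resolver address, the interface name in the quoted nftables rule, and all flow records are assumptions made up for the example.

```python
"""What a port-53 redirect on a home firewall can and cannot see (added example)."""
from dataclasses import dataclass

# Assumption: the home network's DNS cache lives at this address (constructed value).
LOCAL_RESOLVER = "192.168.1.1"

# Assumption: a NAT rule of this shape sends outbound plain-DNS traffic to the cache.
# Example nftables syntax; the "nat" table, "prerouting" chain and "lan0" interface are assumed.
NAT_RULE = 'nft add rule ip nat prerouting iif "lan0" udp dport 53 dnat to 192.168.1.1'


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


def classify(flow: Flow) -> str:
    """Label a flow by what the firewall can infer from port and destination alone."""
    if flow.dport == 53:
        # Plain DNS: the DNAT rule catches this whether or not the app picked its own server.
        return "local-resolver" if flow.dst == LOCAL_RESOLVER else "redirectable"
    if flow.dport == 853 and flow.proto == "tcp":
        # DNS over TLS uses a dedicated port, so it is visible and can be logged or blocked.
        return "dot-visible"
    if flow.dport == 443 and flow.proto == "tcp":
        # DoH rides on HTTPS: by port and protocol it is indistinguishable from web traffic.
        return "opaque-https"
    return "other"


def rewrite_destination(flow: Flow) -> Flow:
    """Simulate the NAT_RULE: any outbound port-53 flow is steered to the local cache."""
    if flow.dport == 53 and flow.dst != LOCAL_RESOLVER:
        return Flow(flow.src, LOCAL_RESOLVER, 53, flow.proto)
    return flow


def unresolved_destinations(flows, resolved_ips):
    """Non-DNS flows to addresses the local cache never handed out.

    This is the signal for hard-coded IPs (or names resolved out of band via DoH):
    the destination was reached without the cache seeing a lookup for it.
    """
    return [
        f for f in flows
        if f.dport != 53 and f.dst != LOCAL_RESOLVER and f.dst not in resolved_ips
    ]


def summarize(flows):
    """Count flows per classification label."""
    counts = {}
    for f in flows:
        label = classify(f)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed flow records from a single LAN host; public addresses are RFC 5737 test ranges.
FLOWS = [
    Flow("192.168.1.50", "192.168.1.1", 53, "udp"),      # normal lookup via the cache
    Flow("192.168.1.50", "198.51.100.53", 53, "udp"),    # app-chosen plain-DNS server
    Flow("192.168.1.50", "198.51.100.1", 853, "tcp"),    # DNS over TLS
    Flow("192.168.1.50", "198.51.100.1", 443, "tcp"),    # DoH or plain HTTPS: cannot tell
    Flow("192.168.1.50", "203.0.113.10", 443, "tcp"),    # HTTPS to a name the cache resolved
    Flow("192.168.1.50", "203.0.113.20", 22, "tcp"),     # SSH to a hard-coded address
]

# Constructed: answers the local cache actually returned to the host.
RESOLVED_IPS = {"203.0.113.10"}

if __name__ == "__main__":
    print("NAT rule (assumed):", NAT_RULE)
    for f in FLOWS:
        print(f"{f.dst}:{f.dport}/{f.proto} -> {classify(f)}")
    print("summary:", summarize(FLOWS))
    print("reached without cache lookup:",
          [(f.dst, f.dport) for f in unresolved_destinations(FLOWS, RESOLVED_IPS)])
```

The summary shows the practical boundary the thread is circling: port-53 flows are fully under the firewall's control, port-853 flows are at least visible, and port-443 flows are opaque, so the only remaining handle on DoH or hard-coded IPs is correlating connections against what the local cache actually resolved.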