[troquerre]

There will always be a need for a shared global namespace, and DNS needs to improve its security and privacy as the world continues to rely on it. I don’t think DoH is the answer since it just shifts trust from ISPs to CDNs[1]. On the security end, there’s a new DNS protocol called Handshake (https://handshake.org) that’s trying to shift the root of trust from CAs to a distributed ledger. It’s still early but it shows promise with NextDNS.io and Vercel.com supporting it.

[1] CDNs are a lesser evil than ISPs but I still wouldn’t want to need to trust them to protect my privacy.

[ribasushi]

> CDNs are a lesser evil than ISPs

This keeps being repeated, and I simply do not understand it. Could you elaborate how you arrive at this conclusion that CDN > ISP?

My take:

An unsavory ISP is the only thing I can "vote against" as an end user. I can boycott it by switching elsewhere, I can pick from a ton of mobile providers, I can use a VPN to "subcontract" my connectivity experience to an order of magnitude more providers, or if I am really so inclined I can shuffle all of that by the likes of Tor.

There is NOTHING I can do as an individual to avoid a CDN, aside from never visiting content backed by that CDN.

[andreareina]

Every ISP I have access to performs DNS-based blocking; to the extent of intercepting ALL UDP DNS traffic (i.e. using other resolvers doesn't work). DoH gets around that.

And I think from the context of the parent, you can choose your CDN('s resolver) -- my version of Firefox (77 on macOS) has NextDNS among the default DoH providers.

[rswail]

The issue isn't whether you can choose your resolver for Firefox, it's that it balkanizes the namespace resolution mechanism.

Sure, Firefox is using CDN resolver #1, "optimized for the browser experience", while Spotify uses the CDN resolver #2, "optimized for music discovery".

The namespace will balkanize, and with that the control moves to the owners of the resolvers. That would be a natural evolution of the infrastructure purely due to literal "network effects".

If data can be gleaned from current DNS requests, what data can be gleaned from a browser sending metadata? Who controls those DoH servers?

At least the current DNS namespace, nominally, is devolved, particularly with the explosion of TLDs. That has other disadvantages, but there are advantages too.

[troquerre]

NextDNS is great. I've been using it for the last few months to access Handshake sites[1] and there have been no issues, and it's important that there are more resolvers than just Cloudflare and Google on the market.

[1] You need to enable it in your NextDNS settings.

[esperent]

If you can switch ISP, good for you. On my road, there's only one, and it's owned by the government.

[swiley]

Even without switching ISPs you can just use a different recursive resolver by editing your libc resolver config file. This is more difficult when each application has its own config (or none at all.)

[andreareina]

Without Do{H,T}, your ISP sees all your DNS queries anyway, and some will MitM them.

[stiray]

This is also my concern. ISPs are typically located in same country making them follow the laws of that country.

I belive authors of the DoH idea were doing it with good intentions but road to hell is paved with good intentions.

What we are doing with DoH is actually breaking decentralised internet infrastructure to centralized (or lets say, less centralized...for now) and this was never a good thing (historywise).

For test why is this bad you can try to block google and amazon ASNs and try to surf around the web. You will notice that the internet is quite different (a hint, yandex.ru was the only search engine I have found that still works)

For instance selling the information about user accessing some domain would be a big no-no in my country.

They are obliged by law to protect customers information except if ordered by court.

With DoH all bets are off. Surely it will give some privacy for users where ISPs are sticking their noses into customers data (like in USA), they wont be able to do it anymore but for me, I trust in our ISPs (or laws) while I surely dont trust google or cloudflare.

We will just give internet resolving into hands of multinational corporations, what could go wrong, right? (Just quick ideas: for $10 / day we offer redirection from yourdomain.com to sellingcrap.com or we resolve .ourinternaldomain only over DoH and not resolve to external ips to force you to use our DoH,...)

[kitteh]

What about your ISPs employees? Do you trust a sysadmin pulling 40-50k a year (or less) to not sell your DNS resolver data?

Do you think your ISP has better controls and a security team than some of the big CDNs and cloud providers to detect and prevent this?

The reason I bring it up is because I know a number of ISPs whose sysadmins were on the take and selling bulk regular dumps of DNS resolver data under the table to other parties for years.

[stiray]

That would be criminal offense - it would mean criminal investigation and quite probably a fine for ISP (negligence). It is just not worth the risk.

If we go into those waters they can also break into my house, smack me on my head, use rubberhose cryptoanalysis, decrypt my machines and copy data from there.

For 3rd party company outside of our juristiction there is nothing that protects my data, actually they will abuse them as part of their bussines model.

The data transfers are not free, if someone is setting up free DNS resolving (cloud storage, providing emails, operating system for phones,...) there is some hidden profit within (the good old: "if something is free you're the product")

For ISP I pay for their service and this is a huge difference (also regarding laws - a much broader set applies)

[hurtyfi]

> The reason I bring it up is because I know a number of ISPs whose sysadmins were on the take and selling bulk regular dumps of DNS resolver data under the table to other parties for years.

Can you substantiate this claim? I've heard of ISPs in the USA who sell data, but what you're describing sounds a little bit far fetched.

[belorn]

When you say "under the table", do you mean unbeknown to the customer or the employer? The later will likely result in the employee being fired, fined and possible jailed. I would also suspect that a criminal do not file taxes for selling stolen data, so one can likely add tax fraud.

If you know such people you should consider reporting it to the police.

[gsich]

>What about your ISPs employees? Do you trust a sysadmin pulling 40-50k a year (or less) to not sell your DNS resolver data?

Yes. What use do you have for that data? Especially if it's only one user. There is not much that you can do.

[hamilyon2]

Your comment opened my eyes in a sense. DoH could be both huge net positive for people in country like Russia, where not law mandetes logging every internet request and indefinite storage of them.

At the same time it could actually hurt privacy of people already protected by law in developed countries.

[bawolff]

Handshake sounds exactly like namecoin which has been here for a while. I guess its trying to be better by not requiring all nodes to be full nodes or something. I feel like that is not the reason why namecoin failed.

As an aside, anyone else notice how it seems like all blockchain projects are annoyingly full of marketing speak, and talk in circles for the tech part. How hard is it to clearly and concisely list the technical goals and properties your solution has?

[troquerre]

Handshake took inspiration from predecessors like Namecoin but it’s very different. First is scope: Namecoin puts domain names on its blockchain under the .bit TLD whereas Handshake targets TLDs. It does so because Handshake aims to improve the security of TLS by shifting trust from CAs to its blockchain. The CA model is weak bc only a single CA among the thousands of CAs that your computer trusts needs to get compromised in order for your security to get compromised. And the likelihood of a single CA failure increases over time. That’s the opposite of what you want in a robust system.

With Handshake, certs can be pinned directly on the blockchain, which becomes more secure as more nodes join the network and across time as more blocks get mined on top of the pinned cert. This shifts the system from diminishing security to accumulating security. That’s the main innovation behind Handshake.

There are other differences in the issuance model as well. Namecoin’s issuance destined it for failure from day one since names are registered for a flat fee without restriction. This meant that squatters and early adopters could lock up the namespace without paying the true market price of the name. Handshake uses an auction system for name registration and releases the namespace over time (the release date is determined by hashing the name % 52), which means that names are registered for their true market price and newcomers can still register good names. This difference is critical and already playing out successfully — the highest auction was for 200k HNS, which is equivalent to $20k USD and 7/12 of the namespace is still unreleased.

[bawolff]

So let me get this straight:

The main innovation of handshake is they reinvented DANE on the blockchain? Don't get me wrong, DANE in DNS has some issues, but how is that an improvement from namecoin? Are you saying namecoin is incapable of storing the hash of a certificate in its name records? I'd also bet the cost of a 51% attack on handshake is significantly less than the cost of hacking a CA. [Edit: after posting this i realize im not sure the 51% attack is a relavent attack here, since "double spending" isn't going to help someone pull off a MITM]

The other inovation, is instead of scoping it so it doesnt conflict with existing system, instead handshake directly conflicts with existing DNS names. I fail to see why that is a good thing.

I will admit the auction system is an interesting solution to the cybersquatting problem. I dont think its what most people want out of a naming system (if own microsoft, i want my domain to be microsoft.com, not to wait 10 years for it to be released), but it is an interesting solution.

[bityard]

If I buy a domain via auction on handshake for $20,000, who does that money go to?

[tasuki]

It gets burned. The original Handshake developers seem very fond of both burning money and giving it away [1].

[1] https://handshake.org/grant-sponsors/

[tasuki]

> How hard is it to clearly and concisely list the technical goals and properties your solution has?

Very? If you find https://handshake.org/ too marketing-y (I don't) perhaps you'll find the design notes more substantial: https://handshake.org/files/handshake.txt

[ca98am79]

you can also view it at http://handshake.txt if you are using a handshake resolver

[tasuki]

Spoiler: it's a redirect!

[mytailorisrich]

Handshake does not seem to try to solve the same problem as DoH, but rather somewhat what DNSSEC is solving.

DoH's point is mostly to hide DNS traffic. DNSSEC's point is to validate a DNS record all the way to root.

The benefits on Handshake over existing solutions are unclear to me.

[troquerre]

The root of trust for DNSSEC is a key that's stored and controlled by people, and needs to go through routine key signing ceremonies. This is fallible and even recently there have been issues with the key signing ceremony https://www.icann.org/news/blog/root-key-signing-key-ceremon.... One could argue that this system works "good enough" but ultimately I'd prefer that the root of trust for security on the internet to be more robust than relying on humans to avoid error. That's what Handshake is trying to do — instead of using a key in a physical vault as the root of trust, you use a distributed blockchain that's very difficult to break.

It's also relevant to note that 51% attacks to most payment/store-of-value blockchains like Bitcoin, but for Handshake 51% attacks don't really affect the security of the network because an attacker would need to get the private keys for a name in order to attack its certificate.

[skynode]

Handshake is more of a solution to a political/governance problem than a technical one.

[swiley]

IMO compared to google (or most companies running ads) my ISP has been extremely well behaved. They mostly act as a pipe.

Keep in mind some of these US companies that are willing to run resolvers think censoring the DNS over the content it points to is a good thing.