by EQYV 2041 days ago
Isn't this more to prevent ISPs from modifying the results of your DNS queries? Also, in the future when we get encrypted SNI, users of websites behind CDNs like CloudFlare or similar (where the website you are visiting will not be discernible from the IP you're connecting to) will benefit from DoH + eSNI.

Another goal is to deal with the problem of "no log" VPN providers being forced to tag all internet-bound traffic on port 53 with the customer IP it originated from.

This has evolved into the universal compromise, since the VPN provider still gets to claim that they themselves aren't doing any logging. But of course their upstream ISP is now easily able to do so.

This is why Mullvad intercepts all DNS queries (even to 8.8.8.8 or 1.1.1.1). Try using OpenNIC from behind Mullvad: you won't get the extra TLDs.

Logging DNS makes it easy to selectively deanonymize people. All you have to do is get them to browse to a website that resolves a weird domain name.

Where can I read more about VPN providers tagging internet-bound traffic on port 53 with the customer IP address?
> Where can I read more about VPN providers tagging internet-bound traffic on port 53 with the customer IP address?

First, read this: https://en.m.wikipedia.org/wiki/EDNS_Client_Subnet

And this: https://tools.ietf.org/html/draft-hardie-privsec-metadata-in...

Then, start a VPN provider and wait for the NSL to arrive, like Mozilla did.

Not a coincidence that they suddenly started pushing DoH hard shortly after launching their own VPN. Before that it was just another protocol; after the VPN they suddenly were in a big huge hurry to put people on DoH by default whether the system resolver supported it or not.
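The "tagging" the reply above points at (via the EDNS Client Subnet link) is an option carried in the OPT pseudo-record of a plain-text DNS query: option code 8, with an address family, a source prefix length and the client's network prefix (RFC 7871, on top of RFC 6891 EDNS0). The following is an added example, not code from any of the commenters or from Mozilla or Mullvad; the function names and the sample query are my own. It builds a query with and without an ECS option and then parses one back out, which is what you would run over captured UDP/53 payloads to check whether something between you and the resolver is inserting your prefix.

```python
import ipaddress
import struct

OPT_RR_TYPE = 41      # OPT pseudo-RR type (RFC 6891)
ECS_OPTION_CODE = 8   # EDNS Client Subnet option code (RFC 7871)


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, client_ip: str = None, prefix_len: int = 24, txid: int = 0x1234) -> bytes:
    """Build a DNS A query; if client_ip is given, append an OPT RR carrying an ECS option.

    Hypothetical helper: the ECS address field is the client's network prefix truncated
    to whole bytes with host bits zeroed, exactly as RFC 7871 specifies.
    """
    arcount = 1 if client_ip else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, 1 question
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)         # QTYPE A, QCLASS IN
    if not client_ip:
        return header + question
    network = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    family = 1 if network.version == 4 else 2
    nbytes = (prefix_len + 7) // 8
    ecs_data = struct.pack("!HBB", family, prefix_len, 0) + network.network_address.packed[:nbytes]
    option = struct.pack("!HH", ECS_OPTION_CODE, len(ecs_data)) + ecs_data
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext. RCODE/flags, RDLEN
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(option)) + option
    return header + question + opt_rr


def _skip_name(buf: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while True:
        ln = buf[pos]
        if ln == 0:
            return pos + 1
        if ln & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + ln


def extract_ecs(packet: bytes):
    """Return (network, source_prefix, scope_prefix) if the packet carries an ECS option, else None."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(packet, pos) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(packet, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        rdata = packet[pos:pos + rdlen]
        pos += rdlen
        if rtype != OPT_RR_TYPE:
            continue
        opos = 0
        while opos + 4 <= len(rdata):              # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[opos:opos + 4])
            odata = rdata[opos + 4:opos + 4 + olen]
            opos += 4 + olen
            if code != ECS_OPTION_CODE:
                continue
            family, src, scope = struct.unpack("!HBB", odata[:4])
            full_len = 4 if family == 1 else 16
            padded = odata[4:] + b"\x00" * (full_len - len(odata[4:]))   # restore zeroed host bits
            net = ipaddress.ip_network(f"{ipaddress.ip_address(padded)}/{src}", strict=False)
            return str(net), src, scope
    return None


if __name__ == "__main__":
    # Constructed sample: a query for example.com carrying a /24 of a documentation prefix.
    tagged = build_query("example.com", "192.0.2.77", 24)
    print("tagged query  ->", extract_ecs(tagged))     # ('192.0.2.0/24', 24, 0)
    print("plain query   ->", extract_ecs(build_query("example.com")))  # None
```

Note that even a /24 is enough to place a VPN customer in their real ISP's address space, which is the deanonymization the thread is worried about; a resolver operator can use the same parser to strip or refuse the option on inbound queries.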

If your ISP is running the DNS with DoH/DoT then those queries can still be modified. Encrypted DNS does not solve the problem of DNS record manipulation.

For the rest, encrypted SNI might help, but it's still a draft so not really in use. Also 95%+ of sites are identifiable by IP only.