by Bender
23 days ago
This is a really good write-up. I can't really think of anything important to add. I don't know if it is worth adding, but there is one small piece that can be kept at home rather than depending on Cloudflare or Google, though by itself it is rather moot, but I will mention it anyway. If using Unbound DNS [0] at home as a DNS resolver, one can enable DoH if Unbound was compiled using --with-libnghttp2, thus allowing an HTTPS listener and enabling ECH, tested / verified on [1]. I realize it's just one tiny piece of the puzzle, but we can take the logging of DNS queries away from the big providers. If people do not trust their home ISP they can put Unbound on a VM or physical server somewhere else. I only mention this because I know some people run PiHole and other security distros on their WiFi or Firewall hardware at home. Documentation: [2][3]. I am half tempted to put a DoH listener out there for anyone to experiment with and see what kind of abuse it gets.

[0] - https://nlnetlabs.nl/projects/unbound/about/
[1] - https://tls-ech.dev/
[2] - https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/d...
[3] - https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound...
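As an added illustration of the setup the comment above describes (this is example code written for this page, not the commenter's configuration and not from NLnet Labs), the script below checks whether an Unbound build reports nghttp2 support and writes a minimal `unbound.conf` fragment with a DoH listener. It assumes that `unbound -V` mentions "nghttp2" among its linked libraries when built with --with-libnghttp2, and the certificate, key and network values are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the comment or from NLnet Labs): detect an Unbound
# build with nghttp2 and write a self-hosted DoH listener config fragment.
# Assumption: `unbound -V` lists "nghttp2" in its linked-libs line when the
# build was configured with --with-libnghttp2. Paths and addresses are placeholders.

# unbound_has_doh VERSION_BANNER -> exit 0 if the banner mentions nghttp2
unbound_has_doh() {
    printf '%s\n' "$1" | grep -qi 'nghttp2'
}

# write_doh_config OUTFILE -> writes an unbound.conf fragment with a DoH listener
write_doh_config() {
    cat > "$1" <<'EOF'
server:
    # Plain DNS on the LAN interface only (placeholder address)
    interface: 192.168.1.1@53
    # DoH listener: any interface whose port equals https-port speaks HTTP/2 over TLS
    interface: 0.0.0.0@443
    https-port: 443
    http-endpoint: "/dns-query"
    # Keep TLS mandatory on the DoH port (no cleartext HTTP downstream)
    http-notls-downstream: no
    tls-service-key: "/etc/unbound/doh.key"      # placeholder path
    tls-service-pem: "/etc/unbound/doh.pem"      # placeholder path
    # Only networks you control may query; everything else is refused
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # Do not retain query logs on the resolver either
    verbosity: 1
    log-queries: no
EOF
}

# doh_config_ok FILE -> exit 0 if the fragment carries the keys a DoH listener needs
doh_config_ok() {
    grep -q '^ *https-port:' "$1" &&
    grep -q '^ *http-endpoint:' "$1" &&
    grep -q '^ *tls-service-pem:' "$1"
}

# Usage on a host with Unbound installed:
#   unbound_has_doh "$(unbound -V)" && write_doh_config /etc/unbound/unbound.conf.d/doh.conf
#   unbound-checkconf
```

Once the fragment is in place, `unbound-checkconf` validates it, and a browser pointed at `https://<resolver>/dns-query` as its DoH provider can fetch HTTPS records for ECH through your own resolver instead of a public one; the `access-control` lines keep the listener from becoming an open resolver.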
DoH is a critical enabler of ECH, and getting it right isn't easy - especially dodging all of the free services provided by the giants.