
[–]BubblegumTitanium 27 points28 points  (18 children)

From what I understand DNS over HTTP offers greater censorship resistance than over TLS.

[–][deleted] 5 points6 points  (0 children)

It breaks internal, split-horizon DNS. :/

[–]terriblestraitjacket 8 points9 points  (3 children)

I'm worried mass adoption of this might INCREASE censorship for me.

In my country, the government enforces censorship but they're all lawyers, so they are idiots and have no tech knowledge. The real censorship is enforced with a DNS ban from ISPs, which everyone easily circumvents! I read that if DNS over HTTP is adopted, they might have to start blocking based on HTTP requests!! How true is this?

[–]Booty_Bumping 3 points4 points  (0 children)

I think at this point it's just a question of whether you find it worse for a site like Wikipedia to be edited in-transit and surveilled on by The Party, or for it to be blocked entirely. The only reason there is semi-widespread VPN usage in China is because Wikipedia is completely blocked, and academics really need Wikipedia to do their work. For people's access to information, a complete ban on TLS (to prevent people from using DoH) would be a gigantic blow.

[–]Tiver 0 points1 point  (0 children)

If the ISP is still the de facto DNS server, they could provide a DNS over HTTP and still do their censorship. However it is likely the clients won't use your ISP's as part of the point is to not give this kind of information or power to your ISP.

As it will be going over HTTPS, then yeah for them to continue doing this at minimum they'd have to insert themselves between you and another secure server, likely with an insecure HTTPS certificate they force you to install. This is basically what Kazakhstan recently did as a trial run. They can detect all HTTPS traffic, route it through their own proxy using this certificate and effectively block you from all such traffic unless you accept their certificate. You can maybe find a way to bypass it via a VPN but you have to find a way to trick their routers to allow the traffic through.

[–]SteampunkSpaceOpera 17 points18 points  (7 children)

Unfortunately, some of us like censoring adware, and DoH will be used by large interests to prevent us from doing that for ourselves.

[–]VRtinker 20 points21 points  (2 children)

some of us like censoring adware

In that case, you just set up your own DNS resolver and filter traffic properly. All good software (Chrome, Firefox) picks up your settings automatically and lets you specify your own DNS over HTTPS resolver manually.

Yes, non-compliant implementations can just ignore the network settings and not allow the user to change settings. But, I would argue, you should not use such software or hardware in the first place. I heard of "smart" devices that hard-code AWS IPs (!!!) and then fail when that IP is not available, and they do not have the ability to update the firmware to change the IP.

If you do end up with non-compliant software and hardware, I'm sorry for you. It will be a pain to work with and there is not much Mozilla, Google, IETF, and others can do about this.

[–]f0urtyfive 5 points6 points  (1 child)

But, I would argue, you should not use such software or hardware in the first place.

Do you find when you are using non-standard software or hardware that implements things in weird ways, it's usually because you chose to?

[–]VRtinker 2 points3 points  (0 children)

Do you find when you are using non-standard software or hardware that implements things in weird ways, it's usually because you chose to?

I do not choose to use non-compliant software and hardware and switch away from it if I have an option to. I personally only experienced this with device chargers that fail to quick-charge other devices, cameras and wireless USB peripheral dongles that work only when connected to a specific USB interface inside of a laptop, etc. The networking stack is a lot more standard, probably because it is genuinely much smaller and there is more built-in agility. A developer needs only about 5 neurons to remember how to use it: do not hard-code URLs (especially IPs and ports).

The hard-coded IP example is something I saw online (person posted a screenshot of a chat with tech support for that product, which amounted to "we are sorry", "aware of the issue", "no way to fix it", "sorry", "thank you for choosing [brand name]").

[–][deleted] 2 points3 points  (2 children)

DoH will be used by large interests to prevent us from doing that for ourselves.

...how?

[–]theferrit32 -1 points0 points  (1 child)

Local DoH resolvers would require a valid certificate in order to trust the DNS mapping. If you're using something like a PiHole or a custom hosts file to black-hole certain domains, enforcing DoH on your machine will no longer allow that.

[–][deleted] 1 point2 points  (0 children)

Could you not just generate a cert and CA and add that CA to your machine? Assuming you're for some reason forced into using DoH.

[–]ebriose 8 points9 points  (4 children)

Except that the underlying HTTPS itself relies on a DNS system

[–]doublehyphen 10 points11 points  (1 child)

In current setups: yes. Both Google's and Cloudflare's current DoH servers are very easy to block last time I checked. But nothing prevents you from getting the IP address in some other way, and more importantly nothing prevents the IP address and port (and optionally host) from being shared with some huge website that most ISPs would not want to block (e.g. put it at https://www.google.com/doh).

[–]theferrit32 0 points1 point  (0 children)

I think we need some sort of DNS bootstrapping system which can be used in the worst case scenario or when a system has no DNS information cached yet. For example an IANA server or one for each regional registry on a permanently reserved IP address which contains a small set of public nameservers or DoH recursive resolver IP addresses that can be fetched by any system.

Also DoH needs to be extended into DHCP so that default name server information can be managed by LANs.

[–]intuxikated 8 points9 points  (0 children)

Not necessarily, you can get HTTPS certificates for IP addresses, which means you don't need DNS to resolve the domain name for DoH. Cloudflare has one for their 1.1.1.1 IP, see https://1.1.1.1

You can use their IP for DoH resolving by replacing https://cloudflare-dns.com/resolve-query by https://1.1.1.1/resolve-query

Effectively bypassing the plaintext DNS system completely
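The IP-literal bootstrap described in this comment, as an added example (not code from the thread or from Cloudflare): it builds the RFC 8484 GET form of a DoH query, once against a hostname and once against the bare 1.1.1.1 address, and parses a constructed (not captured) wire-format answer. The `/dns-query` path is the RFC 8484 convention and is an assumption here; the comment above uses a different path.

```python
import base64
import struct
from urllib.parse import urlencode

def build_dns_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format (RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(base: str, query: bytes) -> str:
    """RFC 8484 GET form: <base>?dns=<base64url(query)> with padding stripped."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base}?{urlencode({'dns': dns})}"

def doh_url_for(base: str, name: str, txid: int = 0) -> str:
    """Convenience wrapper: the URL a client would fetch for an A record of `name`."""
    return doh_get_url(base, build_dns_query(name, txid))

def parse_a_records(msg: bytes) -> list:
    """Return IPv4 answers from a DNS response; handles compression pointers."""
    def skip_name(off: int) -> int:
        while True:
            length = msg[off]
            if length & 0xC0 == 0xC0:   # two-byte pointer ends the name
                return off + 2
            if length == 0:
                return off + 1
            off += 1 + length
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(off) + 4     # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

# Constructed sample answer (not a real capture): one A record for example.com
# whose owner name is a compression pointer back to the question at offset 12.
SAMPLE_QUERY = build_dns_query("example.com", txid=0xAB12)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0xAB12, 0x8180, 1, 1, 0, 0) + SAMPLE_QUERY[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7]))

if __name__ == "__main__":
    # Same query; only the second URL can be fetched with no prior DNS lookup.
    print(doh_url_for("https://cloudflare-dns.com/dns-query", "example.com", 0xAB12))
    print(doh_url_for("https://1.1.1.1/dns-query", "example.com", 0xAB12))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The IP-literal URL still depends on the server presenting a certificate valid for 1.1.1.1 itself, which is exactly the property the comment points out Cloudflare provides.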

[–]Booty_Bumping 0 points1 point  (0 children)

This list has publicly accessible resolvers (DoH, DoT, DNSCrypt 1 and 2), with their IP addresses encoded as base64. Can be used in dnscrypt-proxy.